================================================================================
NETWORK SHARE DEPLOYMENT GUIDE
================================================================================

Network Share Location: S:\dt\adata\script\deploy\pc-certificates

This guide shows how to deploy certificates from the network share to PCs.

================================================================================
SETUP (One Time)
================================================================================

STEP 1: Create CA and Sign Certificates (On Management Computer)
-----------------------------------------------------------------

  cd C:\path\to\winrm-ca-scripts

  # Create CA
  .\Create-CA-Simple.ps1

  # Install CA on your computer
  Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
      -CertStoreLocation Cert:\LocalMachine\Root

  # Sign all 175 certificates
  .\Sign-BulkCertificates.ps1


STEP 2: Copy Certificates to Network Share
-------------------------------------------

  # Copy the entire batch folder to network share
  Copy-Item "pc-certificates\batch-*" `
      -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
      -Recurse


STEP 3: Copy Deployment Scripts to Network Share
-------------------------------------------------

  # Copy deployment scripts to network share
  Copy-Item "Deploy-PCCertificate.ps1" `
      -Destination "S:\dt\adata\script\deploy\"

  Copy-Item "Deploy-PCCertificate.bat" `
      -Destination "S:\dt\adata\script\deploy\"


STEP 4: Set Network Share Permissions
--------------------------------------

  - Grant "Domain Computers" READ access to:
    S:\dt\adata\script\deploy\pc-certificates\
    S:\dt\adata\script\deploy\Deploy-PCCertificate.*

  - Grant "Domain Computers" WRITE access to:
    S:\dt\adata\script\deploy\LOGS\


================================================================================
NETWORK SHARE STRUCTURE
================================================================================

S:\dt\adata\script\deploy\
├── Deploy-PCCertificate.ps1          # Deployment script
├── Deploy-PCCertificate.bat          # Batch wrapper
├── pc-certificates\                  # Certificate folder
│   └── batch-TIMESTAMP\              # Batch of certificates
│       ├── G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
│       ├── G1JJVH63ESF-logon.ds.ge.com-*.pfx
│       ├── ... (175 certificates total)
│       ├── certificate-list.csv
│       └── SUMMARY.txt
└── LOGS\                             # Log files
    └── HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt


================================================================================
DEPLOYMENT TO EACH PC (Method 1: Manual)
================================================================================

On each PC:

1. Navigate to: S:\dt\adata\script\deploy\

2. Right-click: Deploy-PCCertificate.bat

3. Select: "Run as Administrator"

4. Enter certificate password: PCCert2025!

5. Wait for SUCCESS message

6. Done!


The script will:
  ✓ Find the certificate for this PC automatically
  ✓ Import it to Local Machine certificate store
  ✓ Configure WinRM HTTPS listener
  ✓ Create firewall rule
  ✓ Log everything to S:\dt\adata\script\deploy\LOGS\


================================================================================
DEPLOYMENT TO EACH PC (Method 2: Remote PowerShell)
================================================================================

From management computer, deploy to multiple PCs:

  $pcs = Get-Content "shopfloor-hostnames.txt"
  # Only useful if Deploy-PCCertificate.ps1 accepts a password parameter;
  # pass it into the script block as $using:certPass in that case.
  $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force

  foreach ($pc in $pcs) {
      Write-Host "Deploying to $pc..." -ForegroundColor Yellow

      # Copy scripts to PC (if not using network share)
      # OR just invoke from network share.
      # Note: a mapped drive letter such as S: belongs to the interactive logon
      # session, so inside the remote session the share must be reachable by its
      # UNC path, and the remote session needs credentials that can reach the
      # file server (the second-hop problem).
      try {
          Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
              & "S:\dt\adata\script\deploy\Deploy-PCCertificate.bat"
          }
          Write-Host "$pc complete!" -ForegroundColor Green
      }
      catch {
          Write-Warning "$pc failed: $($_.Exception.Message)"
      }
  }


================================================================================
WHAT HAPPENS DURING DEPLOYMENT
================================================================================

1. Script checks network share access
   → S:\dt\adata\script\deploy\pc-certificates

2. Script finds certificate for this PC
   → Searches for: HOSTNAME-*.pfx

3. Script imports certificate
   → To: Cert:\LocalMachine\My

4. Script configures WinRM HTTPS
   → Listener on port 5986
   → Uses imported certificate

5. Script creates firewall rule
   → Allow inbound TCP 5986

6. Script logs everything
   → To: S:\dt\adata\script\deploy\LOGS\HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
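The six steps above, written out as PowerShell so the checks between them are visible. This is an added illustration and not the project's Deploy-PCCertificate.ps1; it uses the share layout, file naming, store location, port and log format from this guide, takes the PFX password as a SecureString parameter instead of prompting, and assumes the CA subject "CN=Shopfloor WinRM CA" shown in the log example. After the import it refuses to go on unless the certificate has a private key, was issued by that CA, and has a subject matching this PC's FQDN, so a mis-filed or stale PFX fails the deployment rather than silently becoming the listener certificate.

```powershell
# Added example (illustrative, not the project's own script). Run elevated on
# the target PC, e.g.: .\Deploy-Example.ps1 -PfxPassword (Read-Host -AsSecureString)
param(
    [Parameter(Mandatory)] [System.Security.SecureString] $PfxPassword,
    [string] $ShareRoot = 'S:\dt\adata\script\deploy',
    [string] $CaSubject = 'CN=Shopfloor WinRM CA'   # assumption, taken from the log example
)
$ErrorActionPreference = 'Stop'
$hostName = $env:COMPUTERNAME
$fqdn     = ([System.Net.Dns]::GetHostEntry($hostName).HostName).ToLower()
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$logFile  = Join-Path (Join-Path $ShareRoot 'LOGS') "$hostName-$stamp-CERT-DEPLOY.txt"

function Write-Log([string]$Message) {
    $line = '[{0}] {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Write-Host $line
    Add-Content -Path $logFile -Value $line
}

try {
    Write-Log "Computer: $hostName"
    Write-Log "FQDN: $fqdn"

    # 1. Network share access
    $certRoot = Join-Path $ShareRoot 'pc-certificates'
    if (-not (Test-Path $certRoot)) { throw "Cannot access network share: $certRoot" }
    Write-Log '[OK] Network share accessible'

    # 2. Certificate for this PC: HOSTNAME-*.pfx, newest batch wins
    $pfx = Get-ChildItem -Path $certRoot -Recurse -File -Filter "$hostName-*.pfx" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $pfx) { throw "Certificate not found for $hostName" }
    Write-Log "[OK] Found certificate: $($pfx.Name)"

    # 3. Import to Cert:\LocalMachine\My and validate what actually came in
    $cert = Import-PfxCertificate -FilePath $pfx.FullName `
                -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    if (-not $cert.HasPrivateKey)    { throw 'Imported certificate has no private key' }
    if ($cert.Issuer -ne $CaSubject) { throw "Unexpected issuer: $($cert.Issuer)" }
    if ($cert.Subject -ne "CN=$fqdn") { throw "Subject $($cert.Subject) does not match $fqdn" }
    Write-Log '[OK] Certificate imported successfully'
    Write-Log "     Subject: $($cert.Subject)"
    Write-Log "     Thumbprint: $($cert.Thumbprint)"
    Write-Log "     Issuer: $($cert.Issuer)"

    # 4. WinRM service and HTTPS listener on 5986 bound to the imported cert
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
    Write-Log '[OK] WinRM service configured'
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse                     # replace any earlier HTTPS listener
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -Hostname $fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    Write-Log '[OK] HTTPS listener created successfully'

    # 5. Firewall: inbound TCP 5986, limited to the Domain profile (a choice made here)
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -Action Allow -Profile Domain | Out-Null
    }
    Write-Log '[OK] Firewall rule created'

    # 6. Everything above was logged as it happened
    Write-Log '[SUCCESS] Certificate Deployment Complete'
}
catch {
    Write-Log "[FAIL] $($_.Exception.Message)"
    exit 1
}
```

The issuer and subject checks are the important additions: Import-PfxCertificate will happily import any PFX the password opens, and the listener would then present whatever certificate the file contained.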


================================================================================
VERIFYING DEPLOYMENT
================================================================================

On the PC (after deployment):

  # Check certificate
  Get-ChildItem Cert:\LocalMachine\My | Where-Object {
      $_.Subject -like "*$env:COMPUTERNAME*"
  }

  # Check WinRM listener
  winrm enumerate winrm/config/listener

  # Check firewall rule
  Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"

  # Check port listening
  netstat -an | findstr :5986


From Management Computer:

  # Test connection
  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

  # Create session
  $cred = Get-Credential
  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
      -Credential $cred -UseSSL -Port 5986
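Running Test-WSMan host by host does not tell you which certificate a listener is actually serving. The script below is an added example, not part of the guide, for the management computer: for every hostname in "shopfloor-hostnames.txt" (assumed, one short name per line) it checks that 5986 is reachable, opens a TLS connection to read the certificate the listener presents, compares issuer and subject against the CA and FQDN conventions in this guide, checks expiry, and finally runs Test-WSMan -UseSSL, which validates the chain against the CA installed in Cert:\LocalMachine\Root in STEP 1.

```powershell
# Added example (not the project's code): inventory the HTTPS listeners from the
# management computer and report anything that does not match the expected CA/FQDN.
$Domain    = 'logon.ds.ge.com'
$CaSubject = 'CN=Shopfloor WinRM CA'          # assumption, taken from the log example
$hosts     = Get-Content 'shopfloor-hostnames.txt' | Where-Object { $_.Trim() }

function Get-ListenerCertificate {
    # Returns the certificate presented on $Fqdn:$Port. Chain validation is
    # deliberately skipped here so the caller can report what was presented;
    # the trust decision is made below against $CaSubject and by Test-WSMan.
    param([string]$Fqdn, [int]$Port = 5986)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Fqdn, $Port)
        $noValidate = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noValidate)
        $ssl.AuthenticateAsClient($Fqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$results = foreach ($h in $hosts) {
    $fqdn = "$h.$Domain"
    $row  = [ordered]@{ Host = $h; Port = $false; Subject = ''; Issuer = ''
                        NotAfter = $null; WsMan = $false; Status = '' }
    $row.Port = (Test-NetConnection -ComputerName $fqdn -Port 5986 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($row.Port) {
        try {
            $c = Get-ListenerCertificate -Fqdn $fqdn
            $row.Subject = $c.Subject; $row.Issuer = $c.Issuer; $row.NotAfter = $c.NotAfter
            try {
                Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop | Out-Null
                $row.WsMan = $true
            } catch { }
        }
        catch { $row.Status = "TLS failed: $($_.Exception.Message)" }
    }
    if (-not $row.Status) {
        $row.Status = if (-not $row.Port)                      { 'port closed' }
                      elseif ($row.Issuer -ne $CaSubject)      { 'wrong issuer' }
                      elseif ($row.Subject -ne "CN=$fqdn")     { 'subject mismatch' }
                      elseif ($row.NotAfter -lt (Get-Date))    { 'expired' }
                      elseif (-not $row.WsMan)                 { 'WS-Man over SSL failed' }
                      else                                     { 'OK' }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
$results | Where-Object Status -ne 'OK' | Export-Csv 'winrm-https-problems.csv' -NoTypeInformation
```

A "wrong issuer" or "subject mismatch" row with the port open is the case worth chasing first: the listener is up but bound to a certificate other than the one signed for that PC.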


================================================================================
DEPLOYMENT LOG EXAMPLE
================================================================================

Log file: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt

============================================================================
PC Certificate Deployment Log
============================================================================
Hostname: G9KN7PZ3ESF
Date/Time: 10/17/2025 14:30:22
Log File: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
============================================================================

[2025-10-17 14:30:22] Computer: G9KN7PZ3ESF
[2025-10-17 14:30:22] FQDN: g9kn7pz3esf.logon.ds.ge.com

[2025-10-17 14:30:22] Checking network share access...
[2025-10-17 14:30:22] [OK] Network share accessible

[2025-10-17 14:30:22] Looking for certificate for G9KN7PZ3ESF...
[2025-10-17 14:30:23] [OK] Found certificate: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx

[2025-10-17 14:30:23] Importing certificate to Local Machine store...
[2025-10-17 14:30:24] [OK] Certificate imported successfully
[2025-10-17 14:30:24]      Subject: CN=g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:24]      Thumbprint: ABC123...
[2025-10-17 14:30:24]      Issuer: CN=Shopfloor WinRM CA

[2025-10-17 14:30:24] Configuring WinRM service...
[2025-10-17 14:30:25] [OK] WinRM service configured

[2025-10-17 14:30:25] Creating WinRM HTTPS listener...
[2025-10-17 14:30:26] [OK] HTTPS listener created successfully

[2025-10-17 14:30:26] Configuring Windows Firewall...
[2025-10-17 14:30:27] [OK] Firewall rule created

============================================================================
[SUCCESS] Certificate Deployment Complete
============================================================================
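With every PC writing a log in the form shown, the LOGS folder doubles as the rollout tracker. The script below is an added example, not part of the guide; it runs on the management computer, reads every HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt in LOGS, keeps the newest log per host, classifies it by the presence of the [SUCCESS] line, and compares against "shopfloor-hostnames.txt" (assumed, one short hostname per line) to list PCs that have not reported at all. It also collects the logged thumbprints and flags any that appear for more than one PC, which would contradict the one-certificate-per-PC design.

```powershell
# Added example (not the project's code): summarise deployment logs on the share.
$LogRoot = 'S:\dt\adata\script\deploy\LOGS'
$hosts   = Get-Content 'shopfloor-hostnames.txt' | Where-Object { $_.Trim() }

function Read-DeployLog {
    # Summarise one HOSTNAME-yyyyMMdd-HHmmss-CERT-DEPLOY.txt file.
    # Assumes hostnames contain no hyphen, as in the examples in this guide.
    param([System.IO.FileInfo]$File)
    $text = Get-Content -Path $File.FullName -Raw
    $m = [regex]::Match($File.Name, '^(?<host>[^-]+)-(?<stamp>\d{8}-\d{6})-CERT-DEPLOY\.txt$')
    [pscustomobject]@{
        Host       = $m.Groups['host'].Value
        Stamp      = $m.Groups['stamp'].Value
        Success    = [bool]($text -match '\[SUCCESS\]')
        Thumbprint = if ($text -match 'Thumbprint:\s*(\S+)') { $Matches[1] } else { '' }
        # last timestamped line: on a failed run this is usually the step that broke
        LastLine   = ($text -split '\r?\n' | Where-Object { $_ -match '^\[' } | Select-Object -Last 1)
    }
}

$logs   = Get-ChildItem -Path $LogRoot -File -Filter '*-CERT-DEPLOY.txt' |
          ForEach-Object { Read-DeployLog $_ } | Where-Object Host
$latest = $logs | Group-Object Host |
          ForEach-Object { $_.Group | Sort-Object Stamp | Select-Object -Last 1 }

$deployed = @($latest | Where-Object Success)
$failed   = @($latest | Where-Object { -not $_.Success })
$noLog    = @($hosts  | Where-Object { $_ -notin $latest.Host })
$dupes    = @($deployed | Where-Object Thumbprint | Group-Object Thumbprint | Where-Object Count -gt 1)

Write-Host ('Deployed OK: {0}   Failed: {1}   No log yet: {2}' -f $deployed.Count, $failed.Count, $noLog.Count)
if ($failed) { Write-Host "`nFailed (newest log per host):"; $failed | Format-Table Host, Stamp, LastLine -AutoSize }
if ($noLog)  { Write-Host "`nNo log yet:"; $noLog -join ', ' }
foreach ($d in $dupes) {
    Write-Warning "Thumbprint $($d.Name) appears on several PCs: $($d.Group.Host -join ', ')"
}
```

Run it between batches when using Option 3 in BATCH DEPLOYMENT; the "No log yet" list is the set still to do and the "Failed" table points at the log line to read.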


================================================================================
TROUBLESHOOTING
================================================================================

Problem: "Cannot access network share"
Solution:
  - Verify S:\dt\adata\script\deploy\ is accessible from the PC
  - Check network connectivity
  - Verify permissions (Domain Computers should have READ access)

Problem: "Certificate not found for HOSTNAME"
Solution:
  - Verify certificate exists in S:\dt\adata\script\deploy\pc-certificates\batch-*\
  - Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
  - Run Sign-BulkCertificates.ps1 if certificates weren't created

Problem: "Wrong password"
Solution:
  - Default password is: PCCert2025!
  - If you used a different password when signing, use that instead

Problem: "Port 5986 not listening after deployment"
Solution:
  - Check deployment log in S:\dt\adata\script\deploy\LOGS\
  - Run Test-RemotePC-Debug.bat on the PC
  - Check for errors in listener creation

Problem: "Cannot connect from management computer"
Solution:
  - Verify CA certificate is installed on management computer:
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
  - Test port: Test-NetConnection -ComputerName HOSTNAME -Port 5986
  - Check firewall on both computers


================================================================================
BATCH DEPLOYMENT
================================================================================

To deploy to all 175 PCs at once:

Option 1: Group Policy (Recommended for large deployments)
  - Create GPO that runs Deploy-PCCertificate.bat at startup
  - Assign to OU containing shopfloor PCs
  - PCs will deploy on next reboot

Option 2: PowerShell Remote Execution
  - Use Invoke-Command to run deployment on multiple PCs
  - Requires existing WinRM access (HTTP on 5985)

Option 3: Manual in Batches
  - Deploy to 10-20 PCs at a time
  - Verify each batch before continuing
  - Track progress in spreadsheet


================================================================================
ADVANTAGES OF THIS APPROACH
================================================================================

✓ Centralized certificate storage (network share)
✓ Automatic certificate detection (finds correct cert for each PC)
✓ Self-contained deployment (one script does everything)
✓ Comprehensive logging (every deployment logged)
✓ Easy to deploy (just run the .bat file)
✓ Secure (each PC gets unique certificate)
✓ Clean connections (no -SessionOption needed)


================================================================================
SUMMARY
================================================================================

1. Sign certificates (once)
2. Copy to network share: S:\dt\adata\script\deploy\pc-certificates\
3. On each PC: Run Deploy-PCCertificate.bat
4. Connect cleanly from management computer

Simple and effective!

================================================================================
