================================================================================
NETWORK SHARE DEPLOYMENT GUIDE
================================================================================

Network Share Location: S:\dt\adata\script\deploy\pc-certificates

This guide shows how to deploy certificates from the network share to PCs.

================================================================================
SETUP (One Time)
================================================================================

STEP 1: Create CA and Sign Certificates (On Management Computer)
-----------------------------------------------------------------

cd C:\path\to\winrm-ca-scripts

# Create CA
.\Create-CA-Simple.ps1

# Install CA on your computer
# (resolve the exact .cer file name first; -FilePath expects one file)
$caCer = (Get-ChildItem "Shopfloor-WinRM-CA-*.cer" | Select-Object -First 1).FullName
Import-Certificate -FilePath $caCer `
    -CertStoreLocation Cert:\LocalMachine\Root

# Sign all 175 certificates
.\Sign-BulkCertificates.ps1

STEP 2: Copy Certificates to Network Share
-------------------------------------------

# Copy the entire batch folder to network share
Copy-Item "pc-certificates\batch-*" `
    -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
    -Recurse

STEP 3: Copy Deployment Scripts to Network Share
-------------------------------------------------

# Copy deployment scripts to network share
Copy-Item "Deploy-PCCertificate.ps1" `
    -Destination "S:\dt\adata\script\deploy\"
Copy-Item "Deploy-PCCertificate.bat" `
    -Destination "S:\dt\adata\script\deploy\"

STEP 4: Set Network Share Permissions
--------------------------------------

- Grant "Domain Computers" READ access to:
    S:\dt\adata\script\deploy\pc-certificates\
    S:\dt\adata\script\deploy\Deploy-PCCertificate.*

- Grant "Domain Computers" WRITE access to:
    S:\dt\adata\script\deploy\LOGS\

Note: with READ on the certificate folder, every domain-joined computer can
read every PC's .pfx, and the private keys inside are protected only by the
shared password, so remove the batch folder from the share once all PCs are
deployed.

================================================================================
NETWORK SHARE STRUCTURE
================================================================================

S:\dt\adata\script\deploy\
├── Deploy-PCCertificate.ps1          # Deployment script
├── Deploy-PCCertificate.bat          # Batch wrapper
├── pc-certificates\                  # Certificate folder
│   └── batch-TIMESTAMP\              # Batch of certificates
│       ├── G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
│       ├── G1JJVH63ESF-logon.ds.ge.com-*.pfx
│       ├── ... (175 certificates total)
│       ├── certificate-list.csv
│       └── SUMMARY.txt
└── LOGS\                             # Log files
    └── HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt

================================================================================
DEPLOYMENT TO EACH PC (Method 1: Manual)
================================================================================

On each PC:

1. Navigate to: S:\dt\adata\script\deploy\
2. Right-click: Deploy-PCCertificate.bat
3. Select: "Run as Administrator"
4. Enter certificate password: PCCert2025!
5. Wait for SUCCESS message
6. Done!

The script will:
✓ Find the certificate for this PC automatically
✓ Import it to Local Machine certificate store
✓ Configure WinRM HTTPS listener
✓ Create firewall rule
✓ Log everything to S:\dt\adata\script\deploy\LOGS\

================================================================================
DEPLOYMENT TO EACH PC (Method 2: Remote PowerShell)
================================================================================

From management computer, deploy to multiple PCs:

$pcs = Get-Content "shopfloor-hostnames.txt"
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force

foreach ($pc in $pcs) {
    Write-Host "Deploying to $pc..." -ForegroundColor Yellow

    # Copy scripts to PC (if not using network share)
    # OR just invoke from network share
    #
    # NOTE: a mapped drive letter such as S: does not exist inside a remote
    # session, and a remote session cannot forward your credentials on to the
    # share (the "second hop"), so use the share's UNC path and either copy
    # the scripts to the PC first or enable credential delegation (CredSSP).
    # The .bat prompts for the certificate password; under Invoke-Command there
    # is no console to answer it, so pass $certPass to Deploy-PCCertificate.ps1
    # instead (parameter name depends on that script).
    Invoke-Command -ComputerName $pc -ScriptBlock {
        & "S:\dt\adata\script\deploy\Deploy-PCCertificate.bat"
    }

    Write-Host "$pc complete!" -ForegroundColor Green
}

================================================================================
WHAT HAPPENS DURING DEPLOYMENT
================================================================================

1. Script checks network share access
   → S:\dt\adata\script\deploy\pc-certificates

2. Script finds certificate for this PC
   → Searches for: HOSTNAME-*.pfx

3. Script imports certificate
   → To: Cert:\LocalMachine\My

4. Script configures WinRM HTTPS
   → Listener on port 5986
   → Uses imported certificate

5. Script creates firewall rule
   → Allow inbound TCP 5986

6. Script logs everything
   → To: S:\dt\adata\script\deploy\LOGS\HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt

================================================================================
VERIFYING DEPLOYMENT
================================================================================

On the PC (after deployment):

# Check certificate
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$env:COMPUTERNAME*" }

# Check WinRM listener
winrm enumerate winrm/config/listener

# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"

# Check port listening
netstat -an | findstr :5986

From Management Computer:

# Test connection
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

# Create session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986

================================================================================
DEPLOYMENT LOG EXAMPLE
================================================================================

Log file: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt

============================================================================
PC Certificate Deployment Log
============================================================================
Hostname:  G9KN7PZ3ESF
Date/Time: 10/17/2025 14:30:22
Log File:  S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
============================================================================
[2025-10-17 14:30:22] Computer: G9KN7PZ3ESF
[2025-10-17 14:30:22] FQDN: g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:22] Checking network share access...
[2025-10-17 14:30:22] [OK] Network share accessible
[2025-10-17 14:30:22] Looking for certificate for G9KN7PZ3ESF...
[2025-10-17 14:30:23] [OK] Found certificate: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
[2025-10-17 14:30:23] Importing certificate to Local Machine store...
[2025-10-17 14:30:24] [OK] Certificate imported successfully
[2025-10-17 14:30:24]   Subject: CN=g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:24]   Thumbprint: ABC123...
[2025-10-17 14:30:24]   Issuer: CN=Shopfloor WinRM CA
[2025-10-17 14:30:24] Configuring WinRM service...
[2025-10-17 14:30:25] [OK] WinRM service configured
[2025-10-17 14:30:25] Creating WinRM HTTPS listener...
[2025-10-17 14:30:26] [OK] HTTPS listener created successfully
[2025-10-17 14:30:26] Configuring Windows Firewall...
[2025-10-17 14:30:27] [OK] Firewall rule created
============================================================================
[SUCCESS] Certificate Deployment Complete
============================================================================

================================================================================
TROUBLESHOOTING
================================================================================

Problem: "Cannot access network share"
Solution:
- Verify S:\dt\adata\script\deploy\ is accessible from the PC
- Check network connectivity
- Verify permissions (Domain Computers should have READ access)

Problem: "Certificate not found for HOSTNAME"
Solution:
- Verify certificate exists in S:\dt\adata\script\deploy\pc-certificates\batch-*\
- Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
- Run Sign-BulkCertificates.ps1 if certificates weren't created

Problem: "Wrong password"
Solution:
- Default password is: PCCert2025!
- If you used a different password, use that instead

Problem: "Port 5986 not listening after deployment"
Solution:
- Check deployment log in S:\dt\adata\script\deploy\LOGS\
- Run Test-RemotePC-Debug.bat on the PC
- Check for errors in listener creation

Problem: "Cannot connect from management computer"
Solution:
- Verify CA certificate is installed on management computer:
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*Shopfloor*" }
- Test port: Test-NetConnection -ComputerName HOSTNAME -Port 5986
- Check firewall on both computers

================================================================================
BATCH DEPLOYMENT
================================================================================

To deploy to all 175 PCs at once:

Option 1: Group Policy (Recommended for large deployments)
- Create GPO that runs Deploy-PCCertificate.bat at startup
  (startup scripts run as the computer account, which is what the
  "Domain Computers" permissions in STEP 4 are for)
- Assign to OU containing shopfloor PCs
- PCs will deploy on next reboot

Option 2: PowerShell Remote Execution
- Use Invoke-Command to run deployment on multiple PCs
- Requires existing WinRM access (HTTP on 5985)

Option 3: Manual in Batches
- Deploy to 10-20 PCs at a time
- Verify each batch before continuing
- Track progress in spreadsheet

================================================================================
ADVANTAGES OF THIS APPROACH
================================================================================

✓ Centralized certificate storage (network share)
✓ Automatic certificate detection (finds correct cert for each PC)
✓ Self-contained deployment (one script does everything)
✓ Comprehensive logging (every deployment logged)
✓ Easy to deploy (just run the .bat file)
✓ Secure (each PC gets unique certificate)
✓ Clean connections (no -SessionOption needed)

================================================================================
SUMMARY
================================================================================

1. Sign certificates (once)
2. Copy to network share: S:\dt\adata\script\deploy\pc-certificates\
3. On each PC: Run Deploy-PCCertificate.bat
4. Connect cleanly from management computer

Simple and effective!

================================================================================
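The six per-PC steps listed under WHAT HAPPENS DURING DEPLOYMENT (share check, certificate lookup by hostname, import, HTTPS listener, firewall rule, log file) written out as one script. This is an added example for this guide, not the Deploy-PCCertificate.ps1 that lives on the share; it assumes the share path, file naming and log naming described above, the CA name shown in the log example, an elevated PowerShell on Windows 8/2012 or later (Import-PfxCertificate and the WSMan: drive), and adds the checks a deployment script should make before trusting what it imported: private key present, expected issuer, subject matches this PC's FQDN, chain validates to the installed root.

```powershell
# Added example: per-PC deployment logic as described in the guide.
# Not the project's Deploy-PCCertificate.ps1. Assumes the share layout and
# file naming from the guide, an elevated session, and the PKI/WSMan modules.
param(
    [string]$ShareRoot      = 'S:\dt\adata\script\deploy',    # as in the guide
    [string]$ExpectedIssuer = 'CN=Shopfloor WinRM CA',        # issuer from the log example
    [System.Security.SecureString]$PfxPassword = (Read-Host -AsSecureString 'Certificate password')
)
$ErrorActionPreference = 'Stop'
$hostName = $env:COMPUTERNAME
$fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName.ToLower()
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$log      = Join-Path $ShareRoot "LOGS\$hostName-$stamp-CERT-DEPLOY.txt"

function Write-Log([string]$Message) {
    $line = "[{0}] {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Write-Host $line
    # A broken LOGS share must not hide the real error, so log writes are best effort.
    Add-Content -Path $log -Value $line -ErrorAction SilentlyContinue
}

try {
    # 1. Share reachable (Domain Computers READ / LOGS WRITE, per STEP 4)
    $certDir = Join-Path $ShareRoot 'pc-certificates'
    if (-not (Test-Path $certDir)) { throw "Cannot access network share: $certDir" }
    Write-Log '[OK] Network share accessible'

    # 2. Find HOSTNAME-*.pfx across batch-* folders; newest wins if several batches exist
    $candidates = @(Get-ChildItem -Path $certDir -Recurse -Filter "$hostName-*.pfx")
    if ($candidates.Count -eq 0) { throw "Certificate not found for $hostName" }
    $pfx = $candidates | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    Write-Log "[OK] Found certificate: $($pfx.Name)"

    # 3. Import into Cert:\LocalMachine\My, then validate what was imported
    $cert = Import-PfxCertificate -FilePath $pfx.FullName `
                -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    if (-not $cert.HasPrivateKey)          { throw 'Imported certificate has no private key' }
    if ($cert.Issuer -ne $ExpectedIssuer)  { throw "Unexpected issuer: $($cert.Issuer)" }
    if ($cert.Subject -notlike "CN=$fqdn*") { throw "Subject $($cert.Subject) does not match $fqdn" }
    if (-not $cert.Verify()) { throw 'Chain does not validate; is the CA in Cert:\LocalMachine\Root?' }
    Write-Log '[OK] Certificate imported successfully'
    Write-Log "  Subject: $($cert.Subject)"
    Write-Log "  Thumbprint: $($cert.Thumbprint)"
    Write-Log "  Issuer: $($cert.Issuer)"

    # 4. WinRM service + HTTPS listener on 5986 bound to this certificate
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
    Write-Log '[OK] WinRM service configured'
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse -Force                     # drop any stale HTTPS listener
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    Write-Log '[OK] HTTPS listener created successfully'

    # 5. Firewall rule: inbound TCP 5986. Domain profile only is this example's
    #    choice; the guide's rule is not profile-restricted.
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound `
            -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null
    }
    Write-Log '[OK] Firewall rule created'
    Write-Log '[SUCCESS] Certificate Deployment Complete'
}
catch {
    # 6. Failures are logged too, so the LOGS folder shows why a PC is missing
    Write-Log "[FAIL] $($_.Exception.Message)"
    exit 1
}
```

The issuer, subject and chain checks are what turn "the import succeeded" into "this PC now serves the certificate the management computer will trust"; without them a wrong PFX on the share (or a CA missing from LocalMachine\Root) only shows up later as "Cannot connect from management computer".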
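A management-side check covering two places in this guide at once: the "Certificate not found for HOSTNAME" preflight (does every host in the list have exactly one matching .pfx on the share?) and the VERIFYING DEPLOYMENT / "Cannot connect from management computer" step (is 5986 open, which certificate is actually bound to the listener, does Test-WSMan succeed over TLS?). Added example, not part of the winrm-ca-scripts project; it assumes the share path, the shopfloor-hostnames.txt list used in Method 2, the logon.ds.ge.com suffix and the CA name shown above, and the report file name is a placeholder of this example's own.

```powershell
# Added example: management-side preflight and post-deployment report.
# Not the project's code. Assumes the share layout, host list, DNS suffix
# and CA name from the guide; the CSV name is this example's placeholder.
param(
    [string]$ShareRoot      = 'S:\dt\adata\script\deploy',
    [string]$HostList       = 'shopfloor-hostnames.txt',
    [string]$DnsSuffix      = 'logon.ds.ge.com',
    [string]$ExpectedIssuer = 'CN=Shopfloor WinRM CA',
    [string]$Report         = 'winrm-https-status.csv'
)

# Fetch the certificate a listener presents on 5986. The callback accepts any
# certificate on purpose: the script inspects it itself below rather than relying
# on the local trust store, so a self-signed or wrong certificate is reported,
# not silently rejected. No credentials are sent on this connection.
function Get-ListenerCertificate([string]$Fqdn, [int]$Port = 5986) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$batchDir = Join-Path $ShareRoot 'pc-certificates'
$results = foreach ($raw in (Get-Content $HostList | Where-Object { $_.Trim() })) {
    $pc   = $raw.Trim().ToUpper()
    $fqdn = "$pc.$DnsSuffix".ToLower()

    # Preflight: exactly one HOSTNAME-<suffix>-*.pfx should exist under batch-*
    $pfxCount = @(Get-ChildItem -Path $batchDir -Recurse -Filter "$pc-$DnsSuffix-*.pfx" `
                    -ErrorAction SilentlyContinue).Count

    # Post-deploy: port open, certificate bound, WinRM answering over TLS
    $portOpen = (Test-NetConnection -ComputerName $fqdn -Port 5986 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    $issuer = $subject = $expires = $null
    $wsman  = $false
    $status = 'PORT CLOSED'
    if ($portOpen) {
        try {
            $cert    = Get-ListenerCertificate -Fqdn $fqdn
            $issuer  = $cert.Issuer
            $subject = $cert.Subject
            $expires = $cert.NotAfter
            $wsman   = [bool](Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction SilentlyContinue)
            $status  = if ($issuer -ne $ExpectedIssuer)            { 'WRONG ISSUER' }
                       elseif ($subject -notlike "CN=$fqdn*")       { 'WRONG SUBJECT' }
                       elseif ($expires -lt (Get-Date).AddDays(30)) { 'EXPIRING' }
                       elseif (-not $wsman)                         { 'TLS OK, WSMAN FAILED' }
                       else                                         { 'OK' }
        }
        catch { $status = "TLS ERROR: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Host       = $pc
        PfxOnShare = $pfxCount     # 0 = "Certificate not found", >1 = ambiguous batches
        PortOpen   = $portOpen
        Issuer     = $issuer
        Expires    = $expires
        WSMan      = $wsman
        Status     = $status
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once before deployment (PfxOnShare is the column that matters then) and again after each batch; any row that is not Status = OK maps to one of the TROUBLESHOOTING entries above, and WRONG ISSUER in particular means the listener is bound to some other certificate and the management computer's trust in the Shopfloor CA will not help.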