# Network Share Deployment Guide

This guide explains how to deploy WinRM HTTPS to shopfloor PCs using a network share.

## Overview

Instead of manually copying files to each PC, you can:

1. Place all files on a network share
2. Access the share from each PC
3. Run a batch file to install

This is faster and ensures all PCs get the same configuration.

## Setup Network Share

### Step 1: Create Network Share

**On your file server or management computer:**

```powershell
# Create deployment folder
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force

# Copy all required files to deployment folder
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath -Recurse

# Share the folder read-only (clients only need to read and run the files)
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"
```

**Or manually:**

1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder → Properties → Sharing → Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)

### Step 2: Verify Share Access

**From another computer:**

```powershell
# Test access (replace SERVER with your server name)
Test-Path "\\SERVER\WinRM-HTTPS"

# List files
Get-ChildItem "\\SERVER\WinRM-HTTPS"
```

Expected files:

- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts

---

## Required Files for Deployment

### Minimal Deployment Package

For basic deployment, you need:

```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat                   (NEW - Main deployment script)
├── Setup-WinRM-HTTPS.ps1                    (WinRM HTTPS setup)
├── wildcard-logon-ds-ge-com-20251017.pfx    (Certificate - REQUIRED)
└── README.txt                               (Optional - Instructions)
```

### Complete Package (Recommended)

Include everything for troubleshooting:

```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat                   (Deployment batch file)
├── Test-WinRM-HTTPS.bat                     (Test batch file)
├── Setup-WinRM-HTTPS.ps1                    (WinRM setup script)
├── Test-WinRM-HTTPS-Setup.ps1               (Test script)
├── Generate-WildcardCert.ps1                (Certificate generator - optional)
├── Generate-WildcardCert-Alternative.ps1    (Alternative generator)
├── wildcard-logon-ds-ge-com-20251017.pfx    (Certificate - REQUIRED!)
├── README.md                                (Documentation)
├── GETTING_STARTED.md                       (User guide)
├── NETWORK_SHARE_DEPLOYMENT.md              (This file)
└── TROUBLESHOOTING_CERTIFICATE_GENERATION.md
```

---

## Deployment Methods

### Method 1: User Runs from Network Share (Simplest)

**On each shopfloor PC:**

1. Open Windows Explorer
2. Navigate to: `\\SERVER\WinRM-HTTPS`
3. Right-click `Deploy-WinRM-HTTPS.bat`
4. Select "Run as Administrator"
5. Enter certificate password when prompted
6. Wait for completion

**Advantages:**

- Simple - no copying needed
- Always uses latest files
- No local disk space used

**Disadvantages:**

- Requires network connectivity during install
- Slower if network is congested

---

### Method 2: Copy to Local Then Run (Recommended)

**On each shopfloor PC:**

```powershell
# Copy files locally first
New-Item -Path "C:\Temp\WinRM-Setup" -ItemType Directory -Force
Copy-Item "\\SERVER\WinRM-HTTPS\*" -Destination "C:\Temp\WinRM-Setup\" -Recurse

# Run locally
cd C:\Temp\WinRM-Setup
.\Deploy-WinRM-HTTPS.bat
```

**Or using batch file:**

```batch
@echo off
echo Copying deployment files...
xcopy "\\SERVER\WinRM-HTTPS\*" "C:\Temp\WinRM-Setup\" /E /Y
cd /d C:\Temp\WinRM-Setup
Deploy-WinRM-HTTPS.bat
```

**Advantages:**

- Faster execution
- Works if network connection lost
- Can verify files before running

**Disadvantages:**

- Uses local disk space
- Extra copy step

---

### Method 3: Remote Execution (Advanced)

**From management computer, deploy to multiple PCs:**

```powershell
# List of target PCs
$targetPCs = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -First 5

# Your credentials
$cred = Get-Credential -Message "Enter domain admin credentials"

# Deploy to each PC
foreach ($hostname in $targetPCs) {
    Write-Host "Deploying to $hostname..." -ForegroundColor Yellow

    try {
        # Copy files to remote PC (uses the admin share C$)
        $remotePath = "\\$hostname\C$\Temp\WinRM-Setup"
        New-Item -Path $remotePath -ItemType Directory -Force
        Copy-Item "C:\Deployment\WinRM-HTTPS\*" -Destination $remotePath -Recurse

        # Execute remotely
        Invoke-Command -ComputerName $hostname -Credential $cred -ScriptBlock {
            Set-Location "C:\Temp\WinRM-Setup"

            # Run PowerShell script directly
            # The certificate password is embedded in plaintext here (see Disadvantages)
            $certPath = "C:\Temp\WinRM-Setup\wildcard-logon-ds-ge-com-20251017.pfx"
            $certPass = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force

            & "C:\Temp\WinRM-Setup\Setup-WinRM-HTTPS.ps1" `
                -CertificatePath $certPath `
                -CertificatePassword $certPass `
                -Domain "logon.ds.ge.com"
        }

        Write-Host "[OK] $hostname - Deployment complete" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $hostname - $($_.Exception.Message)" -ForegroundColor Red
    }
}
```

**Advantages:**

- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch

**Disadvantages:**

- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)

---

### Method 4: Group Policy Startup Script

**For domain-joined computers:**

1. **Copy files to NETLOGON share:**

   ```
   \\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\
   ```

2. **Create GPO:**
   - Open Group Policy Management
   - Create new GPO: "Deploy WinRM HTTPS"
   - Edit GPO

3. **Add Startup Script:**
   - Computer Configuration → Policies → Windows Settings → Scripts
   - Startup → Add
   - Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`

4. **Link GPO to OU:**
   - Link to Shopfloor Computers OU
   - PCs will run script on next reboot

**Advantages:**

- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges

**Disadvantages:**

- Requires domain environment
- Requires restart
- Password handling more complex

---

## Security Considerations

### Certificate Password

**Problem:** The batch file and scripts need the certificate password.


**Solutions:**

**Option 1: Interactive Prompt (Recommended for Manual)**

```batch
REM Batch file prompts user
Deploy-WinRM-HTTPS.bat
REM User types password when prompted
```

**Option 2: Encrypted File (Recommended for Automation)**

```powershell
# One-time setup: Store password encrypted
# Note: Export-Clixml protects the SecureString with Windows DPAPI, so the file
# can only be decrypted by the same user account on the same computer.
$certPass = Read-Host "Enter cert password" -AsSecureString
$certPass | Export-Clixml -Path "\\SERVER\WinRM-HTTPS\cert-password.xml"

# Modify Deploy-WinRM-HTTPS.bat to use:
# -CertificatePasswordFile ".\cert-password.xml"
```

**Option 3: Environment Variable (Less Secure)**

```batch
REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```

**Never:**

- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file

### Share Permissions

**Recommended permissions:**

- **Read:** Authenticated Users or Shopfloor Computers group
- **Change/Full Control:** IT Admins only

```powershell
# Set proper permissions
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\Domain Computers" -AccessRight Read -Force
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -AccessRight Full -Force
```

### Certificate Protection

The certificate PFX file contains the private key. Protect it:

1. **Use share permissions** to restrict access
2. **Use certificate password** (you did)
3. **Monitor access** to the share
4. **Delete from share** after deployment complete

---

## Deployment Workflow

### Recommended Workflow

**Phase 1: Prepare (One Time)**

```
1. Create network share: \\SERVER\WinRM-HTTPS
2. Copy all deployment files
3. Test from one PC
4. Document password securely
```

**Phase 2: Test Deployment (3-5 PCs)**

```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat → Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
```

**Phase 3: Full Deployment (All 175 PCs)**

```
Option A: Manual
- Visit each PC or send instructions to users
- Run Deploy-WinRM-HTTPS.bat

Option B: Remote
- Use remote execution script
- Deploy in batches of 20

Option C: Automated
- Use GPO startup script
- Schedule during maintenance window
```

**Phase 4: Verification**

```
1. Run connection test:
   .\Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections
2. Check logs for failures
3. Remediate failed PCs
```

**Phase 5: Cleanup**

```
1. Remove certificate from network share
2. Store password in secure vault
3. Document deployed PCs
4. Update asset inventory
```

---

## Example: Complete Deployment Session

### Step 1: Setup Share

```powershell
# On management server
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force

# Copy files
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath

# Share
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"

Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
```

### Step 2: Test on One PC

**On test PC (G1JJVH63ESF):**

1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` → Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion

### Step 3: Verify

**From management server:**

```powershell
# Test connection
Test-WSMan -ComputerName "G1JJVH63ESF.logon.ds.ge.com" -UseSSL -Port 5986

# If successful, create session
$cred = Get-Credential
$session = New-PSSession -ComputerName "G1JJVH63ESF.logon.ds.ge.com" `
    -UseSSL -Port 5986 -Credential $cred

# Test command
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }

# Cleanup
Remove-PSSession $session
```

### Step 4: Deploy to Next Batch

```powershell
# Deploy to next 5 PCs
$nextBatch = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -Skip 1 -First 5

foreach ($hostname in $nextBatch) {
    Write-Host "`nDeploying to $hostname..." -ForegroundColor Cyan

    # Instructions for manual deployment
    Write-Host "1. RDP/physically access: $hostname" -ForegroundColor Yellow
    Write-Host "2. Open: \\MANAGEMENT-SERVER\WinRM-HTTPS" -ForegroundColor Yellow
    Write-Host "3. Run: Deploy-WinRM-HTTPS.bat (as Administrator)" -ForegroundColor Yellow
    Write-Host "4. Password: XqHuyaLZSyCYEcpsMz6h5" -ForegroundColor Yellow

    $continue = Read-Host "`nPress Enter when complete (or S to skip)"
    if ($continue -eq 'S') { continue }

    # Test after deployment
    try {
        Test-WSMan -ComputerName "$hostname.logon.ds.ge.com" -UseSSL -Port 5986 -ErrorAction Stop
        Write-Host "[OK] $hostname - WinRM HTTPS working" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $hostname - Could not connect" -ForegroundColor Red
    }
}
```

---

## Troubleshooting Network Share Deployment

### Problem: "Cannot access network share"

**Check:**

```powershell
# Test connectivity
Test-NetConnection -ComputerName SERVER -Port 445

# Test share access
Test-Path "\\SERVER\WinRM-HTTPS"

# List shares
Get-SmbShare -CimSession SERVER

# Check permissions
Get-SmbShareAccess -Name "WinRM-HTTPS"
```

**Solution:**

- Verify share exists
- Check firewall (port 445)
- Verify user has Read access
- Try the fully qualified UNC path: `\\SERVER.domain.com\WinRM-HTTPS`

---

### Problem: "Access Denied" running batch file

**Solution:**

- Right-click → Run as Administrator
- User must be local admin on PC
- Check UAC settings

---

### Problem: Certificate password prompt fails

**Solution:**

- Modify batch file to read from file
- Use encrypted credential file
- Or hardcode temporarily for testing (remove after)

---

## Creating README for Network Share

```text
# WinRM HTTPS Deployment

This folder contains files to deploy WinRM HTTPS to shopfloor PCs.

## Quick Start

1. Right-click Deploy-WinRM-HTTPS.bat
2. Select "Run as Administrator"
3. Enter certificate password when prompted
4. Wait for completion

## Password

Contact IT Support for the certificate password.

## Files

- Deploy-WinRM-HTTPS.bat - Main deployment script
- Setup-WinRM-HTTPS.ps1 - PowerShell setup script
- wildcard-*.pfx - Certificate (DO NOT DELETE)

## Support

For issues, contact: IT Support / Extension: XXXX
```

Save as `README.txt` in the share.

---

## Summary

**Best Practice for Your Scenario:**

1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
   - `Deploy-WinRM-HTTPS.bat`
   - `Setup-WinRM-HTTPS.ps1`
   - `wildcard-logon-ds-ge-com-20251017.pfx`
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done

**Certificate Password Storage:**

- Store in password manager
- Share only with authorized personnel
- Use encrypted files for automation

**The batch files handle:**

- Administrator check
- File verification
- Error handling
- User feedback
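
The share permission and certificate protection recommendations in Security Considerations can be checked with a short audit, shown here as an added example that is not one of the guide's scripts. The function name `Test-DeploymentShare`, the allowed-writer list and the search pattern are assumptions; run it on the server that hosts the share.

```powershell
# Added example: audit the deployment share against the guide's recommendations.
# Assumption: only these accounts should hold Change/Full on the share.
$allowedWriters = @('DOMAIN\IT Admins', 'BUILTIN\Administrators')

function Test-DeploymentShare {
    param(
        [string]$ShareName = 'WinRM-HTTPS',
        [string[]]$AllowedWriters = @()
    )
    $findings = @()
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # 1. Share ACL: flag Everyone, and any non-admin account with more than Read.
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        $right = [string]$ace.AccessRight
        if ($ace.AccountName -eq 'Everyone') {
            $findings += "ACL: Everyone has $right access (use a computer or security group)"
        }
        elseif ($right -ne 'Read' -and $ace.AccountName -notin $AllowedWriters) {
            $findings += "ACL: $($ace.AccountName) has $right access"
        }
    }

    # 2. Private key still on the share (Phase 5 says to remove it after deployment).
    Get-ChildItem -Path $share.Path -Filter '*.pfx' -Recurse -File | ForEach-Object {
        $findings += "PFX present: $($_.FullName)"
    }

    # 3. Scripts on the share that appear to embed the password in plaintext.
    $pattern = '-AsPlainText|setx\s+WINRM_CERT_PASS'
    Get-ChildItem -Path $share.Path -Include '*.bat', '*.ps1', '*.txt' -Recurse -File |
        Select-String -Pattern $pattern |
        ForEach-Object { $findings += "Review for plaintext password: $($_.Path):$($_.LineNumber)" }

    return $findings
}

$result = Test-DeploymentShare -AllowedWriters $allowedWriters
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Host "No findings for the share." -ForegroundColor Green }
```

A PFX finding is expected while deployment is in progress; after Phase 5 the audit should report none.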