ge-aerospace/powershell-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62c0c7bb06fa5cf497b782979b9a329ef58afcd1
powershell-scripts/winrm-https/deployment-package/NETWORK_SHARE_DEPLOYMENT.md
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection 
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00

537 lines
13 KiB
Markdown
Raw Blame History

# Network Share Deployment Guide
This guide explains how to deploy WinRM HTTPS to shopfloor PCs using a network share.
## Overview
Instead of manually copying files to each PC, you can:
1. Place all files on a network share
2. Access the share from each PC
3. Run a batch file to install
This is faster and ensures all PCs get the same configuration.
## Setup Network Share
### Step 1: Create Network Share
**On your file server or management computer:**
```powershell
# Create deployment folder
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy all required files to deployment folder
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath -Recurse
# Share the folder
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -FullAccess "Everyone"
```
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder → Properties → Sharing → Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
### Step 2: Verify Share Access
**From another computer:**
```powershell
# Test access (replace SERVER with your server name)
Test-Path "\\SERVER\WinRM-HTTPS"
# List files
Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
-`Deploy-WinRM-HTTPS.bat`
-`Setup-WinRM-HTTPS.ps1`
-`wildcard-logon-ds-ge-com-20251017.pfx`
- ✅ Other PS1 scripts
---
## Required Files for Deployment
### Minimal Deployment Package
For basic deployment, you need:
```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (NEW - Main deployment script)
├── Setup-WinRM-HTTPS.ps1 (WinRM HTTPS setup)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED)
└── README.txt (Optional - Instructions)
```
### Complete Package (Recommended)
Include everything for troubleshooting:
```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (Deployment batch file)
├── Test-WinRM-HTTPS.bat (Test batch file)
├── Setup-WinRM-HTTPS.ps1 (WinRM setup script)
├── Test-WinRM-HTTPS-Setup.ps1 (Test script)
├── Generate-WildcardCert.ps1 (Certificate generator - optional)
├── Generate-WildcardCert-Alternative.ps1 (Alternative generator)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED!)
├── README.md (Documentation)
├── GETTING_STARTED.md (User guide)
├── NETWORK_SHARE_DEPLOYMENT.md (This file)
└── TROUBLESHOOTING_CERTIFICATE_GENERATION.md
```
---
## Deployment Methods
### Method 1: User Runs from Network Share (Simplest)
**On each shopfloor PC:**
1. Open Windows Explorer
2. Navigate to: `\\SERVER\WinRM-HTTPS`
3. Right-click `Deploy-WinRM-HTTPS.bat`
4. Select "Run as Administrator"
5. Enter certificate password when prompted
6. Wait for completion
**Advantages:**
- ✅ Simple - no copying needed
- ✅ Always uses latest files
- ✅ No local disk space used
**Disadvantages:**
- ⚠️ Requires network connectivity during install
- ⚠️ Slower if network is congested
---
### Method 2: Copy to Local Then Run (Recommended)
**On each shopfloor PC:**
```powershell
# Copy files locally first
New-Item -Path "C:\Temp\WinRM-Setup" -ItemType Directory -Force
Copy-Item "\\SERVER\WinRM-HTTPS\*" -Destination "C:\Temp\WinRM-Setup\" -Recurse
# Run locally
cd C:\Temp\WinRM-Setup
.\Deploy-WinRM-HTTPS.bat
```
**Or using batch file:**
```batch
@echo off
echo Copying deployment files...
xcopy "\\SERVER\WinRM-HTTPS\*" "C:\Temp\WinRM-Setup\" /E /Y
cd /d C:\Temp\WinRM-Setup
Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- ✅ Faster execution
- ✅ Works if network connection lost
- ✅ Can verify files before running
**Disadvantages:**
- ⚠️ Uses local disk space
- ⚠️ Extra copy step
---
### Method 3: Remote Execution (Advanced)
**From management computer, deploy to multiple PCs:**
```powershell
# List of target PCs
$targetPCs = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -First 5
# Your credentials
$cred = Get-Credential -Message "Enter domain admin credentials"
# Deploy to each PC
foreach ($hostname in $targetPCs) {
Write-Host "Deploying to $hostname..." -ForegroundColor Yellow
try {
# Copy files to remote PC
$remotePath = "\\$hostname\C$\Temp\WinRM-Setup"
New-Item -Path $remotePath -ItemType Directory -Force
Copy-Item "C:\Deployment\WinRM-HTTPS\*" -Destination $remotePath -Recurse
# Execute remotely
Invoke-Command -ComputerName $hostname -Credential $cred -ScriptBlock {
Set-Location "C:\Temp\WinRM-Setup"
# Run PowerShell script directly
$certPath = "C:\Temp\WinRM-Setup\wildcard-logon-ds-ge-com-20251017.pfx"
$certPass = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force
& "C:\Temp\WinRM-Setup\Setup-WinRM-HTTPS.ps1" `
-CertificatePath $certPath `
-CertificatePassword $certPass `
-Domain "logon.ds.ge.com"
}
Write-Host "[OK] $hostname - Deployment complete" -ForegroundColor Green
}
catch {
Write-Host "[FAIL] $hostname - $($_.Exception.Message)" -ForegroundColor Red
}
}
```
**Advantages:**
- ✅ Deploy to many PCs from one location
- ✅ No physical access needed
- ✅ Can run overnight/batch
**Disadvantages:**
- ⚠️ Requires existing remote access (WinRM or admin shares)
- ⚠️ More complex
- ⚠️ Password visible in script (use secure credential management)
---
### Method 4: Group Policy Startup Script
**For domain-joined computers:**
1. **Copy files to NETLOGON share:**
```
\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\
```
2. **Create GPO:**
- Open Group Policy Management
- Create new GPO: "Deploy WinRM HTTPS"
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration → Policies → Windows Settings → Scripts
- Startup → Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
- Link to Shopfloor Computers OU
- PCs will run script on next reboot
**Advantages:**
- ✅ Automated deployment
- ✅ Centrally managed
- ✅ Runs with SYSTEM privileges
**Disadvantages:**
- ⚠️ Requires domain environment
- ⚠️ Requires restart
- ⚠️ Password handling more complex
---
## Security Considerations
### Certificate Password
**Problem:** The batch file and scripts need the certificate password.
**Solutions:**
**Option 1: Interactive Prompt (Recommended for Manual)**
```batch
REM Batch file prompts user
Deploy-WinRM-HTTPS.bat
REM User types password when prompted
```
**Option 2: Encrypted File (Recommended for Automation)**
```powershell
# One-time setup: Store password encrypted
$certPass = Read-Host "Enter cert password" -AsSecureString
$certPass | Export-Clixml -Path "\\SERVER\WinRM-HTTPS\cert-password.xml"
# Modify Deploy-WinRM-HTTPS.bat to use:
# -CertificatePasswordFile ".\cert-password.xml"
```
**Option 3: Environment Variable (Less Secure)**
```batch
REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**⚠️ Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
### Share Permissions
**Recommended permissions:**
- **Read:** Authenticated Users or Shopfloor Computers group
- **Change/Full Control:** IT Admins only
```powershell
# Set proper permissions
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\Domain Computers" -AccessRight Read -Force
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -AccessRight Full -Force
```
### Certificate Protection
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did ✅)
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
---
## Deployment Workflow
### Recommended Workflow
**Phase 1: Prepare (One Time)**
```
1. Create network share: \\SERVER\WinRM-HTTPS
2. Copy all deployment files
3. Test from one PC
4. Document password securely
```
**Phase 2: Test Deployment (3-5 PCs)**
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat → Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
```
**Phase 3: Full Deployment (All 175 PCs)**
```
Option A: Manual
- Visit each PC or send instructions to users
- Run Deploy-WinRM-HTTPS.bat
Option B: Remote
- Use remote execution script
- Deploy in batches of 20
Option C: Automated
- Use GPO startup script
- Schedule during maintenance window
```
**Phase 4: Verification**
```
1. Run connection test:
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections
2. Check logs for failures
3. Remediate failed PCs
```
**Phase 5: Cleanup**
```
1. Remove certificate from network share
2. Store password in secure vault
3. Document deployed PCs
4. Update asset inventory
```
---
## Example: Complete Deployment Session
### Step 1: Setup Share
```powershell
# On management server
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy files
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath
# Share
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"
Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
```
### Step 2: Test on One PC
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` → Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
### Step 3: Verify
**From management server:**
```powershell
# Test connection
Test-WSMan -ComputerName "G1JJVH63ESF.logon.ds.ge.com" -UseSSL -Port 5986
# If successful, create session
$cred = Get-Credential
$session = New-PSSession -ComputerName "G1JJVH63ESF.logon.ds.ge.com" `
-UseSSL -Port 5986 -Credential $cred
# Test command
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
# Cleanup
Remove-PSSession $session
```
### Step 4: Deploy to Next Batch
```powershell
# Deploy to next 5 PCs
$nextBatch = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -Skip 1 -First 5
foreach ($hostname in $nextBatch) {
Write-Host "`nDeploying to $hostname..." -ForegroundColor Cyan
# Instructions for manual deployment
Write-Host "1. RDP/physically access: $hostname" -ForegroundColor Yellow
Write-Host "2. Open: \\MANAGEMENT-SERVER\WinRM-HTTPS" -ForegroundColor Yellow
Write-Host "3. Run: Deploy-WinRM-HTTPS.bat (as Administrator)" -ForegroundColor Yellow
Write-Host "4. Password: XqHuyaLZSyCYEcpsMz6h5" -ForegroundColor Yellow
$continue = Read-Host "`nPress Enter when complete (or S to skip)"
if ($continue -eq 'S') { continue }
# Test after deployment
try {
Test-WSMan -ComputerName "$hostname.logon.ds.ge.com" -UseSSL -Port 5986 -ErrorAction Stop
Write-Host "[OK] $hostname - WinRM HTTPS working" -ForegroundColor Green
}
catch {
Write-Host "[FAIL] $hostname - Could not connect" -ForegroundColor Red
}
}
```
---
## Troubleshooting Network Share Deployment
### Problem: "Cannot access network share"
**Check:**
```powershell
# Test connectivity
Test-NetConnection -ComputerName SERVER -Port 445
# Test share access
Test-Path "\\SERVER\WinRM-HTTPS"
# List shares
Get-SmbShare -CimSession SERVER
# Check permissions
Get-SmbShareAccess -Name "WinRM-HTTPS"
```
**Solution:**
- Verify share exists
- Check firewall (port 445)
- Verify user has Read access
- Try with UNC path: `\\SERVER.domain.com\WinRM-HTTPS`
---
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click → Run as Administrator
- User must be local admin on PC
- Check UAC settings
---
### Problem: Certificate password prompt fails
**Solution:**
- Modify batch file to read from file
- Use encrypted credential file
- Or hardcode temporarily for testing (remove after)
---
## Creating README for Network Share
```text
# WinRM HTTPS Deployment
This folder contains files to deploy WinRM HTTPS to shopfloor PCs.
## Quick Start
1. Right-click Deploy-WinRM-HTTPS.bat
2. Select "Run as Administrator"
3. Enter certificate password when prompted
4. Wait for completion
## Password
Contact IT Support for the certificate password.
## Files
- Deploy-WinRM-HTTPS.bat - Main deployment script
- Setup-WinRM-HTTPS.ps1 - PowerShell setup script
- wildcard-*.pfx - Certificate (DO NOT DELETE)
## Support
For issues, contact: IT Support / Extension: XXXX
```
Save as `README.txt` in the share.
---
## Summary
**Best Practice for Your Scenario:**
1. ✅ Create network share: `\\SERVER\WinRM-HTTPS`
2. ✅ Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. ✅ Deploy to 3-5 test PCs manually
4. ✅ Verify each deployment
5. ✅ Deploy to remaining PCs in batches
6. ✅ Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
- Share only with authorized personnel
- Use encrypted files for automation
**The batch files handle:**
- ✅ Administrator check
- ✅ File verification
- ✅ Error handling
- ✅ User feedback
Reference in New Issue View Git Blame Copy Permalink