ge-aerospace/powershell-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62c0c7bb06fa5cf497b782979b9a329ef58afcd1
powershell-scripts/winrm-https/winrm-ca-scripts/NETWORK-SHARE-DEPLOYMENT.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection 
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00

308 lines
10 KiB
Plaintext
Raw Blame History

================================================================================
NETWORK SHARE DEPLOYMENT GUIDE
================================================================================
Network Share Location: S:\dt\adata\script\deploy\pc-certificates
This guide shows how to deploy certificates from the network share to PCs.
================================================================================
SETUP (One Time)
================================================================================
STEP 1: Create CA and Sign Certificates (On Management Computer)
-----------------------------------------------------------------
cd C:\path\to\winrm-ca-scripts
# Create CA
.\Create-CA-Simple.ps1
# Install CA on your computer
Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
# Sign all 175 certificates
.\Sign-BulkCertificates.ps1
STEP 2: Copy Certificates to Network Share
-------------------------------------------
# Copy the entire batch folder to network share
Copy-Item "pc-certificates\batch-*" `
-Destination "S:\dt\adata\script\deploy\pc-certificates\" `
-Recurse
STEP 3: Copy Deployment Scripts to Network Share
-------------------------------------------------
# Copy deployment scripts to network share
Copy-Item "Deploy-PCCertificate.ps1" `
-Destination "S:\dt\adata\script\deploy\"
Copy-Item "Deploy-PCCertificate.bat" `
-Destination "S:\dt\adata\script\deploy\"
STEP 4: Set Network Share Permissions
--------------------------------------
- Grant "Domain Computers" READ access to:
S:\dt\adata\script\deploy\pc-certificates\
S:\dt\adata\script\deploy\Deploy-PCCertificate.*
- Grant "Domain Computers" WRITE access to:
S:\dt\adata\script\deploy\LOGS\
================================================================================
NETWORK SHARE STRUCTURE
================================================================================
S:\dt\adata\script\deploy\
├── Deploy-PCCertificate.ps1 # Deployment script
├── Deploy-PCCertificate.bat # Batch wrapper
├── pc-certificates\ # Certificate folder
│ └── batch-TIMESTAMP\ # Batch of certificates
│ ├── G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
│ ├── G1JJVH63ESF-logon.ds.ge.com-*.pfx
│ ├── ... (175 certificates total)
│ ├── certificate-list.csv
│ └── SUMMARY.txt
└── LOGS\ # Log files
└── HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
================================================================================
DEPLOYMENT TO EACH PC (Method 1: Manual)
================================================================================
On each PC:
1. Navigate to: S:\dt\adata\script\deploy\
2. Right-click: Deploy-PCCertificate.bat
3. Select: "Run as Administrator"
4. Enter certificate password: PCCert2025!
5. Wait for SUCCESS message
6. Done!
The script will:
✓ Find the certificate for this PC automatically
✓ Import it to Local Machine certificate store
✓ Configure WinRM HTTPS listener
✓ Create firewall rule
✓ Log everything to S:\dt\adata\script\deploy\LOGS\
================================================================================
DEPLOYMENT TO EACH PC (Method 2: Remote PowerShell)
================================================================================
From management computer, deploy to multiple PCs:
$pcs = Get-Content "shopfloor-hostnames.txt"
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
foreach ($pc in $pcs) {
Write-Host "Deploying to $pc..." -ForegroundColor Yellow
# Copy scripts to PC (if not using network share)
# OR just invoke from network share
Invoke-Command -ComputerName $pc -ScriptBlock {
& "S:\dt\adata\script\deploy\Deploy-PCCertificate.bat"
}
Write-Host "$pc complete!" -ForegroundColor Green
}
================================================================================
WHAT HAPPENS DURING DEPLOYMENT
================================================================================
1. Script checks network share access
→ S:\dt\adata\script\deploy\pc-certificates
2. Script finds certificate for this PC
→ Searches for: HOSTNAME-*.pfx
3. Script imports certificate
→ To: Cert:\LocalMachine\My
4. Script configures WinRM HTTPS
→ Listener on port 5986
→ Uses imported certificate
5. Script creates firewall rule
→ Allow inbound TCP 5986
6. Script logs everything
→ To: S:\dt\adata\script\deploy\LOGS\HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
================================================================================
VERIFYING DEPLOYMENT
================================================================================
On the PC (after deployment):
# Check certificate
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*$env:COMPUTERNAME*"
}
# Check WinRM listener
winrm enumerate winrm/config/listener
# Check firewall rule
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
# Check port listening
netstat -an | findstr :5986
From Management Computer:
# Test connection
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Create session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
================================================================================
DEPLOYMENT LOG EXAMPLE
================================================================================
Log file: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
============================================================================
PC Certificate Deployment Log
============================================================================
Hostname: G9KN7PZ3ESF
Date/Time: 10/17/2025 14:30:22
Log File: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
============================================================================
[2025-10-17 14:30:22] Computer: G9KN7PZ3ESF
[2025-10-17 14:30:22] FQDN: g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:22] Checking network share access...
[2025-10-17 14:30:22] [OK] Network share accessible
[2025-10-17 14:30:22] Looking for certificate for G9KN7PZ3ESF...
[2025-10-17 14:30:23] [OK] Found certificate: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
[2025-10-17 14:30:23] Importing certificate to Local Machine store...
[2025-10-17 14:30:24] [OK] Certificate imported successfully
[2025-10-17 14:30:24] Subject: CN=g9kn7pz3esf.logon.ds.ge.com
[2025-10-17 14:30:24] Thumbprint: ABC123...
[2025-10-17 14:30:24] Issuer: CN=Shopfloor WinRM CA
[2025-10-17 14:30:24] Configuring WinRM service...
[2025-10-17 14:30:25] [OK] WinRM service configured
[2025-10-17 14:30:25] Creating WinRM HTTPS listener...
[2025-10-17 14:30:26] [OK] HTTPS listener created successfully
[2025-10-17 14:30:26] Configuring Windows Firewall...
[2025-10-17 14:30:27] [OK] Firewall rule created
============================================================================
[SUCCESS] Certificate Deployment Complete
============================================================================
================================================================================
TROUBLESHOOTING
================================================================================
Problem: "Cannot access network share"
Solution:
- Verify S:\dt\adata\script\deploy\ is accessible from the PC
- Check network connectivity
- Verify permissions (Domain Computers should have READ access)
Problem: "Certificate not found for HOSTNAME"
Solution:
- Verify certificate exists in S:\dt\adata\script\deploy\pc-certificates\batch-*\
- Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
- Run Sign-BulkCertificates.ps1 if certificates weren't created
Problem: "Wrong password"
Solution:
- Default password is: PCCert2025!
- If you used different password, use that instead
Problem: "Port 5986 not listening after deployment"
Solution:
- Check deployment log in S:\dt\adata\script\deploy\LOGS\
- Run Test-RemotePC-Debug.bat on the PC
- Check for errors in listener creation
Problem: "Cannot connect from management computer"
Solution:
- Verify CA certificate is installed on management computer:
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
- Test port: Test-NetConnection -ComputerName HOSTNAME -Port 5986
- Check firewall on both computers
================================================================================
BATCH DEPLOYMENT
================================================================================
To deploy to all 175 PCs at once:
Option 1: Group Policy (Recommended for large deployments)
- Create GPO that runs Deploy-PCCertificate.bat at startup
- Assign to OU containing shopfloor PCs
- PCs will deploy on next reboot
Option 2: PowerShell Remote Execution
- Use Invoke-Command to run deployment on multiple PCs
- Requires existing WinRM access (HTTP on 5985)
Option 3: Manual in Batches
- Deploy to 10-20 PCs at a time
- Verify each batch before continuing
- Track progress in spreadsheet
================================================================================
ADVANTAGES OF THIS APPROACH
================================================================================
✓ Centralized certificate storage (network share)
✓ Automatic certificate detection (finds correct cert for each PC)
✓ Self-contained deployment (one script does everything)
✓ Comprehensive logging (every deployment logged)
✓ Easy to deploy (just run the .bat file)
✓ Secure (each PC gets unique certificate)
✓ Clean connections (no -SessionOption needed)
================================================================================
SUMMARY
================================================================================
1. Sign certificates (once)
2. Copy to network share: S:\dt\adata\script\deploy\pc-certificates\
3. On each PC: Run Deploy-PCCertificate.bat
4. Connect cleanly from management computer
Simple and effective!
================================================================================
Reference in New Issue View Git Blame Copy Permalink