Network Share Deployment Guide
This guide explains how to deploy WinRM HTTPS to shopfloor PCs using a network share.
Overview
Instead of manually copying files to each PC, you can:
- Place all files on a network share
- Access the share from each PC
- Run a batch file to install
This is faster and ensures all PCs get the same configuration.
Setup Network Share
Step 1: Create Network Share
On your file server or management computer:
# Create deployment folder
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy all required files to deployment folder
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath -Recurse
# Share the folder read-only (the share holds the PFX and scripts that run as Administrator)
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"
Or manually:
- Create folder: C:\Deployment\WinRM-HTTPS
- Copy all files from winrm-https folder
- Right-click folder → Properties → Sharing → Advanced Sharing
- Check "Share this folder"
- Share name: WinRM-HTTPS
- Permissions: Give "Everyone" Read access (or specific security group)
Step 2: Verify Share Access
From another computer:
# Test access (replace SERVER with your server name)
Test-Path "\\SERVER\WinRM-HTTPS"
# List files
Get-ChildItem "\\SERVER\WinRM-HTTPS"
Expected files:
- Deploy-WinRM-HTTPS.bat
- Setup-WinRM-HTTPS.ps1
- wildcard-logon-ds-ge-com-20251017.pfx
- Other PS1 scripts
Required Files for Deployment
Minimal Deployment Package
For basic deployment, you need:
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (NEW - Main deployment script)
├── Setup-WinRM-HTTPS.ps1 (WinRM HTTPS setup)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED)
└── README.txt (Optional - Instructions)
Complete Package (Recommended)
Include everything for troubleshooting:
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (Deployment batch file)
├── Test-WinRM-HTTPS.bat (Test batch file)
├── Setup-WinRM-HTTPS.ps1 (WinRM setup script)
├── Test-WinRM-HTTPS-Setup.ps1 (Test script)
├── Generate-WildcardCert.ps1 (Certificate generator - optional)
├── Generate-WildcardCert-Alternative.ps1 (Alternative generator)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED!)
├── README.md (Documentation)
├── GETTING_STARTED.md (User guide)
├── NETWORK_SHARE_DEPLOYMENT.md (This file)
└── TROUBLESHOOTING_CERTIFICATE_GENERATION.md
Deployment Methods
Method 1: User Runs from Network Share (Simplest)
On each shopfloor PC:
- Open Windows Explorer
- Navigate to: \\SERVER\WinRM-HTTPS
- Right-click Deploy-WinRM-HTTPS.bat
- Select "Run as Administrator"
- Enter certificate password when prompted
- Wait for completion
Advantages:
- Simple - no copying needed
- Always uses latest files
- No local disk space used
Disadvantages:
- Requires network connectivity during install
- Slower if network is congested
Method 2: Copy to Local Then Run (Recommended)
On each shopfloor PC:
# Copy files locally first
New-Item -Path "C:\Temp\WinRM-Setup" -ItemType Directory -Force
Copy-Item "\\SERVER\WinRM-HTTPS\*" -Destination "C:\Temp\WinRM-Setup\" -Recurse
# Run locally
cd C:\Temp\WinRM-Setup
.\Deploy-WinRM-HTTPS.bat
Or using batch file:
@echo off
echo Copying deployment files...
xcopy "\\SERVER\WinRM-HTTPS\*" "C:\Temp\WinRM-Setup\" /E /Y
cd /d C:\Temp\WinRM-Setup
Deploy-WinRM-HTTPS.bat
Advantages:
- Faster execution
- Works if network connection lost
- Can verify files before running
Disadvantages:
- Uses local disk space
- Extra copy step
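One way to do the "verify files before running" step in Method 2, as an added example that is not part of the original package: compare SHA-256 hashes of the local copy against a manifest. The function name, the manifest name hashes.csv and its Name,Hash columns are assumptions; keep the manifest somewhere shopfloor accounts cannot write.

```powershell
# Added example. Build the manifest (hypothetical hashes.csv) on the management server:
#   Get-ChildItem "C:\Deployment\WinRM-HTTPS" -File | Get-FileHash -Algorithm SHA256 |
#     Select-Object @{n='Name';e={Split-Path $_.Path -Leaf}}, Hash |
#     Export-Csv ".\hashes.csv" -NoTypeInformation
function Test-DeploymentPackage {
    param(
        [string]$LocalPath = "C:\Temp\WinRM-Setup",
        [Parameter(Mandatory)][string]$ManifestPath
    )
    # Load expected hashes keyed by file name
    $expected = @{}
    Import-Csv $ManifestPath | ForEach-Object { $expected[$_.Name] = $_.Hash }

    $ok = $true
    foreach ($name in $expected.Keys) {
        $file = Join-Path $LocalPath $name
        if (-not (Test-Path $file -PathType Leaf)) {
            Write-Host "[FAIL] Missing: $name" -ForegroundColor Red
            $ok = $false
            continue
        }
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $expected[$name]) {
            Write-Host "[FAIL] Hash mismatch: $name" -ForegroundColor Red
            $ok = $false
        }
    }

    # A script that is not listed in the manifest should not be in the package
    foreach ($item in Get-ChildItem $LocalPath -File) {
        $isScript = $item.Extension -in @('.bat', '.cmd', '.ps1')
        if ($isScript -and -not $expected.ContainsKey($item.Name)) {
            Write-Host "[FAIL] Unlisted script: $($item.Name)" -ForegroundColor Red
            $ok = $false
        }
    }
    return $ok
}

# Run the deployment only when every file matches the manifest
# if (Test-DeploymentPackage -ManifestPath "C:\Temp\hashes.csv") { .\Deploy-WinRM-HTTPS.bat }
```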
Method 3: Remote Execution (Advanced)
From management computer, deploy to multiple PCs:
# List of target PCs
$targetPCs = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -First 5
# Your credentials
$cred = Get-Credential -Message "Enter domain admin credentials"
# Deploy to each PC
foreach ($hostname in $targetPCs) {
    Write-Host "Deploying to $hostname..." -ForegroundColor Yellow
    try {
        # Copy files to remote PC
        # -ErrorAction Stop turns failures into terminating errors so the catch block runs
        $remotePath = "\\$hostname\C$\Temp\WinRM-Setup"
        New-Item -Path $remotePath -ItemType Directory -Force -ErrorAction Stop | Out-Null
        Copy-Item "C:\Deployment\WinRM-HTTPS\*" -Destination $remotePath -Recurse -ErrorAction Stop
        # Execute remotely
        Invoke-Command -ComputerName $hostname -Credential $cred -ErrorAction Stop -ScriptBlock {
            Set-Location "C:\Temp\WinRM-Setup"
            # Run PowerShell script directly
            $certPath = "C:\Temp\WinRM-Setup\wildcard-logon-ds-ge-com-20251017.pfx"
            $certPass = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force
            & "C:\Temp\WinRM-Setup\Setup-WinRM-HTTPS.ps1" `
                -CertificatePath $certPath `
                -CertificatePassword $certPass `
                -Domain "logon.ds.ge.com"
        }
        Write-Host "[OK] $hostname - Deployment complete" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $hostname - $($_.Exception.Message)" -ForegroundColor Red
    }
}
Advantages:
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
Disadvantages:
- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)
Method 4: Group Policy Startup Script
For domain-joined computers:
- Copy files to NETLOGON share: \\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\
- Create GPO:
  - Open Group Policy Management
  - Create new GPO: "Deploy WinRM HTTPS"
  - Edit GPO
- Add Startup Script:
  - Computer Configuration → Policies → Windows Settings → Scripts
  - Startup → Add
  - Script: \\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat
- Link GPO to OU:
  - Link to Shopfloor Computers OU
  - PCs will run script on next reboot
Advantages:
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
Disadvantages:
- Requires domain environment
- Requires restart
- Password handling more complex
Security Considerations
Certificate Password
Problem: The batch file and scripts need the certificate password.
Solutions:
Option 1: Interactive Prompt (Recommended for Manual)
REM Batch file prompts user
Deploy-WinRM-HTTPS.bat
REM User types password when prompted
Option 2: Encrypted File (Recommended for Automation)
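# One-time setup: Store password encrypted
# Note: Export-Clixml protects a SecureString with Windows DPAPI, so the file can only
# be decrypted by the same user account on the same computer that created it
$certPass = Read-Host "Enter cert password" -AsSecureString
$certPass | Export-Clixml -Path "\\SERVER\WinRM-HTTPS\cert-password.xml"
# Modify Deploy-WinRM-HTTPS.bat to use:
# -CertificatePasswordFile ".\cert-password.xml"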
Option 3: Environment Variable (Less Secure)
REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
Never:
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
Share Permissions
Recommended permissions:
- Read: Authenticated Users or Shopfloor Computers group
- Change/Full Control: IT Admins only
# Set proper permissions
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\Domain Computers" -AccessRight Read -Force
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -AccessRight Full -Force
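A check to run on the file server after setting permissions, as an added example that is not part of the original package: Grant-SmbShareAccess adds entries but leaves earlier ones in place, so a broad grant made when the share was created stays until it is revoked. The function name is an assumption, and "DOMAIN\IT Admins" is the placeholder group used in this guide.

```powershell
# Added example: list share ACL entries that exceed the recommended permissions.
function Get-ShareAccessFinding {
    param(
        [string]$ShareName = "WinRM-HTTPS",
        [string[]]$AdminAccounts = @("DOMAIN\IT Admins")   # placeholder group name
    )
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        # Deny entries only reduce access, so they are not findings
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }

        $right   = "$($ace.AccessRight)"          # Full, Change, Read or Custom
        $isAdmin = $AdminAccounts -contains $ace.AccountName

        if ($right -ne 'Read' -and -not $isAdmin) {
            # Anyone with Change/Full can replace the batch file that PCs run as Administrator
            [pscustomobject]@{
                Account = $ace.AccountName
                Right   = $right
                Finding = 'Write access for a non-admin account'
            }
        }
        elseif ($ace.AccountName -eq 'Everyone') {
            [pscustomobject]@{
                Account = $ace.AccountName
                Right   = $right
                Finding = 'Everyone can read the PFX; use a specific group instead'
            }
        }
    }
}

Get-ShareAccessFinding | Format-Table -AutoSize

# Remove a broad entry once the specific groups have been granted access:
# Revoke-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "Everyone" -Force
```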
Certificate Protection
The certificate PFX file contains the private key. Protect it:
- Use share permissions to restrict access
- Use certificate password (you did)
- Monitor access to the share
- Delete from share after deployment complete
Deployment Workflow
Recommended Workflow
Phase 1: Prepare (One Time)
1. Create network share: \\SERVER\WinRM-HTTPS
2. Copy all deployment files
3. Test from one PC
4. Document password securely
Phase 2: Test Deployment (3-5 PCs)
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat → Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
Phase 3: Full Deployment (All 175 PCs)
Option A: Manual
- Visit each PC or send instructions to users
- Run Deploy-WinRM-HTTPS.bat
Option B: Remote
- Use remote execution script
- Deploy in batches of 20
Option C: Automated
- Use GPO startup script
- Schedule during maintenance window
Phase 4: Verification
1. Run connection test:
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections
2. Check logs for failures
3. Remediate failed PCs
Phase 5: Cleanup
1. Remove certificate from network share
2. Store password in secure vault
3. Document deployed PCs
4. Update asset inventory
Example: Complete Deployment Session
Step 1: Setup Share
# On management server
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy files
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath
# Share
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"
Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
Step 2: Test on One PC
On test PC (G1JJVH63ESF):
- Open Explorer: \\MANAGEMENT-SERVER\WinRM-HTTPS
- Right-click Deploy-WinRM-HTTPS.bat → Run as Administrator
- Enter password: XqHuyaLZSyCYEcpsMz6h5
- Wait for completion
Step 3: Verify
From management server:
# Test connection
Test-WSMan -ComputerName "G1JJVH63ESF.logon.ds.ge.com" -UseSSL -Port 5986
# If successful, create session
$cred = Get-Credential
$session = New-PSSession -ComputerName "G1JJVH63ESF.logon.ds.ge.com" `
-UseSSL -Port 5986 -Credential $cred
# Test command
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
# Cleanup
Remove-PSSession $session
Step 4: Deploy to Next Batch
# Deploy to next 5 PCs
$nextBatch = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -Skip 1 -First 5
foreach ($hostname in $nextBatch) {
    Write-Host "`nDeploying to $hostname..." -ForegroundColor Cyan
    # Instructions for manual deployment
    Write-Host "1. RDP/physically access: $hostname" -ForegroundColor Yellow
    Write-Host "2. Open: \\MANAGEMENT-SERVER\WinRM-HTTPS" -ForegroundColor Yellow
    Write-Host "3. Run: Deploy-WinRM-HTTPS.bat (as Administrator)" -ForegroundColor Yellow
    Write-Host "4. Password: XqHuyaLZSyCYEcpsMz6h5" -ForegroundColor Yellow
    $continue = Read-Host "`nPress Enter when complete (or S to skip)"
    if ($continue -eq 'S') { continue }
    # Test after deployment
    try {
        Test-WSMan -ComputerName "$hostname.logon.ds.ge.com" -UseSSL -Port 5986 -ErrorAction Stop
        Write-Host "[OK] $hostname - WinRM HTTPS working" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $hostname - Could not connect" -ForegroundColor Red
    }
}
Troubleshooting Network Share Deployment
Problem: "Cannot access network share"
Check:
# Test connectivity
Test-NetConnection -ComputerName SERVER -Port 445
# Test share access
Test-Path "\\SERVER\WinRM-HTTPS"
# List shares
Get-SmbShare -CimSession SERVER
# Check permissions (queried on the server, not the local PC)
Get-SmbShareAccess -Name "WinRM-HTTPS" -CimSession SERVER
Solution:
- Verify share exists
- Check firewall (port 445)
- Verify user has Read access
- Try with UNC path: \\SERVER.domain.com\WinRM-HTTPS
Problem: "Access Denied" running batch file
Solution:
- Right-click → Run as Administrator
- User must be local admin on PC
- Check UAC settings
Problem: Certificate password prompt fails
Solution:
- Modify batch file to read from file
- Use encrypted credential file
- Or hardcode temporarily for testing (remove after)
Creating README for Network Share
# WinRM HTTPS Deployment
This folder contains files to deploy WinRM HTTPS to shopfloor PCs.
## Quick Start
1. Right-click Deploy-WinRM-HTTPS.bat
2. Select "Run as Administrator"
3. Enter certificate password when prompted
4. Wait for completion
## Password
Contact IT Support for the certificate password.
## Files
- Deploy-WinRM-HTTPS.bat - Main deployment script
- Setup-WinRM-HTTPS.ps1 - PowerShell setup script
- wildcard-*.pfx - Certificate (DO NOT DELETE)
## Support
For issues, contact: IT Support / Extension: XXXX
Save as README.txt in the share.
Summary
Best Practice for Your Scenario:
- Create network share: \\SERVER\WinRM-HTTPS
- Include: Deploy-WinRM-HTTPS.bat, Setup-WinRM-HTTPS.ps1, wildcard-logon-ds-ge-com-20251017.pfx
- Deploy to 3-5 test PCs manually
- Verify each deployment
- Deploy to remaining PCs in batches
- Remove certificate from share when done
Certificate Password Storage:
- Store in password manager
- Share only with authorized personnel
- Use encrypted files for automation
The batch files handle:
- Administrator check
- File verification
- Error handling
- User feedback