powershell-scripts/winrm-https/NETWORK_SHARE_DEPLOYMENT.md
cproudlock 96cb1dd946 Remove all emojis from markdown documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 11:03:45 -05:00


# Network Share Deployment Guide
This guide explains how to deploy WinRM HTTPS to shopfloor PCs using a network share.
## Overview
Instead of manually copying files to each PC, you can:
1. Place all files on a network share
2. Access the share from each PC
3. Run a batch file to install
This is faster and ensures all PCs get the same configuration.
## Setup Network Share
### Step 1: Create Network Share
**On your file server or management computer:**
```powershell
# Create deployment folder
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy all required files to deployment folder
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath -Recurse
# Share the folder. Read access is all the deployment needs (see Share Permissions below);
# granting Full to Everyone would let anyone on the network replace the scripts or the PFX.
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"
```
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder > Properties > Sharing > Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
### Step 2: Verify Share Access
**From another computer:**
```powershell
# Test access (replace SERVER with your server name)
Test-Path "\\SERVER\WinRM-HTTPS"
# List files
Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
---
## Required Files for Deployment
### Minimal Deployment Package
For basic deployment, you need:
```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (NEW - Main deployment script)
├── Setup-WinRM-HTTPS.ps1 (WinRM HTTPS setup)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED)
└── README.txt (Optional - Instructions)
```
### Complete Package (Recommended)
Include everything for troubleshooting:
```
\\SERVER\WinRM-HTTPS\
├── Deploy-WinRM-HTTPS.bat (Deployment batch file)
├── Test-WinRM-HTTPS.bat (Test batch file)
├── Setup-WinRM-HTTPS.ps1 (WinRM setup script)
├── Test-WinRM-HTTPS-Setup.ps1 (Test script)
├── Generate-WildcardCert.ps1 (Certificate generator - optional)
├── Generate-WildcardCert-Alternative.ps1 (Alternative generator)
├── wildcard-logon-ds-ge-com-20251017.pfx (Certificate - REQUIRED!)
├── README.md (Documentation)
├── GETTING_STARTED.md (User guide)
├── NETWORK_SHARE_DEPLOYMENT.md (This file)
└── TROUBLESHOOTING_CERTIFICATE_GENERATION.md
```
---
## Deployment Methods
### Method 1: User Runs from Network Share (Simplest)
**On each shopfloor PC:**
1. Open Windows Explorer
2. Navigate to: `\\SERVER\WinRM-HTTPS`
3. Right-click `Deploy-WinRM-HTTPS.bat`
4. Select "Run as Administrator"
5. Enter certificate password when prompted
6. Wait for completion
**Advantages:**
- Simple - no copying needed
- Always uses latest files
- No local disk space used
**Disadvantages:**
- Requires network connectivity during install
- Slower if network is congested
---
### Method 2: Copy to Local Then Run (Recommended)
**On each shopfloor PC:**
```powershell
# Copy files locally first
New-Item -Path "C:\Temp\WinRM-Setup" -ItemType Directory -Force
Copy-Item "\\SERVER\WinRM-HTTPS\*" -Destination "C:\Temp\WinRM-Setup\" -Recurse
# Run locally
cd C:\Temp\WinRM-Setup
.\Deploy-WinRM-HTTPS.bat
```
**Or using batch file:**
```batch
@echo off
echo Copying deployment files...
xcopy "\\SERVER\WinRM-HTTPS\*" "C:\Temp\WinRM-Setup\" /E /Y
cd /d C:\Temp\WinRM-Setup
Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- Faster execution
- Works if network connection lost
- Can verify files before running
**Disadvantages:**
- Uses local disk space
- Extra copy step
---
### Method 3: Remote Execution (Advanced)
**From management computer, deploy to multiple PCs:**
```powershell
# List of target PCs
$targetPCs = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -First 5
# Your credentials
$cred = Get-Credential -Message "Enter domain admin credentials"
# Deploy to each PC
foreach ($hostname in $targetPCs) {
    Write-Host "Deploying to $hostname..." -ForegroundColor Yellow
    try {
        # Copy files to remote PC (admin share). -ErrorAction Stop so a failed copy
        # lands in the catch block instead of continuing to the remote execution.
        $remotePath = "\\$hostname\C$\Temp\WinRM-Setup"
        New-Item -Path $remotePath -ItemType Directory -Force -ErrorAction Stop | Out-Null
        Copy-Item "C:\Deployment\WinRM-HTTPS\*" -Destination $remotePath -Recurse -ErrorAction Stop
        # Execute remotely (requires WinRM over HTTP already reachable on the target)
        Invoke-Command -ComputerName $hostname -Credential $cred -ErrorAction Stop -ScriptBlock {
            Set-Location "C:\Temp\WinRM-Setup"
            # Run PowerShell script directly
            # NOTE: the password is in plaintext here; see Security Considerations below.
            $certPath = "C:\Temp\WinRM-Setup\wildcard-logon-ds-ge-com-20251017.pfx"
            $certPass = ConvertTo-SecureString "XqHuyaLZSyCYEcpsMz6h5" -AsPlainText -Force
            & "C:\Temp\WinRM-Setup\Setup-WinRM-HTTPS.ps1" `
                -CertificatePath $certPath `
                -CertificatePassword $certPass `
                -Domain "logon.ds.ge.com"
        }
        Write-Host "[OK] $hostname - Deployment complete" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $hostname - $($_.Exception.Message)" -ForegroundColor Red
    }
}
```
**Advantages:**
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
**Disadvantages:**
- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)
---
### Method 4: Group Policy Startup Script
**For domain-joined computers:**
1. **Copy files to NETLOGON share:**
```
\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\
```
2. **Create GPO:**
- Open Group Policy Management
- Create new GPO: "Deploy WinRM HTTPS"
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration > Policies > Windows Settings > Scripts
- Startup > Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
- Link to Shopfloor Computers OU
- PCs will run script on next reboot
**Advantages:**
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
**Disadvantages:**
- Requires domain environment
- Requires restart
- Password handling more complex
---
## Security Considerations
### Certificate Password
**Problem:** The batch file and scripts need the certificate password.
**Solutions:**
**Option 1: Interactive Prompt (Recommended for Manual)**
```batch
REM Batch file prompts user
Deploy-WinRM-HTTPS.bat
REM User types password when prompted
```
**Option 2: Encrypted File (Recommended for Automation)**
```powershell
# One-time setup: Store password encrypted
$certPass = Read-Host "Enter cert password" -AsSecureString
# Export-Clixml protects the SecureString with DPAPI, so the resulting file can
# only be decrypted by the same user account on the same computer that created it.
# Create it under the account that will run the deployment on each PC; one file
# written from the management server will not decrypt on the shopfloor PCs.
$certPass | Export-Clixml -Path "\\SERVER\WinRM-HTTPS\cert-password.xml"
# Modify Deploy-WinRM-HTTPS.bat to use:
# -CertificatePasswordFile ".\cert-password.xml"
```
**Option 3: Environment Variable (Less Secure)**
```batch
REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
### Share Permissions
**Recommended permissions:**
- **Read:** Authenticated Users or Shopfloor Computers group
- **Change/Full Control:** IT Admins only
```powershell
# Set proper permissions
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\Domain Computers" -AccessRight Read -Force
Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -AccessRight Full -Force
```
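As an added example (not part of the guide or its scripts), a check you can run before rollout and again at cleanup: it audits the share ACL for broad principals holding more than Read, and flags a PFX or a likely plaintext password left on the share. The function name and the list of "broad" principals are my assumptions.

```powershell
# Added example, not part of the original guide: audit a deployment share's
# ACL and contents. Function name and the principal list are assumptions.
function Test-DeploymentShare {
    param(
        [string]$ShareName = "WinRM-HTTPS",
        [string]$Server = $env:COMPUTERNAME,
        # Broad principals that should hold at most Read on the share (assumed list)
        [string[]]$BroadPrincipals = @("Everyone", "Authenticated Users",
                                      "Domain Users", "Domain Computers", "Users")
    )
    $findings = New-Object System.Collections.Generic.List[string]
    # Share-level ACEs: anything beyond Read for a broad group is a finding
    $acl = Get-SmbShareAccess -Name $ShareName -CimSession $Server
    foreach ($ace in $acl) {
        $broad = $BroadPrincipals | Where-Object { $ace.AccountName -like "*$_" }
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and $broad) {
            $findings.Add("$($ace.AccountName) has $($ace.AccessRight) on the share; expected Read")
        }
    }
    # Content checks: a PFX left behind after deployment, or a plaintext password
    # in a text/batch file, is readable by everyone who can read the share.
    $root = "\\$Server\$ShareName"
    foreach ($pfx in Get-ChildItem -Path $root -Filter *.pfx -ErrorAction SilentlyContinue) {
        $findings.Add("Private key file still on share: $($pfx.Name) (remove after deployment)")
    }
    $textFiles = Get-ChildItem -Path $root -Include *.txt,*.bat,*.cmd -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $textFiles) {
        # Heuristic: "password:" or "PASS=" followed directly by a long token
        if (Select-String -Path $f.FullName -Pattern 'pass(word)?\s*[=:]\s*\S{8,}' -Quiet) {
            $findings.Add("Possible plaintext password in $($f.Name)")
        }
    }
    [pscustomobject]@{
        Share    = $root
        Passed   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage (replace SERVER with the file server name)
$report = Test-DeploymentShare -ShareName "WinRM-HTTPS" -Server "SERVER"
$report.Findings | ForEach-Object { Write-Host "[WARN] $_" -ForegroundColor Yellow }
if ($report.Passed) { Write-Host "[OK] Share permissions and contents look right" -ForegroundColor Green }
```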
### Certificate Protection
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did)
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
---
## Deployment Workflow
### Recommended Workflow
**Phase 1: Prepare (One Time)**
```
1. Create network share: \\SERVER\WinRM-HTTPS
2. Copy all deployment files
3. Test from one PC
4. Document password securely
```
**Phase 2: Test Deployment (3-5 PCs)**
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat > Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
```
**Phase 3: Full Deployment (All 175 PCs)**
```
Option A: Manual
- Visit each PC or send instructions to users
- Run Deploy-WinRM-HTTPS.bat
Option B: Remote
- Use remote execution script
- Deploy in batches of 20
Option C: Automated
- Use GPO startup script
- Schedule during maintenance window
```
**Phase 4: Verification**
```
1. Run connection test:
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -TestConnections
2. Check logs for failures
3. Remediate failed PCs
```
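As an added example (not part of the guide or its scripts), a verification pass for this phase that goes one step further than Test-WSMan: it also retrieves the certificate the listener on port 5986 actually presents and checks its name, expiry and, optionally, its thumbprint against the deployed PFX. It assumes the hostname file and domain used above; the function names and CSV path are mine.

```powershell
# Added example, not part of the original guide or its scripts: per-PC check of
# the WinRM HTTPS listener and the certificate it serves. Names are assumptions.
function Get-ListenerCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 5986)
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept any chain during the handshake; the caller inspects the cert itself.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-WinRmHttps {
    param([string[]]$HostNames, [string]$Domain = "logon.ds.ge.com", [string]$ExpectedThumbprint)
    foreach ($h in $HostNames) {
        $fqdn = "$h.$Domain"
        $r = [ordered]@{ Host = $fqdn; WsMan = $false; Subject = $null; Expires = $null; Thumbprint = $null; Status = 'FAIL' }
        try {
            Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop | Out-Null
            $r.WsMan = $true
            $cert = Get-ListenerCertificate -ComputerName $fqdn
            $r.Subject = $cert.Subject; $r.Expires = $cert.NotAfter; $r.Thumbprint = $cert.Thumbprint
            # Name must cover the domain, cert must be unexpired, thumbprint must match if given
            $nameOk  = $cert.Subject -match [regex]::Escape($Domain)
            $thumbOk = (-not $ExpectedThumbprint) -or ($cert.Thumbprint -eq $ExpectedThumbprint.ToUpper())
            $r.Status = if ($nameOk -and $thumbOk -and $cert.NotAfter -gt (Get-Date)) { 'OK' } else { 'WARN' }
        }
        catch { $r.Status = "FAIL: $($_.Exception.Message)" }
        [pscustomobject]$r
    }
}

# Usage: take the expected thumbprint from the deployed PFX (prompts for its password)
$expected = (Get-PfxCertificate -FilePath ".\wildcard-logon-ds-ge-com-20251017.pfx").Thumbprint
$hosts    = Get-Content ".\shopfloor-hostnames.txt"
$results  = Test-WinRmHttps -HostNames $hosts -ExpectedThumbprint $expected
$results | Format-Table Host, WsMan, Status, Expires -AutoSize
$results | Where-Object Status -ne 'OK' | Export-Csv ".\winrm-https-failures.csv" -NoTypeInformation
```

A WARN row means the listener answered but is serving a different or expiring certificate, which is worth remediating before the PFX is removed from the share.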
**Phase 5: Cleanup**
```
1. Remove certificate from network share
2. Store password in secure vault
3. Document deployed PCs
4. Update asset inventory
```
---
## Example: Complete Deployment Session
### Step 1: Setup Share
```powershell
# On management server
$deployPath = "C:\Deployment\WinRM-HTTPS"
New-Item -Path $deployPath -ItemType Directory -Force
# Copy files
Copy-Item "C:\users\570005354\Downloads\winrm-https\*" -Destination $deployPath
# Share
New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -ReadAccess "Everyone"
Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
```
### Step 2: Test on One PC
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` > Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
### Step 3: Verify
**From management server:**
```powershell
# Test connection
Test-WSMan -ComputerName "G1JJVH63ESF.logon.ds.ge.com" -UseSSL -Port 5986
# If successful, create session
$cred = Get-Credential
$session = New-PSSession -ComputerName "G1JJVH63ESF.logon.ds.ge.com" `
-UseSSL -Port 5986 -Credential $cred
# Test command
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
# Cleanup
Remove-PSSession $session
```
### Step 4: Deploy to Next Batch
```powershell
# Deploy to next 5 PCs
$nextBatch = Get-Content ".\shopfloor-hostnames.txt" | Select-Object -Skip 1 -First 5
foreach ($hostname in $nextBatch) {
    Write-Host "`nDeploying to $hostname..." -ForegroundColor Cyan
    # Instructions for manual deployment
    Write-Host "1. RDP/physically access: $hostname" -ForegroundColor Yellow
    Write-Host "2. Open: \\MANAGEMENT-SERVER\WinRM-HTTPS" -ForegroundColor Yellow
    Write-Host "3. Run: Deploy-WinRM-HTTPS.bat (as Administrator)" -ForegroundColor Yellow
    Write-Host "4. Password: XqHuyaLZSyCYEcpsMz6h5" -ForegroundColor Yellow
    $continue = Read-Host "`nPress Enter when complete (or S to skip)"
    if ($continue -eq 'S') { continue }
    # Test after deployment
    try {
        Test-WSMan -ComputerName "$hostname.logon.ds.ge.com" -UseSSL -Port 5986 -ErrorAction Stop
        Write-Host "[OK] $hostname - WinRM HTTPS working" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] $hostname - Could not connect" -ForegroundColor Red
    }
}
```
---
## Troubleshooting Network Share Deployment
### Problem: "Cannot access network share"
**Check:**
```powershell
# Test connectivity
Test-NetConnection -ComputerName SERVER -Port 445
# Test share access
Test-Path "\\SERVER\WinRM-HTTPS"
# List shares
Get-SmbShare -CimSession SERVER
# Check permissions
Get-SmbShareAccess -Name "WinRM-HTTPS"
```
**Solution:**
- Verify share exists
- Check firewall (port 445)
- Verify user has Read access
- Try with UNC path: `\\SERVER.domain.com\WinRM-HTTPS`
---
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click > Run as Administrator
- User must be local admin on PC
- Check UAC settings
---
### Problem: Certificate password prompt fails
**Solution:**
- Modify batch file to read from file
- Use encrypted credential file
- Or hardcode temporarily for testing (remove after)
---
## Creating README for Network Share
```text
# WinRM HTTPS Deployment
This folder contains files to deploy WinRM HTTPS to shopfloor PCs.
## Quick Start
1. Right-click Deploy-WinRM-HTTPS.bat
2. Select "Run as Administrator"
3. Enter certificate password when prompted
4. Wait for completion
## Password
Contact IT Support for the certificate password.
## Files
- Deploy-WinRM-HTTPS.bat - Main deployment script
- Setup-WinRM-HTTPS.ps1 - PowerShell setup script
- wildcard-*.pfx - Certificate (DO NOT DELETE)
## Support
For issues, contact: IT Support / Extension: XXXX
```
Save as `README.txt` in the share.
---
## Summary
**Best Practice for Your Scenario:**
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
- Share only with authorized personnel
- Use encrypted files for automation
**The batch files handle:**
- Administrator check
- File verification
- Error handling
- User feedback