
Windows - Configuration - Copy File From Payload

Distribute an uploaded payload file to a target Windows directory with idempotent PowerShell Copy-Item remediation

Worklet Details

What the payload file distributor does

This Automox Worklet™ distributes a file you upload to the Worklet payload to a destination directory on Windows endpoints. You upload the file once in the Automox console, set two PowerShell variables in the Worklet scripts, and the Worklet places the file on every targeted endpoint without RDP, SMB, or a remote session.

Both scripts read two parameters at the top: $filename (the exact name of the uploaded payload, for example payload.txt) and $filepath (the destination directory on the endpoint, for example C:\ProgramData\YourApp\). At policy run time, the Automox agent extracts the payload into $PWD on the endpoint, and the remediation script copies it from there to the target path.

The Worklet handles three states cleanly: the destination directory is missing, the directory exists but the file does not, or the file is already in place from a prior run. Each path writes a status line to the Automox activity log and exits 0, so a single bad endpoint cannot stall a fleet-wide policy.

Why push files through a Worklet instead of GPO or a share

Application teams routinely ship a small file alongside an installer: a licensing key, a custom .ini, a CA certificate, a tenant-scoped configuration, or a one-off PowerShell script that another policy will call. The file has to land on the endpoint before the next reboot, agent check-in, or user login, and it has to land on every endpoint in scope without an admin clicking through a share permission dialog on each host.

SMB shares and Group Policy file deployments only reach domain-joined endpoints inside the corporate network. The remote workers, contractor laptops, and servers in segmented zones that most often need the file are exactly the endpoints those tools miss. This Worklet rides the same Automox channel as your patching policies, so the payload arrives on off-domain laptops, endpoints on hotel Wi-Fi, and servers behind a firewall without depending on an SMB path the endpoint may not be able to resolve.

How payload file distribution works

  1. Evaluation phase: The evaluation script reads $filename and $filepath and runs Test-Path -Path $filepath\$filename. If the file is present, the script writes "File already exists. Now exiting." and exits 0, marking the endpoint compliant. If the file is absent, the script writes "File does not exist." and exits 1, which triggers remediation.

  2. Remediation phase: The remediation script runs Test-Path -Path $filepath against the destination directory. When the directory exists, it runs Copy-Item "$PWD\$filename" -Destination "$filepath" -Force to copy the payload out of the Worklet working directory. When the directory is missing, the script creates it with New-Item -ItemType Directory -Path $filepath -Force and then runs the same Copy-Item call. Every branch is wrapped in try/catch and exits 0 on failure, so an ACL or path error on one host does not block the rest of the fleet.

Payload distribution requirements

  • Windows 7 SP1 or later (workstation) or Windows Server 2008 R2 or later, with PowerShell 3.0 or later on the endpoint.

  • The Automox agent installed and checked in. The agent runs as SYSTEM, so it already has write access to most paths under C:\Windows, C:\ProgramData, and C:\Program Files.

  • The target file uploaded to the Worklet payload section in the Automox console before the policy runs. Upload the file from the same Worklet edit screen where you paste the evaluation and remediation scripts.

  • Set $filename in both evaluation.ps1 and remediation.ps1 to the exact uploaded filename, including the extension.

  • Set $filepath in both scripts to the destination directory on the endpoint. Include a trailing backslash (for example C:\ProgramData\YourApp\) so the evaluation script joins the path cleanly with $filename.

  • For destinations under per-user profiles or other protected paths, confirm the ACL allows write access from the SYSTEM account. The Worklet does not elevate beyond the agent's existing context.

Expected endpoint state after the file copy

After remediation, the uploaded payload file exists at $filepath\$filename on each remediated endpoint, with the contents and byte size of the original upload. The next evaluation run finds the file present, exits 0, and reports the endpoint as compliant without re-copying. Schedule this Worklet on a recurring policy and any endpoint that loses the file (manual deletion, reimage, drift) self-heals at the next check-in.

Verify on a pilot endpoint by running Test-Path C:\ProgramData\YourApp\payload.txt against the destination path you configured. Compare Get-FileHash $filepath\$filename on the endpoint against the hash of the source file on your build workstation to confirm bit-for-bit integrity.
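
The same hash comparison can run inside evaluation, so that a file with the wrong contents, and not only a missing file, triggers remediation. This is an added example, not the Worklet's shipped script: $expectedSha256 and the Test-PayloadCompliance function are assumed names, the hash value is a placeholder you replace with the SHA-256 of your source file, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: hash-aware evaluation variant (not the Worklet's shipped script).
# $filename and $filepath follow the page; $expectedSha256 is an assumed extra
# variable holding the SHA-256 of the source file from your build workstation.
$filename       = 'payload.txt'
$filepath       = 'C:\ProgramData\YourApp\'
$expectedSha256 = '<SHA256-OF-SOURCE-FILE>'   # placeholder, not a real hash

function Test-PayloadCompliance {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Join-Path copes with a missing or present trailing backslash in $Directory.
    $target = Join-Path -Path $Directory -ChildPath $Name

    # State 1: file (or its directory) is absent -> non-compliant.
    if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
        return [pscustomobject]@{ Compliant = $false; Reason = "File does not exist: $target" }
    }

    # State 2: file exists but cannot be read (ACL, lock) -> non-compliant.
    try {
        $actual = (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch {
        return [pscustomobject]@{ Compliant = $false; Reason = "Cannot hash ${target}: $($_.Exception.Message)" }
    }

    # State 3: contents differ from the upload. String -ne is case-insensitive
    # in PowerShell, so upper/lower-case hex both match.
    if ($actual -ne $ExpectedSha256.Trim()) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Hash mismatch on $target (got $actual)" }
    }

    return [pscustomobject]@{ Compliant = $true; Reason = "File present and hash matches: $target" }
}

$result = Test-PayloadCompliance -Directory $filepath -Name $filename -ExpectedSha256 $expectedSha256
Write-Output $result.Reason
# Exit 0 marks the endpoint compliant; exit 1 triggers remediation.
if ($result.Compliant) { exit 0 } else { exit 1 }
```

Because the remediation script calls Copy-Item with -Force, a mismatched file is overwritten with the uploaded payload on the next remediation run.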



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
