Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

winrm-https/WILDCARD-VS-CA-COMPARISON.txt

@@ -0,0 +1,357 @@
+================================================================================
+WILDCARD CERTIFICATE vs CERTIFICATE AUTHORITY - COMPARISON
+================================================================================
+
+QUICK ANSWER: CA approach is BETTER - more secure AND easier to use!
+
+================================================================================
+SIDE-BY-SIDE COMPARISON
+================================================================================
+
+┌──────────────────────────────────────────────────────────────────────────┐
+│                       WILDCARD CERTIFICATE                                │
+│                        (Current Approach)                                 │
+└──────────────────────────────────────────────────────────────────────────┘
+
+SETUP:
+  1. Generate ONE wildcard certificate (*.logon.ds.ge.com)
+  2. Deploy SAME certificate to all 175 PCs
+  3. Each PC gets exact same cert with CN=*.logon.ds.ge.com
+
+CONNECTING FROM YOUR COMPUTER:
+  # Always need to skip certificate validation!
+  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
+
+  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 `
+      -SessionOption $sessionOption  ← REQUIRED!
+
+  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
+      -Credential $cred -UseSSL -Port 5986 `
+      -SessionOption $sessionOption  ← REQUIRED!
+
+ISSUES WE HIT:
+  ✗ Certificate CN mismatch error (had to fix with wildcard hostname)
+  ✗ Certificate not trusted (must bypass validation)
+  ✗ Security warning every time
+  ✗ Same cert on all PCs (if compromised, all PCs affected)
+
+SECURITY LEVEL: ⚠ Medium
+  - Certificate validation bypassed
+  - Same certificate on all systems
+  - No way to revoke for individual PC
+
+
+┌──────────────────────────────────────────────────────────────────────────┐
+│                     CERTIFICATE AUTHORITY                                 │
+│                      (Recommended Approach)                               │
+└──────────────────────────────────────────────────────────────────────────┘
+
+SETUP:
+  1. Generate ONE Certificate Authority
+  2. Use CA to sign 175 INDIVIDUAL certificates (one per PC)
+  3. Each PC gets its own cert with CN=hostname.logon.ds.ge.com
+  4. Install CA public certificate on YOUR computer
+
+CONNECTING FROM YOUR COMPUTER:
+  # Clean and simple - no special options needed!
+
+  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
+  # That's it! No -SessionOption!
+
+  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
+      -Credential $cred -UseSSL -Port 5986
+  # That's it! No -SessionOption!
+
+BENEFITS:
+  ✓ No certificate CN mismatch (proper hostname in each cert)
+  ✓ Certificate automatically trusted (CA is trusted)
+  ✓ No security warnings
+  ✓ Each PC has unique cert (compromised cert only affects one PC)
+  ✓ Can revoke individual certificates
+
+SECURITY LEVEL: ✓ High
+  - Full certificate validation
+  - Unique certificate per system
+  - Individual certificate revocation possible
+
+================================================================================
+DETAILED COMPARISON TABLE
+================================================================================
+
+Feature                  Wildcard Cert         CA Approach
+─────────────────────────────────────────────────────────────────────────────
+Initial Setup Time       5 minutes            15 minutes
+Certificates to Create   1                    175
+Certificate on Each PC   Same                 Unique
+Certificate Validation   Bypassed             Enforced
+Security Warnings        Yes (always)         No
+-SessionOption Required  YES                  NO
+Connection Command       Long (with options)  Short (clean)
+CN in Certificate        *.logon.ds.ge.com    hostname.logon.ds.ge.com
+If One Cert Compromised  All 175 PCs at risk  Only 1 PC affected
+Individual Revocation    Not possible         Possible
+Professional Approach    No                   Yes
+Enterprise Standard      No                   Yes
+Recommended by Microsoft No                   Yes
+
+================================================================================
+WHAT YOU TYPE WHEN CONNECTING
+================================================================================
+
+WILDCARD APPROACH (Current):
+────────────────────────────────────────────────────────────────────────────
+PS> $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
+PS> $cred = Get-Credential
+PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
+        -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
+
+WARNING: Certificate validation was bypassed!
+[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
+
+
+CA APPROACH (Recommended):
+────────────────────────────────────────────────────────────────────────────
+PS> $cred = Get-Credential
+PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
+        -Credential $cred -UseSSL -Port 5986
+
+[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
+
+
+DIFFERENCE:
+  - Wildcard: 4 lines, security bypass, warnings
+  - CA:       2 lines, clean, secure
+
+================================================================================
+TIME INVESTMENT
+================================================================================
+
+WILDCARD CERTIFICATE:
+────────────────────────────────────────────────────────────────────────────
+One-time setup:       5 minutes   (generate wildcard cert)
+Per PC deployment:    3 minutes   (copy and import same cert)
+Total for 175 PCs:    ~9 hours    (5 min + 175 × 3 min)
+
+Every connection:     Extra typing for -SessionOption
+Every connection:     Security warnings
+
+
+CERTIFICATE AUTHORITY:
+────────────────────────────────────────────────────────────────────────────
+One-time setup:       15 minutes  (create CA, sign 175 certs, install CA)
+Per PC deployment:    3 minutes   (copy and import unique cert)
+Total for 175 PCs:    ~9 hours    (15 min + 175 × 3 min)
+
+Every connection:     Clean, simple
+Every connection:     No security warnings
+
+
+CONCLUSION: Same deployment time, but CA is cleaner to use forever!
+
+================================================================================
+SECURITY COMPARISON
+================================================================================
+
+SCENARIO: One certificate is compromised
+────────────────────────────────────────────────────────────────────────────
+
+WILDCARD APPROACH:
+  ✗ ALL 175 PCs are compromised (same certificate)
+  ✗ Must generate NEW wildcard certificate
+  ✗ Must redeploy to ALL 175 PCs
+  ✗ Major security incident
+
+CA APPROACH:
+  ✓ Only ONE PC is compromised (unique certificate)
+  ✓ Revoke that one certificate
+  ✓ Generate new certificate for that one PC
+  ✓ Redeploy to only ONE PC
+  ✓ Other 174 PCs unaffected
+  ✓ Minor security incident
+
+
+SCENARIO: Certificate expires
+────────────────────────────────────────────────────────────────────────────
+
+WILDCARD APPROACH:
+  - Generate new wildcard certificate
+  - Redeploy to ALL 175 PCs
+
+CA APPROACH:
+  - CA valid for 10 years
+  - Sign 175 new certificates (5 minutes)
+  - Redeploy to all 175 PCs
+  - OR: Deploy in rolling fashion (25 PCs per month)
+
+
+SCENARIO: Add 10 new PCs
+────────────────────────────────────────────────────────────────────────────
+
+WILDCARD APPROACH:
+  - Deploy existing wildcard cert to 10 new PCs
+  - Same cert as other 175 PCs
+
+CA APPROACH:
+  - Sign 10 new certificates (1 minute)
+  - Deploy to 10 new PCs
+  - Each PC gets unique certificate
+  - Automatically trusted (CA already installed)
+
+================================================================================
+REAL-WORLD USAGE
+================================================================================
+
+SCENARIO: Daily remote management
+────────────────────────────────────────────────────────────────────────────
+
+WILDCARD APPROACH:
+  Every single connection:
+
+  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
+  Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL `
+      -Port 5986 -SessionOption $sessionOption
+
+  Gets old fast!
+
+
+CA APPROACH:
+  Every single connection:
+
+  Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL -Port 5986
+
+  Clean and simple!
+
+
+SCENARIO: Scripting automation
+────────────────────────────────────────────────────────────────────────────
+
+WILDCARD APPROACH:
+  Every script must include:
+
+  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
+  Invoke-Command -ComputerName $computers -SessionOption $sessionOption ...
+
+
+CA APPROACH:
+  Clean script:
+
+  Invoke-Command -ComputerName $computers -UseSSL -Port 5986 ...
+
+  No special options needed!
+
+================================================================================
+CERTIFICATE INFORMATION
+================================================================================
+
+WILDCARD CERTIFICATE:
+────────────────────────────────────────────────────────────────────────────
+Subject:    CN=*.logon.ds.ge.com
+Issuer:     CN=*.logon.ds.ge.com (self-signed)
+Valid For:  *.logon.ds.ge.com (all subdomains)
+Trusted By: Nobody (must bypass validation)
+Used By:    All 175 PCs (same certificate)
+
+
+CA-SIGNED CERTIFICATES:
+────────────────────────────────────────────────────────────────────────────
+Certificate Authority:
+  Subject:  CN=Shopfloor WinRM CA
+  Issuer:   CN=Shopfloor WinRM CA (self-signed)
+  Trusted By: All management computers
+
+Individual PC Certificate (example):
+  Subject:  CN=g9kn7pz3esf.logon.ds.ge.com
+  Issuer:   CN=Shopfloor WinRM CA
+  Valid For: g9kn7pz3esf.logon.ds.ge.com (specific hostname)
+  Trusted By: Any computer that trusts Shopfloor WinRM CA
+  Used By:  Only G9KN7PZ3ESF (unique certificate)
+
+================================================================================
+MIGRATION PATH
+================================================================================
+
+If you already deployed wildcard certificates, you can migrate:
+
+STEP 1: Create CA and sign certificates
+  .\Create-CertificateAuthority.ps1
+  .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
+
+STEP 2: Install CA on management computers
+  Import-Certificate -FilePath "CA.cer" -CertStoreLocation Cert:\LocalMachine\Root
+
+STEP 3: Replace certificates on PCs (one at a time or in batches)
+  - Import new CA-signed certificate
+  - Reconfigure WinRM listener
+  - Remove old wildcard certificate
+  - Test connection
+
+STEP 4: Clean up
+  - Remove wildcard certificate from management computers
+  - Update documentation
+  - Securely store CA private key
+
+================================================================================
+RECOMMENDATION
+================================================================================
+
+RECOMMENDED: Certificate Authority Approach
+
+WHY?
+  1. MORE SECURE: Individual certificates, proper validation
+  2. EASIER TO USE: No -SessionOption needed, cleaner commands
+  3. ENTERPRISE STANDARD: Proper PKI infrastructure
+  4. BETTER ISOLATION: Compromised cert only affects one PC
+  5. SCALABLE: Easy to add new PCs
+  6. PROFESSIONAL: Industry best practice
+
+WHEN TO USE WILDCARD?
+  - Quick testing only
+  - Non-production environments
+  - Temporary setups
+  - When you're in a hurry and will fix it later
+
+FOR PRODUCTION (175 PCs):
+  ✓ Use Certificate Authority
+  ✓ Sign individual certificates
+  ✓ Proper certificate validation
+  ✓ No security bypasses
+
+================================================================================
+SUMMARY
+================================================================================
+
+                           Wildcard    CA
+──────────────────────────────────────────
+Setup Complexity           Low         Medium
+Long-term Usability        Poor        Excellent
+Security                   Medium      High
+Certificate Validation     Bypassed    Enforced
+Connection Simplicity      Complex     Simple
+Enterprise Ready           No          Yes
+Recommended for 175 PCs    No          Yes
+
+BOTTOM LINE:
+  CA approach is slightly more setup work, but MUCH better for daily use
+  and significantly more secure. For 175 production PCs, CA is the right choice.
+
+================================================================================
+NEXT STEPS
+================================================================================
+
+TO SWITCH TO CA APPROACH:
+
+1. Read: CA-APPROACH-GUIDE.md (detailed walkthrough)
+2. Run: .\Create-CertificateAuthority.ps1
+3. Run: .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
+4. Install CA on your management computer
+5. Deploy individual certificates to PCs
+6. Enjoy clean, secure connections!
+
+TO CONTINUE WITH WILDCARD:
+
+1. Re-run deployment with fixed wildcard script
+2. Continue using -SessionOption for all connections
+3. Accept security bypass warnings
+4. Plan to migrate to CA later
+
+================================================================================