Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure: - asset-collection/: Local PC data collection scripts - remote-execution/: WinRM remote execution scripts - setup-utilities/: Configuration and testing utilities - registry-backup/: GE registry backup scripts - winrm-https/: WinRM HTTPS certificate setup - docs/: Complete documentation Each folder includes a README with detailed documentation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00
commit 62c0c7bb06
102 changed files with 28017 additions and 0 deletions
--- a/winrm-https/deployment-package/WILDCARD-CERT-FIX.txt
+++ b/winrm-https/deployment-package/WILDCARD-CERT-FIX.txt
@@ -0,0 +1,236 @@
+================================================================================
+WILDCARD CERTIFICATE FIX - IMPORTANT TECHNICAL DETAIL
+================================================================================
+
+Date: 2025-10-17
+Issue: Certificate CN mismatch error during HTTPS listener creation
+
+================================================================================
+PROBLEM
+================================================================================
+
+When deploying WinRM HTTPS with wildcard certificate, received error:
+
+  "The WinRM client cannot process the request. The certificate CN and
+   the hostname that were provided do not match."
+
+Error Number: -2144108311 (0x803380E9)
+
+================================================================================
+ROOT CAUSE
+================================================================================
+
+WinRM HTTPS listener creation requires the hostname parameter to EXACTLY match
+the certificate's Common Name (CN).
+
+Certificate Details:
+  - Subject: CN=*.logon.ds.ge.com
+  - CN: *.logon.ds.ge.com (wildcard format)
+
+Previous (Incorrect) Approach:
+  - Passed specific PC FQDN to listener: g9kn7pz3esf.logon.ds.ge.com
+  - WinRM compared: "*.logon.ds.ge.com" (cert CN) vs "g9kn7pz3esf.logon.ds.ge.com" (hostname)
+  - Result: MISMATCH → Error
+
+================================================================================
+SOLUTION
+================================================================================
+
+The listener hostname parameter must use the EXACT CN from the certificate,
+which is the wildcard format: *.logon.ds.ge.com
+
+Fixed Code (Setup-WinRM-HTTPS.ps1):
+
+  # Extract the CN value from certificate subject
+  if ($certSubject -match 'CN=([^,]+)') {
+      $certCN = $matches[1]  # This captures "*.logon.ds.ge.com"
+  }
+
+  # Use the certificate CN (wildcard) for listener hostname
+  $listenerHostname = $certCN  # "*.logon.ds.ge.com"
+
+  # Create listener with wildcard hostname
+  winrm create winrm/config/Listener?Address=*+Transport=HTTPS
+    @{Hostname="*.logon.ds.ge.com";CertificateThumbprint="...";Port="5986"}
+
+================================================================================
+HOW IT WORKS
+================================================================================
+
+Listener Configuration:
+  - Listener Hostname: *.logon.ds.ge.com (wildcard)
+  - Certificate CN: *.logon.ds.ge.com (wildcard)
+  - Match: ✓ SUCCESS
+
+Client Connection:
+  - Clients still connect using specific FQDN: g9kn7pz3esf.logon.ds.ge.com
+  - WinRM matches this against the wildcard: *.logon.ds.ge.com
+  - Certificate validation succeeds because wildcard covers all subdomains
+
+Example:
+  # Client connects using specific hostname
+  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
+
+  # Server listener accepts because:
+  #   - Listener hostname: *.logon.ds.ge.com
+  #   - Client hostname: g9kn7pz3esf.logon.ds.ge.com
+  #   - Wildcard match: ✓ (g9kn7pz3esf matches *)
+
+================================================================================
+TECHNICAL DETAILS
+================================================================================
+
+WinRM Listener Hostname Validation:
+  1. WinRM creates listener with hostname="*.logon.ds.ge.com"
+  2. Certificate CN must match listener hostname EXACTLY
+  3. Wildcard CN "*.logon.ds.ge.com" = Listener hostname "*.logon.ds.ge.com" ✓
+  4. Listener accepts connections from any hostname matching *.logon.ds.ge.com
+
+Certificate Validation During Connection:
+  1. Client connects to: g9kn7pz3esf.logon.ds.ge.com:5986
+  2. Server presents certificate with CN: *.logon.ds.ge.com
+  3. Client validates: Does "g9kn7pz3esf.logon.ds.ge.com" match "*.logon.ds.ge.com"?
+  4. Wildcard validation: ✓ YES (wildcard * matches "g9kn7pz3esf")
+  5. Connection succeeds
+
+================================================================================
+WHAT CHANGED IN THE SCRIPT
+================================================================================
+
+File: Setup-WinRM-HTTPS.ps1
+Function: New-WinRMHTTPSListener
+
+Changes:
+  1. Extract certificate CN from Subject field
+  2. Use certificate CN (wildcard) as listener hostname
+  3. Added logging to show both FQDN and listener hostname
+  4. Added explanatory notes in output
+
+Before:
+  $winrmArgs = "create ... @{Hostname=`"$Hostname`";..."
+  # Where $Hostname = "g9kn7pz3esf.logon.ds.ge.com"
+
+After:
+  $listenerHostname = $certCN  # "*.logon.ds.ge.com"
+  $winrmArgs = "create ... @{Hostname=`"$listenerHostname`";..."
+
+================================================================================
+TESTING THE FIX
+================================================================================
+
+On Target PC:
+  # Check listener configuration
+  winrm enumerate winrm/config/listener
+
+  # Should show:
+  Listener
+      Address = *
+      Transport = HTTPS
+      Port = 5986
+      Hostname = *.logon.ds.ge.com  ← WILDCARD FORMAT
+      ...
+
+From Management Server:
+  # Test connection using specific hostname
+  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
+
+  # Should succeed because:
+  #   - Server listener: *.logon.ds.ge.com
+  #   - Client request: g9kn7pz3esf.logon.ds.ge.com
+  #   - Wildcard match: ✓
+
+================================================================================
+APPLIES TO ALL PCS
+================================================================================
+
+This fix applies to ALL 175 shopfloor PCs:
+  - All use the same wildcard certificate
+  - All listeners configured with: Hostname=*.logon.ds.ge.com
+  - All clients connect with specific FQDN: hostname.logon.ds.ge.com
+  - Wildcard matching works for all PCs
+
+Example PCs:
+  - g1jjvh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
+  - g1jjxh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
+  - g9kn7pz3esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
+  - ... (all 175 PCs match)
+
+================================================================================
+VERIFICATION COMMANDS
+================================================================================
+
+Check Listener Configuration:
+  winrm enumerate winrm/config/listener
+
+  # Look for:
+  Hostname = *.logon.ds.ge.com  ← Must be wildcard!
+
+Check Certificate:
+  Get-ChildItem Cert:\LocalMachine\My |
+    Where-Object {$_.Subject -like "*logon.ds.ge.com*"} |
+    Select-Object Subject, Thumbprint, NotAfter
+
+Test Connection (from management server):
+  Test-WSMan -ComputerName HOSTNAME.logon.ds.ge.com -UseSSL -Port 5986
+
+Create Remote Session:
+  $cred = Get-Credential
+  Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
+    -Credential $cred -UseSSL -Port 5986
+
+================================================================================
+STATUS
+================================================================================
+
+Fix Applied: ✓ YES
+File Updated: Setup-WinRM-HTTPS.ps1
+Ready for Testing: ✓ YES
+
+Next Step: Re-run deployment on test PC (G9KN7PZ3ESF)
+
+================================================================================
+EXPECTED RESULTS
+================================================================================
+
+After running updated deployment script:
+
+1. Certificate import: ✓ SUCCESS
+   Subject: CN=*.logon.ds.ge.com
+
+2. Listener creation: ✓ SUCCESS
+   Hostname: *.logon.ds.ge.com (wildcard)
+
+3. Test connection: ✓ SUCCESS
+   Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL
+
+4. Remote session: ✓ SUCCESS
+   Enter-PSSession with -UseSSL flag
+
+================================================================================
+ADDITIONAL NOTES
+================================================================================
+
+- This is standard behavior for wildcard certificates with WinRM
+- The listener hostname MUST match the certificate CN exactly
+- Clients use specific FQDNs; wildcard matching happens automatically
+- This approach is documented in Microsoft's WinRM HTTPS documentation
+- No changes needed on client side (management server)
+
+================================================================================
+REFERENCES
+================================================================================
+
+WinRM Configuration:
+  - Listener Address: * (all IP addresses)
+  - Transport: HTTPS
+  - Port: 5986
+  - Hostname: *.logon.ds.ge.com (must match cert CN)
+  - Certificate Thumbprint: C1412765B2839E9081FCEA77BB1E6D8840203509
+
+Wildcard Certificate:
+  - Subject: CN=*.logon.ds.ge.com
+  - Valid for: All subdomains of logon.ds.ge.com
+  - Valid until: 2027-10-17
+  - Key Size: 2048-bit RSA
+
+================================================================================