Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure: - asset-collection/: Local PC data collection scripts - remote-execution/: WinRM remote execution scripts - setup-utilities/: Configuration and testing utilities - registry-backup/: GE registry backup scripts - winrm-https/: WinRM HTTPS certificate setup - docs/: Complete documentation Each folder includes a README with detailed documentation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00
commit 62c0c7bb06
102 changed files with 28017 additions and 0 deletions
--- a/winrm-https/winrm-ca-scripts/NETWORK-SHARE-DEPLOYMENT.txt
+++ b/winrm-https/winrm-ca-scripts/NETWORK-SHARE-DEPLOYMENT.txt
@@ -0,0 +1,307 @@
+================================================================================
+NETWORK SHARE DEPLOYMENT GUIDE
+================================================================================
+
+Network Share Location: S:\dt\adata\script\deploy\pc-certificates
+
+This guide shows how to deploy certificates from the network share to PCs.
+
+================================================================================
+SETUP (One Time)
+================================================================================
+
+STEP 1: Create CA and Sign Certificates (On Management Computer)
+-----------------------------------------------------------------
+
+  cd C:\path\to\winrm-ca-scripts
+
+  # Create CA
+  .\Create-CA-Simple.ps1
+
+  # Install CA on your computer
+  Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" `
+      -CertStoreLocation Cert:\LocalMachine\Root
+
+  # Sign all 175 certificates
+  .\Sign-BulkCertificates.ps1
+
+
+STEP 2: Copy Certificates to Network Share
+-------------------------------------------
+
+  # Copy the entire batch folder to network share
+  Copy-Item "pc-certificates\batch-*" `
+      -Destination "S:\dt\adata\script\deploy\pc-certificates\" `
+      -Recurse
+
+
+STEP 3: Copy Deployment Scripts to Network Share
+-------------------------------------------------
+
+  # Copy deployment scripts to network share
+  Copy-Item "Deploy-PCCertificate.ps1" `
+      -Destination "S:\dt\adata\script\deploy\"
+
+  Copy-Item "Deploy-PCCertificate.bat" `
+      -Destination "S:\dt\adata\script\deploy\"
+
+
+STEP 4: Set Network Share Permissions
+--------------------------------------
+
+  - Grant "Domain Computers" READ access to:
+    S:\dt\adata\script\deploy\pc-certificates\
+    S:\dt\adata\script\deploy\Deploy-PCCertificate.*
+
+  - Grant "Domain Computers" WRITE access to:
+    S:\dt\adata\script\deploy\LOGS\
+
+
+================================================================================
+NETWORK SHARE STRUCTURE
+================================================================================
+
+S:\dt\adata\script\deploy\
+├── Deploy-PCCertificate.ps1          # Deployment script
+├── Deploy-PCCertificate.bat          # Batch wrapper
+├── pc-certificates\                  # Certificate folder
+│   └── batch-TIMESTAMP\              # Batch of certificates
+│       ├── G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
+│       ├── G1JJVH63ESF-logon.ds.ge.com-*.pfx
+│       ├── ... (175 certificates total)
+│       ├── certificate-list.csv
+│       └── SUMMARY.txt
+└── LOGS\                             # Log files
+    └── HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
+
+
+================================================================================
+DEPLOYMENT TO EACH PC (Method 1: Manual)
+================================================================================
+
+On each PC:
+
+1. Navigate to: S:\dt\adata\script\deploy\
+
+2. Right-click: Deploy-PCCertificate.bat
+
+3. Select: "Run as Administrator"
+
+4. Enter certificate password: PCCert2025!
+
+5. Wait for SUCCESS message
+
+6. Done!
+
+
+The script will:
+  ✓ Find the certificate for this PC automatically
+  ✓ Import it to Local Machine certificate store
+  ✓ Configure WinRM HTTPS listener
+  ✓ Create firewall rule
+  ✓ Log everything to S:\dt\adata\script\deploy\LOGS\
+
+
+================================================================================
+DEPLOYMENT TO EACH PC (Method 2: Remote PowerShell)
+================================================================================
+
+From management computer, deploy to multiple PCs:
+
+  $pcs = Get-Content "shopfloor-hostnames.txt"
+  $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
+
+  foreach ($pc in $pcs) {
+      Write-Host "Deploying to $pc..." -ForegroundColor Yellow
+
+      # Copy scripts to PC (if not using network share)
+      # OR just invoke from network share
+
+      Invoke-Command -ComputerName $pc -ScriptBlock {
+          & "S:\dt\adata\script\deploy\Deploy-PCCertificate.bat"
+      }
+
+      Write-Host "$pc complete!" -ForegroundColor Green
+  }
+
+
+================================================================================
+WHAT HAPPENS DURING DEPLOYMENT
+================================================================================
+
+1. Script checks network share access
+   → S:\dt\adata\script\deploy\pc-certificates
+
+2. Script finds certificate for this PC
+   → Searches for: HOSTNAME-*.pfx
+
+3. Script imports certificate
+   → To: Cert:\LocalMachine\My
+
+4. Script configures WinRM HTTPS
+   → Listener on port 5986
+   → Uses imported certificate
+
+5. Script creates firewall rule
+   → Allow inbound TCP 5986
+
+6. Script logs everything
+   → To: S:\dt\adata\script\deploy\LOGS\HOSTNAME-TIMESTAMP-CERT-DEPLOY.txt
+
+
+================================================================================
+VERIFYING DEPLOYMENT
+================================================================================
+
+On the PC (after deployment):
+
+  # Check certificate
+  Get-ChildItem Cert:\LocalMachine\My | Where-Object {
+      $_.Subject -like "*$env:COMPUTERNAME*"
+  }
+
+  # Check WinRM listener
+  winrm enumerate winrm/config/listener
+
+  # Check firewall rule
+  Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
+
+  # Check port listening
+  netstat -an | findstr :5986
+
+
+From Management Computer:
+
+  # Test connection
+  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
+
+  # Create session
+  $cred = Get-Credential
+  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
+      -Credential $cred -UseSSL -Port 5986
+
+
+================================================================================
+DEPLOYMENT LOG EXAMPLE
+================================================================================
+
+Log file: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
+
+============================================================================
+PC Certificate Deployment Log
+============================================================================
+Hostname: G9KN7PZ3ESF
+Date/Time: 10/17/2025 14:30:22
+Log File: S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\G9KN7PZ3ESF-20251017-143022-CERT-DEPLOY.txt
+============================================================================
+
+[2025-10-17 14:30:22] Computer: G9KN7PZ3ESF
+[2025-10-17 14:30:22] FQDN: g9kn7pz3esf.logon.ds.ge.com
+
+[2025-10-17 14:30:22] Checking network share access...
+[2025-10-17 14:30:22] [OK] Network share accessible
+
+[2025-10-17 14:30:22] Looking for certificate for G9KN7PZ3ESF...
+[2025-10-17 14:30:23] [OK] Found certificate: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
+
+[2025-10-17 14:30:23] Importing certificate to Local Machine store...
+[2025-10-17 14:30:24] [OK] Certificate imported successfully
+[2025-10-17 14:30:24]      Subject: CN=g9kn7pz3esf.logon.ds.ge.com
+[2025-10-17 14:30:24]      Thumbprint: ABC123...
+[2025-10-17 14:30:24]      Issuer: CN=Shopfloor WinRM CA
+
+[2025-10-17 14:30:24] Configuring WinRM service...
+[2025-10-17 14:30:25] [OK] WinRM service configured
+
+[2025-10-17 14:30:25] Creating WinRM HTTPS listener...
+[2025-10-17 14:30:26] [OK] HTTPS listener created successfully
+
+[2025-10-17 14:30:26] Configuring Windows Firewall...
+[2025-10-17 14:30:27] [OK] Firewall rule created
+
+============================================================================
+[SUCCESS] Certificate Deployment Complete
+============================================================================
+
+
+================================================================================
+TROUBLESHOOTING
+================================================================================
+
+Problem: "Cannot access network share"
+Solution:
+  - Verify S:\dt\adata\script\deploy\ is accessible from the PC
+  - Check network connectivity
+  - Verify permissions (Domain Computers should have READ access)
+
+Problem: "Certificate not found for HOSTNAME"
+Solution:
+  - Verify certificate exists in S:\dt\adata\script\deploy\pc-certificates\batch-*\
+  - Check filename matches: HOSTNAME-logon.ds.ge.com-*.pfx
+  - Run Sign-BulkCertificates.ps1 if certificates weren't created
+
+Problem: "Wrong password"
+Solution:
+  - Default password is: PCCert2025!
+  - If you used different password, use that instead
+
+Problem: "Port 5986 not listening after deployment"
+Solution:
+  - Check deployment log in S:\dt\adata\script\deploy\LOGS\
+  - Run Test-RemotePC-Debug.bat on the PC
+  - Check for errors in listener creation
+
+Problem: "Cannot connect from management computer"
+Solution:
+  - Verify CA certificate is installed on management computer:
+    Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
+  - Test port: Test-NetConnection -ComputerName HOSTNAME -Port 5986
+  - Check firewall on both computers
+
+
+================================================================================
+BATCH DEPLOYMENT
+================================================================================
+
+To deploy to all 175 PCs at once:
+
+Option 1: Group Policy (Recommended for large deployments)
+  - Create GPO that runs Deploy-PCCertificate.bat at startup
+  - Assign to OU containing shopfloor PCs
+  - PCs will deploy on next reboot
+
+Option 2: PowerShell Remote Execution
+  - Use Invoke-Command to run deployment on multiple PCs
+  - Requires existing WinRM access (HTTP on 5985)
+
+Option 3: Manual in Batches
+  - Deploy to 10-20 PCs at a time
+  - Verify each batch before continuing
+  - Track progress in spreadsheet
+
+
+================================================================================
+ADVANTAGES OF THIS APPROACH
+================================================================================
+
+✓ Centralized certificate storage (network share)
+✓ Automatic certificate detection (finds correct cert for each PC)
+✓ Self-contained deployment (one script does everything)
+✓ Comprehensive logging (every deployment logged)
+✓ Easy to deploy (just run the .bat file)
+✓ Secure (each PC gets unique certificate)
+✓ Clean connections (no -SessionOption needed)
+
+
+================================================================================
+SUMMARY
+================================================================================
+
+1. Sign certificates (once)
+2. Copy to network share: S:\dt\adata\script\deploy\pc-certificates\
+3. On each PC: Run Deploy-PCCertificate.bat
+4. Connect cleanly from management computer
+
+Simple and effective!
+
+================================================================================