Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure: - asset-collection/: Local PC data collection scripts - remote-execution/: WinRM remote execution scripts - setup-utilities/: Configuration and testing utilities - registry-backup/: GE registry backup scripts - winrm-https/: WinRM HTTPS certificate setup - docs/: Complete documentation Each folder includes a README with detailed documentation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00
commit 62c0c7bb06
102 changed files with 28017 additions and 0 deletions
--- a/winrm-https/winrm-ca-scripts/SUBNET-CONFIGURATION.txt
+++ b/winrm-https/winrm-ca-scripts/SUBNET-CONFIGURATION.txt
@@ -0,0 +1,214 @@
+================================================================================
+SUBNET CONFIGURATION FOR WINRM HTTPS
+================================================================================
+
+The deployment scripts have been updated to allow specific subnets for WinRM
+HTTPS access, addressing cross-subnet firewall restrictions.
+
+================================================================================
+DEFAULT CONFIGURATION
+================================================================================
+
+Management Subnet: 10.48.130.0/23
+Shopfloor Subnet:  10.134.48.0/24
+
+By default, the firewall rule allows connections from: 10.48.130.0/23
+
+
+================================================================================
+HOW IT WORKS
+================================================================================
+
+The Deploy-PCCertificate.ps1 script now has an -AllowedSubnets parameter:
+
+Default (built into batch file):
+  -AllowedSubnets "10.48.130.0/23"
+
+This creates a firewall rule that ONLY allows connections from your
+management subnet (10.48.130.0/23).
+
+
+================================================================================
+CONFIGURATION OPTIONS
+================================================================================
+
+Option 1: Single Subnet (Default - Most Secure)
+────────────────────────────────────────────────────────────────
+Deploy-PCCertificate.bat automatically uses:
+  -AllowedSubnets "10.48.130.0/23"
+
+Only your management subnet can connect.
+
+
+Option 2: Multiple Subnets
+────────────────────────────────────────────────────────────────
+Edit Deploy-PCCertificate.bat, line 80:
+  -AllowedSubnets "10.48.130.0/23,10.134.48.0/24"
+
+Allows both management and shopfloor subnets.
+
+
+Option 3: Allow All Subnets
+────────────────────────────────────────────────────────────────
+Edit Deploy-PCCertificate.bat, line 80:
+  -AllowedSubnets "Any"
+
+Allows connections from any IP address (less secure).
+
+
+Option 4: Manual PowerShell Deployment
+────────────────────────────────────────────────────────────────
+If running PowerShell directly:
+
+  .\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23"
+
+  .\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23,10.50.0.0/16"
+
+  .\Deploy-PCCertificate.ps1 -AllowedSubnets "Any"
+
+
+================================================================================
+FIXING G9KN7PZ3ESF (Already Deployed)
+================================================================================
+
+Since G9KN7PZ3ESF was deployed before this update, fix the firewall rule:
+
+On G9KN7PZ3ESF:
+
+  Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
+
+Or to allow any:
+
+  Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
+
+
+================================================================================
+VERIFYING THE CONFIGURATION
+================================================================================
+
+On the PC (after deployment):
+
+  Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" |
+      Get-NetFirewallAddressFilter |
+      Select-Object RemoteAddress
+
+Expected Output:
+  RemoteAddress
+  -------------
+  10.48.130.0/23
+
+
+From Management Computer:
+
+  Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
+
+Expected:
+  TcpTestSucceeded : True
+
+
+================================================================================
+SUBNET NOTATION (CIDR)
+================================================================================
+
+Examples:
+
+  10.48.130.0/23
+    - Network: 10.48.130.0
+    - Netmask: 255.255.254.0
+    - Range: 10.48.130.0 - 10.48.131.255
+    - 512 IP addresses
+
+  10.134.48.0/24
+    - Network: 10.134.48.0
+    - Netmask: 255.255.255.0
+    - Range: 10.134.48.0 - 10.134.48.255
+    - 256 IP addresses
+
+  10.0.0.0/8
+    - Entire 10.x.x.x private network
+    - All Class A private addresses
+
+
+================================================================================
+SECURITY RECOMMENDATIONS
+================================================================================
+
+Best Practice: Use Specific Subnets
+  ✓ Only allow known management subnets
+  ✓ Reduces attack surface
+  ✓ Prevents unauthorized access from other networks
+
+Acceptable: Multiple Known Subnets
+  ✓ Allow management subnet + shopfloor subnet
+  ✓ Useful for PC-to-PC communication on shopfloor
+  ✓ Still restricted to known networks
+
+Not Recommended: "Any"
+  ❌ Allows connections from anywhere
+  ❌ Higher security risk
+  ❌ Only use for testing or isolated networks
+
+
+================================================================================
+DEPLOYING TO ALL 175 PCs
+================================================================================
+
+Since Deploy-PCCertificate.bat now includes -AllowedSubnets "10.48.130.0/23":
+
+1. Copy updated Deploy-PCCertificate.bat to network share:
+   S:\dt\adata\script\deploy\Deploy-PCCertificate.bat
+
+2. Copy updated Deploy-PCCertificate.ps1 to network share:
+   S:\dt\adata\script\deploy\Deploy-PCCertificate.ps1
+
+3. On each PC, run:
+   S:\dt\adata\script\deploy\Deploy-PCCertificate.bat
+
+The firewall rule will automatically allow your management subnet.
+
+
+================================================================================
+TROUBLESHOOTING
+================================================================================
+
+Problem: TcpTestSucceeded = False after deployment
+Solution:
+  1. Check firewall rule on PC:
+     Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Get-NetFirewallAddressFilter
+
+  2. Verify your IP is in allowed subnet:
+     On your computer: ipconfig /all
+     Compare with allowed subnet
+
+  3. Update firewall rule if needed:
+     Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "your-subnet/mask"
+
+
+Problem: Need to add another subnet
+Solution:
+  On PC:
+    Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress @("10.48.130.0/23", "10.50.0.0/16")
+
+  Or update Deploy-PCCertificate.bat for future deployments
+
+
+Problem: Accidentally blocked management access
+Solution:
+  1. Physically access the PC
+  2. Run: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
+  3. Or temporarily allow all: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
+
+
+================================================================================
+SUMMARY
+================================================================================
+
+✓ Deploy-PCCertificate.ps1 now supports -AllowedSubnets parameter
+✓ Default: 10.48.130.0/23 (your management subnet)
+✓ Can specify multiple subnets: "subnet1,subnet2,subnet3"
+✓ Can allow all: "Any"
+✓ Built into Deploy-PCCertificate.bat for automatic deployment
+✓ More secure than allowing all subnets
+✓ Solves cross-subnet firewall restriction issues
+
+================================================================================