Initial commit: Organized PowerShell scripts for ShopDB asset collection

Structure: - asset-collection/: Local PC data collection scripts - remote-execution/: WinRM remote execution scripts - setup-utilities/: Configuration and testing utilities - registry-backup/: GE registry backup scripts - winrm-https/: WinRM HTTPS certificate setup - docs/: Complete documentation Each folder includes a README with detailed documentation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00
commit 62c0c7bb06
102 changed files with 28017 additions and 0 deletions
--- a/winrm-https/winrm-ca-scripts/TROUBLESHOOT-CONNECTION.txt
+++ b/winrm-https/winrm-ca-scripts/TROUBLESHOOT-CONNECTION.txt
@@ -0,0 +1,317 @@
+================================================================================
+TROUBLESHOOTING CONNECTION ISSUES
+================================================================================
+
+Error: "WinRM cannot complete the operation. Verify that the specified
+       computer name is valid, that the computer is accessible over the
+       network..."
+
+This means WinRM can't reach the remote PC. Follow these steps:
+
+================================================================================
+STEP 1: VERIFY NETWORK CONNECTIVITY
+================================================================================
+
+On YOUR computer (H2PRFM94):
+
+A. Test DNS Resolution
+──────────────────────────────────────────────────────────────
+PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
+
+Expected: Should return IP address (e.g., 10.134.48.255)
+
+If fails:
+  - Try with just hostname: Resolve-DnsName G9KN7PZ3ESF
+  - Try with IP directly: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
+
+
+B. Test Basic Ping
+──────────────────────────────────────────────────────────────
+PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2
+
+Expected: Should get replies
+
+If fails:
+  - PC might be blocking ICMP (that's OK, continue)
+  - Try: Test-Connection G9KN7PZ3ESF
+  - Try IP: Test-Connection 10.134.48.255
+
+
+C. Test Port 5986 Connectivity
+──────────────────────────────────────────────────────────────
+PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
+
+Expected:
+  ComputerName     : g9kn7pz3esf.logon.ds.ge.com
+  RemoteAddress    : 10.134.48.255
+  RemotePort       : 5986
+  InterfaceAlias   : Ethernet
+  SourceAddress    : 10.x.x.x
+  TcpTestSucceeded : True
+
+If TcpTestSucceeded = False:
+  - Port 5986 is blocked by firewall
+  - Continue to STEP 2
+
+
+================================================================================
+STEP 2: CHECK FIREWALL ON REMOTE PC (G9KN7PZ3ESF)
+================================================================================
+
+ON THE REMOTE PC (G9KN7PZ3ESF):
+
+A. Check Windows Firewall Rule
+──────────────────────────────────────────────────────────────
+PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Format-List
+
+Expected:
+  DisplayName : WinRM HTTPS-In
+  Enabled     : True
+  Direction   : Inbound
+  Action      : Allow
+
+If Enabled = False:
+  PS> Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
+
+
+B. Check Firewall Profile
+──────────────────────────────────────────────────────────────
+PS> Get-NetFirewallProfile | Select-Object Name, Enabled
+
+If firewall is ON for Public profile, the rule might not apply.
+
+Fix:
+  PS> Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
+
+
+C. Verify Port 5986 is Listening
+──────────────────────────────────────────────────────────────
+PS> netstat -an | findstr :5986
+
+Expected:
+  TCP    0.0.0.0:5986           0.0.0.0:0              LISTENING
+  TCP    [::]:5986              [::]:0                 LISTENING
+
+If not listening:
+  - WinRM listener not created properly
+  - Re-run Deploy-PCCertificate.bat
+
+
+D. Check WinRM Service
+──────────────────────────────────────────────────────────────
+PS> Get-Service WinRM | Select-Object Status, StartType
+
+Expected:
+  Status  : Running
+  StartType : Automatic
+
+If not running:
+  PS> Start-Service WinRM
+  PS> Set-Service WinRM -StartupType Automatic
+
+
+================================================================================
+STEP 3: CHECK NETWORK FIREWALL (Between PCs)
+================================================================================
+
+If local firewalls are OK but still can't connect:
+
+A. Check if Corporate Firewall Blocks Port 5986
+──────────────────────────────────────────────────────────────
+Some networks block high ports or only allow specific ports.
+
+Test from YOUR computer:
+  PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
+
+If TcpTestSucceeded = False:
+  - Network firewall is blocking port 5986
+  - Contact network admin to allow TCP 5986 between management PC and shopfloor PCs
+
+
+B. Check if Same Subnet
+──────────────────────────────────────────────────────────────
+WinRM public profile default only allows same subnet.
+
+On YOUR computer:
+  PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}
+
+On REMOTE PC:
+  PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}
+
+Compare:
+  - Your IP: 10.x.y.z
+  - Remote IP: 10.134.48.255
+
+If different subnets and Public profile:
+  - Either change network profile to Private/Domain
+  - Or configure firewall to allow remote subnet
+
+
+================================================================================
+STEP 4: ALTERNATIVE - USE IP ADDRESS INSTEAD OF FQDN
+================================================================================
+
+Sometimes DNS or certificate CN issues prevent FQDN connections.
+
+From YOUR computer, try with IP:
+──────────────────────────────────────────────────────────────
+
+PS> Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
+
+If this works but FQDN doesn't:
+  - DNS issue, use IP address for now
+  - Certificate CN might not match (but should work with proper CA)
+
+
+================================================================================
+STEP 5: CHECK YOUR COMPUTER'S WINRM CLIENT
+================================================================================
+
+On YOUR computer (H2PRFM94):
+
+A. Enable WinRM Client
+──────────────────────────────────────────────────────────────
+PS> Enable-PSRemoting -Force
+
+This configures YOUR computer as WinRM client.
+
+
+B. Check WinRM Service on YOUR Computer
+──────────────────────────────────────────────────────────────
+PS> Get-Service WinRM
+
+Expected: Running
+
+If not:
+  PS> Start-Service WinRM
+
+
+C. Set Trusted Hosts (if needed)
+──────────────────────────────────────────────────────────────
+Only needed if not using HTTPS with proper certificates.
+
+Check current:
+  PS> Get-Item WSMan:\localhost\Client\TrustedHosts
+
+If blank and having issues:
+  PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.logon.ds.ge.com" -Force
+
+
+================================================================================
+STEP 6: VERIFY CA CERTIFICATE ON YOUR COMPUTER
+================================================================================
+
+On YOUR computer (H2PRFM94):
+
+A. Check if CA is Installed
+──────────────────────────────────────────────────────────────
+PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
+    $_.Subject -like "*Shopfloor*"
+}
+
+Expected: Should show "CN=Shopfloor WinRM CA"
+
+If NOT found:
+  PS> Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" `
+          -CertStoreLocation Cert:\LocalMachine\Root
+
+
+B. Verify Certificate is Trusted
+──────────────────────────────────────────────────────────────
+PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
+    $_.Subject -like "*Shopfloor*"
+} | Format-List Subject, Thumbprint, NotAfter
+
+Make sure:
+  - Subject matches: CN=Shopfloor WinRM CA
+  - NotAfter is in the future
+  - No errors
+
+
+================================================================================
+STEP 7: DIAGNOSTIC COMMANDS CHECKLIST
+================================================================================
+
+Run these in order on YOUR computer:
+
+1. Test DNS:
+   PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
+
+2. Test Ping:
+   PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2
+
+3. Test Port:
+   PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
+
+4. Check CA installed:
+   PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
+
+5. Test WinRM:
+   PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
+
+
+Run these on REMOTE PC (G9KN7PZ3ESF):
+
+1. Check firewall:
+   PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
+
+2. Check port listening:
+   PS> netstat -an | findstr :5986
+
+3. Check service:
+   PS> Get-Service WinRM
+
+4. Check listener:
+   PS> winrm enumerate winrm/config/listener
+
+
+================================================================================
+COMMON SOLUTIONS
+================================================================================
+
+Issue: TcpTestSucceeded = False
+Solution:
+  1. On remote PC: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
+  2. On remote PC: Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
+  3. Contact network admin if corporate firewall blocks port 5986
+
+Issue: Certificate errors
+Solution:
+  1. Install CA on your computer: Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
+  2. Verify CA is in Trusted Root
+
+Issue: DNS not resolving
+Solution:
+  1. Use IP address: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
+  2. Or use short hostname: Test-WSMan -ComputerName G9KN7PZ3ESF -UseSSL -Port 5986
+
+Issue: Different subnets
+Solution:
+  1. Change firewall rule profile: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
+  2. Or configure firewall to allow your management PC's IP
+
+================================================================================
+QUICK FIX COMMANDS
+================================================================================
+
+On REMOTE PC (G9KN7PZ3ESF):
+──────────────────────────────────────────────────────────────
+# Enable firewall rule for all profiles
+Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any -Enabled True
+
+# Restart WinRM service
+Restart-Service WinRM
+
+
+On YOUR computer (H2PRFM94):
+──────────────────────────────────────────────────────────────
+# Enable WinRM client
+Enable-PSRemoting -Force
+
+# Install CA certificate (if not already)
+Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
+
+# Test connection
+Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
+
+================================================================================