Remove all emojis from markdown documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
cproudlock
2025-12-10 11:03:45 -05:00
parent fc6be8a876
commit 96cb1dd946
22 changed files with 256 additions and 256 deletions

View File

@@ -5,7 +5,7 @@ The original deployment scripts contained Unicode box-drawing characters that ca
## Clean Scripts Available
### 1. Deploy-Simple.bat **RECOMMENDED**
### 1. Deploy-Simple.bat **RECOMMENDED**
- **Clean ASCII only** - No Unicode characters
- **Minimal output** - Easy to read
- **Essential functionality** - Just copies files efficiently

View File

@@ -84,7 +84,7 @@ mysql -u your_user -p shopdb < dualpath_migration.sql
### /home/camp/asset_data/fin/Update-PC-CompleteAsset.ps1
**Changes:**
- Fixed Unicode arrow character ( to ->)
- Fixed Unicode arrow character ( to ->)
- Integrated application detection for shopfloor PCs
### /home/camp/asset_data/fin/Get-ShopfloorConfig.ps1
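Review bot: the changelog bullet now reads "Fixed Unicode arrow character ( to ->)" with an empty left side of the parenthesis, because the character being described was itself removed. Spell it out in words, e.g. "Fixed Unicode right-arrow character (replaced with ->)", so the entry still says what was fixed.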

View File

@@ -1,7 +1,7 @@
# PowerShell Scripts - Production URL Configuration
**Date:** 2025-11-21
**Status:** Updated for Production
**Status:** Updated for Production
**Target Server:** https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp
---
@@ -57,11 +57,11 @@ xcopy /Y /E "\\fileserver\shares\IT\PowerShell\*.*" "C:\Apps\PowerShell\"
**GPO Path:**
```
Computer Configuration
Policies
Windows Settings
Scripts (Startup/Shutdown)
Startup
Add: deploy-powershell-scripts.bat
Policies
Windows Settings
Scripts (Startup/Shutdown)
Startup
Add: deploy-powershell-scripts.bat
```
#### Option B: Manual Copy via Network Share
@@ -107,10 +107,10 @@ Run with highest privileges: Yes
**GPO Scheduled Task:**
```
Computer Configuration
Preferences
Control Panel Settings
Scheduled Tasks
New Scheduled Task (Windows 7+)
Preferences
Control Panel Settings
Scheduled Tasks
New Scheduled Task (Windows 7+)
```
**Settings:**
@@ -389,11 +389,11 @@ Remove-Item "S:\dt\cameron\scan\logs\test.txt"
## Production Readiness Status
**Scripts Updated:** Both .bat and .ps1 files configured for production URL
**Documentation:** Complete deployment guide created
**Testing Plan:** 3-tier testing (Standard, Shopfloor, Engineer)
**Monitoring:** API logs and PowerShell logs configured
**Rollback Plan:** DEV URL reversion documented
**Scripts Updated:** Both .bat and .ps1 files configured for production URL
**Documentation:** Complete deployment guide created
**Testing Plan:** 3-tier testing (Standard, Shopfloor, Engineer)
**Monitoring:** API logs and PowerShell logs configured
**Rollback Plan:** DEV URL reversion documented
**Ready for Deployment:** YES

View File

@@ -14,21 +14,21 @@ This repository contains PowerShell scripts designed to collect detailed system
## Key Features
### 🏭 Manufacturing-Specific Data Collection
### Manufacturing-Specific Data Collection
- **DNC Configuration**: Extracts GE Aircraft Engines registry settings
- **DualPath Detection**: Identifies Path1Name/Path2Name for dual communication paths
- **Registry Architecture Analysis**: Tracks 32-bit vs 64-bit service locations per DNC service
- **Machine Network Detection**: Automatically identifies 192.168.*.* networks
- **GE Machine Number Extraction**: Derives machine numbers from hostname patterns
### 📊 Comprehensive System Analysis
### Comprehensive System Analysis
- Hardware specifications (manufacturer, model, serial, memory)
- Operating system details and user information
- Network interface configurations with DHCP detection
- Serial port configurations for machine communication
- PC type classification based on environment characteristics
### 🔧 Local Deployment
### Local Deployment
- Dashboard API integration for centralized data storage
- Individual PC execution and data collection
- Error handling and graceful degradation
@@ -94,7 +94,7 @@ All collected data is transmitted to a centralized dashboard API for storage in
## Architecture
```
PowerShell Scripts Proxy Server (warranty APIs) Dashboard API MySQL Database
PowerShell Scripts Proxy Server (warranty APIs) Dashboard API MySQL Database
↘ ↗
Dashboard API (direct storage)
```
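Review bot: the architecture line "PowerShell Scripts Proxy Server (warranty APIs) Dashboard API MySQL Database" lost the arrows between its stages, so it no longer shows data flow direction, while the "↘ ↗" connectors on the next line are still non-ASCII. Use ASCII "-->" between the stages and replace the diagonal arrows with "\" and "/" (or drop them) so the diagram is readable and consistent with the goal of the commit.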

View File

@@ -102,7 +102,7 @@ $postData.dncConfig = {
} | ConvertTo-Json -Compress
```
#### GE Registry Architecture Data **New in v3.0**
#### GE Registry Architecture Data **New in v3.0**
```powershell
# DualPath Communication Settings
$postData.dncDualPathEnabled = $true # Boolean: DualPath enabled
@@ -204,7 +204,7 @@ UPDATE pc SET
WHERE pcid = ?
```
#### `pc_dnc_config` Table (Manufacturing Configuration) **Enhanced in v3.0**
#### `pc_dnc_config` Table (Manufacturing Configuration) **Enhanced in v3.0**
```sql
INSERT INTO pc_dnc_config (
pcid, site, cnc, ncif, machinenumber, hosttype,
@@ -217,7 +217,7 @@ INSERT INTO pc_dnc_config (
ON DUPLICATE KEY UPDATE ...
```
#### `machines` Table (Auto-Population) **New in v3.2**
#### `machines` Table (Auto-Population) **New in v3.2**
```sql
-- Machine records created from PC data
INSERT INTO machines (

View File

@@ -219,9 +219,9 @@ echo Creating configuration file...
## Security Best Practices
### 1. Never Hardcode API Keys
- Don't put API keys directly in scripts
- Use environment variables or config files
- Add `dashboard-config.json` to `.gitignore`
- Don't put API keys directly in scripts
- Use environment variables or config files
- Add `dashboard-config.json` to `.gitignore`
### 2. Secure Storage on Client PCs
```powershell

View File

@@ -63,7 +63,7 @@ foreach ($interface in $networkInterfaces) {
---
## 🏭 Manufacturing/Shopfloor Configuration
## Manufacturing/Shopfloor Configuration
### DNC (Direct Numerical Control) System Data
| Field | Source | Type | Description |

View File

@@ -107,7 +107,7 @@ Deploy-With-PsExec.bat
#### Group Policy Deployment
1. **Copy Scripts**: Place in network share accessible to all target computers
2. **Create GPO**: New Group Policy Object for computer configuration
3. **Add Startup Script**: Computer Configuration Policies Windows Settings Scripts Startup
3. **Add Startup Script**: Computer Configuration Policies Windows Settings Scripts Startup
4. **Configure Path**: Point to network share location of `Update-PC-CompleteAsset.bat`
5. **Apply to OUs**: Link GPO to appropriate Organizational Units
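Review bot: step 3 now reads "Computer Configuration Policies Windows Settings Scripts Startup" with no separators, so the GPO path is ambiguous. Use an ASCII separator such as ">" between the nodes ("Computer Configuration > Policies > Windows Settings > Scripts > Startup"); the REM comment in the batch hunk below needs the same treatment.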
@@ -221,7 +221,7 @@ Register-ScheduledTask -TaskName "GE Asset Collection" -Action $action -Trigger
### Startup Script Integration
```batch
REM Add to computer startup scripts
REM Computer Configuration Policies Windows Settings Scripts Startup
REM Computer Configuration Policies Windows Settings Scripts Startup
@echo off
timeout 60 >nul 2>&1
@@ -307,7 +307,7 @@ Update-PC-CompleteAsset.ps1 -TestConnections
whoami /priv
# Run as administrator
Right-click "Run as administrator"
Right-click "Run as administrator"
# Service account configuration
# Configure service account with:

View File

@@ -80,8 +80,8 @@ function Get-PCType {
- `$Hostname` (string) - Computer hostname
**Pattern Matching**:
- `H###` patterns `M###` (H123 M123)
- `G###` patterns `M###` (G456 M456)
- `H###` patterns `M###` (H123 M123)
- `G###` patterns `M###` (G456 M456)
- Regex: `[HG](\d{3})`
**Returns**: `[string]` - Formatted machine number or `$null`
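Review bot: the pattern bullets "`H###` patterns `M###` (H123 M123)" lost the arrow that showed the mapping direction, so a reader can no longer tell which side is the hostname pattern and which is the derived machine number. Write the mapping with "->" ("`H###` patterns -> `M###` (H123 -> M123)"), consistent with the regex `[HG](\d{3})` on the following line.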
@@ -162,7 +162,7 @@ $response = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 30
**Payload Construction**: Creates comprehensive HTTP POST payload with structured data
**Manufacturing Data Handling** **Enhanced in v3.0**:
**Manufacturing Data Handling** **Enhanced in v3.0**:
```powershell
# DualPath and Registry Architecture Data
$postData.dncDualPathEnabled = $geInfo.DualPathEnabled
@@ -258,7 +258,7 @@ $dncConfig = @{
---
#### `Get-GERegistryInfo` **New in v3.0**
#### `Get-GERegistryInfo` **New in v3.0**
**Purpose**: Comprehensive GE Aircraft Engines registry architecture analysis with DualPath detection
**Returns**: `[hashtable]` - Complete registry architecture and DualPath configuration

View File

@@ -31,7 +31,7 @@ This directory contains comprehensive technical documentation for the GE Manufac
- Error handling patterns and best practices
- Code examples and usage patterns
### 🚀 [DEPLOYMENT_GUIDE.md](DEPLOYMENT_GUIDE.md)
### [DEPLOYMENT_GUIDE.md](DEPLOYMENT_GUIDE.md)
**Enterprise deployment strategies and procedures**
- Single PC and multiple PC deployment methods
- Enterprise integration (Group Policy, SCCM, Tanium)
@@ -117,4 +117,4 @@ When updating scripts or functionality:
---
**📚 Comprehensive documentation for enterprise manufacturing asset management**
** Comprehensive documentation for enterprise manufacturing asset management**
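Review bot: removing the emoji left a space after the opening `**` in "** Comprehensive documentation ...**", which CommonMark does not accept as an emphasis delimiter, so the line will render with literal asterisks. Remove the leading space ("**Comprehensive documentation ...**"). The same pattern appears in "** Success!**", "** Never:**" and "** Do NOT use for passwords:**" in later hunks.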

View File

@@ -443,7 +443,7 @@ Located in `winrm-https/` folder. These scripts configure secure WinRM over HTTP
┌─────────────────────────────────────────────────────────────────┐
│ ShopDB API Server │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ api.asp (IIS) MySQL Database │ │
│ │ api.asp (IIS) MySQL Database │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
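Review bot: in the box diagram the connector between "api.asp (IIS)" and "MySQL Database" was removed, leaving the two components with no indicated relationship while the surrounding box-drawing characters remain. Put an ASCII "<-->" between them so the link is shown, or convert the box-drawing characters to ASCII as well if the intent is a pure-ASCII document.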

View File

@@ -86,7 +86,7 @@ The GE Manufacturing Asset Management System is a comprehensive PowerShell-based
- Gateway and subnet mapping
```
#### `Get-GERegistryInfo` **New in v3.0**
#### `Get-GERegistryInfo` **New in v3.0**
```powershell
# Dual registry architecture analysis
- 32-bit registry path: HKLM:\SOFTWARE\GE Aircraft Engines
@@ -109,7 +109,7 @@ The GE Manufacturing Asset Management System is a comprehensive PowerShell-based
### Phase 1: System Discovery
```
PC Environment System Info Collection Classification Engine
PC Environment System Info Collection Classification Engine
├─ Hardware Identification (WMI/CIM)
├─ Operating System Analysis
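Review bot: the Phase 1 flow line "PC Environment System Info Collection Classification Engine" lost the arrows between its stages, so the three stages now read as one run-on phrase, and the tree connectors beneath it are still box-drawing characters. Use "->" between stages ("PC Environment -> System Info Collection -> Classification Engine"); the Phase 2 to Phase 6 hunks below have the same problem.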
@@ -119,7 +119,7 @@ PC Environment → System Info Collection → Classification Engine
### Phase 2: Manufacturing Intelligence
```
Registry Analysis Manufacturing Config Service Architecture
Registry Analysis Manufacturing Config Service Architecture
├─ GE Aircraft Engines Detection (32-bit/64-bit)
├─ DualPath Configuration Analysis
@@ -129,7 +129,7 @@ Registry Analysis → Manufacturing Config → Service Architecture
### Phase 3: Network Topology
```
Network Interfaces Machine Network Detection Communication Analysis
Network Interfaces Machine Network Detection Communication Analysis
├─ Active Interface Enumeration
├─ Machine Network Identification (192.168.*.*)
@@ -139,7 +139,7 @@ Network Interfaces → Machine Network Detection → Communication Analysis
### Phase 4: Data Consolidation
```
Collected Data JSON Serialization API Payload Construction
Collected Data JSON Serialization API Payload Construction
├─ System Information Packaging
├─ Manufacturing Configuration JSON
@@ -149,7 +149,7 @@ Collected Data → JSON Serialization → API Payload Construction
### Phase 5: Centralized Storage
```
Dashboard API Database Normalization Relational Storage
Dashboard API Database Normalization Relational Storage
├─ PC Table (Basic System Information)
├─ PC_DNC_Config Table (Manufacturing Settings + Registry Architecture)
@@ -158,9 +158,9 @@ Dashboard API → Database Normalization → Relational Storage
└─ Machines Table (Auto-populated from PC machine numbers)
```
### Phase 6: Machine Auto-Population **New in v3.2**
### Phase 6: Machine Auto-Population **New in v3.2**
```
PC Data Collection Machine Number Extraction Automated Machine Creation
PC Data Collection Machine Number Extraction Automated Machine Creation
│ │ │
├─ Registry Scan ├─ Hostname Patterns ├─ Machine Records
├─ DNC Detection ├─ GE Machine Numbers ├─ PC Relationships
@@ -190,12 +190,12 @@ function Get-GEMachineNumber {
# Pattern matching for GE hostname conventions
if ($Hostname -match '[HG](\d{3})') {
$machineNum = $Matches[1]
return "M$machineNum" # Convert H123/G123 M123
return "M$machineNum" # Convert H123/G123 M123
}
}
```
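Review bot: the comment `# Convert H123/G123 M123` in `Get-GEMachineNumber` no longer states a conversion direction. Write `# Convert H123/G123 -> M123`; the comment `# H3103 M3103` in the next hunk needs the same fix.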
### Machine Auto-Population Architecture **New in v3.2**
### Machine Auto-Population Architecture **New in v3.2**
The system automatically creates machine records from shopfloor PC data using a multi-phase approach:
@@ -210,7 +210,7 @@ function Get-GEMachineNumber {
# Priority 2: Hostname pattern matching
if ($Hostname -match '[HG](\d{3})') {
return "M$($Matches[1])" # H3103 M3103
return "M$($Matches[1])" # H3103 M3103
}
}
```
@@ -260,7 +260,7 @@ END
- **Multiple PC Handling**: Machine 0615 has 5 connected PCs
- **Role Classification**: Control, HMI, Engineering, Backup PCs identified
### Dual Registry Architecture Handling **New in v3.0**
### Dual Registry Architecture Handling **New in v3.0**
```powershell
# Intelligent priority system prevents data overwrites
if ($geInfo.DualPathEnabled -eq $null) {

View File

@@ -113,7 +113,7 @@ Your Computer Remote PC
│ CN=*.logon.ds.ge.com │
│ Self-signed (untrusted) │
│ │
├─ ERROR: Untrusted certificate │
├─ ERROR: Untrusted certificate │
│ │
└─ Must use -SessionOption
to skip validation
@@ -136,7 +136,7 @@ Your Computer Remote PC
├─ Checks issuer: Shopfloor WinRM CA │
├─ Do I trust this issuer? │
├─ YES! (CA is in Trusted Root) │
├─ Certificate trusted │
├─ Certificate trusted │
│ │
└─ Connection succeeds! ◄─────────────┘
No -SessionOption needed!
@@ -230,7 +230,7 @@ $cert = Import-PfxCertificate `
# Test basic connectivity - NO -SessionOption needed!
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Works! No certificate errors!
# Works! No certificate errors!
# Get credentials
$cred = Get-Credential
@@ -238,7 +238,7 @@ $cred = Get-Credential
# Interactive session - NO -SessionOption needed!
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# Connected! No certificate warnings!
# Connected! No certificate warnings!
# Run remote command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
@@ -265,10 +265,10 @@ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
```
**Problems:**
- Certificate validation bypassed (insecure)
- Same certificate on all 175 PCs
- If compromised, affects all PCs
- Certificate CN mismatch errors
- Certificate validation bypassed (insecure)
- Same certificate on all 175 PCs
- If compromised, affects all PCs
- Certificate CN mismatch errors
---
@@ -281,12 +281,12 @@ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
```
**Benefits:**
- Proper certificate validation (secure)
- Each PC has its own certificate
- If one compromised, only affects one PC
- Proper hostname in certificate (no CN mismatch)
- Easy to revoke individual certificates
- Professional enterprise approach
- Proper certificate validation (secure)
- Each PC has its own certificate
- If one compromised, only affects one PC
- Proper hostname in certificate (no CN mismatch)
- Easy to revoke individual certificates
- Professional enterprise approach
---
@@ -380,9 +380,9 @@ When you connect, Windows automatically validates:
4. YES! Found in Cert:\LocalMachine\Root
5. Certificate trusted
5. Certificate trusted
6. Connection allowed
6. Connection allowed
```
---

View File

@@ -128,7 +128,7 @@ STEP 3: Verify WinRM Configuration
STEP 4: Test Local HTTPS Connection
[OK] Local HTTPS connection successful
Test setup complete!
Test setup complete!
```
**If you see errors:**
@@ -175,7 +175,7 @@ CsName OsName WindowsVersion
YOUR-PC Microsoft Windows 11 Pro 10.0.22631
```
** Success!** If this works, you're ready to move to the next phase.
** Success!** If this works, you're ready to move to the next phase.
---
@@ -338,7 +338,7 @@ Failed: 0
Collection completed. Success: 3, Failed: 0
```
** Success!** If this works, you're ready for full deployment.
** Success!** If this works, you're ready for full deployment.
---
@@ -754,14 +754,14 @@ Get-Content .\logs\remote-collection-https.log -Tail 50
Follow these phases:
1. **Phase 1:** Test on single device (your computer)
2. **Phase 2:** Test on 3-5 shopfloor PCs
3. **Phase 3:** Deploy to all 175 PCs in batches
4. **Daily Ops:** Run automated collection
1. **Phase 1:** Test on single device (your computer)
2. **Phase 2:** Test on 3-5 shopfloor PCs
3. **Phase 3:** Deploy to all 175 PCs in batches
4. **Daily Ops:** Run automated collection
**Total Time:**
- Phase 1: 15-30 minutes
- Phase 2: 1-2 hours
- Phase 3: 4-8 hours (depending on method)
**Good luck with your deployment!** 🚀
**Good luck with your deployment!**

View File

@@ -32,7 +32,7 @@ New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -FullAccess "Everyone"
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder Properties Sharing Advanced Sharing
3. Right-click folder Properties Sharing Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
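Review bot: the hunk header shows the share being created with `New-SmbShare ... -FullAccess "Everyone"`, while step 6 of the manual procedure grants "Everyone" Read access only; since this share carries the PFX with its private key, the scripted path should match the manual one and ideally restrict access to a specific security group with Read only. Also, step 3 "Right-click folder Properties Sharing Advanced Sharing" needs ">" separators between the menu items.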
@@ -49,10 +49,10 @@ Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
---
@@ -105,13 +105,13 @@ Include everything for troubleshooting:
6. Wait for completion
**Advantages:**
- Simple - no copying needed
- Always uses latest files
- No local disk space used
- Simple - no copying needed
- Always uses latest files
- No local disk space used
**Disadvantages:**
- ⚠️ Requires network connectivity during install
- ⚠️ Slower if network is congested
- Requires network connectivity during install
- Slower if network is congested
---
@@ -139,13 +139,13 @@ Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- Faster execution
- Works if network connection lost
- Can verify files before running
- Faster execution
- Works if network connection lost
- Can verify files before running
**Disadvantages:**
- ⚠️ Uses local disk space
- ⚠️ Extra copy step
- Uses local disk space
- Extra copy step
---
@@ -193,14 +193,14 @@ foreach ($hostname in $targetPCs) {
```
**Advantages:**
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
**Disadvantages:**
- ⚠️ Requires existing remote access (WinRM or admin shares)
- ⚠️ More complex
- ⚠️ Password visible in script (use secure credential management)
- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)
---
@@ -219,8 +219,8 @@ foreach ($hostname in $targetPCs) {
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
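Review bot: the two path bullets under "Add Startup Script" ("Computer Configuration Policies Windows Settings Scripts" and "Startup Add") now read as word lists without separators. Use ">" between the nodes, e.g. "Computer Configuration > Policies > Windows Settings > Scripts" and "Startup > Add".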
@@ -228,14 +228,14 @@ foreach ($hostname in $targetPCs) {
- PCs will run script on next reboot
**Advantages:**
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
**Disadvantages:**
- ⚠️ Requires domain environment
- ⚠️ Requires restart
- ⚠️ Password handling more complex
- Requires domain environment
- Requires restart
- Password handling more complex
---
@@ -270,7 +270,7 @@ REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**⚠️ Never:**
** Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
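Review bot: the context line `setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M` writes a literal certificate password into a machine-wide environment variable, readable by every local user and process, directly above the "Never:" list that forbids plaintext storage, and the value looks like a real password committed to the repository. Replace it with an obvious placeholder such as `<cert-password>` in the documentation and rotate the PFX password if this value is in use. Separately, "** Never:**" has a space after the opening `**` and will not render as bold.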
@@ -293,7 +293,7 @@ Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -Access
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did )
2. **Use certificate password** (you did )
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
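Review bot: step 2 now reads "Use certificate password (you did )" with an empty parenthesis where the checkmark was. Either drop the parenthetical or spell it out, e.g. "(already done)".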
@@ -315,7 +315,7 @@ The certificate PFX file contains the private key. Protect it:
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
@@ -378,7 +378,7 @@ Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
@@ -462,7 +462,7 @@ Get-SmbShareAccess -Name "WinRM-HTTPS"
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click Run as Administrator
- Right-click Run as Administrator
- User must be local admin on PC
- Check UAC settings
@@ -514,15 +514,15 @@ Save as `README.txt` in the share.
**Best Practice for Your Scenario:**
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
@@ -530,7 +530,7 @@ Save as `README.txt` in the share.
- Use encrypted files for automation
**The batch files handle:**
- Administrator check
- File verification
- Error handling
- User feedback
- Administrator check
- File verification
- Error handling
- User feedback

View File

@@ -4,7 +4,7 @@
**Objective**: Deploy secure WinRM over HTTPS to 175 shopfloor PCs using a wildcard certificate for `*.logon.ds.ge.com`
**Status**: READY FOR TESTING
**Status**: READY FOR TESTING
**Certificate Generated**: `wildcard-logon-ds-ge-com-20251017.pfx`
**Certificate Password**: `XqHuyaLZSyCYEcpsMz6h5`
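Review bot: the context lines publish the certificate password `XqHuyaLZSyCYEcpsMz6h5` beside the PFX filename in the project summary, which contradicts issue 5 later in the same file ("Plaintext Password in Examples ... Resolved - All examples use secure methods"). Replace the value with a placeholder and keep the real one in the password manager the docs already recommend; the same literal appears in the "Enter password" step of the network-share guide.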
@@ -45,13 +45,13 @@
## Key Features Implemented
### Certificate Generation
### Certificate Generation
- Self-signed wildcard certificate for `*.logon.ds.ge.com`
- Alternative generation methods to avoid smart card conflicts
- 2048-bit RSA with SHA256
- Valid for 2 years (expires 2027-10-17)
### Deployment Scripts
### Deployment Scripts
- **Two deployment methods**:
- `Deploy-WinRM-HTTPS.bat` - Secure (prompts for password)
- `Deploy-WinRM-HTTPS-AutoPassword.bat` - Testing (auto-password)
@@ -60,7 +60,7 @@
- Execution policy bypass (`-ExecutionPolicy Bypass`)
- Network share compatible
### Comprehensive Logging
### Comprehensive Logging
- **Log Location**: `S:\DT\ADATA\SCRIPT\DEPLOY\LOGS\`
- **Log Format**: `HOSTNAME-YYYYMMDD-HHMMSS.txt`
- **Logged Information**:
@@ -72,7 +72,7 @@
- Success/failure status
- All error messages
### WinRM HTTPS Configuration
### WinRM HTTPS Configuration
- Creates HTTPS listener on port 5986
- Uses wildcard certificate for all PCs
- Constructs FQDN: `hostname.logon.ds.ge.com`
@@ -80,13 +80,13 @@
- Enables certificate authentication
- Maintains HTTP listener (port 5985)
### Testing & Validation
### Testing & Validation
- Test scripts for connectivity verification
- Log viewer with filtering capabilities
- Summary report generation
- Remote connection examples
### Documentation
### Documentation
- Quick start guides
- Detailed deployment instructions
- Security best practices
@@ -139,17 +139,17 @@ PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command ^
### 1. Smart Card Device Error
**Problem**: Certificate generation failed with "smart card device is read-only"
**Solution**: Created alternative script using `certreq.exe` with fallback methods
**Status**: Resolved - Certificate generated successfully
**Status**: Resolved - Certificate generated successfully
### 2. LogFile Parameter Not Found
**Problem**: Batch file tried to pass `-LogFile` parameter that didn't exist
**Solution**: Added `-LogFile` parameter to `Setup-WinRM-HTTPS.ps1` param block
**Status**: Resolved - Logging now works correctly
**Status**: Resolved - Logging now works correctly
### 3. WinRM HTTPS Listener Creation Failed (First Issue)
**Problem**: Listener creation failed due to PowerShell string escaping issues
**Solution**: Changed from `Invoke-Expression` to `cmd.exe /c` execution
**Status**: Resolved - Command execution fixed
**Status**: Resolved - Command execution fixed
### 4. Certificate CN Mismatch Error (Critical Fix)
**Problem**: Listener creation failed with error "The certificate CN and the hostname that were provided do not match"
@@ -177,23 +177,23 @@ winrm create ... @{Hostname="*.logon.ds.ge.com";...}
- WinRM matches specific hostname against wildcard pattern
- Certificate validation succeeds for all subdomains
**Status**: Resolved - Wildcard matching now works correctly
**Status**: Resolved - Wildcard matching now works correctly
**Documentation**: See `WILDCARD-CERT-FIX.txt` for detailed explanation
### 5. Plaintext Password in Examples
**Problem**: Security concern with plaintext passwords in documentation
**Solution**: Created `SECURE_CREDENTIAL_MANAGEMENT.md` and updated all examples
**Status**: Resolved - All examples use secure methods
**Status**: Resolved - All examples use secure methods
---
## Deployment Workflow
### Phase 1: Preparation (CURRENT PHASE)
1. Generate wildcard certificate
2. Create deployment scripts
3. Setup logging infrastructure
4. Create documentation
1. Generate wildcard certificate
2. Create deployment scripts
3. Setup logging infrastructure
4. Create documentation
5. ⏳ Copy certificate to deployment-package folder
6. ⏳ Copy deployment-package to network share
7. ⏳ Set permissions on network share
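Review bot: steps 5 to 7 of Phase 1 still carry the ⏳ emoji (they are unchanged context lines), while steps 1 to 4 lost their completion marker, so the list no longer distinguishes finished from pending work and the commit does not fully deliver its title. Use text markers for both states, e.g. "[DONE]" and "[TODO]".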
@@ -230,9 +230,9 @@ winrm create ... @{Hostname="*.logon.ds.ge.com";...}
**Hostname List**: `shopfloor-hostnames.txt`
**Example Hostnames**:
- G1JJVH63ESF g1jjvh63esf.logon.ds.ge.com
- G1JJXH63ESF g1jjxh63esf.logon.ds.ge.com
- G9KN7PZ3ESF g9kn7pz3esf.logon.ds.ge.com (test PC)
- G1JJVH63ESF g1jjvh63esf.logon.ds.ge.com
- G1JJXH63ESF g1jjxh63esf.logon.ds.ge.com
- G9KN7PZ3ESF g9kn7pz3esf.logon.ds.ge.com (test PC)
- ... (172 more)
---
@@ -279,24 +279,24 @@ Get-Service WinRM | Select-Object Name, Status, StartType
## Security Considerations
### Certificate Security
- Self-signed certificate (appropriate for internal use)
- Private key marked as exportable (for backup purposes)
- Stored in Local Machine certificate store
- 2048-bit RSA encryption
- ⚠️ Certificate password stored in deployment scripts (testing only)
- Self-signed certificate (appropriate for internal use)
- Private key marked as exportable (for backup purposes)
- Stored in Local Machine certificate store
- 2048-bit RSA encryption
- Certificate password stored in deployment scripts (testing only)
### Deployment Security
- Two versions: secure (production) and auto-password (testing)
- Documentation emphasizes deleting auto-password version
- Network share requires proper permissions
- Administrator privileges required for deployment
- All examples use secure credential methods
- Two versions: secure (production) and auto-password (testing)
- Documentation emphasizes deleting auto-password version
- Network share requires proper permissions
- Administrator privileges required for deployment
- All examples use secure credential methods
### Credential Management
- Documented 5 secure methods in `SECURE_CREDENTIAL_MANAGEMENT.md`
- No plaintext passwords in production examples
- Recommendations for Azure Key Vault integration
- Windows Credential Manager integration documented
- Documented 5 secure methods in `SECURE_CREDENTIAL_MANAGEMENT.md`
- No plaintext passwords in production examples
- Recommendations for Azure Key Vault integration
- Windows Credential Manager integration documented
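Review bot: under "Certificate Security" the bullet "Certificate password stored in deployment scripts (testing only)" was a warning distinguished from the positive bullets only by its icon; after the change it reads as just another feature. Prefix it with "WARNING:" or move it to a separate "Risks" sub-list so the one item that describes a risk is still identified as such.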
---
@@ -348,8 +348,8 @@ Executing WinRM HTTPS setup...
## Files Ready for Deployment
### Required Files (Must Copy to Network Share)
- `deployment-package/` folder (all contents)
- ⚠️ `wildcard-logon-ds-ge-com-20251017.pfx` (MUST ADD to deployment-package!)
- `deployment-package/` folder (all contents)
- `wildcard-logon-ds-ge-com-20251017.pfx` (MUST ADD to deployment-package!)
### Network Share Setup
```
@@ -405,25 +405,25 @@ Executing WinRM HTTPS setup...
## Success Criteria
### Deployment Success
- Certificate imported to Local Machine store
- HTTPS listener created on port 5986
- Firewall rule "WinRM HTTPS-In" created
- WinRM service running and set to automatic
- Log file created with SUCCESS status
- No errors in log file
- Certificate imported to Local Machine store
- HTTPS listener created on port 5986
- Firewall rule "WinRM HTTPS-In" created
- WinRM service running and set to automatic
- Log file created with SUCCESS status
- No errors in log file
### Connectivity Success
- `Test-WSMan` succeeds from management server
- Can create remote PSSession with `-UseSSL`
- Can execute remote commands via HTTPS
- Certificate validation passes
- `Test-WSMan` succeeds from management server
- Can create remote PSSession with `-UseSSL`
- Can execute remote commands via HTTPS
- Certificate validation passes
### Project Success
- All 175 PCs deployed successfully
- All deployments logged
- Remote connectivity verified
- Asset inventory updated
- Documentation complete
- All 175 PCs deployed successfully
- All deployments logged
- Remote connectivity verified
- Asset inventory updated
- Documentation complete
---
@@ -503,4 +503,4 @@ The WinRM HTTPS deployment project is **complete and ready for testing**. All sc
**Document Version**: 1.0
**Last Updated**: 2025-10-17
**Status**: READY FOR TESTING
**Status**: READY FOR TESTING

View File

@@ -31,7 +31,7 @@ This folder contains scripts and documentation for setting up secure WinRM over
|------|-------------|
| **WINRM_HTTPS_DEPLOYMENT_GUIDE.md** | Complete deployment guide with troubleshooting |
## 🚀 Quick Start
## Quick Start
### 1. Generate Certificate (Testing)
@@ -84,14 +84,14 @@ $certPass = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
- Protect the PFX file password
- Use `-SkipCertificateCheck` only for testing
## 📊 Shopfloor PCs
## Shopfloor PCs
- **Total PCs**: 175
- **Source**: Database query filtered by `pctypeid = 3` (Shopfloor type)
- **FQDN Format**: `{hostname}.logon.ds.ge.com`
- **Example**: `G1JJVH63ESF.logon.ds.ge.com`
## 🔧 Workflow
## Workflow
1. **Generate/Obtain Certificate**
- Use `Generate-WildcardCert.ps1` for testing

View File

@@ -2,7 +2,7 @@
This guide covers secure methods for handling passwords and credentials in PowerShell, avoiding plaintext passwords in scripts and command history.
## ⚠️ Never Do This
## Never Do This
```powershell
# BAD - Password visible in script and command history
@@ -18,7 +18,7 @@ $certPass = ConvertTo-SecureString "MyPassword123!" -AsPlainText -Force
---
## Secure Methods
## Secure Methods
### Method 1: Interactive Prompt (Most Secure for Manual Use)
@@ -92,10 +92,10 @@ $certPass = Import-Clixml -Path "C:\Secure\cert-password.xml"
```
**Important notes:**
- Encrypted files can ONLY be decrypted by the same user on the same computer
- Safe to store in version control (but not recommended)
- ⚠️ Won't work if script runs as different user (e.g., scheduled task with service account)
- ⚠️ Won't work on different computer
- Encrypted files can ONLY be decrypted by the same user on the same computer
- Safe to store in version control (but not recommended)
- Won't work if script runs as different user (e.g., scheduled task with service account)
- Won't work on different computer
---
@@ -131,10 +131,10 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
```
**Advantages:**
- Works with scheduled tasks
- Can be used by service accounts
- Centralized management
- Encrypted by Windows
- Works with scheduled tasks
- Can be used by service accounts
- Centralized management
- Encrypted by Windows
---
@@ -152,7 +152,7 @@ $env:WINRM_CERT_PATH = "C:\Certs\wildcard.pfx"
-Domain $env:WINRM_DOMAIN
```
**⚠️ Do NOT use for passwords:**
** Do NOT use for passwords:**
```powershell
# BAD - Environment variables are not secure for passwords
$env:CERT_PASSWORD = "MyPassword" # DON'T DO THIS
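Review bot: removing the emoji from "**⚠️ Do NOT use for passwords:**" left a leading space inside the bold markers, and markdown does not render `** Do NOT use for passwords:**` as bold. Suggest "**Do NOT use for passwords:**".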
@@ -350,7 +350,7 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
## 🛡️ Security Best Practices
### Do's
### Do's
1. **Always use SecureString for passwords**
```powershell
@@ -386,7 +386,7 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
[System.GC]::Collect()
```
### Don'ts
### Don'ts
1. **Never hardcode passwords**
```powershell
@@ -420,7 +420,7 @@ $cred = Get-StoredCredential -Target "ShopfloorAdmin"
---
## 🔧 Setting Up Secure Credential Storage
## Setting Up Secure Credential Storage
### Step 1: Create Secure Directory
@@ -543,15 +543,15 @@ $cred = Get-DomainCredential
---
## 📊 Summary Comparison
## Summary Comparison
| Method | Security | Ease of Use | Automation | Cross-User | Enterprise |
|--------|----------|-------------|------------|------------|------------|
| Interactive Prompt | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | | | |
| Encrypted File | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | | | |
| Credential Manager | ⭐⭐⭐⭐ | ⭐⭐⭐ | | | ⭐⭐⭐ |
| Azure Key Vault | ⭐⭐⭐⭐⭐ | ⭐⭐ | | | ⭐⭐⭐⭐⭐ |
| Plaintext (DON'T) | | ⭐⭐⭐⭐⭐ | | | |
| Interactive Prompt | | | | | |
| Encrypted File | | | | | |
| Credential Manager | | | | | |
| Azure Key Vault | | | | | |
| Plaintext (DON'T) | | | | | |
---
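Review bot: stripping the star emojis from the Summary Comparison table empties every rating cell, so the table no longer says anything and "Plaintext (DON'T)" is now indistinguishable from "Azure Key Vault". Suggest replacing each star run with its count (or High/Medium/Low) derived from the removed lines, e.g. `| Interactive Prompt | 5 | 5 | - | - | - |` and `| Azure Key Vault | 5 | 2 | - | - | 5 |`, so the comparison survives the emoji cleanup.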

@@ -503,13 +503,13 @@ Remove-PSSession $session
## Next Steps
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
---

@@ -137,7 +137,7 @@ If the above methods don't work, generate the certificate on a computer without
**Solution:**
```powershell
# Run PowerShell as Administrator
# Right-click PowerShell Run as Administrator
# Right-click PowerShell Run as Administrator
# Verify admin rights
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
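Review bot: deleting the Unicode arrow from the comment leaves "# Right-click PowerShell Run as Administrator" with the two steps run together. Suggest "# Right-click PowerShell -> Run as Administrator" so the navigation still reads as a sequence in plain ASCII.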
@@ -413,11 +413,11 @@ If none of these solutions work:
**Recommended approach when you see smart card error:**
1. Try `Generate-WildcardCert-Alternative.ps1` (uses certreq)
2. Try disabling smart card service temporarily
3. Try different crypto provider
4. Generate on different computer without restrictions
5. Request certificate from your organization's CA
1. Try `Generate-WildcardCert-Alternative.ps1` (uses certreq)
2. Try disabling smart card service temporarily
3. Try different crypto provider
4. Generate on different computer without restrictions
5. Request certificate from your organization's CA
**For production deployment:**
- Always get certificates from trusted Certificate Authority

@@ -32,7 +32,7 @@ New-SmbShare -Name "WinRM-HTTPS" -Path $deployPath -FullAccess "Everyone"
**Or manually:**
1. Create folder: `C:\Deployment\WinRM-HTTPS`
2. Copy all files from `winrm-https` folder
3. Right-click folder Properties Sharing Advanced Sharing
3. Right-click folder Properties Sharing Advanced Sharing
4. Check "Share this folder"
5. Share name: `WinRM-HTTPS`
6. Permissions: Give "Everyone" Read access (or specific security group)
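Review bot: step 3 lost its arrows and now reads "Right-click folder Properties Sharing Advanced Sharing"; suggest "Right-click folder -> Properties -> Sharing -> Advanced Sharing". While touching this list, step 6 ("Give Everyone Read access") deserves a caveat because the share is meant to hold the .pfx with the private key: recommend the specific security group as the default and reserve "Everyone" for an isolated test share.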
@@ -49,10 +49,10 @@ Get-ChildItem "\\SERVER\WinRM-HTTPS"
```
Expected files:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
- Other PS1 scripts
---
@@ -105,13 +105,13 @@ Include everything for troubleshooting:
6. Wait for completion
**Advantages:**
- Simple - no copying needed
- Always uses latest files
- No local disk space used
- Simple - no copying needed
- Always uses latest files
- No local disk space used
**Disadvantages:**
- ⚠️ Requires network connectivity during install
- ⚠️ Slower if network is congested
- Requires network connectivity during install
- Slower if network is congested
---
@@ -139,13 +139,13 @@ Deploy-WinRM-HTTPS.bat
```
**Advantages:**
- Faster execution
- Works if network connection lost
- Can verify files before running
- Faster execution
- Works if network connection lost
- Can verify files before running
**Disadvantages:**
- ⚠️ Uses local disk space
- ⚠️ Extra copy step
- Uses local disk space
- Extra copy step
---
@@ -193,14 +193,14 @@ foreach ($hostname in $targetPCs) {
```
**Advantages:**
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
- Deploy to many PCs from one location
- No physical access needed
- Can run overnight/batch
**Disadvantages:**
- ⚠️ Requires existing remote access (WinRM or admin shares)
- ⚠️ More complex
- ⚠️ Password visible in script (use secure credential management)
- Requires existing remote access (WinRM or admin shares)
- More complex
- Password visible in script (use secure credential management)
---
@@ -219,8 +219,8 @@ foreach ($hostname in $targetPCs) {
- Edit GPO
3. **Add Startup Script:**
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Computer Configuration Policies Windows Settings Scripts
- Startup Add
- Script: `\\DOMAIN\NETLOGON\Scripts\WinRM-HTTPS\Deploy-WinRM-HTTPS.bat`
4. **Link GPO to OU:**
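Review bot: the GPO navigation in step 3 lost its separators and now reads "Computer Configuration Policies Windows Settings Scripts" and "Startup Add". Suggest "Computer Configuration -> Policies -> Windows Settings -> Scripts" and "Startup -> Add" so the path is unambiguous.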
@@ -228,14 +228,14 @@ foreach ($hostname in $targetPCs) {
- PCs will run script on next reboot
**Advantages:**
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
- Automated deployment
- Centrally managed
- Runs with SYSTEM privileges
**Disadvantages:**
- ⚠️ Requires domain environment
- ⚠️ Requires restart
- ⚠️ Password handling more complex
- Requires domain environment
- Requires restart
- Password handling more complex
---
@@ -270,7 +270,7 @@ REM Set on each PC or via GPO
setx WINRM_CERT_PASS "XqHuyaLZSyCYEcpsMz6h5" /M
```
**⚠️ Never:**
** Never:**
- Hardcode password in batch file on network share (readable by everyone)
- Email password in plaintext
- Store password in unencrypted text file
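Review bot: "** Never:**" has a leading space inside the bold markers after the emoji removal and will not render as bold; suggest "**Never:**". More importantly, the unchanged context just above, `setx WINRM_CERT_PASS "..." /M`, commits the real PFX password to this document and shows it being written into a machine-wide environment variable, which is exactly what the "Never" list below and the credentials guide in this same commit say not to do. Suggest replacing the literal with a placeholder such as `<PFX-PASSWORD>` and rotating the PFX password, since the value is already in the repository history.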
@@ -293,7 +293,7 @@ Grant-SmbShareAccess -Name "WinRM-HTTPS" -AccountName "DOMAIN\IT Admins" -Access
The certificate PFX file contains the private key. Protect it:
1. **Use share permissions** to restrict access
2. **Use certificate password** (you did )
2. **Use certificate password** (you did )
3. **Monitor access** to the share
4. **Delete from share** after deployment complete
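Review bot: step 2 now reads "Use certificate password (you did )" with a dangling space where the checkmark emoji was. Suggest "**Use certificate password** (already done)" or drop the parenthetical.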
@@ -315,7 +315,7 @@ The certificate PFX file contains the private key. Protect it:
```
For each test PC:
1. Navigate to \\SERVER\WinRM-HTTPS
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
2. Right-click Deploy-WinRM-HTTPS.bat Run as Administrator
3. Enter password when prompted
4. Verify success
5. Test connection from management server
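Review bot: step 2 lost its arrow and reads "Right-click Deploy-WinRM-HTTPS.bat Run as Administrator". Suggest "Right-click Deploy-WinRM-HTTPS.bat -> Run as Administrator".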
@@ -378,7 +378,7 @@ Write-Host "Share created: \\$env:COMPUTERNAME\WinRM-HTTPS"
**On test PC (G1JJVH63ESF):**
1. Open Explorer: `\\MANAGEMENT-SERVER\WinRM-HTTPS`
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
2. Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator
3. Enter password: `XqHuyaLZSyCYEcpsMz6h5`
4. Wait for completion
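Review bot: step 2 lost its arrow ("Right-click `Deploy-WinRM-HTTPS.bat` Run as Administrator"; suggest "->"), and step 3 in the unchanged context prints the actual certificate password inline. Suggest the same `<PFX-PASSWORD>` placeholder used elsewhere, and note in the text that the password is obtained from the password manager named in the "Certificate Password Storage" section rather than from this file.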
@@ -462,7 +462,7 @@ Get-SmbShareAccess -Name "WinRM-HTTPS"
### Problem: "Access Denied" running batch file
**Solution:**
- Right-click Run as Administrator
- Right-click Run as Administrator
- User must be local admin on PC
- Check UAC settings
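Review bot: "- Right-click Run as Administrator" lost its arrow and reads as one phrase. Suggest "- Right-click -> Run as Administrator".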
@@ -514,15 +514,15 @@ Save as `README.txt` in the share.
**Best Practice for Your Scenario:**
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
1. Create network share: `\\SERVER\WinRM-HTTPS`
2. Include:
- `Deploy-WinRM-HTTPS.bat`
- `Setup-WinRM-HTTPS.ps1`
- `wildcard-logon-ds-ge-com-20251017.pfx`
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
3. Deploy to 3-5 test PCs manually
4. Verify each deployment
5. Deploy to remaining PCs in batches
6. Remove certificate from share when done
**Certificate Password Storage:**
- Store in password manager
@@ -530,7 +530,7 @@ Save as `README.txt` in the share.
- Use encrypted files for automation
**The batch files handle:**
- Administrator check
- File verification
- Error handling
- User feedback
- Administrator check
- File verification
- Error handling
- User feedback

@@ -503,13 +503,13 @@ Remove-PSSession $session
## Next Steps
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
1. Run the updated deployment on test PC (with wildcard CN fix)
2. Use these commands to test connectivity
3. Verify remote commands work correctly
4. If successful, deploy to 3-5 more PCs
5. Test connectivity to all deployed PCs
6. Document any issues in deployment logs
7. Proceed with production rollout
---