# Invoke-RemoteMaintenance.ps1

Remote maintenance toolkit for executing maintenance tasks on shopfloor PCs via WinRM.

## Table of Contents

- [Overview](#overview)
- [First-Time Setup](#first-time-setup)
- [API Integration](#api-integration)
- [Prerequisites](#prerequisites)
- [Quick Start](#quick-start)
- [Parameters Reference](#parameters-reference)
- [Available Tasks](#available-tasks)
- [Software Deployment Mechanism](#software-deployment-mechanism)
- [How-To Guides](#how-to-guides)
  - [System Repair](#how-to-repair-system-files)
  - [Disk Optimization](#how-to-optimize-disks)
  - [Service Management](#how-to-manage-services)
  - [Time Synchronization](#how-to-fix-time-sync-issues)
  - [DNC Configuration](#how-to-update-dnc-configurations)
  - [File Deployment](#how-to-deploy-files)
  - [Registry Import](#how-to-import-registry-files)
  - [Software Deployment](#how-to-deploy-software)
  - [Batch Operations](#how-to-run-batch-operations)
- [Targeting Strategies](#targeting-strategies)
- [Troubleshooting](#troubleshooting)
- [Best Practices](#best-practices)

---

## Overview

This script provides a comprehensive remote maintenance toolkit for managing shopfloor PCs. It executes maintenance tasks via WinRM (Windows Remote Management) and can target PCs individually, by type, by business unit, or all at once.

**Location:** `S:\dt\shopfloor\scripts\remote-execution\Invoke-RemoteMaintenance.ps1`

**Key Features:**

- 22 maintenance tasks available
- General-purpose file deployment (`CopyFile`) and registry import (`ImportReg`) tasks
- Registry imports run as logged-in user via scheduled task (HKCU support)
- Optional post-copy commands via scheduled task (service/app restarts)
- Multiple targeting options (by name, type, business unit, or all)
- Concurrent execution with configurable throttling
- Integration with ShopDB for PC discovery

---

## First-Time Setup

Before running this script for the first time, you must allow PowerShell script execution and unblock the script file.

### Step 1: Allow PowerShell Script Execution

Open PowerShell **as Administrator** and run:

```powershell
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
```

When prompted, type `Y` and press Enter. This allows locally-created scripts to run and requires downloaded scripts to be signed or unblocked.

> **Note:** You only need to do this once per user account. `RemoteSigned` is the recommended policy — it allows local scripts while still protecting against untrusted downloads.

### Step 2: Unblock the Script File

Files downloaded from a network share or the internet are marked as "blocked" by Windows. You must unblock the script before it can run.

**Option A — File Explorer (GUI):**

1. Navigate to `S:\dt\shopfloor\scripts\remote-execution\`
2. Right-click `Invoke-RemoteMaintenance.ps1` and select **Properties**
3. At the bottom of the General tab, check the **Unblock** checkbox
4. Click **Apply**, then **OK**

**Option B — PowerShell:**

```powershell
Unblock-File -Path "S:\dt\shopfloor\scripts\remote-execution\Invoke-RemoteMaintenance.ps1"
```

> **Important:** If you skip this step, you will get a security error when trying to run the script: *"cannot be loaded because running scripts is disabled on this system"* or *"cannot be loaded. The file is not digitally signed."*

---

## API Integration

When using `-All`, `-PcType`, or `-BusinessUnit` targeting, the script retrieves PC lists from the ShopDB API:

```
GET /api.asp?action=getShopfloorPCs
GET /api.asp?action=getShopfloorPCs&pctypeid=2          # CMM PCs only
GET /api.asp?action=getShopfloorPCs&businessunitid=1    # Specific business unit
```

**PC Type IDs:**

| ID | Type | ID | Type |
|----|------|----|------|
| 1 | Standard | 7 | Keyence |
| 2 | Engineer | 8 | Genspect |
| 3 | Shopfloor | 9 | Heat Treat |
| 4 | Uncategorized | 10 | Inspection |
| 5 | CMM | 11 | Dashboard |
| 6 | Wax / Trace | 12 | Lobby Display |

**See:** [ShopDB API Reference](ShopDB-API.html) for complete API documentation.

---

## Prerequisites

### On Your Workstation

1. **PowerShell 5.1 or higher**
2. **Network access to target PCs** (TCP port 5985)
3. **Admin credentials** for target PCs

### On Target PCs

1. **WinRM enabled** (`Enable-PSRemoting -Force`)
2. **Firewall rules** allowing WinRM traffic

### Verify Connectivity

```powershell
# Test WinRM connectivity
Test-WSMan -ComputerName "SHOPFLOOR-PC01"

# Test with credentials
$cred = Get-Credential
Test-WSMan -ComputerName "SHOPFLOOR-PC01" -Credential $cred
```

---

## Quick Start

### Step 1: Get Credentials

```powershell
$cred = Get-Credential -Message "Enter domain admin credentials"
```

### Step 2: Run a Simple Task

```powershell
# Flush DNS on a single PC
.\Invoke-RemoteMaintenance.ps1 -ComputerName "SHOPFLOOR-PC01" -Task FlushDNS -Credential $cred
```

### Step 3: Check Results

The script outputs status for each PC:

```
[SHOPFLOOR-PC01] FlushDNS: SUCCESS
  DNS Resolver Cache flushed successfully
```

---

## Parameters Reference

### Targeting Parameters (Mutually Exclusive)

| Parameter | Type | Description |
|-----------|------|-------------|
| `-ComputerName` | string[] | One or more computer names or IPs |
| `-ComputerListFile` | string | Path to text file with hostnames |
| `-All` | switch | Target all shopfloor PCs from ShopDB |
| `-PcType` | string | Target by PC type (see PC Types) |
| `-BusinessUnit` | string | Target by business unit (see Business Units) |

### Task Parameter (Required)

| Parameter | Type | Description |
|-----------|------|-------------|
| `-Task` | string | Maintenance task to execute |

### File Deployment Parameters (CopyFile / ImportReg)

| Parameter | Type | Description |
|-----------|------|-------------|
| `-SourcePath` | string | Source file path (local or UNC). Required for CopyFile and ImportReg |
| `-DestinationPath` | string | Destination file path on remote PCs. Required for CopyFile |
| `-RunCommand` | string | Command to run after CopyFile. Runs as logged-in user by default (via scheduled task) |
| `-AsSystem` | switch | Run ImportReg and -RunCommand in the WinRM session (SYSTEM context) instead of as logged-in user |

### Optional Parameters

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `-Credential` | PSCredential | Prompt | Remote authentication |
| `-ApiUrl` | string | Production | ShopDB API endpoint |
| `-ThrottleLimit` | int | 5 | Max concurrent sessions |
| `-DnsSuffix` | string | logon.ds.ge.com | DNS suffix for FQDN resolution |
| `-LogFile` | switch | Off | Enable transcript logging to `logs/` directory |

### PC Types

```
Standard, Engineer, Shopfloor, CMM, Wax / Trace, Keyence, Genspect,
Heat Treat, Inspection, Dashboard, Lobby Display, Uncategorized
```

### Business Units

```
TBD, Blisk, HPT, Spools, Inspection, Venture, Turn/Burn, DT
```

---

## Available Tasks

### Repair Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `DISM` | Repair Windows component store | 15-60 min | Low |
| `SFC` | System File Checker scan | 10-30 min | Low |

### Optimization Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `OptimizeDisk` | TRIM (SSD) or Defrag (HDD) | 5-60 min | Medium |
| `DiskCleanup` | Remove temp files, updates | 5-15 min | Low |
| `ClearUpdateCache` | Clear Windows Update cache | 1-2 min | Low |
| `ClearBrowserCache` | Clear Chrome/Edge cache | 1-2 min | Low |

### Service Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `RestartSpooler` | Restart Print Spooler | <1 min | Low |
| `FlushDNS` | Clear DNS cache | <1 min | None |
| `RestartWinRM` | Restart WinRM service | <1 min | Temp disconnect |

### Time/Date Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `SetTimezone` | Set to Eastern Time | <1 min | None |
| `SyncTime` | Force time sync with DC | <1 min | None |

### DNC Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `UpdateDNCMXHosts` | Update FtpHostPrimary/Secondary in DNC\MX registry | <1 min | None |
| `AuditDNCConfig` | Compare DNC registry vs UDC backup JSON, export CSV | 1-5 min | None |
| `CheckDefectTracker` | Check if Defect_Tracker.exe is running, export CSV | 1-5 min | None |

### File Deployment Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `CopyFile` | Copy file from `-SourcePath` to `-DestinationPath` on remote PCs | 1-2 min | Low |
| `ImportReg` | Copy `.reg` file and import via scheduled task as logged-in user | 1-2 min | Low |

### System Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `GPUpdate` | Force Group Policy refresh (`gpupdate /force`) | <1 min | Low |
| `Reboot` | Restart PC (30s delay) | 2-5 min | High |

### Software Deployment Tasks

| Task | Description | Duration | Impact |
|------|-------------|----------|--------|
| `InstallDashboard` | Install GE Dashboard app | 2-5 min | Medium |
| `InstallLobbyDisplay` | Install Lobby Display app | 2-5 min | Medium |
| `UninstallDashboard` | Remove GE Dashboard | 1-2 min | Low |
| `UninstallLobbyDisplay` | Remove Lobby Display | 1-2 min | Low |

---

## Software Deployment Mechanism

### Source File Locations

Deployment tasks require source files to be available before execution:

| Task | Source File Path |
|------|------------------|
| `InstallDashboard` | `\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\scripts\Dashboard\GEAerospaceDashboardSetup.exe` |
| `InstallLobbyDisplay` | `\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\scripts\LobbyDisplay\GEAerospaceLobbyDisplaySetup.exe` |
| `CopyFile` | Any file - specified via `-SourcePath` parameter |
| `ImportReg` | Any `.reg` file - specified via `-SourcePath` parameter |

### How Deployment Works

1. **Pre-flight Check:** Script verifies source file exists
2. **WinRM Session:** Opens remote session to target PC
3. **File Push:** Copies source file to `C:\Windows\Temp\` on remote PC
4. **Execution:** Runs install/copy/import task using pushed file
5. **Post-action:** Optionally runs command as logged-in user via scheduled task
6. **Cleanup:** Removes temp file from remote PC

```
+---------------------+     WinRM      +---------------------+
|  Your Workstation   |  ------------> |      Target PC      |
|                     |                |                     |
|  Source Files:      |   Push File    |  Temp Location:     |
|  - Setup.exe        |  ------------> |  C:\Windows\Temp    |
|  - config.json      |                |                     |
|  - settings.reg     |    Execute     |  Final Location:    |
|  (any path/UNC)     |  ------------> |  -DestinationPath   |
|                     |                |                     |
|                     |  Sched. Task   |  Logged-in User:    |
|                     |  ------------> |  - regedit /s       |
|                     |                |  - RunCommand       |
+---------------------+                +---------------------+
```

### CopyFile Details

The `CopyFile` task:

1. **Source:** Any file specified via `-SourcePath` (local or UNC path)
2. **Destination:** Specified via `-DestinationPath`
3. **Backup:** Existing file is backed up as `-old-.`
4. **Post-action:** If `-RunCommand` is specified, runs as the logged-in user via a one-shot scheduled task (same pattern as Dashboard/Lobby kiosk relaunch)

### ImportReg Details

The `ImportReg` task:

1. **Source:** `.reg` file specified via `-SourcePath`
2. **Import method:** `regedit.exe /s` via one-shot scheduled task as logged-in user
3. **HKCU support:** Runs as the logged-in user, so both HKLM and HKCU keys apply correctly
4. **Fallback:** If no user is logged in, runs `regedit.exe /s` directly (HKLM only)
5. **Cleanup:** Temp `.reg` file removed after import

### Dashboard/Lobby Display Install Details

Both kiosk app installers:

1. **Installer type:** Inno Setup (supports `/VERYSILENT`)
2. **Pre-install:** Kills running Edge kiosk via `PrepareToInstall` in Inno Setup
3. **Execution:** Silent install with no user prompts (120-second timeout)
4. **Post-install:** Creates a one-shot scheduled task to relaunch Edge in kiosk mode as the logged-in user (e.g. `lg044513sd`), then auto-deletes the task
5. **Cleanup:** Installer removed from temp after execution
6. **Connectivity:** Offline PCs are skipped with a ping check before connecting

**Uninstall GUIDs:**

- Dashboard: `{9D9EEE25-4D24-422D-98AF-2ADEDA4745ED}`
- Lobby Display: `{42FFB952-0B72-493F-8869-D957344CA305}`

### Adding New Deployable Applications

To add a new application for deployment, edit the script in two places:

**Step 1: Add to `$KioskAppConfig` hashtable**

```powershell
$KioskAppConfig = @{
    # Existing entries...

    # Add new application
    'InstallNewApp' = @{
        Action        = 'Install'
        InstallerPath = '\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\scripts\NewApp\NewAppSetup.exe'
        InstallerName = 'NewAppSetup.exe'
        AppName       = 'New Application Name'
        UninstallGuid = '{YOUR-GUID-HERE}'  # Find in registry after manual install
        KioskUrl      = 'https://tsgwp00525.wjs.geaerospace.net/shopdb/your-page/'  # Optional: relaunch Edge kiosk after install
    }
    'UninstallNewApp' = @{
        Action        = 'Uninstall'
        InstallerName = 'NewAppSetup.exe'
        AppName       = 'New Application Name'
        UninstallGuid = '{YOUR-GUID-HERE}'
    }
}
```

**Step 2: Add task names to ValidateSet (~line 142)**

```powershell
[ValidateSet(
    'DISM', 'SFC', 'OptimizeDisk', 'DiskCleanup', 'ClearUpdateCache',
    'RestartSpooler', 'FlushDNS', 'RestartWinRM', 'ClearBrowserCache',
    'SetTimezone', 'SyncTime', 'UpdateEMxAuthToken', 'DeployUDCWebServerConfig', 'Reboot',
    'InstallDashboard', 'InstallLobbyDisplay', 'UninstallDashboard', 'UninstallLobbyDisplay',
    'InstallNewApp', 'UninstallNewApp'  # Add new tasks here
)]
[string]$Task
```

**Step 3: Place installer on network share**

```
\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\scripts\NewApp\NewAppSetup.exe
```

**Finding the Uninstall GUID:**

After manually installing the application on a test PC, find the GUID in registry:

```powershell
# Search for app in registry
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like "*AppName*" } |
    Select-Object DisplayName, PSChildName, UninstallString
```

The `PSChildName` is typically the GUID (e.g., `{9D9EEE25-4D24-422D-98AF-2ADEDA4745ED}`).

**Installer Requirements:**

- Must support silent installation flags
  - Inno Setup: `/VERYSILENT /SUPPRESSMSGBOXES /NORESTART`
  - MSI: `/qn /norestart`
  - NSIS: `/S`

If your installer uses different flags, modify the `InstallKioskApp` scriptblock.

---

## How-To Guides

### How to Repair System Files

**Scenario:** A PC has corrupted system files causing crashes or errors.

#### Option 1: DISM (Component Store Repair)

```powershell
# Run DISM repair on a single PC
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PROBLEM-PC" -Task DISM -Credential $cred
```

**What it does:**

- Downloads missing/corrupted files from Windows Update
- Repairs the Windows component store
- Required before SFC if component store is damaged

**Expected output:**

```
[PROBLEM-PC] DISM: SUCCESS
  Deployment Image Servicing and Management tool
  The restore operation completed successfully.
```

#### Option 2: SFC (System File Checker)

```powershell
# Run SFC after DISM
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PROBLEM-PC" -Task SFC -Credential $cred
```

**What it does:**

- Scans all protected system files
- Replaces corrupted files from component store
- Creates log at `C:\Windows\Logs\CBS\CBS.log`

**Best Practice - Full Repair Sequence:**

```powershell
# Step 1: Run DISM first
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PROBLEM-PC" -Task DISM -Credential $cred

# Step 2: Run SFC after DISM completes
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PROBLEM-PC" -Task SFC -Credential $cred

# Step 3: Reboot to apply changes
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PROBLEM-PC" -Task Reboot -Credential $cred
```

---

### How to Optimize Disks

**Scenario:** PCs are running slow due to disk fragmentation or lack of TRIM.

#### Single PC Optimization

```powershell
.\Invoke-RemoteMaintenance.ps1 -ComputerName "SLOW-PC" -Task OptimizeDisk -Credential $cred
```

**What it does:**

- Detects drive type (SSD vs HDD)
- For SSDs: Runs TRIM to reclaim deleted blocks
- For HDDs: Runs defragmentation

#### Optimize All CMM PCs (After Hours)

```powershell
# CMM PCs often have large files - optimize overnight
.\Invoke-RemoteMaintenance.ps1 -PcType CMM -Task OptimizeDisk -Credential $cred -ThrottleLimit 3
```

#### Full Cleanup Sequence

```powershell
# Step 1: Clear update cache
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01" -Task ClearUpdateCache -Credential $cred

# Step 2: Run disk cleanup
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01" -Task DiskCleanup -Credential $cred

# Step 3: Optimize disk
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01" -Task OptimizeDisk -Credential $cred
```

---

### How to Fix Stuck Windows Updates

**Scenario:** Windows Update is stuck or failing repeatedly.

```powershell
# Clear the Windows Update cache
.\Invoke-RemoteMaintenance.ps1 -ComputerName "UPDATE-STUCK-PC" -Task ClearUpdateCache -Credential $cred
```

**What it does:**

1. Stops Windows Update service
2. Stops BITS service
3. Clears `C:\Windows\SoftwareDistribution\Download`
4. Restarts services

**After clearing, trigger new update check:**

```powershell
# On the target PC (optional follow-up)
wuauclt /detectnow
```

---

### How to Clear Browser Cache

**Scenario:** CMM or inspection PCs have slow browser performance.

```powershell
# Single PC
.\Invoke-RemoteMaintenance.ps1 -ComputerName "CMM-PC01" -Task ClearBrowserCache -Credential $cred

# All CMM PCs
.\Invoke-RemoteMaintenance.ps1 -PcType CMM -Task ClearBrowserCache -Credential $cred
```

**What it does:**

- Clears Chrome cache directories
- Clears Edge cache directories
- Does NOT clear saved passwords or bookmarks

---

### How to Manage Services

#### Fix Printing Issues

```powershell
# Restart print spooler on a PC with stuck print jobs
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PRINT-PROBLEM-PC" -Task RestartSpooler -Credential $cred
```

**What it does:**

1. Stops Print Spooler service
2. Clears print queue
3. Restarts Print Spooler service

#### Fix DNS Resolution Issues

```powershell
# Flush DNS cache when a PC can't resolve hostnames
.\Invoke-RemoteMaintenance.ps1 -ComputerName "DNS-ISSUE-PC" -Task FlushDNS -Credential $cred

# Flush DNS on all PCs in a business unit
.\Invoke-RemoteMaintenance.ps1 -BusinessUnit Blisk -Task FlushDNS -Credential $cred
```

#### Fix Remote Management Issues

```powershell
# Restart WinRM if subsequent remote commands fail
.\Invoke-RemoteMaintenance.ps1 -ComputerName "WINRM-ISSUE-PC" -Task RestartWinRM -Credential $cred
```

**Note:** Connection will briefly drop during restart.

---

### How to Fix Time Sync Issues

**Scenario:** PC clock is wrong, causing certificate errors or login issues.

#### Set Correct Timezone

```powershell
# Single PC
.\Invoke-RemoteMaintenance.ps1 -ComputerName "WRONG-TIME-PC" -Task SetTimezone -Credential $cred

# All shopfloor PCs
.\Invoke-RemoteMaintenance.ps1 -All -Task SetTimezone -Credential $cred
```

**Sets timezone to:** Eastern Standard Time

#### Force Time Synchronization

```powershell
# Sync time with domain controller
.\Invoke-RemoteMaintenance.ps1 -ComputerName "WRONG-TIME-PC" -Task SyncTime -Credential $cred
```

**Full time fix sequence:**

```powershell
# Step 1: Set correct timezone
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01" -Task SetTimezone -Credential $cred

# Step 2: Sync time
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01" -Task SyncTime -Credential $cred
```

---

### How to Update DNC Configurations

#### Update DNC MX Hosts

**Scenario:** FtpHostPrimary/FtpHostSecondary in DNC\MX registry needs updating (hostname migration).

```powershell
# Single PC
.\Invoke-RemoteMaintenance.ps1 -ComputerName "DNC-PC01" -Task UpdateDNCMXHosts -Credential $cred

# All shopfloor PCs
.\Invoke-RemoteMaintenance.ps1 -All -Task UpdateDNCMXHosts -Credential $cred
```

**What it does:**

1. Checks both 32-bit (WOW6432Node) and 64-bit registry paths
2. Only updates values matching the old hostname - skips unexpected values
3. Safe to run on all PCs: no-ops if DNC\MX key doesn't exist

#### Audit DNC Config vs UDC Backup

**Scenario:** Verify DNC registry settings match UDC backup JSON files.

```powershell
.\Invoke-RemoteMaintenance.ps1 -All -Task AuditDNCConfig -Credential $cred -LogFile
```

**What it does:**

1. Reads DNC registry values (General, eFocas, Hssb, PPDCS keys)
2. Compares against UDC backup JSON files on the network share
3. Reports MATCH/MISMATCH/MISSING for each field
4. Exports CSV report to `logs/`

#### Check Defect Tracker Status

```powershell
.\Invoke-RemoteMaintenance.ps1 -PcType Shopfloor -Task CheckDefectTracker -Credential $cred
```

**What it does:**

1. Checks if `Defect_Tracker.exe` is running on each PC
2. Reports machine number + running status
3. Exports CSV report to `logs/`

---

### How to Deploy Files

**Scenario:** Push any file to remote PCs with automatic backup of existing files.

#### Basic File Copy

```powershell
# Copy a config file to a specific destination
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01","PC02" -Task CopyFile `
    -SourcePath "\\server\share\config.json" `
    -DestinationPath "C:\ProgramData\App\config.json" `
    -Credential $cred
```

**What it does:**

1. Copies source file to `C:\Windows\Temp\` on remote PC via WinRM
2. Creates backup of existing file (if any) with timestamp
3. Moves temp file to final destination
4. Verifies deployment

#### File Copy with Post-Copy Command

**Scenario:** Deploy a file and restart a service/app in the logged-in user's session.

```powershell
# Deploy eMxInfo.txt and kill DNC so it picks up the new file
.\Invoke-RemoteMaintenance.ps1 -All -Task CopyFile `
    -SourcePath "\\server\share\eMxInfo.txt" `
    -DestinationPath "C:\Program Files (x86)\DNC\Server Files\eMxInfo.txt" `
    -RunCommand "taskkill /IM DNCMain.exe /F" `
    -Credential $cred

# Deploy UDC config (no restart needed)
.\Invoke-RemoteMaintenance.ps1 -PcType Shopfloor -Task CopyFile `
    -SourcePath "\\server\share\udc_webserver_settings.json" `
    -DestinationPath "C:\ProgramData\UDC\udc_webserver_settings.json" `
    -Credential $cred
```

The `-RunCommand` runs via a one-shot scheduled task as the logged-in user, so it works for user-session processes (same pattern as Dashboard/Lobby Display kiosk relaunch).

---

### How to Import Registry Files

**Scenario:** Apply registry settings from a `.reg` file to remote PCs.

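
Because `ImportReg` applies whatever the `.reg` file contains on every targeted PC, and `-AsSystem` is only appropriate for HKLM-only files, it is worth summarising the file before pushing it. The following is an added example, not part of `Invoke-RemoteMaintenance.ps1`; the function name `Get-RegFileSummary` and the sample `.reg` content are hypothetical.

```powershell
# Added example (not part of Invoke-RemoteMaintenance.ps1): summarise which
# registry hives a .reg file touches before it is pushed with -Task ImportReg.
function Get-RegFileSummary {
    [CmdletBinding()]
    param(
        # Lines of the .reg file, e.g. from: Get-Content -Path $SourcePath
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Lines
    )

    # Key headers look like [HKEY_...\Sub\Key]; a leading '-' deletes the whole key.
    $keyPattern = '^\s*\[(?<del>-?)(?<hive>HKEY_[A-Z_]+)(?:\\(?<path>.*))?\]\s*$'

    $keys = @(foreach ($line in $Lines) {
        if ($line -match $keyPattern) {
            [pscustomobject]@{
                Hive    = $Matches['hive']
                Path    = $Matches['path']
                Deletes = ($Matches['del'] -eq '-')
            }
        }
    })

    # Value deletions are written as "Name"=- (or @=- for the default value).
    $valueDeletes = @($Lines | Where-Object { $_ -match '^\s*(@|".*")\s*=\s*-\s*$' })

    $nonHklm = @($keys | Where-Object { $_.Hive -ne 'HKEY_LOCAL_MACHINE' })

    [pscustomobject]@{
        KeyCount       = $keys.Count
        Hives          = @($keys | Group-Object Hive |
                             ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count })
        KeyDeletions   = @($keys | Where-Object { $_.Deletes }).Count
        ValueDeletions = $valueDeletes.Count
        # Per this README, -AsSystem is meant for files that contain only HKLM keys.
        HklmOnly       = ($keys.Count -gt 0 -and $nonHklm.Count -eq 0)
    }
}

# Constructed sample content, for illustration only.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"Server"="app.example.internal"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"ShowBanner"=dword:00000000
"OldSetting"=-

[-HKEY_CURRENT_USER\Software\ExampleVendor\Legacy]
'@ -split '\r?\n'

$summary = Get-RegFileSummary -Lines $sample
$summary | Format-List

if (-not $summary.HklmOnly) {
    Write-Warning 'File touches hives other than HKLM: import as the logged-in user (omit -AsSystem).'
}
if ($summary.KeyDeletions -or $summary.ValueDeletions) {
    Write-Warning 'File deletes keys or values: review it and test on one PC before a wider rollout.'
}
```

For a real file, pass `Get-Content -Path <your .reg file>` as `-Lines` on your workstation before running the import.
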
```powershell
# Import a .reg file on all shopfloor PCs
.\Invoke-RemoteMaintenance.ps1 -PcType Shopfloor -Task ImportReg `
    -SourcePath "\\server\share\intranet-zone.reg" `
    -Credential $cred

# Import on specific PCs
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC01" -Task ImportReg `
    -SourcePath "C:\Scripts\my-settings.reg" `
    -Credential $cred
```

**What it does (default — as logged-in user):**

1. Copies `.reg` file to `C:\Windows\Temp\` on remote PC via WinRM
2. Creates a one-shot scheduled task as the logged-in user
3. Runs `regedit.exe /s` to silently import the registry file
4. Cleans up temp file and scheduled task

**HKCU support:** Because the import runs as the logged-in user (via scheduled task), both `HKLM` and `HKCU` keys in the `.reg` file are applied correctly. If no user is logged in, it falls back to direct import (HKLM only).

#### HKLM-Only / System Context

Use `-AsSystem` when the `.reg` file only contains `HKLM` keys and you want to skip the scheduled task overhead:

```powershell
# Import HKLM-only registry settings directly as SYSTEM
.\Invoke-RemoteMaintenance.ps1 -All -Task ImportReg `
    -SourcePath "\\server\share\machine-policy.reg" `
    -AsSystem -Credential $cred
```

This runs `regedit.exe /s` directly in the WinRM session (SYSTEM context). Faster, but HKCU keys will not apply to any user.

---

### How to Deploy Software

#### Install GE Aerospace Dashboard

**Scenario:** Convert a PC to a Dashboard kiosk.

```powershell
# Single PC installation
.\Invoke-RemoteMaintenance.ps1 -ComputerName "NEWKIOSK-01" -Task InstallDashboard -Credential $cred

# Multiple PCs from a list
$kiosks = @("KIOSK-01", "KIOSK-02", "KIOSK-03")
.\Invoke-RemoteMaintenance.ps1 -ComputerName $kiosks -Task InstallDashboard -Credential $cred
```

**What it does:**

1. Pings target PC (skips if offline)
2. Copies installer from network share to `C:\Windows\Temp\`
3. Kills running Edge kiosk
4. Runs silent installation (120-second timeout)
5. Relaunches Edge kiosk via scheduled task as the logged-in user
6. Cleans up installer and scheduled task

**No reboot required** — Edge relaunches automatically in the logged-in user's session.

```powershell
# Deploy to all Dashboard kiosks
.\Invoke-RemoteMaintenance.ps1 -PcType Dashboard -Task InstallDashboard -Credential $cred

# Deploy to all Lobby Display kiosks
.\Invoke-RemoteMaintenance.ps1 -PcType "Lobby Display" -Task InstallLobbyDisplay -Credential $cred
```

#### Install Lobby Display

```powershell
.\Invoke-RemoteMaintenance.ps1 -ComputerName "LOBBY-01" -Task InstallLobbyDisplay -Credential $cred
```

#### Uninstall Dashboard or Lobby Display

```powershell
# Remove Dashboard
.\Invoke-RemoteMaintenance.ps1 -ComputerName "OLD-KIOSK" -Task UninstallDashboard -Credential $cred

# Remove Lobby Display
.\Invoke-RemoteMaintenance.ps1 -ComputerName "OLD-LOBBY" -Task UninstallLobbyDisplay -Credential $cred
```

---

### How to Reboot PCs

#### Single PC Reboot

```powershell
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PC-TO-REBOOT" -Task Reboot -Credential $cred
```

**Note:** Reboot has a 30-second delay to allow graceful shutdown.

#### Reboot All Dashboard PCs

```powershell
# Reboot all Dashboard PCs (e.g., for software update)
.\Invoke-RemoteMaintenance.ps1 -PcType Dashboard -Task Reboot -Credential $cred
```

#### Reboot All Lobby Display PCs

```powershell
.\Invoke-RemoteMaintenance.ps1 -PcType "Lobby Display" -Task Reboot -Credential $cred
```

#### Reboot PCs by Business Unit

```powershell
# Reboot all HPT PCs during maintenance window
.\Invoke-RemoteMaintenance.ps1 -BusinessUnit HPT -Task Reboot -Credential $cred
```

---

### How to Run Batch Operations

#### Using a Computer List File

Create a text file with one hostname per line:

```text
# shopfloor-pcs.txt
PC001
PC002
PC003
PC004
PC005
```

Run tasks against the list:

```powershell
.\Invoke-RemoteMaintenance.ps1 -ComputerListFile ".\shopfloor-pcs.txt" -Task FlushDNS -Credential $cred
```

#### Running Multiple Tasks in Sequence

```powershell
# Maintenance routine for a PC
$pc = "SHOPFLOOR-PC01"

# Step 1: Clear caches
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task ClearUpdateCache -Credential $cred
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task ClearBrowserCache -Credential $cred

# Step 2: Disk cleanup
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task DiskCleanup -Credential $cred

# Step 3: Repair
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task DISM -Credential $cred
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task SFC -Credential $cred

# Step 4: Sync time
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task SetTimezone -Credential $cred
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task SyncTime -Credential $cred

# Step 5: Reboot
.\Invoke-RemoteMaintenance.ps1 -ComputerName $pc -Task Reboot -Credential $cred
```

---

## Targeting Strategies

### By Individual PCs

**Best for:** Specific troubleshooting, targeted fixes

```powershell
.\Invoke-RemoteMaintenance.ps1 -ComputerName "PROBLEM-PC" -Task DISM -Credential $cred
```

### By PC Type

**Best for:** Type-specific maintenance, software updates

```powershell
# All CMM PCs
.\Invoke-RemoteMaintenance.ps1 -PcType CMM -Task DiskCleanup -Credential $cred

# All Dashboard kiosks
.\Invoke-RemoteMaintenance.ps1 -PcType Dashboard -Task Reboot -Credential $cred
```

### By Business Unit

**Best for:** Department-specific maintenance windows

```powershell
# All Blisk area PCs
.\Invoke-RemoteMaintenance.ps1 -BusinessUnit Blisk -Task SyncTime -Credential $cred
```

### All Shopfloor PCs

**Best for:** Global maintenance, security updates

```powershell
# Flush DNS everywhere
.\Invoke-RemoteMaintenance.ps1 -All -Task FlushDNS -Credential $cred -ThrottleLimit 10
```

### Using a List File

**Best for:** Custom groups, staged rollouts

```powershell
.\Invoke-RemoteMaintenance.ps1 -ComputerListFile ".\phase1-pcs.txt" -Task DISM -Credential $cred
```

---

## Troubleshooting

### Task Times Out

**Cause:** Task takes longer than session timeout.

**Solution:** DISM and SFC can take a long time. Check if task completed on target:

```powershell
# Check DISM log
Invoke-Command -ComputerName "PC01" -Credential $cred -ScriptBlock {
    Get-Content "C:\Windows\Logs\DISM\dism.log" -Tail 50
}
```

### "Access Denied" on Some PCs

**Cause:** Credentials don't have admin rights on that PC.

**Solutions:**

1. Use different credentials
2. Add account to local Administrators group on target
3. Check if UAC is blocking remote admin

### Software Installation Fails

**Cause:** Network share not accessible or installer missing.

**Solutions:**

1. Verify network share path is accessible
2. Check installer exists at expected location
3. Verify credentials can access the share

### Reboot Doesn't Happen

**Cause:** User cancelled shutdown or application blocked it.

**Solutions:**

```powershell
# Force immediate reboot (no 30-second delay)
Invoke-Command -ComputerName "PC01" -Credential $cred -ScriptBlock {
    Restart-Computer -Force
}
```

---

## Best Practices

### 1. Start Small

Test on one PC before running against groups:

```powershell
# Test on single PC first
.\Invoke-RemoteMaintenance.ps1 -ComputerName "TEST-PC" -Task DISM -Credential $cred
```

### 2. Use Appropriate Throttle Limits

| Scenario | Recommended ThrottleLimit |
|----------|--------------------------|
| Fast network, light tasks | 10-25 |
| Normal operations | 5 (default) |
| Heavy tasks (DISM, Defrag) | 2-3 |
| Slow network | 2-3 |

### 3. Schedule Disruptive Tasks

Run reboots and heavy tasks during maintenance windows:

- DISM/SFC: After hours
- Disk optimization: After hours
- Reboots: During shift changes or maintenance windows

### 4. Verify Before Rebooting

Always confirm which PCs will be affected:

```powershell
# Check PC type before reboot
.\Update-ShopfloorPCs-Remote.ps1 -PcType Dashboard -WhatIf
```

### 5. Keep Logs

Redirect output for audit trail:

```powershell
.\Invoke-RemoteMaintenance.ps1 -All -Task SyncTime -Credential $cred |
    Tee-Object -FilePath "maintenance-log-$(Get-Date -Format 'yyyyMMdd').txt"
```
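
A saved log is most useful when it is reconciled against the list of PCs you intended to touch, since offline PCs are skipped and may leave no result line at all. The following is an added example, not part of the toolkit; it assumes each result line has the `[PC] Task: STATUS` form shown under Quick Start, and the function name `Get-MaintenanceFollowUp`, the `FAILED` status text and the sample log lines are hypothetical.

```powershell
# Added example (not part of Invoke-RemoteMaintenance.ps1): compare a saved log
# against the intended target list and report PCs that need follow-up.
function Get-MaintenanceFollowUp {
    [CmdletBinding()]
    param(
        # Lines of the saved log, e.g. from: Get-Content -Path $logPath
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]]$LogLines,
        [Parameter(Mandatory)] [string]$Task,
        # PCs that were supposed to be processed (e.g. the -ComputerListFile content)
        [Parameter(Mandatory)] [string[]]$ExpectedPCs
    )

    # Assumed line format, taken from the README's sample output: [PC] Task: STATUS
    $pattern = '^\[(?<pc>[^\]]+)\]\s+(?<task>[^:]+):\s+(?<status>\S+)'

    # @{} is case-insensitive, which suits hostnames; the last result per PC wins.
    $statusByPc = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern -and $Matches['task'].Trim() -eq $Task) {
            $statusByPc[$Matches['pc']] = $Matches['status']
        }
    }

    foreach ($pc in $ExpectedPCs) {
        $status = if ($statusByPc.ContainsKey($pc)) { $statusByPc[$pc] } else { 'NO RESULT' }
        # Anything other than SUCCESS, including a missing line, needs a second look.
        if ($status -ne 'SUCCESS') {
            [pscustomobject]@{ ComputerName = $pc; Status = $status }
        }
    }
}

# Constructed sample log; only the SUCCESS wording comes from the README.
$sampleLog = @(
    '[PC001] SyncTime: SUCCESS'
    '  The command completed successfully.'
    '[PC002] SyncTime: FAILED'
    '[PC004] FlushDNS: SUCCESS'
)
$expected = @('PC001', 'PC002', 'PC003')

$followUp = @(Get-MaintenanceFollowUp -LogLines $sampleLog -Task SyncTime -ExpectedPCs $expected)
$followUp | Format-Table -AutoSize

# Write a retry list that can be fed back in with -ComputerListFile:
# $followUp.ComputerName | Set-Content -Path '.\retry-pcs.txt'
```

With the sample above, `PC002` is reported with its logged status and `PC003` as `NO RESULT`, which is the case a simple search for failures in the log would miss.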