powershell-scripts/PRODUCTION_URL_UPDATE.md

# PowerShell Scripts - Production URL Configuration

**Date:** 2025-11-21
**Status:**  Updated for Production
**Target Server:** https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp

---

## Changes Made

### Files Updated

1. **Update-PC-CompleteAsset-Silent.bat**
   - Dashboard URL: https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp

2. **Update-PC-CompleteAsset.ps1**
   - Default parameter: https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp
   - Auto-discovery list (first priority)
   - Fallback default URL

---

## Deployment Instructions

### Step 1: Copy Files to Client PCs

**Source Location (Linux Dev):**
```
/home/camp/projects/powershell/
```

**Target Location (Windows PCs):**
```
C:\Apps\PowerShell\
```

**Files to Deploy:**
```
Update-PC-CompleteAsset.ps1
Update-PC-CompleteAsset-Silent.bat
Get-ShopfloorConfig.ps1
Backup-GERegistry.ps1
applications.csv
```

### Step 2: Deployment Methods

#### Option A: Group Policy (Recommended)

**GPO Startup Script:**
```batch
@echo off
REM Copy PowerShell scripts from network share to local PC
xcopy /Y /E "\\fileserver\shares\IT\PowerShell\*.*" "C:\Apps\PowerShell\"
```

**GPO Path:**
```
Computer Configuration
   Policies
     Windows Settings
       Scripts (Startup/Shutdown)
         Startup
           Add: deploy-powershell-scripts.bat
```

#### Option B: Manual Copy via Network Share

```batch
REM On each PC (or via remote execution)
xcopy /Y /E "\\tsgwp00525\IT\PowerShell\*.*" "C:\Apps\PowerShell\"
```

#### Option C: PowerShell Remoting (Bulk Deployment)

```powershell
# Run from admin workstation
$PCs = Get-Content "C:\PCList.txt"

foreach ($PC in $PCs) {
    Write-Host "Deploying to $PC..."

    # Create directory if doesn't exist
    Invoke-Command -ComputerName $PC -ScriptBlock {
        New-Item -Path "C:\Apps\PowerShell" -ItemType Directory -Force
    }

    # Copy files
    Copy-Item -Path "\\source\PowerShell\*" -Destination "\\$PC\C$\Apps\PowerShell\" -Recurse -Force

    Write-Host "  [OK] Deployed to $PC" -ForegroundColor Green
}
```

### Step 3: Create Scheduled Task

**Task Configuration:**
```xml
Name: Update PC Asset Data
Description: Daily collection of PC hardware and software inventory
Trigger: Daily at 6:00 AM
Action: C:\Apps\PowerShell\Update-PC-CompleteAsset-Silent.bat
Run as: SYSTEM
Run with highest privileges: Yes
```

**GPO Scheduled Task:**
```
Computer Configuration
   Preferences
     Control Panel Settings
       Scheduled Tasks
         New  Scheduled Task (Windows 7+)
```

**Settings:**
- Name: `Update PC Asset Data`
- Program: `C:\Apps\PowerShell\Update-PC-CompleteAsset-Silent.bat`
- Trigger: Daily, 6:00 AM
- Random delay: 0-10 minutes (built into script)
- Run whether user logged on or not: Yes
- Run with highest privileges: Yes

### Step 4: Test on Sample PCs

**Test on 3 different PC types:**

1. **Standard PC (Office):**
```powershell
# Run manually
cd C:\Apps\PowerShell
.\Update-PC-CompleteAsset.ps1
```

**Expected:**
- Detects PC type: Standard
- Collects system info
- Sends to https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp
- Success message

2. **Shopfloor PC (LTSC):**
```powershell
cd C:\Apps\PowerShell
.\Update-PC-CompleteAsset.ps1
```

**Expected:**
- Detects PC type: Shopfloor
- Collects system info + network interfaces + DNC config
- Sends to production API
- Success message

3. **Engineer PC (Has C:\Apps + V: drive):**
```powershell
cd C:\Apps\PowerShell
.\Update-PC-CompleteAsset.ps1
```

**Expected:**
- Detects PC type: Engineer
- Collects system info
- Sends to production API
- Success message

### Step 5: Verify in Database

```sql
-- Check recent PC updates (last 24 hours)
SELECT
    hostname,
    machinetypeid,
    serialnumber,
    lastupdated
FROM machines
WHERE pctypeid IS NOT NULL
  AND lastupdated >= DATE_SUB(NOW(), INTERVAL 24 HOUR)
ORDER BY lastupdated DESC;
```

### Step 6: Monitor Logs

**Check API logs on server:**
```
https://tsgwp00525.rd.ds.ge.com/shopdb/logs/api-2025-11-21.log
```

**Check PowerShell logs on network share:**
```
S:\dt\cameron\scan\logs\CompleteAsset-[HOSTNAME]-[TIMESTAMP].log
```

**Fallback location (if network share unavailable):**
```
C:\Apps\PowerShell\Logs\CompleteAsset-[HOSTNAME]-[TIMESTAMP].log
```

---

## URL Configuration Details

### Production URL

**Full URL:**
```
https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp
```

**Server:** tsgwp00525.rd.ds.ge.com
**Protocol:** HTTPS (secure)
**Path:** /shopdb/api.asp
**Port:** 443 (default HTTPS)

### Network Requirements

**Firewall Rules:**
- Allow outbound HTTPS (port 443) from all client PCs
- Destination: tsgwp00525.rd.ds.ge.com
- Protocol: TCP/443

**DNS Resolution:**
- tsgwp00525.rd.ds.ge.com must resolve from client PCs
- Test: `nslookup tsgwp00525.rd.ds.ge.com`

**Certificate:**
- Server must have valid SSL certificate
- Client PCs must trust certificate authority
- If using self-signed cert, may need to add to trusted root CAs

**Network Share Access:**
- All client PCs must have read/write access to `S:\dt\cameron\scan\logs`
- Share permissions: DOMAIN\Domain Computers (Modify)
- NTFS permissions: DOMAIN\Domain Computers (Modify)
- If network share unavailable, script will fallback to local `C:\Apps\PowerShell\Logs\`

### URL Priority (Auto-Discovery)

If parameter not provided, script tries URLs in this order:

1. https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp (PRODUCTION)
2. http://192.168.122.151:8080/api.asp (DEV)
3. http://localhost:8080/api.asp (Local test)
4. (other fallbacks...)

---

## Rollback Instructions

If production deployment fails, revert to DEV URLs:

**Update-PC-CompleteAsset-Silent.bat:**
```batch
Line 27: echo Dashboard: http://192.168.122.151:8080/api.asp >> "%logfile%" 2>&1
Line 60: -DashboardURL "http://192.168.122.151:8080/api.asp"
```

**Update-PC-CompleteAsset.ps1:**
```powershell
Line 26: [string]$DashboardURL = "http://192.168.122.151:8080/api.asp",
Line 70: First candidate = "http://192.168.122.151:8080/api.asp"
Line 98: $defaultUrl = "http://192.168.122.151:8080/api.asp"
```

---

## Verification Checklist

Before production rollout:

- [ ] Verify network share exists: `S:\dt\cameron\scan\logs`
- [ ] Test network share write permissions from client PC
- [ ] Test script on Standard PC
- [ ] Test script on Shopfloor PC
- [ ] Test script on Engineer PC
- [ ] Verify logs written to `S:\dt\cameron\scan\logs`
- [ ] Verify data appears in database
- [ ] Check API logs on server
- [ ] Test scheduled task execution
- [ ] Confirm HTTPS certificate valid
- [ ] Verify firewall allows outbound HTTPS
- [ ] Test DNS resolution of tsgwp00525.rd.ds.ge.com
- [ ] Deploy to pilot group (5-10 PCs)
- [ ] Monitor for 1 week (check network share logs)
- [ ] Deploy to all PCs via GPO

---

## Troubleshooting

### Issue: Cannot reach dashboard

**Symptom:**
```
[FAIL] Cannot reach: The remote name could not be resolved
```

**Causes:**
1. DNS not resolving tsgwp00525.rd.ds.ge.com
2. Firewall blocking port 443
3. Server offline

**Fix:**
```powershell
# Test DNS
nslookup tsgwp00525.rd.ds.ge.com

# Test HTTPS connectivity
Test-NetConnection -ComputerName tsgwp00525.rd.ds.ge.com -Port 443

# Test API endpoint
Invoke-RestMethod -Uri "https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp?action=getDashboardData"
```

### Issue: SSL certificate error

**Symptom:**
```
The underlying connection was closed: Could not establish trust relationship
```

**Cause:** Self-signed or untrusted certificate

**Fix:**
```powershell
# Temporary bypass (testing only)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

# Permanent fix: Install certificate to Trusted Root
Import-Certificate -FilePath "server-cert.crt" -CertStoreLocation Cert:\LocalMachine\Root
```

### Issue: 401 Unauthorized

**Symptom:**
```
The remote server returned an error: (401) Unauthorized
```

**Cause:** Server requires authentication

**Fix:**
- Check IIS authentication settings
- Ensure Anonymous Authentication enabled for api.asp
- Or add credentials to script

### Issue: 500 Internal Server Error

**Symptom:**
```
The remote server returned an error: (500) Internal Server Error
```

**Cause:** API error on server side

**Fix:**
- Check server logs: `C:\inetpub\wwwroot\shopdb\logs\api-YYYY-MM-DD.log`
- Check IIS logs: `C:\inetpub\logs\LogFiles\`
- Verify database connectivity from server
- Check ASP error details (disable friendly errors)

### Issue: Network log directory not accessible

**Symptom:**
```
WARNING: Network log directory S:\dt\cameron\scan\logs not accessible, using local Logs directory
```

**Cause:** Network share not accessible or permissions issue

**Fix:**
```powershell
# Test network share access
Test-Path "S:\dt\cameron\scan\logs"

# Verify drive mapping
Get-PSDrive S

# Test write permissions
New-Item -Path "S:\dt\cameron\scan\logs\test.txt" -ItemType File -Value "test" -Force
Remove-Item "S:\dt\cameron\scan\logs\test.txt"
```

**Permission Requirements:**
- Share: `\\fileserver\share` mapped to S: drive
- Share Permissions: Domain Computers (Read/Write)
- NTFS Permissions: Domain Computers (Modify)
- Ensure folder exists: `S:\dt\cameron\scan\logs`

---

## Production Readiness Status

 **Scripts Updated:** Both .bat and .ps1 files configured for production URL
 **Documentation:** Complete deployment guide created
 **Testing Plan:** 3-tier testing (Standard, Shopfloor, Engineer)
 **Monitoring:** API logs and PowerShell logs configured
 **Rollback Plan:** DEV URL reversion documented

**Ready for Deployment:** YES

**Recommended Timeline:**
1. Day 1-2: Test on 3 PCs (one of each type)
2. Day 3-7: Deploy to pilot group (10 PCs)
3. Day 8-14: Monitor pilot group
4. Day 15+: Full deployment via GPO to all PCs

---

## Contact

**For deployment issues:**
- Check this documentation
- Review PowerShell logs on client PC
- Review API logs on server
- Contact: IT Asset Management Team

**File Locations:**
- Dev: `/home/camp/projects/powershell/`
- Production Scripts: `C:\Apps\PowerShell\` (on PCs)
- Production Logs: `S:\dt\cameron\scan\logs\` (network share)
- Server: `https://tsgwp00525.rd.ds.ge.com/shopdb/`

---

**Document Version:** 1.0
**Last Updated:** 2025-11-21
**Status:** Production Ready