powershell-scripts/docs/SCRIPTS_REFERENCE.md
cproudlock 96cb1dd946 Remove all emojis from markdown documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 11:03:45 -05:00


# PowerShell Scripts Reference
Complete documentation for all scripts in this repository.
**Last Updated:** 2025-12-10
---
## Repository Structure
```
powershell-scripts/
├── asset-collection/ # Local PC data collection scripts
├── remote-execution/ # Remote WinRM execution scripts
├── setup-utilities/ # Configuration and testing
├── registry-backup/ # GE registry backup
├── winrm-https/ # WinRM HTTPS/certificate setup
└── docs/ # Documentation
```
---
## Table of Contents
1. [Asset Collection Scripts](#asset-collection-scripts) (`asset-collection/`)
2. [Remote Execution Scripts](#remote-execution-scripts) (`remote-execution/`)
3. [Setup & Utility Scripts](#setup--utility-scripts) (`setup-utilities/`)
4. [Registry Backup Scripts](#registry-backup-scripts) (`registry-backup/`)
5. [WinRM HTTPS Scripts](#winrm-https-scripts) (`winrm-https/`)
---
## Asset Collection Scripts
**Location:** `asset-collection/`
### Update-PC-CompleteAsset.ps1
**Purpose:** Primary script for comprehensive PC asset data collection and database storage.
**What It Does:**
1. Collects system information (hostname, serial number, manufacturer, model)
2. Determines PC type (Engineer/Shopfloor/Standard/Measuring)
3. Collects network interface configurations
4. For shopfloor PCs: Collects DNC/machine configurations from GE registry
5. Optionally retrieves Dell warranty information via proxy
6. Sends all data to ShopDB API for storage
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-ProxyURL` | `http://10.48.130.158/vendor-api-proxy.php` | Warranty API proxy server |
| `-DashboardURL` | `https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp` | ShopDB API endpoint |
| `-SkipWarranty` | `$true` | Skip warranty lookups (enabled by default) |
| `-TestConnections` | `$false` | Test API connectivity without collecting data |
**Usage:**
```powershell
# Standard execution (run as administrator)
.\Update-PC-CompleteAsset.ps1
# Test connectivity only
.\Update-PC-CompleteAsset.ps1 -TestConnections
# With warranty lookup enabled
.\Update-PC-CompleteAsset.ps1 -SkipWarranty:$false
```
**Requires:** Administrator privileges for full data collection
---
### Get-ShopfloorConfig.ps1
**Purpose:** Library of functions for collecting shopfloor-specific configurations.
**What It Does:**
- Enumerates all network interfaces and their configurations
- Detects "machine networks" (192.168.x.x subnets)
- Collects serial port (COM) configurations
- Extracts DNC settings from GE Aircraft Engines registry
- Analyzes DualPath configurations for multi-machine setups
**Key Functions:**
| Function | Description |
|----------|-------------|
| `Get-NetworkInterfaceConfig` | Collects all network adapter information |
| `Get-SerialPortConfig` | Enumerates COM port configurations |
| `Get-DNCConfig` | Extracts DNC registry settings |
| `Get-GERegistryConfig` | Reads GE Aircraft Engines registry keys |
**Note:** This script is dot-sourced by `Update-PC-CompleteAsset.ps1` and is not run directly.
---
### Update-PC-Minimal.ps1
**Purpose:** Lightweight asset collection for locked-down PCs with restricted permissions.
**What It Does:**
1. Collects basic system info without requiring admin privileges
2. Uses only non-elevated WMI/CIM queries
3. Detects PC-DMIS software for measuring machine classification
4. Sends minimal data to ShopDB API
**When to Use:**
- PCs where users cannot run as administrator
- Measuring machines with restricted permissions
- Quick data collection without full registry access
**Usage:**
```powershell
.\Update-PC-Minimal.ps1
```
**Requires:** No elevated privileges (runs as standard user)
---
### Backup-GERegistry.ps1
**Purpose:** Backs up GE Aircraft Engines registry keys for disaster recovery and auditing.
**What It Does:**
1. Exports registry keys from both 32-bit and 64-bit locations
2. Creates backup files named with machine number and serial number
3. Saves to network share for centralized backup storage
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-BackupPath` | `S:\DT\cameron\scan\backup\reg` | Network path for backup files |
| `-Silent` | `$false` | Suppress console output |
**Backup Locations:**
- `HKLM:\Software\GE Aircraft Engines`
- `HKLM:\Software\WOW6432Node\GE Aircraft Engines`
**Output Filename Format:** `[machinenumber-]serialnumber-YYYY-MM-DD.reg`
**Usage:**
```powershell
# Interactive backup
.\Backup-GERegistry.ps1
# Silent backup (for scheduled tasks)
.\Backup-GERegistry.ps1 -Silent
```
---
## Remote Execution Scripts
### Invoke-RemoteAssetCollection.ps1
**Purpose:** Remotely executes asset collection on multiple PCs via WinRM (HTTP).
**What It Does:**
1. Establishes WinRM connections to target PCs
2. Executes `Update-PC-CompleteAsset.ps1` remotely
3. Collects and logs results from each PC
4. Supports parallel execution for efficiency
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-ComputerList` | - | Array of computer names/IPs |
| `-ComputerListFile` | - | Path to text file with computer list |
| `-Credential` | - | PSCredential for authentication |
| `-MaxConcurrent` | `5` | Maximum parallel sessions |
| `-TestConnections` | `$false` | Test connectivity only |
| `-ScriptPath` | `C:\Scripts\Update-PC-CompleteAsset.ps1` | Path to script on remote PCs |
**Prerequisites:**
- WinRM enabled on target PCs (`Enable-PSRemoting -Force`)
- Admin credentials for remote PCs
- Port 5985 (HTTP) open
**Usage:**
```powershell
# From file with prompted credentials
.\Invoke-RemoteAssetCollection.ps1 -ComputerListFile ".\shopfloor-pcs.txt"
# Specific computers, reusing a credential object captured with Get-Credential
$cred = Get-Credential
.\Invoke-RemoteAssetCollection.ps1 -ComputerList @("PC001","PC002") -Credential $cred
# Test connections only
.\Invoke-RemoteAssetCollection.ps1 -ComputerList @("PC001") -TestConnections
```
**Requires:** Administrator privileges, WinRM access to targets
---
### Invoke-RemoteAssetCollection-HTTPS.ps1
**Purpose:** Secure remote asset collection via WinRM over HTTPS (port 5986).
**What It Does:**
Same as `Invoke-RemoteAssetCollection.ps1` but uses:
- HTTPS/TLS encryption for secure communication
- Wildcard certificates for domain-wide deployment
- Automatic FQDN construction from hostnames
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-HostnameList` | - | Array of hostnames (without domain) |
| `-HostnameListFile` | - | Path to text file with hostnames |
| `-Domain` | - | Domain suffix (e.g., "logon.ds.ge.com") |
| `-Port` | `5986` | HTTPS port |
| `-SkipCertificateCheck` | `$false` | Skip TLS certificate validation (not recommended) |
**Usage:**
```powershell
# With domain suffix
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -HostnameList @("PC001","PC002") -Domain "logon.ds.ge.com"
# From file
.\Invoke-RemoteAssetCollection-HTTPS.ps1 -HostnameListFile ".\hostnames.txt" -Domain "logon.ds.ge.com"
```
**Requires:** WinRM HTTPS configured on targets (see winrm-https folder)
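The following is an added example, not code from `Invoke-RemoteAssetCollection-HTTPS.ps1`. It shows how building the FQDN from `-HostnameList` and `-Domain` lets the standard `New-PSSession -UseSSL` call validate the listener certificate against the name being connected to. `ConvertTo-Fqdn` is a hypothetical helper, and the hostnames are the ones from the usage block above.

```powershell
# Added example. ConvertTo-Fqdn is a hypothetical helper, not a function from this repository.
function ConvertTo-Fqdn {
    param(
        [Parameter(Mandatory)][string[]]$HostnameList,
        [Parameter(Mandatory)][string]$Domain
    )
    $suffix = '.' + $Domain.Trim('.')
    foreach ($name in $HostnameList) {
        $name = $name.Trim().TrimEnd('.')
        if (-not $name) { continue }   # skip blank lines from a hostname file
        if ($name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $name                      # already fully qualified
        } else {
            "$name$suffix"
        }
    }
}

$cred    = Get-Credential
$targets = ConvertTo-Fqdn -HostnameList @('PC001', 'PC002') -Domain 'logon.ds.ge.com'

$results = foreach ($fqdn in $targets) {
    $session = $null
    try {
        # -UseSSL selects the HTTPS listener. No -SessionOption is passed, so the
        # certificate's issuer, name and revocation status are all checked.
        $session = New-PSSession -ComputerName $fqdn -UseSSL -Port 5986 -Credential $cred -ErrorAction Stop
        $remote  = Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
        [pscustomobject]@{ Target = $fqdn; Status = 'OK'; RemoteName = $remote; Error = $null }
    } catch {
        # A name mismatch or untrusted issuer lands here; fix the certificate or
        # the client trust store rather than disabling validation.
        [pscustomobject]@{ Target = $fqdn; Status = 'Failed'; RemoteName = $null; Error = $_.Exception.Message }
    } finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
$results | Format-Table -AutoSize
```

In plain PowerShell, skipping validation corresponds to passing `New-PSSessionOption -SkipCACheck -SkipCNCheck` as `-SessionOption`, which this example deliberately leaves out.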
---
### Update-ShopfloorPCs-Remote.ps1
**Purpose:** Query ShopDB for all shopfloor PCs and update them remotely.
**What It Does:**
1. Queries ShopDB API for list of all shopfloor PCs
2. Establishes WinRM connections to each PC
3. Collects system info remotely and POSTs to API
4. Logs success/failure for each PC
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-ComputerName` | - | Specific PC(s) to update |
| `-All` | `$false` | Update all shopfloor PCs from ShopDB |
| `-SetupTrustedHosts` | `$false` | Configure WinRM trusted hosts |
| `-Credential` | - | PSCredential for authentication |
| `-ApiUrl` | `https://tsgwp00525.rd.ds.ge.com/shopdb/api.asp` | ShopDB API URL |
**Usage:**
```powershell
# Update all shopfloor PCs
.\Update-ShopfloorPCs-Remote.ps1 -All
# Update specific PCs
.\Update-ShopfloorPCs-Remote.ps1 -ComputerName "PC001","PC002"
# Setup trusted hosts first
.\Update-ShopfloorPCs-Remote.ps1 -SetupTrustedHosts
```
---
## Configuration & Setup Scripts
### Setup-WinRM.ps1
**Purpose:** Configures WinRM on the management server for remote asset collection.
**What It Does:**
1. Enables WinRM service
2. Configures trusted hosts for remote connections
3. Sets up HTTP listener on port 5985
4. Tests connectivity to specified computers
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-TrustedHosts` | `""` | Comma-separated list of trusted hosts (use "*" for all) |
| `-TestConnection` | `@()` | Array of computers to test after setup |
**Usage:**
```powershell
# Trust all hosts (less secure, simpler)
.\Setup-WinRM.ps1 -TrustedHosts "*"
# Trust specific IPs
.\Setup-WinRM.ps1 -TrustedHosts "10.48.130.100,10.48.130.101"
# Setup and test
.\Setup-WinRM.ps1 -TrustedHosts "*" -TestConnection @("10.48.130.100")
```
**Requires:** Administrator privileges
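The following is an added example, not code from `Setup-WinRM.ps1`. It audits the WinRM client's TrustedHosts list, which names the targets the client will authenticate to without Kerberos or certificate proof of the server's identity, and shows how to scope it to explicit addresses. It assumes the script writes the standard `WSMan:\localhost\Client\TrustedHosts` setting; the two addresses are the ones from the usage block above.

```powershell
# Added example. Run elevated on the management server; the WSMan: drive comes
# from the built-in WSMan provider.
$path    = 'WSMan:\localhost\Client\TrustedHosts'
$entries = @((Get-Item -Path $path).Value -split ',' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Classify every entry so wildcard trust stands out in the report.
$report = foreach ($entry in $entries) {
    $scope = if ($entry -eq '*') { 'any host' } elseif ($entry.Contains('*')) { 'wildcard pattern' } else { 'explicit' }
    [pscustomobject]@{ Entry = $entry; Scope = $scope }
}

if (-not $report) {
    Write-Output 'TrustedHosts is empty.'
} else {
    $report | Format-Table -AutoSize
    $wild = @($report | Where-Object { $_.Scope -ne 'explicit' })
    if ($wild.Count -gt 0) {
        Write-Warning "$($wild.Count) TrustedHosts entry(ies) use a wildcard; credentials can be offered to hosts that were never vetted."
    }
}

# Replace the list with explicit addresses only. $apply is a guard variable
# for this example; set it to $true to write the change.
$allowed = @('10.48.130.100', '10.48.130.101')
$apply   = $false
if ($apply) {
    Set-Item -Path $path -Value ($allowed -join ',') -Force
    (Get-Item -Path $path).Value
}
```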
---
### Install-AssetCollectionSchedule.ps1
**Purpose:** Creates a Windows scheduled task for automated asset collection.
**What It Does:**
1. Creates scheduled task running 4 times daily (6:00, 12:00, 18:00, 00:00)
2. Configures silent execution (no window popup)
3. Runs as SYSTEM account
4. Handles battery/network conditions appropriately
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-ScriptPath` | `S:\DT\adata\script\Update-PC-CompleteAsset-Silent.bat` | Path to batch file |
| `-TaskName` | `"GE Asset Collection"` | Name for scheduled task |
**Usage:**
```powershell
# Install with defaults
.\Install-AssetCollectionSchedule.ps1
# Custom script path
.\Install-AssetCollectionSchedule.ps1 -ScriptPath "C:\Scripts\Update-PC-CompleteAsset-Silent.bat"
```
**Requires:** Administrator privileges
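The following is an added example, not code from `Install-AssetCollectionSchedule.ps1`. Because the task runs as SYSTEM, whatever sits at `-ScriptPath` executes with full local privileges, so this check lists every principal other than SYSTEM and Administrators that can modify the batch file or its folder. `Test-TaskScriptAcl` and its `-TrustedSid` parameter are hypothetical names.

```powershell
# Added example. Test-TaskScriptAcl is a hypothetical helper, not part of this repository.
function Test-TaskScriptAcl {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        # SIDs allowed to modify the script: SYSTEM and BUILTIN\Administrators.
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    # Bits that let a principal change or replace the file, plus GENERIC_WRITE / GENERIC_ALL.
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership) -bor 0x40000000 -bor 0x10000000

    # Check the file and its parent folder: write access to either allows replacement.
    foreach ($item in @($ScriptPath, (Split-Path -Path $ScriptPath -Parent))) {
        foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: report as-is
            if ($TrustedSid -notcontains $sid) {
                [pscustomobject]@{
                    Path     = $item
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Default path from the parameter table above; any output row is a finding to review.
Test-TaskScriptAcl -ScriptPath 'S:\DT\adata\script\Update-PC-CompleteAsset-Silent.bat' |
    Format-Table -AutoSize -Wrap
```

This inspects NTFS permissions only; share-level permissions on the network path need a separate review on the file server.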
---
## Utility Scripts
### Test-API-Connection.ps1
**Purpose:** Tests connectivity and functionality of the ShopDB API.
**What It Does:**
1. Tests basic API connectivity
2. Tests INSERT operation (creates test PC record)
3. Tests UPDATE operation (modifies test record)
4. Tests DELETE operation (cleans up test record)
5. Reports success/failure for each operation
**Parameters:**
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-DashboardURL` | `http://192.168.122.151:8080/api.asp` | API endpoint to test |
**Usage:**
```powershell
# Test development API
.\Test-API-Connection.ps1
# Test production API
.\Test-API-Connection.ps1 -DashboardURL "https://production-server/shopdb/api.asp"
```
---
### Get-InstalledApps.ps1
**Purpose:** Collects list of installed applications from a PC.
**What It Does:**
- Queries registry for installed programs
- Returns application names and versions
- Used for software inventory in ShopDB
**Usage:**
```powershell
.\Get-InstalledApps.ps1
```
---
## Batch File Launchers
### Update-PC-CompleteAsset.bat
Standard launcher - opens PowerShell window with output visible.
### Update-PC-CompleteAsset-Silent.bat
Silent launcher - runs hidden, suitable for scheduled tasks.
### Update-PC-Minimal.bat
Launcher for minimal collection script.
### Run-RemoteCollection.bat
Launcher for remote collection script.
### Get-InstalledApps.bat
Launcher for application inventory script.
### Run-GetInstalledApps.bat
Alternative launcher for application inventory.
---
## WinRM HTTPS Scripts
Located in `winrm-https/` folder. These scripts configure secure WinRM over HTTPS.
### Key Scripts:
| Script | Purpose |
|--------|---------|
| `Setup-WinRM-HTTPS.ps1` | Configure WinRM HTTPS on target PCs |
| `Create-CertificateAuthority.ps1` | Create internal CA for certificates |
| `Sign-PCCertificate.ps1` | Sign individual PC certificates |
| `Sign-BulkPCCertificates.ps1` | Sign certificates for multiple PCs |
| `Configure-WinRM-Client.ps1` | Configure client for HTTPS connections |
| `Test-WinRM-HTTPS-Setup.ps1` | Verify HTTPS configuration |
| `Test-ShopfloorPC.ps1` | Test connectivity to shopfloor PC |
### Documentation:
| Document | Description |
|----------|-------------|
| `README.md` | Overview and quick start |
| `CA-APPROACH-GUIDE.md` | Certificate Authority setup guide |
| `GETTING_STARTED.md` | Step-by-step initial setup |
| `NETWORK_SHARE_DEPLOYMENT.md` | Deploying via network share |
| `SECURE_CREDENTIAL_MANAGEMENT.md` | Credential security best practices |
| `TROUBLESHOOTING_CERTIFICATE_GENERATION.md` | Certificate troubleshooting |
---
## Architecture Overview
```
┌─────────────────────────────────────────────────────────────────┐
│ Management Server │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Invoke-RemoteAssetCollection.ps1 │ │
│ │ Invoke-RemoteAssetCollection-HTTPS.ps1 │ │
│ │ Update-ShopfloorPCs-Remote.ps1 │ │
│ └──────────────────────┬───────────────────────────────────┘ │
└─────────────────────────┼───────────────────────────────────────┘
│ WinRM (5985/5986)
┌─────────────────────────────────────────────────────────────────┐
│ Shopfloor PCs │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Update-PC-CompleteAsset.ps1 │ │
│ │ Get-ShopfloorConfig.ps1 │ │
│ │ Backup-GERegistry.ps1 │ │
│ └──────────────────────┬───────────────────────────────────┘ │
└─────────────────────────┼───────────────────────────────────────┘
│ HTTPS
┌─────────────────────────────────────────────────────────────────┐
│ ShopDB API Server │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ api.asp (IIS) MySQL Database │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
---
## Quick Reference
### Run asset collection on local PC:
```batch
Update-PC-CompleteAsset.bat
```
### Run silent collection (for scheduled tasks):
```batch
Update-PC-CompleteAsset-Silent.bat
```
### Collect from all shopfloor PCs remotely:
```powershell
.\Update-ShopfloorPCs-Remote.ps1 -All
```
### Test API connectivity:
```powershell
.\Test-API-Connection.ps1
```
### Setup scheduled collection:
```powershell
.\Install-AssetCollectionSchedule.ps1
```
---
**Repository:** http://localhost:3000/cproudlock/powershell-scripts