From 1b6e9c3156b98e07911e11b9a1fecc2200a47e1e Mon Sep 17 00:00:00 2001
From: samsamfin
Date: Sun, 22 Mar 2026 09:01:40 +0000
Subject: [PATCH] Upload files to "Remediation"
---
 Remediation/Dell-BIOSPassword-Detection.ps1 | 57 +++++++++++++
 Remediation/Dell-BIOSPassword-Remediation.ps1 | 79 +++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 Remediation/Dell-BIOSPassword-Detection.ps1
 create mode 100644 Remediation/Dell-BIOSPassword-Remediation.ps1
diff --git a/Remediation/Dell-BIOSPassword-Detection.ps1 b/Remediation/Dell-BIOSPassword-Detection.ps1
new file mode 100644
index 0000000..63c6397
--- /dev/null
+++ b/Remediation/Dell-BIOSPassword-Detection.ps1
@@ -0,0 +1,57 @@
+<#
+.SYNOPSIS
+ Detection: Checks if Dell BIOS Admin password is set and matches current expected password.
+ Uses the root\dcim\sysman\wmisecurity namespace.
+#>
+
+# === CONFIG ===
+$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
+
+# --- Dell check ---
+if ((Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer -notlike "*Dell*") { exit 0 }
+
+# --- Fetch current expected password from Azure ---
+try {
+ $Base64NewPwd = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
+ $NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64NewPwd))
+} catch {
+ Write-Output "Failed to fetch password from Azure."
+ exit 1
+}
+
+# --- Check if Admin Password is set ---
+try {
+ $PwdObj = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" -ErrorAction Stop |
+ Where-Object { $_.NameId -eq "Admin" }
+
+ if ($PwdObj.IsPasswordSet -ne 1) {
+ Write-Output "Admin password is NOT set. Non-compliant."
+ exit 1
+ }
+} catch {
+ Write-Output "WMI Security namespace not found."
+ exit 1
+}
+
+# --- Verify it matches the NEW password ---
+# We use the SecurityInterface to attempt a "verify" (setting the password to itself)
+try {
+ $SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface"
+ $Encoder = New-Object System.Text.UTF8Encoding
+ $PwdBytes = $Encoder.GetBytes($NewPassword)
+
+ # SetNewPassword(IsChange, PwdLen, PwdBytes, PwdType, OldPwd, NewPwd)
+ # PwdType: "Admin"
+ $Result = $SecurityInterface.SetNewPassword(1, $PwdBytes.Length, $PwdBytes, "Admin", $NewPassword, $NewPassword)
+
+ if ($Result.Status -eq 0) {
+ Write-Output "Admin password matches current expected value. Compliant."
+ exit 0
+ } else {
+ Write-Output "Admin password is set but does NOT match current expected value. Non-compliant."
+ exit 1
+ }
+} catch {
+ Write-Output "Verification call failed."
+ exit 1
+}
\ No newline at end of file
diff --git a/Remediation/Dell-BIOSPassword-Remediation.ps1 b/Remediation/Dell-BIOSPassword-Remediation.ps1
new file mode 100644
index 0000000..dba1da2
--- /dev/null
+++ b/Remediation/Dell-BIOSPassword-Remediation.ps1
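Review bot: The "verify" step at `$Result = $SecurityInterface.SetNewPassword(1, $PwdBytes.Length, $PwdBytes, "Admin", $NewPassword, $NewPassword)` is a mutating firmware call issued on every detection cycle, and when the blob value does not match the device, the BIOS sees it as a failed password-change attempt, which presumably counts toward the platform's retry limit on some Dell models — confirm that before scheduling this frequently. Mark the intent in code, e.g. `# NOTE: SetNewPassword with old == new is a write to the BIOS, not a read-only check; a mismatch is a failed attempt`, so it is not mistaken for a passive query. Separately, `$NewPwdBlobUrl` embeds a container-scoped read SAS token valid until 2034, and since Base64 is encoding rather than protection, anyone able to read this script (it is pushed to every Dell endpoint) can retrieve the current BIOS Admin password; rotate the token now that it is in repository history and move the fetch behind a short-lived or identity-based credential. The same URL and token recur in the Remediation script hunk. Finally, `Get-WmiObject` in this block lacks the `-ErrorAction Stop` that the `Get-CimInstance` call above uses, so a missing provider surfaces as a null method call and is logged as "Verification call failed." rather than as the namespace problem it is.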
@@ -0,0 +1,79 @@
+<#
+.SYNOPSIS
+ Remediation: Sets Dell BIOS Admin password using the wmisecurity provider.
+ Tries all known old passwords from Azure blob.
+#>
+
+# === CONFIG ===
+$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
+$OldPwdListBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/old-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
+
+$LogPath = "$env:ProgramData\Dell\BiosConfig\BiosRemediation.log"
+New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
+Start-Transcript -Path $LogPath -Append
+
+Write-Output "$(Get-Date) - Starting BIOS password remediation (WMI Security)"
+
+# --- Fetch Passwords from Azure ---
+try {
+ $Base64New = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
+ $NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64New))
+
+ $RawOld = Invoke-RestMethod -Uri $OldPwdListBlobUrl -Method Get
+ $OldPasswords = @()
+ foreach ($line in ($RawOld -split "`n")) {
+ $trimmed = $line.Trim()
+ if ($trimmed -eq "") { $OldPasswords += "" }
+ else { $OldPasswords += [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($trimmed)) }
+ }
+} catch {
+ Write-Output "Failed to fetch passwords from Azure."
+ Stop-Transcript; exit 1
+}
+
+# --- Connect to WMI ---
+try {
+ $SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface" -ErrorAction Stop
+ $PasswordObject = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" | Where-Object NameId -eq "Admin"
+ $Encoder = New-Object System.Text.UTF8Encoding
+} catch {
+ Write-Output "WMI Security classes not found."
+ Stop-Transcript; exit 1
+}
+
+# --- Logic: Set or Change ---
+$IsSet = $PasswordObject.IsPasswordSet -eq 1
+$Success = $false
+
+foreach ($OldPwd in $OldPasswords) {
+ $MaskedOld = if ($OldPwd -eq "") { "EMPTY" } else { "REDACTED" }
+ Write-Output "Attempting to apply password (OldPwd: $MaskedOld)"
+
+ try {
+ if (-not $IsSet) {
+ # Case: No password currently set
+ $Result = $SecurityInterface.SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)
+ } else {
+ # Case: Password is set, attempting change
+ $OldBytes = $Encoder.GetBytes($OldPwd)
+ $Result = $SecurityInterface.SetNewPassword(1, $OldBytes.Length, $OldBytes, "Admin", $OldPwd, $NewPassword)
+ }
+
+ if ($Result.Status -eq 0) {
+ Write-Output "Success! BIOS Admin password updated."
+ $Success = $true
+ break
+ } else {
+ Write-Output "Failed with status: $($Result.Status)"
+ }
+ } catch {
+ Write-Output "Error during WMI call: $_"
+ }
+}
+
+if ($Success) {
+ Stop-Transcript; exit 0
+} else {
+ Write-Output "All old password candidates failed."
+ Stop-Transcript; exit 1
+}
\ No newline at end of file
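Review bot: When `$IsSet` is false, the `foreach ($OldPwd in $OldPasswords)` loop never uses `$OldPwd` yet repeats the identical `SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)` call once per list entry, and every blank line in `old-content.txt` is also kept as an empty-string candidate, so a single failure turns into a burst of duplicate firmware calls; collapse the candidates before the loop with `if (-not $IsSet) { $OldPasswords = @("") }` and `$OldPasswords = @($OldPasswords | Select-Object -Unique)`. The larger concern is `$OldPwdListBlobUrl`: it serves the full history of BIOS Admin passwords, presumably still valid on any device this remediation has not yet reached, behind a container-scoped read SAS token that expires in 2034 and is shipped to every Dell endpoint, so the token should be rotated and retrieval moved behind an authenticated, short-lived mechanism. The script also applies whatever `current-content.txt` returns with no integrity or authenticity check beyond TLS, which means write access to that container is equivalent to control of the fleet's BIOS password; document that trust boundary at the CONFIG block and consider a signed payload. The `$MaskedOld` redaction correctly keeps candidates out of the transcript, but `Write-Output "Error during WMI call: $_"` should be checked so the error record cannot echo method arguments into `BiosRemediation.log`, which sits in a ProgramData directory created with default ACLs.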