Omnia/Azure-Dell-BIOS-Password-Solution
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "Remediation"

Browse Source
This commit is contained in:
samsamfin
2026-03-22 09:01:40 +00:00
commit 1b6e9c3156
2 changed files with 136 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
Remediation/Dell-BIOSPassword-Detection.ps1 Normal file
View File

@@ -0,0 +1,57 @@
<#
.SYNOPSIS
Detection: Checks if Dell BIOS Admin password is set and matches current expected password.
Uses the root\dcim\sysman\wmisecurity namespace.
#>
# === CONFIG ===
$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
# --- Dell check ---
if ((Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer -notlike "*Dell*") { exit 0 }
# --- Fetch current expected password from Azure ---
try {
$Base64NewPwd = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
$NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64NewPwd))
} catch {
Write-Output "Failed to fetch password from Azure."
exit 1
}
# --- Check if Admin Password is set ---
try {
$PwdObj = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" -ErrorAction Stop |
Where-Object { $_.NameId -eq "Admin" }
if ($PwdObj.IsPasswordSet -ne 1) {
Write-Output "Admin password is NOT set. Non-compliant."
exit 1
}
} catch {
Write-Output "WMI Security namespace not found."
exit 1
}
# --- Verify it matches the NEW password ---
# We use the SecurityInterface to attempt a "verify" (setting the password to itself)
try {
$SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface"
$Encoder = New-Object System.Text.UTF8Encoding
$PwdBytes = $Encoder.GetBytes($NewPassword)
# SetNewPassword(IsChange, PwdLen, PwdBytes, PwdType, OldPwd, NewPwd)
# PwdType: "Admin"
$Result = $SecurityInterface.SetNewPassword(1, $PwdBytes.Length, $PwdBytes, "Admin", $NewPassword, $NewPassword)
if ($Result.Status -eq 0) {
Write-Output "Admin password matches current expected value. Compliant."
exit 0
} else {
Write-Output "Admin password is set but does NOT match current expected value. Non-compliant."
exit 1
}
} catch {
Write-Output "Verification call failed."
exit 1
}