Upload files to "Remediation"
This commit is contained in:
79
Remediation/Dell-BIOSPassword-Remediation.ps1
Normal file
79
Remediation/Dell-BIOSPassword-Remediation.ps1
Normal file
@@ -0,0 +1,79 @@
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Remediation: Sets Dell BIOS Admin password using the wmisecurity provider.
|
||||
Tries all known old passwords from Azure blob.
|
||||
#>
|
||||
|
||||
# === CONFIG ===
|
||||
$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
|
||||
$OldPwdListBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/old-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
|
||||
|
||||
$LogPath = "$env:ProgramData\Dell\BiosConfig\BiosRemediation.log"
|
||||
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
|
||||
Start-Transcript -Path $LogPath -Append
|
||||
|
||||
Write-Output "$(Get-Date) - Starting BIOS password remediation (WMI Security)"
|
||||
|
||||
# --- Fetch Passwords from Azure ---
|
||||
try {
|
||||
$Base64New = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
|
||||
$NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64New))
|
||||
|
||||
$RawOld = Invoke-RestMethod -Uri $OldPwdListBlobUrl -Method Get
|
||||
$OldPasswords = @()
|
||||
foreach ($line in ($RawOld -split "`n")) {
|
||||
$trimmed = $line.Trim()
|
||||
if ($trimmed -eq "") { $OldPasswords += "" }
|
||||
else { $OldPasswords += [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($trimmed)) }
|
||||
}
|
||||
} catch {
|
||||
Write-Output "Failed to fetch passwords from Azure."
|
||||
Stop-Transcript; exit 1
|
||||
}
|
||||
|
||||
# --- Connect to WMI ---
|
||||
try {
|
||||
$SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface" -ErrorAction Stop
|
||||
$PasswordObject = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" | Where-Object NameId -eq "Admin"
|
||||
$Encoder = New-Object System.Text.UTF8Encoding
|
||||
} catch {
|
||||
Write-Output "WMI Security classes not found."
|
||||
Stop-Transcript; exit 1
|
||||
}
|
||||
|
||||
# --- Logic: Set or Change ---
|
||||
$IsSet = $PasswordObject.IsPasswordSet -eq 1
|
||||
$Success = $false
|
||||
|
||||
foreach ($OldPwd in $OldPasswords) {
|
||||
$MaskedOld = if ($OldPwd -eq "") { "EMPTY" } else { "REDACTED" }
|
||||
Write-Output "Attempting to apply password (OldPwd: $MaskedOld)"
|
||||
|
||||
try {
|
||||
if (-not $IsSet) {
|
||||
# Case: No password currently set
|
||||
$Result = $SecurityInterface.SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)
|
||||
} else {
|
||||
# Case: Password is set, attempting change
|
||||
$OldBytes = $Encoder.GetBytes($OldPwd)
|
||||
$Result = $SecurityInterface.SetNewPassword(1, $OldBytes.Length, $OldBytes, "Admin", $OldPwd, $NewPassword)
|
||||
}
|
||||
|
||||
if ($Result.Status -eq 0) {
|
||||
Write-Output "Success! BIOS Admin password updated."
|
||||
$Success = $true
|
||||
break
|
||||
} else {
|
||||
Write-Output "Failed with status: $($Result.Status)"
|
||||
}
|
||||
} catch {
|
||||
Write-Output "Error during WMI call: $_"
|
||||
}
|
||||
}
|
||||
|
||||
if ($Success) {
|
||||
Stop-Transcript; exit 0
|
||||
} else {
|
||||
Write-Output "All old password candidates failed."
|
||||
Stop-Transcript; exit 1
|
||||
}
|
||||
Reference in New Issue
Block a user