Upload files to "Remediation"

2026-03-22 09:01:40 +00:00
commit 1b6e9c3156
2 changed files with 136 additions and 0 deletions
--- a/Remediation/Dell-BIOSPassword-Detection.ps1
+++ b/Remediation/Dell-BIOSPassword-Detection.ps1
@@ -0,0 +1,57 @@
 <#
 .SYNOPSIS
    Detection: Checks if Dell BIOS Admin password is set and matches current expected password.
    Uses the root\dcim\sysman\wmisecurity namespace.
 #>
 # === CONFIG ===
 $NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
 # --- Dell check ---
 if ((Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer -notlike "*Dell*") { exit 0 }
 # --- Fetch current expected password from Azure ---
 try {
    $Base64NewPwd = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
    $NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64NewPwd))
 } catch {
    Write-Output "Failed to fetch password from Azure."
    exit 1
 }
 # --- Check if Admin Password is set ---
 try {
    $PwdObj = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" -ErrorAction Stop | 
              Where-Object { $_.NameId -eq "Admin" }
    if ($PwdObj.IsPasswordSet -ne 1) {
        Write-Output "Admin password is NOT set. Non-compliant."
        exit 1
    }
 } catch {
    Write-Output "WMI Security namespace not found."
    exit 1
 }
 # --- Verify it matches the NEW password ---
 # We use the SecurityInterface to attempt a "verify" (setting the password to itself)
 try {
    $SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface"
    $Encoder = New-Object System.Text.UTF8Encoding
    $PwdBytes = $Encoder.GetBytes($NewPassword)
    # SetNewPassword(IsChange, PwdLen, PwdBytes, PwdType, OldPwd, NewPwd)
    # PwdType: "Admin"
    $Result = $SecurityInterface.SetNewPassword(1, $PwdBytes.Length, $PwdBytes, "Admin", $NewPassword, $NewPassword)
    if ($Result.Status -eq 0) {
        Write-Output "Admin password matches current expected value. Compliant."
        exit 0
    } else {
        Write-Output "Admin password is set but does NOT match current expected value. Non-compliant."
        exit 1
    }
 } catch {
    Write-Output "Verification call failed."
    exit 1
 }
--- a/Remediation/Dell-BIOSPassword-Remediation.ps1
+++ b/Remediation/Dell-BIOSPassword-Remediation.ps1
@@ -0,0 +1,79 @@
 <#
 .SYNOPSIS
    Remediation: Sets Dell BIOS Admin password using the wmisecurity provider.
    Tries all known old passwords from Azure blob.
 #>
 # === CONFIG ===
 $NewPwdBlobUrl     = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
 $OldPwdListBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/old-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
 $LogPath = "$env:ProgramData\Dell\BiosConfig\BiosRemediation.log"
 New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
 Start-Transcript -Path $LogPath -Append
 Write-Output "$(Get-Date) - Starting BIOS password remediation (WMI Security)"
 # --- Fetch Passwords from Azure ---
 try {
    $Base64New = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
    $NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64New))
    $RawOld = Invoke-RestMethod -Uri $OldPwdListBlobUrl -Method Get
    $OldPasswords = @()
    foreach ($line in ($RawOld -split "`n")) {
        $trimmed = $line.Trim()
        if ($trimmed -eq "") { $OldPasswords += "" }
        else { $OldPasswords += [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($trimmed)) }
    }
 } catch {
    Write-Output "Failed to fetch passwords from Azure."
    Stop-Transcript; exit 1
 }
 # --- Connect to WMI ---
 try {
    $SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface" -ErrorAction Stop
    $PasswordObject    = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" | Where-Object NameId -eq "Admin"
    $Encoder = New-Object System.Text.UTF8Encoding
 } catch {
    Write-Output "WMI Security classes not found."
    Stop-Transcript; exit 1
 }
 # --- Logic: Set or Change ---
 $IsSet = $PasswordObject.IsPasswordSet -eq 1
 $Success = $false
 foreach ($OldPwd in $OldPasswords) {
    $MaskedOld = if ($OldPwd -eq "") { "EMPTY" } else { "REDACTED" }
    Write-Output "Attempting to apply password (OldPwd: $MaskedOld)"
    try {
        if (-not $IsSet) {
            # Case: No password currently set
            $Result = $SecurityInterface.SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)
        } else {
            # Case: Password is set, attempting change
            $OldBytes = $Encoder.GetBytes($OldPwd)
            $Result = $SecurityInterface.SetNewPassword(1, $OldBytes.Length, $OldBytes, "Admin", $OldPwd, $NewPassword)
        }
        if ($Result.Status -eq 0) {
            Write-Output "Success! BIOS Admin password updated."
            $Success = $true
            break
        } else {
            Write-Output "Failed with status: $($Result.Status)"
        }
    } catch {
        Write-Output "Error during WMI call: $_"
    }
 }
 if ($Success) {
    Stop-Transcript; exit 0
 } else {
    Write-Output "All old password candidates failed."
    Stop-Transcript; exit 1
 }