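<#
.SYNOPSIS
    Remediation: sets the Dell BIOS Admin password through the Dell "wmisecurity" WMI provider.

.DESCRIPTION
    Downloads the password to apply (base64) and a list of previous passwords (base64, one per
    line) from Azure blob storage, then tries each previous password until the firmware accepts
    the change. When no Admin password is currently set, the new password is applied directly
    and the candidate list is not used.

    Exit codes:
      0 - password set or changed
      1 - download/decoding failure, WMI provider unavailable, or every candidate rejected

.PARAMETER NewPwdBlobUrl
    URL of the blob holding the base64-encoded password to apply.
.PARAMETER OldPwdListBlobUrl
    URL of the blob holding base64-encoded previous passwords, one per line. An empty line is
    treated as the candidate "no old password".
.PARAMETER LogPath
    Transcript/log file. Passwords themselves are never written to it.

.NOTES
    The default URLs embed a SAS token (the "sig=" query parameter) that grants read access to
    both password blobs until the "se=" expiry; anyone who can read this script can read the
    passwords. Prefer supplying the URLs from the management channel at run time and keep the
    token short-lived and rotated.
#>
param(
  [string]$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D",
  [string]$OldPwdListBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/old-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D",
  [string]$LogPath = "$env:ProgramData\Dell\BiosConfig\BiosRemediation.log"
)

function ConvertFrom-Base64Text {
  # Decodes a base64 string to UTF-8 text. Throws on malformed input (FormatException).
  param([string]$Text)
  return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Text))
}

function Get-PasswordCandidates {
  # Fetches and decodes the new password and the ordered, de-duplicated list of old passwords.
  # Returns a hashtable @{ New = <string>; Old = <string[]> }. Throws on download/decoding
  # failure or when the new password decodes to an empty string.
  param([string]$NewUrl, [string]$OldListUrl)

  $base64New = ([string](Invoke-RestMethod -Uri $NewUrl -Method Get)).Trim()
  $newPassword = ConvertFrom-Base64Text $base64New
  # An empty blob would otherwise silently clear the BIOS password; refuse that.
  if ([string]::IsNullOrEmpty($newPassword)) {
    throw "New password blob decoded to an empty string."
  }

  $rawOld = [string](Invoke-RestMethod -Uri $OldListUrl -Method Get)
  $oldPasswords = New-Object System.Collections.Generic.List[string]
  foreach ($line in ($rawOld -split "`n")) {
    $trimmed = $line.Trim()   # Trim also drops the \r of CRLF files
    $candidate = if ($trimmed -eq "") { "" } else { ConvertFrom-Base64Text $trimmed }
    # Case-sensitive de-duplication: -contains is case-insensitive and would merge
    # passwords differing only in case. Duplicate attempts buy nothing and each rejected
    # attempt is one more failed unlock against the firmware.
    if ($oldPasswords -cnotcontains $candidate) {
      $oldPasswords.Add($candidate)
    }
  }
  return @{ New = $newPassword; Old = $oldPasswords.ToArray() }
}

function Get-DellSecurityContext {
  # Returns @{ Interface = <SecurityInterface WMI object>; IsSet = <bool> }.
  # Throws when the Dell wmisecurity namespace/classes or the Admin PasswordObject are absent.
  $namespace = "root\dcim\sysman\wmisecurity"
  # Get-WmiObject is used (rather than Invoke-CimMethod) so SetNewPassword can be invoked
  # positionally exactly as before; it is deprecated in PowerShell 7.
  $securityInterface = Get-WmiObject -Namespace $namespace -Class "SecurityInterface" -ErrorAction Stop
  if ($null -eq $securityInterface) {
    throw "SecurityInterface class returned no instance."
  }
  $passwordObject = Get-CimInstance -Namespace $namespace -ClassName "PasswordObject" -ErrorAction Stop |
    Where-Object NameId -eq "Admin"
  if ($null -eq $passwordObject) {
    throw "No PasswordObject instance with NameId 'Admin'."
  }
  return @{
    Interface = $securityInterface
    IsSet     = ($passwordObject.IsPasswordSet -eq 1)
  }
}

function Invoke-AdminPasswordSet {
  # Performs a single SetNewPassword call and returns the provider's result object
  # (its Status property is 0 on success).
  #   IsSet       - whether an Admin password is currently set
  #   OldPassword - candidate current password (ignored when IsSet is $false)
  #   NewPassword - password to apply
  param($SecurityInterface, [bool]$IsSet, [string]$OldPassword, [string]$NewPassword)
  if (-not $IsSet) {
    # No password set: SecType 0, no security handle, empty old password.
    return $SecurityInterface.SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)
  }
  # Password set: SecType 1 with the UTF-8 bytes of the old password as the security handle.
  $encoder = New-Object System.Text.UTF8Encoding
  $oldBytes = $encoder.GetBytes($OldPassword)
  return $SecurityInterface.SetNewPassword(1, $oldBytes.Length, $oldBytes, "Admin", $OldPassword, $NewPassword)
}

# === MAIN ===
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append
$exitCode = 1
try {
  Write-Output "$(Get-Date) - Starting BIOS password remediation (WMI Security)"

  # --- Fetch passwords from Azure ---
  try {
    $passwords = Get-PasswordCandidates -NewUrl $NewPwdBlobUrl -OldListUrl $OldPwdListBlobUrl
  } catch {
    # The error text is logged; the exception never carries password material.
    Write-Output "Failed to fetch passwords from Azure: $_"
    return
  }

  # --- Connect to WMI ---
  try {
    $ctx = Get-DellSecurityContext
  } catch {
    Write-Output "WMI Security classes not found: $_"
    return
  }

  # --- Set or change ---
  # When no password is set, every candidate would issue the identical call; try once.
  $attempts = if ($ctx.IsSet) { $passwords.Old } else { @("") }
  $success = $false
  foreach ($oldPwd in $attempts) {
    $maskedOld = if ($oldPwd -eq "") { "EMPTY" } else { "REDACTED" }
    Write-Output "Attempting to apply password (OldPwd: $maskedOld)"
    try {
      $result = Invoke-AdminPasswordSet -SecurityInterface $ctx.Interface -IsSet $ctx.IsSet `
        -OldPassword $oldPwd -NewPassword $passwords.New
      if ($result.Status -eq 0) {
        Write-Output "Success! BIOS Admin password updated."
        $success = $true
        break
      }
      Write-Output "Failed with status: $($result.Status)"
    } catch {
      Write-Output "Error during WMI call: $_"
    }
  }

  if ($success) {
    $exitCode = 0
  } else {
    Write-Output "All old password candidates failed."
  }
} finally {
  # Always close the transcript, whichever path ended the run.
  Stop-Transcript
}
exit $exitCode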