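<#
.SYNOPSIS
    Detection: Checks if Dell BIOS Admin password is set and matches current expected password.

.DESCRIPTION
    Detection script semantics: exit 0 = compliant (or not applicable), exit 1 = non-compliant
    or unable to evaluate. Uses the root\dcim\sysman\wmisecurity namespace.

    Steps:
      1. Exit 0 on non-Dell hardware (the namespace only exists on Dell clients).
      2. Download the expected password (base64-encoded) from $NewPwdBlobUrl.
      3. Confirm a BIOS Admin password is set (PasswordObject, NameId "Admin").
      4. "Verify" the password by calling SecurityInterface.SetNewPassword with the expected
         value as both OldPassword and NewPassword; Status 0 means the BIOS accepted the old value.

.NOTES
    - Step 4 is a write operation: each run re-sets the Admin password to its current value.
    - The blob content is only base64-encoded, not encrypted, and the SAS token embedded in
      $NewPwdBlobUrl grants read access until its "se" expiry to anyone who can read this
      script (every device it is deployed to). Treat the URL as a secret; rotate the SAS if the
      script is exposed.
    - Nothing in this script writes the password itself to the output stream.
#>

# === CONFIG ===
$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"

# Azure Storage endpoints commonly require TLS 1.2, while Windows PowerShell 5.1 on older
# builds may negotiate only older protocols. OR-ing keeps any stronger protocol already enabled.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

# --- Dell check ---
# Non-Dell hardware is out of scope: report compliant / not applicable.
$Manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
if ($Manufacturer -notlike "*Dell*") {
    exit 0
}

# --- Fetch current expected password from Azure ---
try {
    # Force a string before Trim(): Invoke-RestMethod may return a non-string depending on
    # the response content type.
    $Base64NewPwd = [string](Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get)
    $Base64NewPwd = $Base64NewPwd.Trim()
    $NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64NewPwd))
} catch {
    Write-Output "Failed to fetch password from Azure."
    exit 1
}

# An empty blob decodes to an empty string; never hand an empty credential to the BIOS call below.
if ([string]::IsNullOrEmpty($NewPassword)) {
    Write-Output "Fetched password is empty. Cannot verify."
    exit 1
}

# --- Check if Admin Password is set ---
try {
    $PwdObj = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" -ErrorAction Stop |
        Where-Object { $_.NameId -eq "Admin" }

    # $PwdObj is $null when no "Admin" entry exists; treat that the same as "not set".
    if ($null -eq $PwdObj -or $PwdObj.IsPasswordSet -ne 1) {
        Write-Output "Admin password is NOT set. Non-compliant."
        exit 1
    }
} catch {
    Write-Output "WMI Security namespace not found."
    exit 1
}

# --- Verify it matches the NEW password ---
# There is no read-only "check password" method here; SetNewPassword with
# OldPassword == NewPassword returns Status 0 only when OldPassword is the current Admin password.
try {
    # -ErrorAction Stop: a missing class surfaces as the catch below instead of a
    # non-terminating error followed by a method call on $null.
    $SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface" -ErrorAction Stop
    if ($null -eq $SecurityInterface) {
        throw "SecurityInterface returned no instance."
    }

    $PwdBytes = [System.Text.Encoding]::UTF8.GetBytes($NewPassword)

    # Argument order follows Dell's documented pattern for a password-protected BIOS:
    #   (SecType, SecHndCount, SecHandle, NameId, OldPassword, NewPassword)
    # with SecType 1 = current password supplied as a byte array in SecHandle.
    # NOTE(review): parameter names taken from Dell's examples — confirm against the provider's MOF.
    $Result = $SecurityInterface.SetNewPassword(1, $PwdBytes.Length, $PwdBytes, "Admin", $NewPassword, $NewPassword)

    # A $null result (method returned nothing) is reported as non-compliant rather than compliant.
    if ($null -ne $Result -and $Result.Status -eq 0) {
        Write-Output "Admin password matches current expected value. Compliant."
        exit 0
    } else {
        Write-Output "Admin password is set but does NOT match current expected value. Non-compliant."
        exit 1
    }
} catch {
    Write-Output "Verification call failed."
    exit 1
}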