Omnia/Azure-Dell-BIOS-Password-Solution
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Azure-Dell-BIOS-Password-So…/Remediation/Dell-BIOSPassword-Remediation.ps1

79 lines
3.1 KiB
PowerShell
Raw Permalink Blame History

<#
.SYNOPSIS
Remediation: Sets Dell BIOS Admin password using the wmisecurity provider.
Tries all known old passwords from Azure blob.
#>
# === CONFIG ===
$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
$OldPwdListBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/old-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
$LogPath = "$env:ProgramData\Dell\BiosConfig\BiosRemediation.log"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append
Write-Output "$(Get-Date) - Starting BIOS password remediation (WMI Security)"
# --- Fetch Passwords from Azure ---
try {
$Base64New = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
$NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64New))
$RawOld = Invoke-RestMethod -Uri $OldPwdListBlobUrl -Method Get
$OldPasswords = @()
foreach ($line in ($RawOld -split "`n")) {
$trimmed = $line.Trim()
if ($trimmed -eq "") { $OldPasswords += "" }
else { $OldPasswords += [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($trimmed)) }
}
} catch {
Write-Output "Failed to fetch passwords from Azure."
Stop-Transcript; exit 1
}
# --- Connect to WMI ---
try {
$SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface" -ErrorAction Stop
$PasswordObject = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" | Where-Object NameId -eq "Admin"
$Encoder = New-Object System.Text.UTF8Encoding
} catch {
Write-Output "WMI Security classes not found."
Stop-Transcript; exit 1
}
# --- Logic: Set or Change ---
$IsSet = $PasswordObject.IsPasswordSet -eq 1
$Success = $false
foreach ($OldPwd in $OldPasswords) {
$MaskedOld = if ($OldPwd -eq "") { "EMPTY" } else { "REDACTED" }
Write-Output "Attempting to apply password (OldPwd: $MaskedOld)"
try {
if (-not $IsSet) {
# Case: No password currently set
$Result = $SecurityInterface.SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)
} else {
# Case: Password is set, attempting change
$OldBytes = $Encoder.GetBytes($OldPwd)
$Result = $SecurityInterface.SetNewPassword(1, $OldBytes.Length, $OldBytes, "Admin", $OldPwd, $NewPassword)
}
if ($Result.Status -eq 0) {
Write-Output "Success! BIOS Admin password updated."
$Success = $true
break
} else {
Write-Output "Failed with status: $($Result.Status)"
}
} catch {
Write-Output "Error during WMI call: $_"
}
}
if ($Success) {
Stop-Transcript; exit 0
} else {
Write-Output "All old password candidates failed."
Stop-Transcript; exit 1
}
Reference in New Issue View Git Blame Copy Permalink