79 lines
3.1 KiB
PowerShell
79 lines
3.1 KiB
PowerShell
<#
|
|
.SYNOPSIS
|
|
Remediation: Sets Dell BIOS Admin password using the wmisecurity provider.
|
|
Tries all known old passwords from Azure blob.
|
|
#>
|
|
|
|
# === CONFIG ===
|
|
$NewPwdBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/current-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
|
|
$OldPwdListBlobUrl = "https://stitbiosmgmt.blob.core.windows.net/mgmt/old-content.txt?sp=r&st=2026-02-26T08:49:58Z&se=2034-01-08T17:04:58Z&spr=https&sv=2024-11-04&sr=c&sig=zS74OfiIR93eSpFz68xnqW99UF0pJPLCoUIB7X5rnnM%3D"
|
|
|
|
$LogPath = "$env:ProgramData\Dell\BiosConfig\BiosRemediation.log"
|
|
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
|
|
Start-Transcript -Path $LogPath -Append
|
|
|
|
Write-Output "$(Get-Date) - Starting BIOS password remediation (WMI Security)"
|
|
|
|
# --- Fetch Passwords from Azure ---
|
|
try {
|
|
$Base64New = (Invoke-RestMethod -Uri $NewPwdBlobUrl -Method Get).Trim()
|
|
$NewPassword = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64New))
|
|
|
|
$RawOld = Invoke-RestMethod -Uri $OldPwdListBlobUrl -Method Get
|
|
$OldPasswords = @()
|
|
foreach ($line in ($RawOld -split "`n")) {
|
|
$trimmed = $line.Trim()
|
|
if ($trimmed -eq "") { $OldPasswords += "" }
|
|
else { $OldPasswords += [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($trimmed)) }
|
|
}
|
|
} catch {
|
|
Write-Output "Failed to fetch passwords from Azure."
|
|
Stop-Transcript; exit 1
|
|
}
|
|
|
|
# --- Connect to WMI ---
|
|
try {
|
|
$SecurityInterface = Get-WmiObject -Namespace "root\dcim\sysman\wmisecurity" -Class "SecurityInterface" -ErrorAction Stop
|
|
$PasswordObject = Get-CimInstance -Namespace "root\dcim\sysman\wmisecurity" -ClassName "PasswordObject" | Where-Object NameId -eq "Admin"
|
|
$Encoder = New-Object System.Text.UTF8Encoding
|
|
} catch {
|
|
Write-Output "WMI Security classes not found."
|
|
Stop-Transcript; exit 1
|
|
}
|
|
|
|
# --- Logic: Set or Change ---
|
|
$IsSet = $PasswordObject.IsPasswordSet -eq 1
|
|
$Success = $false
|
|
|
|
foreach ($OldPwd in $OldPasswords) {
|
|
$MaskedOld = if ($OldPwd -eq "") { "EMPTY" } else { "REDACTED" }
|
|
Write-Output "Attempting to apply password (OldPwd: $MaskedOld)"
|
|
|
|
try {
|
|
if (-not $IsSet) {
|
|
# Case: No password currently set
|
|
$Result = $SecurityInterface.SetNewPassword(0, 0, 0, "Admin", "", $NewPassword)
|
|
} else {
|
|
# Case: Password is set, attempting change
|
|
$OldBytes = $Encoder.GetBytes($OldPwd)
|
|
$Result = $SecurityInterface.SetNewPassword(1, $OldBytes.Length, $OldBytes, "Admin", $OldPwd, $NewPassword)
|
|
}
|
|
|
|
if ($Result.Status -eq 0) {
|
|
Write-Output "Success! BIOS Admin password updated."
|
|
$Success = $true
|
|
break
|
|
} else {
|
|
Write-Output "Failed with status: $($Result.Status)"
|
|
}
|
|
} catch {
|
|
Write-Output "Error during WMI call: $_"
|
|
}
|
|
}
|
|
|
|
if ($Success) {
|
|
Stop-Transcript; exit 0
|
|
} else {
|
|
Write-Output "All old password candidates failed."
|
|
Stop-Transcript; exit 1
|
|
} |