Closed jgstew closed 4 years ago
Forum Post: https://forum.bigfix.com/t/bios-updates-configuration-using-bigfix/24058/42
Current BIOS Update Template: https://github.com/jgstew/bigfix-content/blob/master/fixlet/BIOS%20Update%20%7B%7Bvendor%7D%7D%20%7B%7Bmodel%7D%7D%20to%20%7B%7Bbios_version%7D%7D%20-%20Windows.bes
names of bes fixlets whose(exists mime fields "parametermetadatatag" of it AND body of it as string as lowercase contains "vrt_utils" )
unique value of mime fields "vrt_utils.js" of fixlets whose ( task flag of it AND "Parameterized Fixlet Library" = name of it ) of bes sites whose(name of it = "BES Support")
regset64 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
manage-bde -protectors -enable C:
CMD /C "manage-bde -protectors -enable C: > \Windows\Temp\BitLockerEnable.txt"
action requires restart "BIOS Update"
exists boolean values whose(it) of selects "IsSet FROM DCIM_BIOSPassword where ElementName='BiosSetupPassword'" of wmis "ROOT\DCIM\SYSMAN"
ConversionStatus value of 1, 2, 4:
exists it whose(exists integer values whose(it = 1) of properties "ProtectionStatus" of it OR exists integer values whose(it = 1 OR it = 2 OR it = 4) of properties "ConversionStatus" of it) of select objects "ConversionStatus, ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose(string value of property "DriveLetter" of it starts with (name of drive of system folder)) of wmis "root\CIMv2\Security\MicrosoftVolumeEncryption"
integer values of properties "ProtectionStatus" of select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose(string value of property "DriveLetter" of it starts with "C:") of wmis "root\CIMv2\Security\MicrosoftVolumeEncryption"
(exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" whose (exists select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 0 AND string value of property "DriveLetter" of it = "C:") of it))
manage-bde -protectors -disable C: -RebootCount 1
CMD /C "manage-bde -protectors -disable C: -RebootCount 1"
exists files "manage-bde.exe" of (system folders; system x64 folders)
Suspend-BitLocker -mountpoint "C:" -rebootcount 1
powershell -ExecutionPolicy Bypass -command "Suspend-BitLocker -mountpoint 'C:' -rebootcount 1"
I created a "Suspend BitLocker Until Next Reboot - Windows" task: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Suspend%20BitLocker%20Until%20Next%20Reboot%20-%20Windows.bes
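An added example, not code from this issue or from the jgstew/bigfix-content repository: a PowerShell pre-flight gate for a BIOS flash that reads the same Win32_EncryptableVolume properties the relevance above reads, suspends BitLocker for one reboot when protection is on (the same effect as the manage-bde and Suspend-BitLocker lines), and refuses to continue unless protection is verifiably off on the OS volume. It assumes a Windows host with the BitLocker PowerShell module, an elevated session, and that $env:SystemDrive is the volume to check.

```powershell
# Added example: not code from the issue or from jgstew/bigfix-content.
# Pre-flight gate for a BIOS flash on a BitLocker-protected OS volume.
# Assumes Windows with the BitLocker module (Suspend-BitLocker) and an elevated session.
# Fails closed: any error (not elevated, namespace missing) terminates with a non-zero exit.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive   # usually "C:"; the relevance uses "name of drive of system folder"

function Get-OsVolumeState {
    # Same class and properties the relevance queries.
    # ProtectionStatus: 0 = off (including suspended), 1 = on, 2 = unknown
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    #                   2 = encryption in progress, 3 = decryption in progress,
    #                   4 = encryption paused, 5 = decryption paused
    Get-CimInstance -Namespace 'root\CIMv2\Security\MicrosoftVolumeEncryption' `
        -ClassName 'Win32_EncryptableVolume' -Filter "DriveLetter='$osDrive'" |
        Select-Object DriveLetter, ProtectionStatus, ConversionStatus
}

function Test-BitLockerInUse([int]$Protection, [int]$Conversion) {
    # The "ConversionStatus value of 1,2,4" relevance: protection on, or the
    # volume is encrypted / encrypting / paused mid-encryption.
    return ($Protection -eq 1) -or ($Conversion -in @(1, 2, 4))
}

function Test-SafeToFlash([int]$Protection) {
    # The "ProtectionStatus = 0" relevance. A suspended volume keeps
    # ConversionStatus 1 but reports ProtectionStatus 0, so this, not the
    # 1,2,4 test, is the go/no-go check: the volume key is protected by a clear
    # key, and a changed TPM measurement after the flash will not force recovery.
    return $Protection -eq 0
}

$state = Get-OsVolumeState
if ($null -eq $state) {
    # Namespace exists but no encryptable volume matched the system drive.
    Write-Host "No Win32_EncryptableVolume for $osDrive; BitLocker not in use, safe to flash."
    exit 0
}
Write-Host ("{0} ProtectionStatus={1} ConversionStatus={2}" -f $state.DriveLetter, $state.ProtectionStatus, $state.ConversionStatus)

if ($state.ProtectionStatus -eq 2) {
    Write-Warning "ProtectionStatus is Unknown on $osDrive; refusing to flash."
    exit 1
}

if ((Test-BitLockerInUse $state.ProtectionStatus $state.ConversionStatus) -and -not (Test-SafeToFlash $state.ProtectionStatus)) {
    # Equivalent of: manage-bde -protectors -disable C: -RebootCount 1
    # Protection re-arms automatically after one restart, i.e. the reboot the
    # updater triggers. An updater that reboots more than once needs a higher
    # count; 0 keeps it suspended until Resume-BitLocker is run.
    Suspend-BitLocker -MountPoint $osDrive -RebootCount 1 | Out-Null
    $state = Get-OsVolumeState    # re-read rather than trusting the cmdlet's return value
}

if (-not (Test-SafeToFlash $state.ProtectionStatus)) {
    Write-Warning "BitLocker protection is still on for $osDrive; aborting the BIOS update."
    exit 1
}
Write-Host "BitLocker protection is off for $osDrive; run the BIOS updater now."
exit 0
```

Run it immediately before launching the BIOS updater and treat a non-zero exit as "do not flash". The distinction between the two predicates matters: after Suspend-BitLocker the 1,2,4 ConversionStatus test is still true (the volume is still fully encrypted), so the state that actually makes a firmware change safe is ProtectionStatus 0, which is what the last check enforces.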
Get List of Examples that use the parameterized fixlet library OR a similar one with Session Relevance:
names of bes fixlets whose(exists mime fields "parametermetadatatag" of it)
You can find fixlets that DO NOT use the parameterized fixlet library for form inputs using this Session Relevance:
names of bes fixlets whose(exists body whose(it as string as lowercase contains "<input") of it AND not exists mime fields "parametermetadatatag" of it)
Fixlets that use action parameter query:
names of bes fixlets whose(exists scripts whose(it contains "action parameter query") of actions of it)
It turns out the rabbit hole goes even deeper. There is the parameterized fixlet library vrt_utils.js, but there are also many different vrt_fixletUtils.js files that seem to have a similar function and purpose, but this one is generally only found within specific site files, not a task that can be easily referenced by ANY fixlet/task/etc...

The other confusing thing is that vrt_fixletUtils.js seems slightly different in each site. Is one of them better than the others? How much do they overlap with vrt_utils.js?

I feel compelled to do a diff against all of the vrt_fixletUtils.js files as well as vrt_utils.js just to dig deeper.

After doing a diff against a few different versions of vrt_fixletUtils.js AND vrt_utils.js, it is clear that they are both based upon the same code, just that vrt_fixletUtils.js has progressed and changed since vrt_utils.js was first created.

It isn't clear if you could swap out the newest version of vrt_fixletUtils.js for vrt_utils.js directly. Seems like there would be a bit more to it than that.
example Dell BIOS XML inside the CatalogPC.xml:
<?xml version="1.0" encoding="utf-16"?>
<Manifest baseLocation="downloads.dell.com" dateTime="2020-06-22T17:20:03+05:30" releaseID="F0J4H" version="20.06.22" identifier="afb6bf76-e108-45cb-824f-678e9350264f">
<SoftwareComponent schemaVersion="2.0" identifier="6c64acf6-5fdf-4b84-8eb6-377f71fb48dc" packageID="PTJJD" releaseID="PTJJD" hashMD5="d7bafe87a8469d43b30a5c2dca05d3e1" path="FOLDER05644492M/1/O3020A20.exe" dateTime="2018-11-12T07:52:25Z" releaseDate="June 19, 2019" vendorVersion="A20" dellVersion="A20" packageType="LWXP" size="5004032">
<Name>
<Display lang="en"><![CDATA[Dell OptiPlex 3020 System BIOS,A20,A20]]></Display>
</Name>
<ComponentType value="BIOS">
<Display lang="en"><![CDATA[BIOS]]></Display>
</ComponentType>
<Description>
<Display lang="en"><![CDATA[SWB,BIOS,OPTIPLEX3020,A20]]></Display>
</Description>
<Category value="BI">
<Display lang="en"><![CDATA[BIOS]]></Display>
</Category>
<SupportedDevices>
<Device componentID="159" embedded="false">
<Display lang="en"><![CDATA[BIOS]]></Display>
</Device>
</SupportedDevices>
<LUCategory value="NONE">
<Display lang="en"><![CDATA[NONE]]></Display>
</LUCategory>
<SupportedSystems>
<Brand key="1" prefix="OP">
<Display lang="en"><![CDATA[Optiplex]]></Display>
<Model systemID="0612">
<Display lang="en"><![CDATA[3020]]></Display>
</Model>
</Brand>
</SupportedSystems>
<ImportantInfo URL="http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=PTJJD" />
<Criticality value="2">
<Display lang="en"><![CDATA[Urgent]]></Display>
</Criticality>
</SoftwareComponent>
</Manifest>
Actual download URL is [Manifest baseLocation] + / + [SoftwareComponent path]
Looks like there are 311 BIOS updates within the catalog:
Q: number of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: 311
T: 1570.711 ms
Example getting the names of the BIOS updates:
Q: node values of xpaths "Name/Display/text()" of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: Dell Latitude 5495 System BIOS,1.3.4,1.3.4
A: Dell Latitude 3190 and 3190 2-in-1 System BIOS,1.10.0,1.10.0
Get the version numbers:
Q: node values of xpaths "@dellVersion" of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: 1.3.4
A: 1.10.0
Get Brand + Model for relevance:
Q: ( (item 0 of it & " " & item 1 of it) of (node values of xpaths "Display/text()" of it, node values of xpaths "Model/Display/text()" of it) of xpaths "SupportedSystems/Brand" of it) of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: Latitude 5495
A: Latitude 3190
Get Download URL:
Q: ("http://" & item 0 of it & "/" & item 1 of it) of (node values of xpaths "@baseLocation" of it , node values of xpaths "@path" of xpaths "SoftwareComponent[ComponentType[@value='BIOS']]" of it) of xpaths "/Manifest" of xml documents of files "C:\tmp\CatalogPC.xml"
A: http://downloads.dell.com/FOLDER06217780M/1/Latitude_5495_1.3.4.exe
A: http://downloads.dell.com/FOLDER06036787M/1/Latitude_3190_1.10.0.exe
Get Size, MD5, URL:
Q: ( node values of xpaths "@size" of it, node values of xpaths "@hashMD5" of it, ("http://downloads.dell.com/" & it) of node values of xpaths "@path" of it) of xpaths "SoftwareComponent[ComponentType[@value='BIOS']]" of xpaths "/Manifest" of xml documents of files "C:\tmp\CatalogPC.xml"
A: 6154960, 488d59fdd41345213f082bddbcad0be1, http://downloads.dell.com/FOLDER06217780M/1/Latitude_5495_1.3.4.exe
A: 8620064, b52303759ac28770fcd0c6deb451725f, http://downloads.dell.com/FOLDER06036787M/1/Latitude_3190_1.10.0.exe
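An added example, not code from this issue or from the jgstew/bigfix-content repository: a PowerShell version of the catalog queries above. It selects BIOS components with the same XPath the relevance uses, builds the download URL as [Manifest baseLocation] + / + [SoftwareComponent path], and returns name, version, the Brand + Model string, size and MD5. It goes a little beyond the relevance in that it emits one record per supported model, so a component that lists several models yields one row each. It also adds a package check that compares size and MD5 against the catalog and, because MD5 and size only prove integrity, requires a valid Authenticode signature before the .exe is run. The two-component catalog in the block is constructed (the BIOS entry is the OptiPlex 3020 excerpt from this issue, the driver entry is made up); point -Path at a real CatalogPC.xml to use it for real.

```powershell
# Added example: not code from the issue or from jgstew/bigfix-content.
# Extracts BIOS entries from a Dell CatalogPC.xml with the same XPath as the
# relevance, then verifies a downloaded package. Windows PowerShell 5.1 or PowerShell 7.

function Get-DellBiosUpdates {
    param(
        [string]$Path,      # a real CatalogPC.xml (UTF-16 with BOM; Get-Content detects it)
        [string]$XmlText    # or the catalog text directly (used for the sample below)
    )
    if ($Path) { $XmlText = Get-Content -Path $Path -Raw }
    $doc  = [xml]$XmlText
    $base = $doc.DocumentElement.GetAttribute('baseLocation')   # "downloads.dell.com"
    foreach ($c in $doc.SelectNodes("/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]")) {
        # One record per supported model, so a component that lists several
        # models (e.g. "Latitude 3190 and 3190 2-in-1") yields one row each.
        foreach ($brand in $c.SelectNodes('SupportedSystems/Brand')) {
            $brandName = $brand.SelectSingleNode('Display').InnerText
            foreach ($model in $brand.SelectNodes('Model')) {
                $modelName = $model.SelectSingleNode('Display').InnerText
                [pscustomobject]@{
                    Name     = $c.SelectSingleNode('Name/Display').InnerText   # $c.Name would give the element name
                    Version  = $c.GetAttribute('dellVersion')
                    System   = "$brandName $modelName"                         # the "Brand + Model" relevance string
                    SystemID = $model.GetAttribute('systemID')
                    Url      = 'http://' + $base + '/' + $c.GetAttribute('path')   # [baseLocation] + / + [path]
                    Size     = [int64]$c.GetAttribute('size')
                    MD5      = $c.GetAttribute('hashMD5')
                }
            }
        }
    }
}

function Test-DellPackage {
    param([string]$FilePath, [string]$ExpectedMd5, [int64]$ExpectedSize)
    # The catalog only carries MD5 and size: enough to catch a truncated or
    # corrupted download, not enough to prove who produced the file. So also
    # require a valid Authenticode signature before executing the package.
    $item = Get-Item -Path $FilePath
    $md5  = (Get-FileHash -Path $FilePath -Algorithm MD5).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        SizeOk = ($item.Length -eq $ExpectedSize)
        Md5Ok  = ($md5 -ieq $ExpectedMd5)
        SigOk  = ($sig.Status -eq 'Valid')
        Signer = $sig.SignerCertificate.Subject
    }
}

# Constructed two-component sample shaped like the real catalog: the BIOS entry
# is the OptiPlex 3020 excerpt from the issue, the driver entry is made up to
# show that the XPath filter drops non-BIOS components.
$sampleCatalog = @'
<Manifest baseLocation="downloads.dell.com" dateTime="2020-06-22T17:20:03+05:30" releaseID="F0J4H" version="20.06.22">
  <SoftwareComponent schemaVersion="2.0" packageID="PTJJD" releaseID="PTJJD" hashMD5="d7bafe87a8469d43b30a5c2dca05d3e1" path="FOLDER05644492M/1/O3020A20.exe" vendorVersion="A20" dellVersion="A20" packageType="LWXP" size="5004032">
    <Name><Display lang="en"><![CDATA[Dell OptiPlex 3020 System BIOS,A20,A20]]></Display></Name>
    <ComponentType value="BIOS"><Display lang="en"><![CDATA[BIOS]]></Display></ComponentType>
    <SupportedSystems>
      <Brand key="1" prefix="OP"><Display lang="en"><![CDATA[Optiplex]]></Display>
        <Model systemID="0612"><Display lang="en"><![CDATA[3020]]></Display></Model>
      </Brand>
    </SupportedSystems>
  </SoftwareComponent>
  <SoftwareComponent schemaVersion="2.0" packageID="EXAMPL" hashMD5="00000000000000000000000000000000" path="FOLDER00000000M/1/Example_Driver.exe" dellVersion="1.0.0" size="1">
    <Name><Display lang="en"><![CDATA[Example non-BIOS component (constructed)]]></Display></Name>
    <ComponentType value="DRVR"><Display lang="en"><![CDATA[Driver]]></Display></ComponentType>
    <SupportedSystems>
      <Brand key="1" prefix="OP"><Display lang="en"><![CDATA[Optiplex]]></Display>
        <Model systemID="0612"><Display lang="en"><![CDATA[3020]]></Display></Model>
      </Brand>
    </SupportedSystems>
  </SoftwareComponent>
</Manifest>
'@

$bios = @(Get-DellBiosUpdates -XmlText $sampleCatalog)
$bios | Format-Table System, SystemID, Version, Size, MD5, Url -AutoSize

# Against a real catalog and a real download:
#   Get-DellBiosUpdates -Path 'C:\tmp\CatalogPC.xml' | Where-Object System -eq 'Optiplex 3020'
#   Test-DellPackage -FilePath 'C:\tmp\O3020A20.exe' -ExpectedMd5 $bios[0].MD5 -ExpectedSize $bios[0].Size
```

The attributes are read with GetAttribute rather than dot-notation because an XmlElement already has properties like Name, so $c.Name returns "SoftwareComponent" rather than the child Name element; the same trap applies to any relevance-to-script port. The System string ("Optiplex 3020") is the same Brand + Model concatenation the relevance builds, so it can be matched against the client's model the same way a generated fixlet would.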
I'm not currently handling encrypting the BIOS password, but I released 300+ BIOS update tasks here: https://github.com/jgstew/bigfix-content/tree/master/fixlet/BIOS/Dell
These have NOT been tested except for on the 1 model I happen to have, and even then, not all cases. Please test them out carefully and provide me feedback on if they work, if they don't, and any suggestions for improvement.
I used this python script:
I used this template:
These also make use of:
This project still needs some refinement, but I'm calling it "done" for now.
Already found edge case issues with this and filed a new issue here: https://github.com/jgstew/bigfix-content/issues/25
Might be possible to generate bigfix content for Linux firmware updates using this: https://www.addictivetips.com/ubuntu-linux-tips/update-computer-firmware-in-linux/
Dell Command Update added checks to handle BitLocker being enabled when installing BIOS updates, but apparently if you generate BigFix content that installs Dell BIOS updates directly without going through Dell Command Update, then those BIOS updates will happily install with BitLocker enabled (not suspended) and put BitLocker into recovery mode. This is very bad.
Examples with the problem:
Related: