Add BitLocker relevance / handling to Dell BIOS content

[jgstew]

Dell Command Update added checks to handle BitLocker being enabled when installing BIOS updates, but apparently if you generate BigFix content that installs Dell BIOS updates directly without going through Dell Command Update, then those BIOS updates will happily install with BitLocker enabled (not suspended) and put BitLocker into recovery mode. This is very bad.

Examples with the problem:

• https://bigfix.me/fixlet/details/3907 Generated with https://bigfix.me/fixlet/details/3905

Related:

• https://forum.bigfix.com/t/bios-updates-configuration-using-bigfix/24058
• https://github.com/strawgate/C3-Protect/blob/master/Analyses/Bitlocker%20-%20Audit%20-%20Windows.bes
• https://bigfix.me/fixlet/details/25505
• https://bigfix.me/relevance/details/3004824
• https://bigfix.me/analysis/details/2994763
• https://bigfix.me/analysis/details/2994743
• https://github.com/strawgate/C3-Inventory/blob/master/Analyses/TPM%20-%20Windows.bes
• https://github.com/strawgate/C3-Protect/blob/master/Fixlets/Invoke%20-%20Bitlocker%20Configuration%20Probe%20-%20Windows.bes
• https://www.bigfix.me/fixlet/details/23146?force=true

[jgstew]

Forum Post: https://forum.bigfix.com/t/bios-updates-configuration-using-bigfix/24058/42

Current BIOS Update Template: https://github.com/jgstew/bigfix-content/blob/master/fixlet/BIOS%20Update%20%7B%7Bvendor%7D%7D%20%7B%7Bmodel%7D%7D%20to%20%7B%7Bbios_version%7D%7D%20-%20Windows.bes

TODO:

• [ ] BigFix Fixlet Secure Parameter for BIOS Password (with verification?)
  • Plain JavaScript: https://bigfix.me/fixlet/details/6076
  • Parameterized Fixlet?
  • https://github.com/jgstew/bigfix-content/blob/master/fixlet/Test%20Password%20Entry%20with%20Validation%20with%20verifying%20match%20-%20parameterized%20fixlet%20-%20Universal.bes.xml
  • https://bigfix.me/relevance/details/3003679
  • Get List of Examples with Session Relevance: names of bes fixlets whose(exists mime fields "parametermetadatatag" of it AND body of it as string as lowercase contains "vrt_utils" )
  • Get Library contents: unique value of mime fields "vrt_utils.js" of fixlets whose ( task flag of it AND "Parameterized Fixlet Library" = name of it ) of bes sites whose(name of it = "BES Support")
• [x] Handle BitLocker on Win7 and Win2008R2?: https://forum.bigfix.com/t/bios-updates-configuration-using-bigfix/24058/40?u=jgstew
  • Seems like WinVista and Win2008R2 might need this too
  • Use RunOnce key to Resume BitLocker on older windows that don't support reboot count?
  • https://cmatskas.com/configure-a-runonce-task-on-windows/
  • regset64 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • manage-bde -protectors -enable C:
  • CMD /C "manage-bde -protectors -enable C: > \Windows\Temp\BitLockerEnable.txt"
  • Separate Task to Resume BitLocker on Win7 if Suspended and NOT pending restart?
  • action requires restart "BIOS Update"
• [x] Detect if BIOS Password Set
  • TRUE if DellCommandMonitor(or similar) installed AND BIOS password is set: exists boolean values whose(it) of selects "IsSet FROM DCIM_BIOSPassword where ElementName='BiosSetupPassword'" of wmis "ROOT\DCIM\SYSMAN"
    • If TRUE, then verify password was supplied, else stop action.
• [x] Detect if BitLocker Enabled
  • BitLocker can also be in process of being enabled: https://docs.microsoft.com/en-us/windows/win32/secprov/getconversionstatus-win32-encryptablevolume
  • ConversionStatus value of 1,2,4
  • exists it whose(exists integer values whose(it = 1) of properties "ProtectionStatus" of it OR exists integer values whose(it = 1 OR it = 2 OR it = 4) of properties "ConversionStatus" of it) of select objects "ConversionStatus, ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose(string value of property "DriveLetter" of it starts with (name of drive of system folder)) of wmis "root\CIMv2\Security\MicrosoftVolumeEncryption"
  • Relevance: integer values of properties "ProtectionStatus" of select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose(string value of property "DriveLetter" of it starts with "C:") of wmis "root\CIMv2\Security\MicrosoftVolumeEncryption"
  • Relevance: (exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" whose (exists select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 0 AND string value of property "DriveLetter" of it = "C:") of it))
• [x] Suspend BitLocker for 1 reboot
  • Command:
  • manage-bde -protectors -disable C: -RebootCount 1
  • CMD /C "manage-bde -protectors -disable C: -RebootCount 1"
  • exists files "manage-bde.exe" of (system folders; system x64 folders)
  • PowerShell:
  • Suspend-BitLocker -mountpoint "C:" -rebootcount 1
  • powershell -ExecutionPolicy Bypass -command "Suspend-BitLocker -mountpoint 'C:' -rebootcount 1"
• [x] Check Exit Codes?

[jgstew]

I created a "Suspend BitLocker Until Next Reboot - Windows" task: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Suspend%20BitLocker%20Until%20Next%20Reboot%20-%20Windows.bes

[jgstew]

Get List of Examples that use the parameterized fixlet library OR a similar one with Session Relevance:

names of bes fixlets whose(exists mime fields "parametermetadatatag" of it)

You can find fixlets that DO NOT use the parameterized fixlet library for form inputs using this Session Relevance:

names of bes fixlets whose(exists body whose(it as string as lowercase contains "<input") of it AND not exists mime fields "parametermetadatatag" of it)

Fixlets that use action parameter query:

names of bes fixlets whose(exists scripts whose(it contains "action parameter query") of actions of it)

---

It turns out the rabbit hole goes even deeper. There is the parameterized fixlet library vrt_utils.js but there is also many different vrt_fixletUtils.js that seem to have a similar function and purpose, but this one is generally only found within specific site files, not a task that can be easily referenced by ANY fixlet/task/etc...

The other confusing thing is that vrt_fixletUtils.js seems slightly different in each site. Is one of them better than the others? How much do they overlap with vrt_utils.js?

I feel compelled to do a diff against all of the vrt_fixletUtils.js files as well as vrt_utils.js just to dig deeper.

[jgstew]

After doing a diff against a few different versions of vrt_fixletUtils.js AND vrt_utils.js it is clear that they are both based upon the same code, just that vrt_fixletUtils.js has progressed and changes since vrt_utils.js was first created.

It isn't clear if you could swap out the newest version of vrt_fixletUtils.js for vrt_utils.js directly. Seems like there would be a bit more to it than that.

[jgstew]

I created a mustache template for BigFix BIOS Updates:

• https://github.com/jgstew/bigfix-content/blob/master/fixlet/BIOS%20Update%20%7B%7Bvendor%7D%7D%20%7B%7Bmodel%7D%7D%20to%20%7B%7Bbios_version%7D%7D%20-%20Windows.bes
• https://forum.bigfix.com/t/bios-updates-configuration-using-bigfix/24058/42

[jgstew]

example Dell BIOS XML inside the CatalogPC.xml:

<?xml version="1.0" encoding="utf-16"?>
<Manifest baseLocation="downloads.dell.com" dateTime="2020-06-22T17:20:03+05:30" releaseID="F0J4H" version="20.06.22" identifier="afb6bf76-e108-45cb-824f-678e9350264f">
  <SoftwareComponent schemaVersion="2.0" identifier="6c64acf6-5fdf-4b84-8eb6-377f71fb48dc" packageID="PTJJD" releaseID="PTJJD" hashMD5="d7bafe87a8469d43b30a5c2dca05d3e1" path="FOLDER05644492M/1/O3020A20.exe" dateTime="2018-11-12T07:52:25Z" releaseDate="June 19, 2019" vendorVersion="A20" dellVersion="A20" packageType="LWXP" size="5004032">
    <Name>
      <Display lang="en"><![CDATA[Dell OptiPlex 3020 System BIOS,A20,A20]]></Display>
    </Name>
    <ComponentType value="BIOS">
      <Display lang="en"><![CDATA[BIOS]]></Display>
    </ComponentType>
    <Description>
      <Display lang="en"><![CDATA[SWB,BIOS,OPTIPLEX3020,A20]]></Display>
    </Description>
    <Category value="BI">
      <Display lang="en"><![CDATA[BIOS]]></Display>
    </Category>
    <SupportedDevices>
      <Device componentID="159" embedded="false">
        <Display lang="en"><![CDATA[BIOS]]></Display>
      </Device>
    </SupportedDevices>
    <LUCategory value="NONE">
      <Display lang="en"><![CDATA[NONE]]></Display>
    </LUCategory>
    <SupportedSystems>
      <Brand key="1" prefix="OP">
        <Display lang="en"><![CDATA[Optiplex]]></Display>
        <Model systemID="0612">
          <Display lang="en"><![CDATA[3020]]></Display>
        </Model>
      </Brand>
    </SupportedSystems>
    <ImportantInfo URL="http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=PTJJD" />
    <Criticality value="2">
      <Display lang="en"><![CDATA[Urgent]]></Display>
    </Criticality>
  </SoftwareComponent>
</Manifest>

Actual download URL is [Manifest baseLocation] + / + [SoftwareComponent path]

Looks like there are 311 BIOS updates within the catalog:

Q: number of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: 311
T: 1570.711 ms

Example getting the names of the BIOS updates:

Q: node values of xpaths "Name/Display/text()" of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: Dell Latitude 5495 System BIOS,1.3.4,1.3.4
A: Dell Latitude 3190 and 3190 2-in-1 System BIOS,1.10.0,1.10.0

Get the version numbers:

Q: node values of xpaths "@dellVersion" of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: 1.3.4
A: 1.10.0

Get Brand + Model for relevance:

Q: ( (item 0 of it & " " & item 1 of it) of (node values of xpaths "Display/text()" of it, node values of xpaths "Model/Display/text()" of it) of xpaths "SupportedSystems/Brand" of it) of xpaths "/Manifest/SoftwareComponent[ComponentType[@value='BIOS']]" of xml documents of files "C:\tmp\CatalogPC.xml"
A: Latitude 5495
A: Latitude 3190

Get Download URL:

Q: ("http://" & item 0 of it & "/" & item 1 of it) of (node values of xpaths "@baseLocation" of it , node values of xpaths "@path" of xpaths "SoftwareComponent[ComponentType[@value='BIOS']]" of it) of xpaths "/Manifest" of xml documents of files "C:\tmp\CatalogPC.xml"
A: http://downloads.dell.com/FOLDER06217780M/1/Latitude_5495_1.3.4.exe
A: http://downloads.dell.com/FOLDER06036787M/1/Latitude_3190_1.10.0.exe

Get Size, MD5, URL:

Q: ( node values of xpaths "@size" of it, node values of xpaths "@hashMD5" of it, ("http://downloads.dell.com/" & it) of node values of xpaths "@path" of it) of xpaths "SoftwareComponent[ComponentType[@value='BIOS']]" of xpaths "/Manifest" of xml documents of files "C:\tmp\CatalogPC.xml"
A: 6154960, 488d59fdd41345213f082bddbcad0be1, http://downloads.dell.com/FOLDER06217780M/1/Latitude_5495_1.3.4.exe
A: 8620064, b52303759ac28770fcd0c6deb451725f, http://downloads.dell.com/FOLDER06036787M/1/Latitude_3190_1.10.0.exe

• https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=ptjjd&oscode=w764&productcode=optiplex-3020-desktop
• https://stackoverflow.com/questions/8692/how-to-use-xpath-in-python

[jgstew]

I'm not currently handling encrypting the BIOS password, but I released 300+ BIOS update tasks here: https://github.com/jgstew/bigfix-content/tree/master/fixlet/BIOS/Dell

These have NOT been tested except for on the 1 model I happen to have, and even then, not all cases. Please test them out carefully and provide me feedback on if they work, if they don't, and any suggestions for improvement.

I used this python script:

• https://github.com/jgstew/generate_bes_from_template/blob/master/examples/BIOS_from_dell_catalog.py

I used this template:

• https://github.com/jgstew/generate_bes_from_template/blob/master/examples/TEMPLATE_BIOS_Update.bes

These also make use of:

• https://github.com/jgstew/bigfix_prefetch
• https://github.com/jgstew/generate_bes_from_template

[jgstew]

this project still needs some refinement, but I'm calling it "done" for now.

[jgstew]

Already found edge case issues with this and filed a new issue here: https://github.com/jgstew/bigfix-content/issues/25

[jgstew]

Might be possible to generate bigfix content for Linux firmware updates using this: https://www.addictivetips.com/ubuntu-linux-tips/update-computer-firmware-in-linux/