Reputation: 46
I have a configuration item with a troubleshooting scenario. I know for a fact that my test host does not comply with the rule. But the troubleshooting script always returns true, although if I run the script locally on the host I get false, as expected. I know that the file "C:\Windows\temp\biospwd.txt" doesn't exist on the host.
discovery:
# File detection script in user profile
$FileToDetect = "C:\Windows\Temp\biospwd.txt"
if (Test-Path $FileToDetect -PathType Leaf) {
    # File exists
    return $True
}
else {
    # File does not exist
    return $false
}
remediation:
# File detection script in user profile
$FileToDetect = "C:\Windows\Temp\biospwd.txt"
if (Test-Path $FileToDetect -PathType Leaf) {
    # File exists: the password has already been set on this host
    return $True
}
else {
    # File does not exist: derive the new password and try to set it
    # Generate passhash: SHA-512 of the BIOS serial number plus "123", truncated to 14 hex characters
    $biosserialNumber = (Get-WmiObject Win32_BIOS).SerialNumber
    $password = $biosserialNumber + "123"
    $passwordBytes = [System.Text.Encoding]::UTF8.GetBytes($password)
    $shaSHA512 = [System.Security.Cryptography.SHA512]::Create()
    $hashBytes = $shaSHA512.ComputeHash($passwordBytes)
    $hashString = [System.BitConverter]::ToString($hashBytes) -replace '-'
    $hashString = $hashString.Substring(0, 14)

    # Get the last boot time of the system
    $lastBoottime = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime | Get-Date

    # Define the path to the index file and to the "last attempt" marker file
    $indexFilePath = "C:\Windows\Temp\BiosPasswordIndex.txt"
    $biosPassTimeFilePath = "C:\Windows\Temp\BiosPassTime.txt"

    # Check if the index file exists and read the index
    if (Test-Path $indexFilePath) {
        $i = [int](Get-Content -Path $indexFilePath)
    } else {
        $i = 0
    }

    # Get the last write time of the BiosPassTime.txt file
    if (Test-Path $biosPassTimeFilePath) {
        $getfiletime = (Get-Item -Path $biosPassTimeFilePath).LastWriteTime
    } else {
        $getfiletime = $null
    }

    # Only attempt when no attempt has been recorded yet, or the host has rebooted since the last attempt
    if (($null -eq $getfiletime) -or ($lastBoottime -gt $getfiletime)) {
        # List of candidate current passwords
        $passwords = @(
            "1", "2", "3",
            "4"
        )
        [string]$MyPassword = $hashString
        $setPw = Get-WmiObject -Class Lenovo_setBiosPassword -Namespace root\wmi

        # Iterate through passwords starting from index $i, at most two attempts per run
        for ($j = $i; ($j -lt $passwords.Length) -and ($j -le ($i + 1)); $j++) {
            $currentPassword = $passwords[$j]
            $return = $setPw.SetBiosPassword("pap,$currentPassword,$MyPassword,ascii,us")
            if ($return.return -like "Success") {
                # Successful password change, create the marker file and exit
                New-Item -Path "C:\windows\Temp" -ItemType File -Name "biospwd.txt" -Force -Confirm:$false | Out-Null
                # Remove the index file as the password has been successfully changed
                # (-ErrorAction SilentlyContinue: the index file may never have been created)
                Remove-Item -Path $indexFilePath -Force -ErrorAction SilentlyContinue | Out-Null
                #write-host $return.return
                return $true
            } else {
                # Failure, update the index and save it to the file
                Set-Content -Path $indexFilePath -Value ($j + 1) | Out-Null
                #write-host $return.return
            }
        }

        # If all attempts fail, create or update the last write time of the BiosPassTime.txt file
        New-Item -Path $biosPassTimeFilePath -ItemType File -Force | Out-Null
        # write-host $return.return
        return $false
    } else {
        return $false
    }
}
baseline:
compliance rule:
host report:
I don't understand why the host report returns true.
If you take out the remediation script and leave only the discovery script, everything works as it should and I see non-compliant in the report.
Upvotes: 0
Views: 39
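Added example (not from the question or from Configuration Manager itself): a local harness that runs the two scripts in the order the client evaluates a script setting with remediation (discovery, then remediation only when non-compliant, then discovery again) and captures every output stream, so you can see the exact text the compliance rule would compare. It assumes the scripts are saved as discovery.ps1 and remediation.ps1 in the current directory and that the rule expects the discovery output to equal True.

```powershell
# Emulate the client-side evaluation order of a script setting with remediation:
# discovery -> remediation (only when non-compliant) -> discovery again, showing
# exactly what each run emits. Assumed (not in the question): the two scripts
# are saved as discovery.ps1 and remediation.ps1 in the current directory, and
# the compliance rule is "value equals True".
param(
    [string]$DiscoveryScript   = (Join-Path $PWD 'discovery.ps1'),    # assumed name
    [string]$RemediationScript = (Join-Path $PWD 'remediation.ps1'),  # assumed name
    [string]$ExpectedValue     = 'True'   # the rule's "equals" value
)
$Marker = 'C:\Windows\Temp\biospwd.txt'   # the file both scripts test for

function Invoke-CiScript {
    param([string]$Path, [string]$Phase)
    # *>&1 merges every stream: errors, warnings and Write-Host text all land in
    # the captured output, which is what a string comparison rule would see.
    $records = @(& $Path *>&1)
    $text    = (($records | ForEach-Object { "$_" }) -join "`n").Trim()
    $errors  = @($records | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] })
    Write-Host ("[{0}] marker file present: {1}" -f $Phase, (Test-Path $Marker -PathType Leaf))
    Write-Host ("[{0}] raw output: '{1}'" -f $Phase, $text)
    if ($errors.Count -gt 0) {
        Write-Host ("[{0}] {1} error record(s) mixed into the output" -f $Phase, $errors.Count)
    }
    return $text
}

$first = Invoke-CiScript -Path $DiscoveryScript -Phase 'discovery #1'
if ($first -eq $ExpectedValue) {
    Write-Host 'Compliant on first discovery; remediation would not run.'
}
else {
    $null  = Invoke-CiScript -Path $RemediationScript -Phase 'remediation'
    $final = Invoke-CiScript -Path $DiscoveryScript -Phase 'discovery #2'
    if ($final -eq $ExpectedValue) { Write-Host 'Final state: compliant (remediation changed the host)' }
    else                           { Write-Host 'Final state: non-compliant' }
}
```

The client runs configuration item scripts as the local system account unless the setting is configured to use the logged-on user's credentials, so run the harness in that same context (for example with PsExec -s) to reproduce what the host actually reports.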