Untitled

####################################################
# Checks.ps1
$Version = "1.0.11"
$Date = "5.12.2018"
# Updated: 5 Dec 2018
# Author: Luke Stanley-Ryan.
# Summary: This Script pre-installs required Firmware Updates and settings.
# Pre-Requisites: Designed to run under WinPE.
####################################################
Write-Host "Script Version $Version, updated: $Date"
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
#Grab mount point of the USB drive for pointing to locations dynamically.
$currentDrive = (Get-Location).ToString().Substring(0,2)
$Model = (Get-WmiObject -Class Win32_ComputerSystem).Model
$Battery = (Get-WmiObject Win32_battery).EstimatedChargeRemaining
$Mem = (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory
#Add to these and copy/edit code blocks to support more devices.
$1040 = "HP EliteBook Folio 1040 G3"
$MFF = "HP EliteDesk 800"
$x2 = "HP Elite x2"
$840 = "HP EliteBook 840 G3"
#Change these as the BIOS version being upgraded to changes.
$1040G3BIOS = "N83 Ver. 01.33"
$MFFBIOS = "N21 Ver. 02.36"
$x2BIOS = "N85 Ver. 01.33"
$840G3BIOS = "N75 Ver. 01.25"
#Change these as TPM version being upgraded to changes.
$TPMVerTo = "7.62"
$TPMSpecTo = "2.0"

#I7 devices should be put aside for people who moan about getting I5.
if (($Model -match $1040) -and ((Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name) -match "i7")){
    Write-Host "Device has an I7 Processor" -ForegroundColor Cyan
    Start-Sleep -s 1
}
elseif ($Model -match $1040){
    Write-Host "Device has an I5 Processor" -ForegroundColor Cyan
    Start-Sleep -s 1
}

#Tells you how much memory the device has.
if ($Mem -lt 10000000000){
    $Ram = $Mem.ToString().SubString(0,1)
}
elseif ($Mem -lt 100000000000){
    $Ram = $Mem.ToString().SubString(0,2)
}
else {
    $Ram = $Mem.ToString().SubString(0,3)
}

Write-Host "Device has a total of $Ram`GB of Physical Memory" -ForegroundColor Yellow

#Determine if device needs to be plugged into AC Power before Firmware/BIOS updates.
if ($Model -match $MFF){
    Write-Host "Device is on AC Power..." -ForegroundColor Green}
elseif ((Get-WmiObject -Class Win32_Battery).BatteryStatus -ne 1){
    Write-Host "Device is on AC Power..." -ForegroundColor Green}
elseif ($Battery -lt 26){
    Write-Host "$Battery`% battery remaining, Plug AC Power in before BIOS and Firmware updates..." -ForegroundColor Red
    Read-Host "Press <Enter> to continue..."} #Prompt the user if the battery is critically low.
elseif ($Battery -lt 51){
    Write-Host "$Battery`% battery remaining, Recommend plugging AC Power in before BIOS and Firmware updates..." -ForegroundColor Yellow}
elseif ($Battery -lt 76){
    Write-Host "$Battery`% battery remaining..." -ForegroundColor Cyan}
else {
    Write-Host "$Battery`% battery remaining..." -ForegroundColor Green
}

#Configure UEFI BIOS settings for updates, needs to be configured to run BIOS and TPM updates.
Write-Host "`nPart 1 - Updating BIOS Settings..." -ForegroundColor Black -BackgroundColor White
Set-Location -path "$currentDrive\HP-BCU"
cmd /c "BiosConfigUtility64.exe /cspwdfile:`"Old.txt`" /npwdfile:`"`""
cmd /c "BiosConfigUtility64.exe /setdefaults"
cmd /c "BiosConfigUtility64.exe /set:`"Settings.txt`""

#Check if the Intel ME Firmware requires an update and run it to patch security vulnerability.
Set-Location -path "$currentDrive\IntelME-FW"
Write-Host "`nPart 2 - Updating Intel Management Engine (ME) Firmware if required..." -ForegroundColor Black -BackgroundColor White
cmd /c "update64.bat"

#Check to see if any drives are encrypted with BitLocker, USB should never be encrypted so it won't get wiped.
Write-Host "`nPart 3 - Formatting Encrypted Drives if required..." -ForegroundColor Black -BackgroundColor White
if (Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object VolumeStatus -ne "FullyDecrypted") {
    $EncDrives = (Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object VolumeStatus -ne "FullyDecrypted" | Select-Object -ExpandProperty MountPoint | Out-String).SubString(0,1)
    foreach ($EncDrive in $EncDrives) {
        #Format any drives that are encrypted with BitLocker so BIOS and TPM Firmware updates work correctly.
        Format-Volume -DriveLetter $EncDrive -FileSystem NTFS
        Write-Host "$EncDrive`: drive has been formatted..." -ForegroundColor Green
    }
}
else {
    Write-Host "No Encrypted Drives found." -ForegroundColor Magenta
}

#Check if BIOS needs updating by checking what model the device is and if the current BIOS version is the most up to date, needs to be updated as BIOS updates are released.
#Automatic check only supports 1040 G3's, 840 G3's, MFF's, and x2's. If other device models are used the script needs to be updated or BIOS update needs to be called manually.
Set-Location -path "$currentDrive\Hp-BIOS-FW"
if ((Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_Tpm | Select-Object SpecVersion) -match ".*=(.*?),.*"){$TPMSpec = $matches.1}
$Ver = (Get-WmiObject -Class win32_BIOS).SMBIOSBIOSVersion
$TPMVer = (Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_Tpm | Select-Object -ExpandProperty ManufacturerVersion) #Pulls the TPM Version number.
if ($Model -match $1040){
    Write-Host "`nPart 4 - Updating HP System BIOS to $1040G3BIOS if required..." -ForegroundColor Black -BackgroundColor White
    Write-host "Model is $Model, $Ver, TPM is Spec $TPMSpec, Version $TPMVer" -ForegroundColor Cyan
    if ($Ver -ne $1040G3BIOS){
        Write-Host "`nPreparing BIOS update to $1040G3BIOS..." -ForegroundColor Cyan
        cmd /c "HPBIOSUPDREC64.exe -r -s -bloverride" #1040 G3 check.
        Write-Host "`nBIOS Update to $1040G3BIOS prepared..." -ForegroundColor Green
    }
    else {
        Write-Host "`nSystem BIOS already updated to $1040G3BIOS..." -ForegroundColor Green
    }
}
elseif ($Model -match $MFF){
    Write-Host "`nPart 4 - Updating HP System BIOS to $MFFBIOS if required..." -ForegroundColor Black -BackgroundColor White
    Write-host "Model is $Model, $Ver, TPM is Spec $TPMSpec, Version $TPMVer" -ForegroundColor Cyan
    if ($Ver -ne $MFFBIOS){
        Write-Host "`nPreparing BIOS update to $MFFBIOS..." -ForegroundColor Cyan
        cmd /c "HPBIOSUPDREC64.exe -r -s -bloverride" #MFF check.
        Write-Host "`nBIOS Update to $MFFBIOS prepared..." -ForegroundColor Green
    }
    else {
        Write-Host "`nSystem BIOS already updated to $MFFBIOS..." -ForegroundColor Green
    }
}
elseif ($Model -match $x2){
    Write-Host "`nPart 4 - Updating HP System BIOS to $x2BIOS if required..." -ForegroundColor Black -BackgroundColor White
    Write-host "Model is $Model, $Ver, TPM is Spec $TPMSpec, Version $TPMVer" -ForegroundColor Cyan
    if ($Ver -ne $x2BIOS){
        Write-Host "`nPreparing BIOS update to $x2BIOS..." -ForegroundColor Cyan
        cmd /c "HPBIOSUPDREC64.exe -r -s -bloverride" #x2 check.
        Write-Host "`nBIOS Update to $x2BIOS prepared..." -ForegroundColor Green
    }
    else {
        Write-Host "`nSystem BIOS already updated to $x2BIOS..." -ForegroundColor Green
    }
}
elseif ($Model -match $840){
    Write-Host "`nPart 4 - Updating HP System BIOS to $840G3BIOS if required..." -ForegroundColor Black -BackgroundColor White
    Write-host "Model is $Model, $Ver, TPM is Spec $TPMSpec, Version $TPMVer" -ForegroundColor Cyan
    if ($Ver -ne $840G3BIOS){
        Write-Host "`nPreparing BIOS update to $840G3BIOS..." -ForegroundColor Cyan
        cmd /c "HPBIOSUPDREC64.exe -r -s -bloverride" #840 G3 check, added 28.09.18 in case 840 G3's are used for meeting rooms.
        Write-Host "`nBIOS Update to $840G3BIOS prepared..." -ForegroundColor Green
    }
    else {
        Write-Host "`nSystem BIOS already updated to $840G3BIOS..." -ForegroundColor Green
    }
}
else {
    Write-Host "$Model is not supported for automatic BIOS update. supported devices are:`n$1040`n$840`n$x2`n$MFF" -ForegroundColor Yellow
}

Write-Host "`nPart 5 - Updating Trusted Platform Module (TPM) Firmware to Spec $TPMSpecTo, Version $TPMVerTo if required..." -ForegroundColor Black -BackgroundColor White
#Check that the TPM version is 7.62 to patch security vulnerability, update it to 7.62 if it is not. If the TPM version we are updating to gets updated, the $TPM*To varibles need to be updated to reflect that.
Set-Location -path "$currentDrive\HP-TPM-FW"
if ($TPMVer -lt $TPMVerTo){
    $FileList = ((Get-ChildItem -Path "$currentDrive\HP-TPM-FW").Name)
    foreach ($File in $FileList){
        if (($File -match ".BIN") -and ($File -match "$TPMVer")){
            cmd /c "TPMConfig64.exe -c -s -f$File" #-c = Create recovery partition if not present, -s = silent, -f[filename] = update version to use - required to use -s.
            Write-Host "TPM Update to Spec: $TPMSpecTo, Version: $TPMVerTo prepared..." -ForegroundColor Cyan
        }
    }
    #Restarts the device so all the Firmware updates can apply.
    Start-Sleep -s 2
    Restart-Computer -Force -ErrorAction SilentlyContinue
    Start-Sleep -s 5
}

#Restarts the device so BIOS can update, stops the device from looping if it is already updated.
if ($Model -match $1040){
    if ($Ver -ne $1040G3BIOS){
    Write-Host "BIOS Update to $1040G3BIOS Prepared, TPM Already Updated to Spec: $TPMSpec, Version: $TPMVer..." -ForegroundColor Cyan
    Start-Sleep -s 2
    Restart-Computer -Force -ErrorAction SilentlyContinue
    }
    else {
        Write-Host "BIOS Already Updated to $1040G3BIOS, TPM already updated to Spec $TPMSpec, Version $TPMVer..." -ForegroundColor Green
        Read-Host -prompt "`nPress <Enter> to Restart..."
        Restart-Computer -Force -ErrorAction SilentlyContinue
    }
}
elseif ($Model -match $MFF){
    if ($Ver -ne $MFFBIOS){
    Write-Host "BIOS Update to $MFFBIOS Prepared, TPM Already Updated to Spec: $TPMSpec, Version: $TPMVer..." -ForegroundColor Cyan
    Start-Sleep -s 2
    Restart-Computer -Force -ErrorAction SilentlyContinue
    }
    else {
        Write-Host "BIOS Already Updated to $MFFBIOS, TPM already updated to Spec $TPMSpec, Version $TPMVer..." -ForegroundColor Green
        Read-Host -prompt "`nPress <Enter> to Restart..."
        Restart-Computer -Force -ErrorAction SilentlyContinue
    }
}
elseif ($Model -match $x2){
    if ($Ver -ne $x2BIOS){
    Write-Host "BIOS Update to $x2BIOS Prepared, TPM Already Updated to Spec: $TPMSpec, Version: $TPMVer..." -ForegroundColor Cyan
    Start-Sleep -s 2
    Restart-Computer -Force -ErrorAction SilentlyContinue
    }
    else {
        Write-Host "BIOS Already Updated to $x2BIOS, TPM already updated to Spec $TPMSpec, Version $TPMVer..." -ForegroundColor Green
        Read-Host -prompt "`nPress <Enter> to Restart..."
        Restart-Computer -Force -ErrorAction SilentlyContinue
    }
}
elseif ($Model -match $840){
    if ($Ver -ne $840G3BIOS){
    Write-Host "BIOS Update to $840G3BIOS Prepared, TPM Already Updated to Spec: $TPMSpec, Version: $TPMVer..." -ForegroundColor Cyan
    Start-Sleep -s 2
    Restart-Computer -Force -ErrorAction SilentlyContinue
    }
    else {
        Write-Host "BIOS Already Updated to $840G3BIOS, TPM already updated to Spec $TPMSpec, Version $TPMVer..." -ForegroundColor Green
        Read-Host -prompt "`nPress <Enter> to Restart..."
        Restart-Computer -Force -ErrorAction SilentlyContinue
    }
}
else {
    Write-Host "$Model is not supported for automatic BIOS update. supported devices are:`n$1040`n$840`n$x2`n$MFF" -ForegroundColor Yellow
    Read-Host -prompt "`nPress <Enter> to Restart..."
    Restart-Computer -Force -ErrorAction SilentlyContinue
}