PowerShell script and passing parameters

I need to deploy a PowerShell script that requires parameters to be set before being executed so that TFS Agents can be properly configured on the endpoint.

Example

 .\VSTSAgentInstallation.ps1 -DeploymentGroup "TestAgentDeploymentGroup" -Collection DefaultCollection -ProjectName "TestPackage" -TFSUrl https://tfs/tfs -AccessToken PrivateAccessToken
 #>
 param(
     [String] $AgentVersion = "2.136.1",
     [String] $DeploymentGroup,
     [String] $TFSUrl = "https://tfs-test/tfs",
     [String] $AccessToken,
     [String] $Collection,
     [String] $ProjectName
 )

What or how is the best way so that when I go to deploy this task I am prompted to key in these values and then have them deploy with the script so everything runs correctly?

You can use “parameterized fixlets” to have either set values to choose from, or free form entry.

You could also use action parameter query to ask for the operator to enter the values. This is an easier way to get started, but less robust, and also doesn’t support encrypted parameters.

Once you collect the values, then you can use relevance substitution to put the entered values into the command.

See this example: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Rename%20Windows%20Computer%20-%20Not%20Domain%20Joined.bes

Sounds a bit like a foreign language. :slight_smile:

Can you provide me with an example?

We do use the action parameter query when adding client settings, like identifying the System Manager for a server owner.

action parameter query "SystemManagerName" with description "Enter the SystemManagerName."
setting "SystemManagerName"="{parameter "SystemManagerName" of action}" on "{parameter "action issue date" of action}" for client

I just am not envisioning how this would work for the PowerShell script.

action parameter query "DeploymentGroup" with description "Enter the DeploymentGroup value"

Where or how or what would the setting "DeploymentGroup"= stuff look like for the PowerShell script? Or what is the other method you were referencing?

I am newbie material so easier is better plus these only come around once in a blue moon.

No more so than powershell is to me.

would become:

.\VSTSAgentInstallation.ps1 -DeploymentGroup {parameter "DeploymentGroup"} -Collection DefaultCollection -ProjectName "TestPackage" -TFSUrl https://tfs/tfs -AccessToken PrivateAccessToken

In which {parameter "DeploymentGroup"} is replaced by BigFix with the string given for the parameter.

Wow! That looks simple enough.

I’ll give that a go and see what happens. I’ll report back the results good or bad.

Thanks for the assist!

I would see this example: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Rename%20Windows%20Computer%20-%20Not%20Domain%20Joined.bes

Here’s also an example of using parameters to rename a PC joined to a domain

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
	<Task>
		<Title>Rename PC (Win10)</Title>
		<Description><![CDATA[<P><B>Please Enter your Domain Username and Password. This will be used for changing the name and re-adding it back to the Domain </B></P>
<P>Username: <INPUT id=username name=username> </P>
<P>Password: <INPUT id=pw type=password name=pw> </P><script>
			document.body.ontakeaction = function() {
				var User = document.getElementById( "username" ).value;
				var Pass = document.getElementById( "pw" ).value;
				TakeSecureFixletAction( Relevance('id of current fixlet'), Relevance('id of current bes site'), "Action1", {}, { username: User, pw: Pass } );
				return false;
			}
			</script> ]]></Description>
		<Relevance>true</Relevance>
		<Category></Category>
		<Source>Internal</Source>
		<SourceID></SourceID>
		<SourceReleaseDate>2020-04-24</SourceReleaseDate>
		<SourceSeverity></SourceSeverity>
		<CVENames></CVENames>
		<SANSID></SANSID>
		<MIMEField>
			<Name>x-fixlet-modification-time</Name>
			<Value>Fri, 24 Apr 2020 17:49:55 +0000</Value>
		</MIMEField>
		<Domain>BESC</Domain>
		<DefaultAction ID="Action1">
			<Description>
				<PreLink>Click </PreLink>
				<Link>here</Link>
				<PostLink> to deploy this action.</PostLink>
			</Description>
			<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">action uses wow64 redirection {not x64 of operating system}

action parameter query "PCName" with description "Please enter the New PC Name" with default value "New PC Name"

delete __createfile


createfile until END_OF_FILE

$bfuser = '{parameter "username" of action}'
$bfpass = '{parameter "pw" of action}'
$password = $bfpass | ConvertTo-SecureString -AsPlainText -Force

$Credential = New-Object System.Management.Automation.PsCredential -ArgumentList $bfuser, $Password

Rename-Computer -NewName "{parameter "PCName"}" -DomainCredential $Credential -Force
END_OF_FILE

delete powershell.ps1
move __createfile powershell.ps1

waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File powershell.ps1
delete powershell.ps1</ActionScript>
		</DefaultAction>
	</Task>
</BES>

This will put the actual password into the file, written to disk. It is slightly safer to send the password as an argument instead of hard coding it into the file. If the action didn’t complete for some reason, the file could remain.

You can skip all that and just put powershell and that works in most cases, as long as it is in the 32bit PATH or if you disable wow redirection and it is in the 64bit PATH.

Is there a way to allow a domain joined computer to rename itself? I find this so annoying that you have to provide AD creds to rename a computer.

Yea I noticed that, is there a way to use it as an argument while remaining hidden from the console? Unless I’m overlooking something I have not been able to rename any computers on my end without AD creds.

BigFix automatically will not show the console arguments if the action uses secure parameters in the client logs, but you can also enable this at any time for any action.

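
The suggestion made earlier in the thread (send the password as an argument instead of writing it into the file), as an added example that is not from the original thread. The `-UserName`, `-Password` and `-NewName` parameter names are assumptions; the calling line in the comment reuses the thread's own substitutions.

```powershell
# powershell.ps1 (added example; the parameter names below are hypothetical).
# The file written to disk contains no credential: the values arrive as
# arguments at run time, so a leftover copy of the file exposes nothing.
#
# Action script line that would call it, built from the substitutions
# already used in this thread:
#   waithidden powershell.exe -ExecutionPolicy Bypass -File powershell.ps1 -UserName "{parameter "username" of action}" -Password "{parameter "pw" of action}" -NewName "{parameter "PCName"}"
#
# The script avoids literal curly braces so it can be pasted into a
# createfile block without colliding with relevance substitution.
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [String] $UserName,

    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [String] $Password,

    # NetBIOS computer names are limited to 15 characters.
    [Parameter(Mandatory = $true)]
    [ValidateLength(1, 15)]
    [ValidatePattern('^[A-Za-z0-9-]+$')]
    [String] $NewName
)

# Treat any cmdlet error as terminating so the script does not continue
# past a failure.
$ErrorActionPreference = 'Stop'

# Build the credential in memory from the argument values.
$securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $securePassword

# Drop the plain-text copy as soon as the SecureString exists.
Remove-Variable -Name Password

Rename-Computer -NewName $NewName -DomainCredential $credential -Force
```

Arguments passed this way are still visible in the endpoint's process command line while the script runs, and a value containing a double quote will break the argument parsing.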