From 48f987ed484c7b8e56031f96f9f58f1e7c3e123e Mon Sep 17 00:00:00 2001
From: "Mattias Alvbring (Fors)" <11193779+DeployWindowsCom@users.noreply.github.com>
Date: Mon, 8 Nov 2021 11:45:22 +0100
Subject: [PATCH] Update DeviceConfiguration_Get.ps1 An update that will decrypt any windows10CustomConfiguration policies with a property named isEncrypted = true Ref : https://docs.microsoft.com/en-us/graph/api/intune-deviceconfig-deviceconfiguration-getomasettingplaintextvalue?view=graph-rest-1.0
---
.../DeviceConfiguration_Get.ps1 | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/DeviceConfiguration/DeviceConfiguration_Get.ps1 b/DeviceConfiguration/DeviceConfiguration_Get.ps1
index 284f5ff..e4e1bdb 100644
--- a/DeviceConfiguration/DeviceConfiguration_Get.ps1
+++ b/DeviceConfiguration/DeviceConfiguration_Get.ps1
@@ -210,6 +210,71 @@ $DCP_resource = "deviceManagement/deviceConfigurations" #################################################### +Function Get-DecryptedDeviceConfigurationPolicy(){ + + <# + .SYNOPSIS + This function is used to decrypt device configuration policies from an json array with the use of the Graph API REST interface + .DESCRIPTION + The function connects to the Graph API Interface and decrypt Windows custom device configuration policies that is encrypted + .EXAMPLE + Decrypt-DeviceConfigurationPolicy -dcps $DCPs + Returns any device configuration policies configured in Intune in clear text without encryption + .NOTES + NAME: Decrypt-DeviceConfigurationPolicy + #> + + [cmdletbinding()] + + param + ( + $dcps + ) + + $graphApiVersion = "Beta" + $DCP_resource = "deviceManagement/deviceConfigurations" + + foreach ($dcp in $dcps) { + if ($dcp.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration") { + # Convert policy of type windows10CustomConfiguration + foreach ($omaSetting in $dcp.omaSettings) { + try { + + if ($omaSetting.isEncrypted -eq $true) { + $DCP_resource_function = "$($DCP_resource)/$($dcp.id)/getOmaSettingPlainTextValue(secretReferenceValueId='$($omaSetting.secretReferenceValueId)')" + $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource_function)" + $value = ((Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value) + + #Remove any unnecessary properties + $omaSetting.PsObject.Properties.Remove("isEncrypted") + $omaSetting.PsObject.Properties.Remove("secretReferenceValueId") + $omaSetting.value = $value + } + + } + catch { + + $ex = $_.Exception + $errorResponse = $ex.Response.GetResponseStream() + $reader = New-Object System.IO.StreamReader($errorResponse) + $reader.BaseStream.Position = 0 + $reader.DiscardBufferedData() + $responseBody = $reader.ReadToEnd(); + Write-Host "Response content:`n$responseBody" -f Red + Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) 
$($ex.Response.StatusDescription)" + write-host + break + + } + } + } + } + $dcps + +} + + #################################################### + Function Get-DeviceConfigurationPolicyAssignment(){ <# @@ -415,6 +480,7 @@ $global:authToken = Get-AuthToken -User $User #################################################### $DCPs = Get-DeviceConfigurationPolicy +$DCPs = Get-DecryptedDeviceConfigurationPolicy -dcp $DCPs write-host
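Review bot: After a successful call the inner loop overwrites `$omaSetting.value` with the plaintext secret and removes both `isEncrypted` and `secretReferenceValueId`, so nothing downstream can tell which values are secrets; anything that later prints or exports `$dcps` (not visible in this hunk) would carry them in clear text with no marker. Consider keeping a flag on decrypted settings rather than stripping it, and saying in `.DESCRIPTION` that the returned objects contain secret values. The `catch` dereferences `$ex.Response` unconditionally; on a failure with no HTTP response (DNS, TLS, timeout) it is null and the handler itself errors, hiding the original cause, so wrap the stream-reading lines in `if ($ex.Response) { ... }`. The `break` there leaves only the inner `foreach`, so the function still returns a mix of decrypted and still-encrypted settings. The comment-based help names `Decrypt-DeviceConfigurationPolicy` in `.EXAMPLE` and `.NOTES`, which does not match the function name `Get-DecryptedDeviceConfigurationPolicy`.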
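Review bot: The added call decrypts on every run, so a script that previously listed encrypted values as Graph returned them now always pulls plaintext OMA-URI values into `$DCPs`; whether they reach the console, a transcript or a file depends on code below this hunk. Putting the call behind an opt-in script switch would keep the previous behaviour as the default and make handling secrets a deliberate choice. The call also passes `-dcp`, which binds only because PowerShell accepts unambiguous parameter-name prefixes and would break if another parameter starting with `dcp` were added; spell it out as `$DCPs = Get-DecryptedDeviceConfigurationPolicy -dcps $DCPs`.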