microsoftgraph · DeployWindowsCom · Nov 8, 2021
diff --git a/DeviceConfiguration/DeviceConfiguration_Get.ps1 b/DeviceConfiguration/DeviceConfiguration_Get.ps1
@@ -210,6 +210,71 @@ $DCP_resource = "deviceManagement/deviceConfigurations"
 
 ####################################################
 
+Function Get-DecryptedDeviceConfigurationPolicy(){
+
+    <#
+    .SYNOPSIS
+    This function is used to decrypt device configuration policies from an json array with the use of the Graph API REST interface
+    .DESCRIPTION
+    The function connects to the Graph API Interface and decrypt Windows custom device configuration policies that is encrypted
+    .EXAMPLE
+    Decrypt-DeviceConfigurationPolicy -dcps $DCPs
+    Returns any device configuration policies configured in Intune in clear text without encryption
+    .NOTES
+    NAME: Decrypt-DeviceConfigurationPolicy
+    #>
+
+    [cmdletbinding()]
+
+    param
+    (
+        $dcps
+    )
+
+    $graphApiVersion = "Beta"
+    $DCP_resource = "deviceManagement/deviceConfigurations"
+
+    foreach ($dcp in $dcps) {
+        if ($dcp.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration") {
+            # Convert policy of type windows10CustomConfiguration
+            foreach ($omaSetting in $dcp.omaSettings) {
+                try {
+
+                    if ($omaSetting.isEncrypted -eq $true) {
+                        $DCP_resource_function = "$($DCP_resource)/$($dcp.id)/getOmaSettingPlainTextValue(secretReferenceValueId='$($omaSetting.secretReferenceValueId)')"
+                        $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource_function)"
+                        $value = ((Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value)
+
+                        #Remove any unnecessary properties
+                        $omaSetting.PsObject.Properties.Remove("isEncrypted")
+                        $omaSetting.PsObject.Properties.Remove("secretReferenceValueId")
+                        $omaSetting.value = $value
+                    }
+
+                }            
+                catch {
+
+                    $ex = $_.Exception
+                    $errorResponse = $ex.Response.GetResponseStream()
+                    $reader = New-Object System.IO.StreamReader($errorResponse)
+                    $reader.BaseStream.Position = 0
+                    $reader.DiscardBufferedData()
+                    $responseBody = $reader.ReadToEnd();
+                    Write-Host "Response content:`n$responseBody" -f Red
+                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
+                    write-host
+                    break
+
+                }
+            }
+        }
+    }
+    $dcps
+
+}
+
+    ####################################################
+
 Function Get-DeviceConfigurationPolicyAssignment(){
 
 <#
@@ -415,6 +480,7 @@ $global:authToken = Get-AuthToken -User $User
 ####################################################
 
 $DCPs = Get-DeviceConfigurationPolicy
+$DCPs = Get-DecryptedDeviceConfigurationPolicy -dcp $DCPs
 
 write-host