How to recover your PowerShell scripts from Intune?

by | Oct 23, 2019 | Workplace

This short blog describes a straight forward procedure to recover your Intune PowerShell scripts. We are going to use the Fiddler tool to collect the data sent by the browser to the Microsoft Graph API. I’m working on activities for multiple projects by different customers each month. Often they are continuing the journey of implementation of the modern workplace while I’m not present. In the last period, the usage of PowerShell script increases. Therefore the demand to change or review the content of those scripts. Currently, it’s not possible to view or download those scripts via the Azure portal. By following the procedure below you can see the content of any Intune PowerShell script.

Procedure to recover your PowerShell scripts from Intune

Step 1 – Download and install Fiddler.

Step 2 – In the Azure portal open the Intune blade and go to Configuration > Scripts. Click on the script you want to recover.

Step 3 – Open the Fiddler app.

By opening the Fiddler application the capture starts automatically. In case this is the first capture it will ask you to accept a self-signed certificate. It’s required to decrypt the secure HTTP(S) traffic.

For security reasons, you can remove the certificate from your local certificate store after you completed the retrieval process.

Step 4 – Change ‘something’ like adding a dot in the description field and save. 

Step 5 – Open the Fiddler app again and search for;

host: Graph.microsoft.com

URL: https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/[guid]

 

Copy the content from scriptcontent to a .txt file. In this example, it starts from PCMNC.

Step 6 – Run the script below  decrypt base64encoding to PowerShell. The output is pushed to Notepad and saved in the path where the script is executed.

 

Why Base64encoding?

The Microsoft Graph API is based on JSON configuration templates. Those templates are built-up line configuration line to configuration line. All scripts containing multiple lines of code because of this it’s required to use an alternative like base64encoding

 

 

 

##Intune-Decode-Base64.ps1## 
$Base64Code = read-host 'fill in the .txt file containing the base64 code to decode' 
$Code = Get-Content $Base64Code [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Code))| ` 
out-file -Encoding "ascii" output.ps1 
notepad.exe .\output.ps1

Conclusion

Unfortunately, Intune does not provide this feature by default. This approach is a simple and straight where (almost) none knowledge is required of the Microsoft Graph API. This combination with fiddler is useful in cases when you need to collect or retrieve Intune configuration or compliance profiles. Updating those requires another set of skills/tools. Return to this blog to read more about these topics.  

Share This