<#
Version: 1.0
Author: Oliver Kieselbach
Script: Get-DecryptInfoFromSideCarLogFiles.ps1
Description:
Run as Administrator on a device that is Azure AD joined (AADJ) and Intune enrolled, so that
the log message containing the decryption info for Intune Win32 apps (.intunewin) can be decrypted successfully.
Release notes:
Version 1.0: Original published version.
The script is provided "AS IS" with no warranties.
#>
function Decrypt($base64string)
{
    <#
    .SYNOPSIS
    Decodes a Base64-encoded CMS (PKCS #7) enveloped message, decrypts it and returns the plaintext as a UTF-8 string.

    .PARAMETER base64string
    Base64 text of the enveloped message.

    .OUTPUTS
    System.String. The decrypted content decoded as UTF-8.

    .NOTES
    The returned plaintext is sensitive: the caller in this script reads an encryption key and IV out of it.
    Avoid writing it to transcripts or shared logs.
    #>

    # NOTE(review): LoadWithPartialName is marked obsolete in .NET; Add-Type -AssemblyName is the usual
    # replacement - confirm on the PowerShell versions this script has to support before switching.
    [void][System.Reflection.Assembly]::LoadWithPartialName("System.Security")

    $cmsBytes = [Convert]::FromBase64String($base64string)

    # The extra certificate collection stays empty, so decryption depends on a matching certificate and
    # private key already being available in the local certificate stores (hence the requirement in the
    # script header to run elevated on the enrolled device).
    $extraCerts = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $cms = New-Object -TypeName Security.Cryptography.Pkcs.EnvelopedCms

    $cms.Decode($cmsBytes)
    $cms.Decrypt($extraCerts)

    [Text.Encoding]::UTF8.GetString($cms.ContentInfo.Content)
}
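# Scans the Intune Management Extension agent log for "Get content info from service" replies and
# prints, for each reply, the content URL together with the decrypted encryption key and IV.
#
# Security note: the Key and IV lines are the content-encryption secrets of the package. Treat the
# console output, and any transcript or file it is redirected to, as sensitive material.
# NOTE(review): since a local administrator on an enrolled device can obtain these values, .intunewin
# content should not be relied on to keep embedded secrets (passwords, API keys) confidential.
$agentLogPath = Join-Path $env:ProgramData "Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"
$stringToSearch = "<![LOG[Get content info from service,ret = {"

# Start from a known state: a $nextLine value left over in the calling session would otherwise cause
# the very first log line to be parsed as a reply payload.
$nextLine = $false

if (-not (Test-Path -LiteralPath $agentLogPath -PathType Leaf)) {
    Write-Warning "Agent log not found: $agentLogPath"
}
else {
    Get-Content -LiteralPath $agentLogPath | ForEach-Object {
        # Capture the current line once; $_ is rebound to the error record inside a catch block.
        $line = $_.ToString()

        if ($nextLine) {
            try {
                # The line after the marker holds the reply body; it is wrapped in braces to form a JSON object.
                $reply = "{$($line.TrimStart())}" | ConvertFrom-Json
                $responsePayload = ($reply.ResponsePayload | ConvertFrom-Json)
                $contentInfo = ($responsePayload.ContentInfo | ConvertFrom-Json)

                # DecryptInfo is XML whose EncryptedContent element carries the Base64 enveloped message.
                $decryptInfo = Decrypt(([xml]$responsePayload.DecryptInfo).EncryptedMessage.EncryptedContent) | ConvertFrom-Json

                "URL: $($contentInfo.UploadLocation)"
                "Key: $($decryptInfo.EncryptionKey)"
                "IV: $($decryptInfo.IV)"

                # optional call:
                # .\IntuneWinAppUtilDecoder.exe `"$($contentInfo.UploadLocation)`" /key:$($decryptInfo.EncryptionKey) /iv:$($decryptInfo.IV)
            }
            catch {
                # A truncated or malformed entry, or a missing private key, should not print blank Key/IV lines.
                Write-Warning "Skipping log entry that could not be parsed or decrypted: $($_.Exception.Message)"
            }
            finally {
                $nextLine = $false
            }
        }

        # Ordinal comparison: the marker is a fixed machine-written prefix, not linguistic text.
        if ($line.StartsWith($stringToSearch, [System.StringComparison]::Ordinal)) {
            $nextLine = $true
        }
    }
}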