
intune's People

Contributors

bb-froggy, markstan, okieselbach, sn7400


intune's Issues

GetDecryptionInfoFromLogFile.ps1 only searches current IME log

The script only searches the current (latest) IME log - sometimes the download info may have aged out of the current log into a rolled over log.

The code updates below will search all IME logs:

function ExtractIntuneAppDetailsFromLogFile()
{
    $IMELogs = Get-ChildItem -Path $env:ProgramData\Microsoft\IntuneManagementExtension\Logs -Filter IntuneManagementExtension*.log -Recurse -ErrorAction SilentlyContinue
    foreach ($IMELog in $IMELogs)
    {
        $agentLogPath = $IMELog.FullName
        $stringToSearch = "<![LOG[Response from Intune = {".ToLower()

        Get-Content $agentLogPath | ForEach-Object {
        ...

combining 2 in 1

function Convert-SIDGUID {
<#
.SYNOPSIS
This will help translate SIDS into GUIDS and vice versa. Checks if input is SID or GUID and returns the other.

.DESCRIPTION
Based on code from https://tech.nicolonsky.ch/validating-a-guid-with-powershell/ and https://oliverkieselbach.com/2020/05/13/powershell-helpers-to-convert-azure-ad-object-ids-and-sids/

.PARAMETER InputObject
The SID or GUID to convert
#>
param
(
    [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true)]
    [AllowEmptyString()]
    [string]$InputObject
)


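# If the input parses as a GUID, reinterpret its 16 bytes as four UInt32 values to build the SID
$tryguid = [guid]::TryParse($InputObject, $([ref][guid]::Empty))
if ($tryguid) {
    # Fixed: parse the function's own parameter ($ObjectId was never defined here)
    $bytes = [Guid]::Parse($InputObject).ToByteArray()
    $array = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
    # The array expands space-separated inside the string; spaces become the SID separators
    $sid = "S-1-12-1-$array".Replace(' ', '-')
    return $sid
}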

try {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($InputObject) | foreach {$_.Value}
    $index = 'S-1-12-1-'.Length 
    $length = $sid.length - $index
    $text = $sid.Substring($index,$length)
    # $text = $sid.Replace('S-1-12-1-', '')
    $array = [UInt32[]]$text.Split('-')
    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($array, 0, $bytes, 0, 16)
    [Guid]$guid = $bytes
    return $guid
}
catch {
    Return "No valid SID or GUID found"
}

}

Different GUID

Not directly an issue with the script (which is great), but the GUIDs from the URL are nothing like the file that gets saved locally, so one needs to match these, i.e. by time, to know which file the keys correspond to...

Doesn't detect the installation of the TPM-PIN-App

The app does what it is supposed to. The problem I am having is that the app always shows an error after I have typed in my PIN (which is getting prompted for at start-up of the notebook). The error message states that there is a problem with the installation. I was guessing that it is actually a problem with the detection PS script, but I tried a few things tweaking the script and I am still getting the same error. The status of the app not being installed leads to the daily prompt that I should set my PIN (although it is already set and actually working).
Does anyone have an idea what the root of this problem could be? Is there a way I could see a log of what's happening after I set my PIN?

Get-DeviceManagementScripts - Out-File : Could not find a part of the path

When using the -FileName optional parameter, the following error is displayed:

Out-File : Could not find a part of the path 'C:\temp'.
At line:59 char:113
+ ... ontent))) | Out-File -Encoding ASCII -FilePath $(Join-Path $FolderPat ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

Get-DecryptInfoFromSideCarLogFiles no longer functional

It seems that the Intune Management Extension no longer produces the logs necessary to determine the intunewin IV and key.

I suspect this is due to a recent update. If anyone has docs from the start of October or earlier, I'd love to take a look.

ServiceUI.exe only accepts up to 10 characters

Dear okieselbach,

The BitLocker PIN ServiceUI.exe only accepts up to 10 characters.
It's not allowed to click OK if the PIN goes beyond that number.

Do you mind sharing the source code?

Thanks.

Output Handling in ManagementExtension-Samples/IntunePSTemplate.ps1

For the x86 -> x64 context switch, the IntunePSTemplate.ps1 sample sets the RedirectStandardOutput property for the ProcessStartInfo object to $true, but does not consume the StandardOutput. This can cause the new x64 child process to hang indefinitely:

>> (..) When the child process writes enough data to fill its redirected stream, it is dependent on the parent. The child process waits for the next write operation until the parent reads from the full stream or closes the stream. (..) <<
Source: ProcessStartInfo.RedirectStandardOutput Property

When the StandardOutput is not consumed by the parent script, the $pinfo.RedirectStandardOutput should be set to $false.

There is another issue: $exitCode = $p.ExitCode gets called without waiting for the child process to exit. Therefore, $exitCode will come back as $NULL most of the time. Better code would look like this:

$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()
$exitCode = $p.ExitCode
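
The pattern discussed in this issue, as an added example that is not part of the original issue or of IntunePSTemplate.ps1: with both streams redirected, one is drained asynchronously so the child can never block on a full pipe, and the exit code is read only after the process has exited. `Invoke-ChildProcess` and the child command are hypothetical and constructed for illustration; a 64-bit Windows installation is assumed.

```powershell
# Added example; Invoke-ChildProcess is a hypothetical helper, not the template's code.
function Invoke-ChildProcess {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string]$Arguments = ''
    )

    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName               = $FilePath
    $pinfo.Arguments              = $Arguments
    $pinfo.UseShellExecute        = $false   # required for stream redirection
    $pinfo.CreateNoWindow         = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.RedirectStandardError  = $true

    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    [void]$p.Start()

    # Drain stdout in the background and stderr in the foreground, so neither
    # pipe can fill up and block the child while the parent reads the other.
    $stdoutTask = $p.StandardOutput.ReadToEndAsync()
    $stderr     = $p.StandardError.ReadToEnd()

    # ExitCode is only valid once the process has exited.
    $p.WaitForExit()
    $result = [pscustomobject]@{
        ExitCode = $p.ExitCode
        StdOut   = $stdoutTask.Result
        StdErr   = $stderr
    }
    $p.Dispose()
    return $result
}

# From a 32-bit host, "sysnative" reaches the 64-bit powershell.exe.
$psDir = if ([Environment]::Is64BitProcess) { 'System32' } else { 'sysnative' }
$ps64  = Join-Path $env:WINDIR "$psDir\WindowsPowerShell\v1.0\powershell.exe"

# Constructed child command: about 2 MB on stdout, one line on stderr, exit code 3.
$childArgs = '-NoProfile -Command "1..20000 | ForEach-Object { ''x'' * 100 }; ' +
             '[Console]::Error.WriteLine(''constructed error''); exit 3"'

$r = Invoke-ChildProcess -FilePath $ps64 -Arguments $childArgs
'{0} stdout chars, stderr="{1}", exit code {2}' -f $r.StdOut.Length, $r.StdErr.Trim(), $r.ExitCode
```

If the child's output is not needed at all, leaving `RedirectStandardOutput` at `$false` avoids the problem without any reader.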

GetDecryptionInfoFromLogFile.ps1 doesn't work if Intune cert is in user store

In some cases the Intune certificate is not installed in the local machine store but in the current user store. In this case the Decrypt function will fail.

The following code update to the function will check the user store if no cert is found in the localmachine store:

  [System.Reflection.Assembly]::LoadWithPartialName("System.Security") | Out-Null
  $content = [Convert]::FromBase64String($base64string)
  $envelopedCms = [Security.Cryptography.Pkcs.EnvelopedCms]::new()
  $x509Store = [System.Security.Cryptography.X509Certificates.X509Store]::new([System.Security.Cryptography.X509Certificates.StoreName]::My,[System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
  $x509Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
  [System.Object]$certExtension = "1.2.840.113556.5.6"
  $certCollection = $x509Store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByExtension,$certExtension,$false)
  $x509Store.Close()
  if ($certCollection.Count -eq 0)
  {
      $x509Store = [System.Security.Cryptography.X509Certificates.X509Store]::new([System.Security.Cryptography.X509Certificates.StoreName]::My,[System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
      $x509Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
      $certCollection = $x509Store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByExtension,$certExtension,$false)
      $x509Store.Close()
  }
  $envelopedCms.Decode($content)
  $envelopedCms.Decrypt($certCollection)

  $utf8content = [text.encoding]::UTF8.getstring($envelopedCms.ContentInfo.Content)

  return $utf8content

Get-CimInstance : A general error occurred that is not covered by a more specific error code.

Hello,
the Get-WindowsAutoPilotInfo.ps1 PowerShell script returns the error below on computers with the latest Windows Updates (May 2022); it seems KB5013942 is causing it (links: Microsoft Q&A, Reddit).

Get-CimInstance : A general error occurred that is not covered by a more specific error code.
At C:\Program Files\WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1:211 char:17
+ ... evDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand

C:\Program Files\WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1 : Unable to retrieve device hardware data (hash) from computer localhost

Removing the KB above resolves the issue; however, in some environments it isn't possible (Windows says this is a required security update and cannot be removed).

On deeper investigation (WMI Explorer), it appears there is no instance of the class MDM_DevDetail_Ext01 under the root/cimv2/mdm/dmmap namespace, causing the error above.

Maybe you already know about it, and I also understand it isn't a script issue, but more of a WMI-related issue.

What are your thoughts?

Thank you,
Luca

Add -online importation from CSV

Hello

Can you add to the -online parameter the ability to import multiple devices from a CSV file?

For example:

At line 325:

if ($FromCSV) {
	$computers = Import-Csv $FromCSV | Select -Unique 
}
if ($Online)
	{
		# Add the devices
		$importStart = Get-Date
		$imported = @()
 etc

$FromCSV is the csv path generated with the parameter $OutputFile

Set-AutoPilotDeviceAssignedUser still expected to work?

Hi,
is the Set-AutoPilotDeviceAssignedUser function still expected to work? I'm trying to use it but can't make it work.

Set-AutoPilotDeviceAssignedUser : System.Net.Http.HttpRequestException: 400 Bad Request
{"error":{"code":"BadRequest","message":"{\r\n "_version": 3,\r\n "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID:
105e0390-e8ee-47cf-86c6-cfb576279131 - Url: https://fef.amsub0202.manage.microsoft.com/DeviceEnrollmentFE/StatelessDeviceEnrollmentFEService/deviceManagement/windowsAutopilotDeviceIdentities('d565e906-babd-494e-baab-85ce1a5583
17')/microsoft.management.services.api.assignUserToDevice?api-version=5023-06-28",\r\n "CustomApiErrorPhrase": "",\r\n "RetryAfter": null,\r\n "ErrorSourceService": "",\r\n "HttpHeaders":
"{}"\r\n}","innerError":{"date":"2024-02-07T07:04:41","request-id":"105e0390-e8ee-47cf-86c6-cfb576279131","client-request-id":"105e0390-e8ee-47cf-86c6-cfb576279131"}}}
At C:\Users\D053249\SAP SE\IES EMEA - Intune\Scripts\AssignUserToDevice\AssignUserToDevice.ps1:204 char:1

+ Set-AutoPilotDeviceAssignedUser -userPrincipalName "xxxxxxxxxx ...
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-AutoPilotDeviceAssignedUser
