
Intune Script Recovery Shortcut – Skip Graph Permissions!

Intune’s platform and remediation scripts offer admins a powerful toolset to overcome limitations and effortlessly enhance Intune’s capabilities. But what if you need to recover a forgotten script? Follow me as I delve into the Intune script recovery options and uncover a time-saving shortcut. Stay tuned for the full Intune script recovery scoop!


Intune Script Variants For Your Windows

Let me start by recapping the two variants of assigning scripts to Windows devices through Microsoft Intune, The Intune platform scripts and the Intune remediations.

Intune Platform Scripts

Intune Platform Scripts are PowerShell scripts used in Microsoft Intune to configure properties not yet available in the settings catalog, copy files, add registry keys, or even run a script to remove unwanted Windows bloatware for a cleaner build. They are used for simple configuration settings or anything required during device setup, and they run before Win32 apps are installed.

Intune Remediations

Intune Remediations, formerly known as Proactive Remediations, are script packages that can detect and fix common support issues on a user’s device before they even realize there’s a problem. This can help reduce support calls. Each script package consists of a detection script and a remediation script set to run at intervals. If the detection is true, the remediation will fire. For example, you can have scripts that check network certificates, check registry settings, or update stale device settings.

The Need To Review Intune Scripts

Working with tenants over time or reviewing foreign tenants might require you to look into existing scripts configured. Since the scripts can make deep configurational changes on the endpoints, keeping on top of those workloads is crucial.

The Easy Intune Remediation Recovery

Intune remediations are fairly easy to review since the Intune portal gives the information we need directly in the portal. Navigating to a remediation script, I can click on Edit for the Settings.

This will give me direct access to review the detection and remediation scripts inside the portal.

I can’t download the scripts from the portal, but I can easily select and copy them into my favorite script editor or AI tool for analysis. This is often just what I need to do a quick review.

The Challenging Intune Platform Script Recovery

Working with Intune Platform scripts is performed from almost the same location as Intune Remediations, and the first steps are pretty much the same as those for remediations.

The problem is the missing preview of the script in this last picture:

The platform script content is hidden in the GUI, where the remediations display the script contents. I am completely blindfolded!

Intune Script Recovery Options

There are some options available to get around the Intune script recovery challenge.

Intune Script Recovery From Managed Endpoint

When you use Intune to deploy PowerShell scripts to your Windows devices, they’re initially saved here: C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts. It is therefore technically possible to collect the scripts from that location, provided that you have a PC onboarded. But don’t get too attached – these scripts only stick around briefly. Once the deployment wraps up, the Intune management extension promptly clears them.

This isn’t a reliable methodology on which to depend for Intune script recovery.

Intune Script Recovery Using Graph

Microsoft Intune is powered by Graph, and the Microsoft Graph API for Intune enables programmatic access to Intune information. Looking in Microsoft Graph with tools like Graph X-Ray, we can find the Intune scripts behind the following address: https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts

MVP Jan Bakker has created a great blog post about navigating the Microsoft Graph to perform Intune script recovery. Take a look at Jan’s post to sort out all those details. MVP Oliver Kieselbach has even created a script to make performing the Intune script recovery easy. Oliver’s solution will download all Intune Scripts in one run to a local folder on your device.

The Graph Challenge

Scripting through Microsoft Graph is great—as long as you can connect to Graph and run the necessary queries. That might not always be the case. You might struggle with access if you operate a first-line helpdesk or are a hired gun doing a tenant review. A common misconception is that Global Reader has access to read everything in the tenant.

Does the Global Reader allow you to read everything in the tenant?

Checking the aforementioned Graph address in Microsoft Graph Explorer (aka.ms/ge) as Global Reader clearly shows the challenge.

The application I am using is not authorized to perform this operation. The same will happen if I try to connect to Graph in a PowerShell script.

If I use a managed endpoint or any VDI, I might first encounter challenges installing the necessary PowerShell module.

Secondly, I might encounter the same challenge as in Graph Explorer when trying to connect to Graph and get access to the necessary scopes.

In some environments, this can be a challenge to overcome. Since I am a Global Reader, I am supposed to have the necessary rights to run a review. In this regard, Global Reader will be of no help. I need the “deviceManagementConfiguration.Read.All” access to get to the bottom of this.
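The Graph route described above, written out as an added example (this is my own code, not the post's and not Oliver Kieselbach's script): it connects with the scope the post names, fails early when the token does not carry it (the Global Reader case), pages through the collection, fetches each script by id because the collection endpoint omits scriptContent, and writes the decoded bytes to a local folder. It assumes the Microsoft.Graph.Authentication 2.x module is installed; the output folder name is an assumption.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not the post's own code nor Oliver Kieselbach's script:
# enumerate every Intune platform script through Microsoft Graph and save the
# decoded PowerShell to a local folder. Assumes Microsoft.Graph.Authentication
# 2.x is installed and the signed-in account can consent to the scope below.
param(
    [string]$OutputFolder = (Join-Path $PWD 'IntunePlatformScripts')   # assumed location
)

$ErrorActionPreference = 'Stop'
$requiredScope = 'DeviceManagementConfiguration.Read.All'
$baseUri = 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts'

Connect-MgGraph -Scopes $requiredScope -NoWelcome

# Fail early with a clear message: Global Reader alone never yields this scope,
# and Graph would otherwise answer each request with 403 "not authorized".
$granted = (Get-MgContext).Scopes
if ($granted -notcontains $requiredScope -and $granted -notcontains 'DeviceManagementConfiguration.ReadWrite.All') {
    throw "Token lacks $requiredScope; granted scopes: $($granted -join ', ')"
}

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
$OutputFolder = (Resolve-Path $OutputFolder).Path   # .NET file APIs need an absolute path

# Page through the collection; large tenants return @odata.nextLink.
$scripts = @()
$uri = $baseUri
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $scripts += $page.value
    $uri = $page.'@odata.nextLink'
}

foreach ($script in $scripts) {
    # The collection omits scriptContent; a GET by id returns it (base64).
    $detail = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$($script.id)"
    $bytes = [Convert]::FromBase64String($detail.scriptContent)

    # Prefer the uploaded file name, fall back to the display name, and strip
    # characters that are illegal in Windows file names.
    $fileName = if ($detail.fileName) { $detail.fileName } else { "$($detail.displayName).ps1" }
    $target = Join-Path $OutputFolder ($fileName -replace '[\\/:*?"<>|]', '_')

    # Write raw bytes so the script's original encoding (and any BOM) survives.
    [IO.File]::WriteAllBytes($target, $bytes)

    [pscustomobject]@{
        DisplayName  = $detail.displayName
        RunAsAccount = $detail.runAsAccount
        File         = $target
        Bytes        = $bytes.Length
    }
}
```

The scope check is the useful part for a reviewer: rather than hitting the "not authorized" response on every request, the script tells you up front which scopes the token actually carries, so you know whether to ask for DeviceManagementConfiguration.Read.All or to fall back to the Dev Tools shortcut below.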

Intune Script Recovery Shortcut – Skip Graph Permissions!

Sandy and Simon at MMSMOA 2024

While performing a tenant review, I fell straight into these challenges. I needed to review the scripts but did not have the access rights needed to get to the level of detail needed. Luckily, my awesome colleague MVP Sandy Zeng put me on the correct trail using the Microsoft Edge Dev Tools hidden behind the famous F12 shortcut.

Under normal circumstances, I would have used the Graph X-Ray extension from Merill Fernando to find what I wanted in the Edge Dev Tools. But not this time. This would only lead to the challenging graph path leading to the permission deadlock.

This time, I was pointed to look at the Network blade of the Edge Dev Tools, where I could dive into the Response blade for one of the requests. This gave me the scriptContent data!

This is the script’s base64-encoded payload!

Using my favorite Base64 plugin on the data in Visual Studio Code gave me the full content of the script! Alternatively, you can use MVP Petri Paavola's awesome ClipboardTools to do the Base64 decoding.

Ctrl+A to select the base64 text, then Ctrl+K, Ctrl+5 to base64-decode it.

This way, I had an Intune script recovery shortcut without needing extended Graph permissions in the tenant! Once the script is available, everything should be set for a thorough review to understand its functionality. And what better tool for this job than an AI tool like Copilot for Security?

Final Thoughts On Intune Script Recovery

So, diving into the nitty-gritty of Microsoft Intune’s inner workings is often best done through Microsoft Graph. But there are times when that option isn’t available like it wasn’t for me recently. Finding shortcuts to get the data you need is a lifesaver.

I can’t help but wonder why Microsoft keeps the platform scripts hidden, while they’ve jazzed up the GUI for the remediation scripts, revealing their content. Considering that the script content is already accessible in the browser, it seems like a no-brainer to extend this functionality to the platform script GUI.

Imagine the PowerShell script content available in Platform Scripts as it is in Remediations!

Feedback has been filed for this, meaning you can vote the feature up.
