Using Azure keys in PowerShell securely

Joe H 96 Reputation points
2021-06-04T13:10:36.14+00:00

I have a proactive remediation PowerShell script in Intune that includes the primary key for an Azure Log Analytics workspace. Since that script will persist on each user's computer, I really don't want to have the key stored in the script for obvious reasons.

Here are the limitations I have to work with:
The script will reside on each computer in a subfolder of Program Files. It is not possible to have the script removed after it runs, so it is always going to be there.
Due to limitations in Intune I cannot pass anything to the script at run time, so I cannot pass the key.

Any ideas on how I could accomplish this without having the key embedded in the script?

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Intune | Other

3 answers

  1. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2021-06-06T22:59:07.577+00:00

    Have you considered using convert to secure string cmdlet to encrypt the key and then allow decryption locally on the devices?


  2. Joe H 96 Reputation points
    2021-06-07T12:37:24.697+00:00

    Thanks. Unless I'm missing something, if I convert the Log Analytics key to a secure string I would still have to put the secure string and the decryption key for it in the script. That would make it just slightly more difficult for someone to get the LA key. I can't pass the key to the script because of a limitation in Intune.


  3. Joe H 96 Reputation points
    2021-06-07T15:55:22.553+00:00

    I tried that, but the issue is that when the encryption is done on one PC it can't be decrypted on another, unless you specify a key during encryption. I would have to put the encryption key in the PowerShell script, so it kind of defeats the purpose. Thanks though.
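
The two behaviours discussed in this thread, shown side by side as an added example (not code from any of the posters). It assumes Windows PowerShell 5.1 or later on Windows; the workspace key is a constructed placeholder and all variable names are hypothetical.

```powershell
# Constructed placeholder, not a real Log Analytics workspace key.
$workspaceKey = 'PLACEHOLDER-LOG-ANALYTICS-KEY'
$secure = ConvertTo-SecureString -String $workspaceKey -AsPlainText -Force

# --- Case 1: no -Key ------------------------------------------------------
# On Windows, ConvertFrom-SecureString without -Key protects the value with
# DPAPI, so the resulting text blob is bound to the account that created it
# on this computer.
$dpapiBlob = ConvertFrom-SecureString -SecureString $secure

# Same account, same computer: the round trip succeeds.
$dpapiBack  = ConvertTo-SecureString -String $dpapiBlob
$dpapiPlain = [System.Net.NetworkCredential]::new('', $dpapiBack).Password
Write-Output ("DPAPI round trip on this machine matches: {0}" -f ($dpapiPlain -eq $workspaceKey))

# Copying $dpapiBlob into a script that runs on another computer, or under
# another account, makes the ConvertTo-SecureString call above fail, because
# the DPAPI protection keys are not available there.

# --- Case 2: -Key ---------------------------------------------------------
# With -Key (16, 24 or 32 bytes) the blob is AES-encrypted and portable.
$aesKey = [byte[]]::new(32)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($aesKey)
$rng.Dispose()

$portableBlob = ConvertFrom-SecureString -SecureString $secure -Key $aesKey

# Decryption on any machine needs only the blob and the same key bytes.
# A deployed script must therefore carry both, so anyone who can read the
# script file can repeat these two lines and obtain the plaintext.
$portableBack  = ConvertTo-SecureString -String $portableBlob -Key $aesKey
$portablePlain = [System.Net.NetworkCredential]::new('', $portableBack).Password
Write-Output ("Keyed round trip matches: {0}" -f ($portablePlain -eq $workspaceKey))

# The blob alone reveals nothing useful; the exposure is the key stored
# next to it, which is the concern raised in the replies above.
Write-Output ("Blob length: {0}, key length: {1} bytes" -f $portableBlob.Length, $aesKey.Length)
```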

