Have you considered using convert to secure string cmdlet to encrypt the key and then allow decryption locally on the devices?
Using Azure keys in PowerShell securly
I have a proactive remediation PowerShell script in Intune that includes the primary key for an Azure Log Analytics workspace. Since that script will persist on each user's computer, I really don't want to have the key stored in the script for obvious reasons.
Here are the limitations I have to work with:
The script will reside on each computer in a subfolder of Program Files. It is not possible to have the script removed after it runs, so it is always going to be there.
Due to limitations in Intune I cannot pass anything to the script at run time, so I cannot pass the key.
Any ideas on how I could accomplish this without have the key embedded in the script?
3 answers
Sort by: Most helpful
-
-
Joe H 96 Reputation points
2021-06-07T12:37:24.697+00:00 Thanks. Unless I'm missing something, if I convert the Log Analytics key to a secure string I would still have to put the secure string and the decryption key for it in the script. That would make it just slightly more difficult for someone to get the LA key. I can't pass the key to the script because of a limitation in Intune.
-
Joe H 96 Reputation points
2021-06-07T15:55:22.553+00:00 I tried that, but the issue is that when the encryption is done on one PC it can't be decrypted on another, unless you specify a key during encryption. I would have to put the encryption key in the PowerShell script, so it kind of defeats the purpose. Thanks though.