This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 25%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
I have a proactive remediation PowerShell script in Intune that includes the primary key for an Azure Log Analytics workspace. Since that script will persist on each user's computer, I really don't want to have the key stored in the script for obvious reasons.
Here are the limitations I have to work with:
The script will reside on each computer in a subfolder of Program Files. It is not possible to have the script removed after it runs, so it is always going to be there.
Due to limitations in Intune I cannot pass anything to the script at run time, so I cannot pass the key.
Any ideas on how I could accomplish this without have the key embedded in the script?
Have you considered using convert to secure string cmdlet to encrypt the key and then allow decryption locally on the devices?
Thanks. Unless I'm missing something, if I convert the Log Analytics key to a secure string I would still have to put the secure string and the decryption key for it in the script. That would make it just slightly more difficult for someone to get the LA key. I can't pass the key to the script because of a limitation in Intune.
Look at example 1. convertto-securestring
As I understand, all that should be required is putting in the encrypted key in the script (converted using from secure string cmdlet). Then you use the covert to secure string later in the script which should decrypt the key for you. Store the value in variable and parse it in the fly. I could be wrong as I have never tried this but worth a shot.
I tried that, but the issue is that when the encryption is done on one PC it can't be decrypted on another, unless you specify a key during encryption. I would have to put the encryption key in the PowerShell script, so it kind of defeats the purpose. Thanks though.
I see. However, you will atleast be able to prevent the exposure of your actual keys. This may not be full proof from a security perspective, but certainly a start. Maybe look at leveraging azure key vault to store the keys and use graph api to fetch from there.