I’ve been developing a lot of PowerShell scripts in Intune recently to clean up various machine issues in an application control project, and encountered an issue where a PowerShell script deployed via Intune (running in the system context) was failing because proxy authentication was required to access a web service.
Debugging tips
As Intune scripts are run on the device by the Intune service and their output isn’t easily “visible”, troubleshooting them can be challenging. There are a few tips I’ve used for debugging them:
- Before deploying the script in Intune, test it in Microsoft Defender Live response, which allows the execution of PowerShell scripts. This approach doesn’t guarantee finding all the potential issues, but it allows you to run the script in a controlled manner and view the output and any errors that occur.
- Drop log files onto the file system somewhere; these can even be uploaded to Blob storage.
- Call a Power Automate flow (or Logic App) from the script, which can log actions in any of the many Azure storage options or, for a very rudimentary approach, even just send you emails.
Proxy authentication solution
There are two options for resolution, depending on what the script is doing.
- Configure the script with “Run this script using the logged on credentials” set to Yes, which will run the script as the user logged onto the device.
- Bypass the proxy, which is detailed below.
From a compliance perspective, using the proxy would be the preferred approach; unfortunately, in this case the script was performing administrative operations that the logged-on user doesn’t have permissions to complete.
Thankfully, with just a few additional lines of PowerShell it was possible to bypass the proxy, firstly by creating a proxy with no configuration. An empty WebProxy has no proxy address, so requests made with it go directly to the destination rather than through the system proxy.
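```powershell
# A WebProxy created with no address means "no proxy": requests go direct
$NoProxy = New-Object System.Net.WebProxy
# Attach the empty proxy to a web session that can be passed to the web cmdlets
$WebSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$WebSession.Proxy = $NoProxy
```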
Then pass the web session carrying the proxy we’ve just created to the Invoke-RestMethod (or Invoke-WebRequest) cmdlet.
```powershell
$Uri = "https://mysite.com/WebserviceUri"
$SampleBody = @{ Property = "test" }
# -WebSession supplies the session whose Proxy property is the empty WebProxy
$Response = Invoke-RestMethod -Method POST -Uri $Uri -WebSession $WebSession -Body ($SampleBody | ConvertTo-Json)
```
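The following is an added example, not code from the original post. It combines the log-file tip with the proxy bypass and only allows the bypass for HTTPS requests to an approved host. The function names, log path, allow list and JSON content type are assumptions made for illustration.

```powershell
# Added example: hypothetical names and paths, not from the original post.
$LogFile      = Join-Path $env:ProgramData 'IntuneScriptLogs\ProxyBypass.log'  # assumed location
$AllowedHosts = @('mysite.com')   # only these hosts may be reached without the proxy

function Write-ScriptLog {
    param([string]$Message, [string]$Level = 'INFO')
    $dir = Split-Path $LogFile -Parent
    if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory -Force | Out-Null }
    $line = '{0} [{1}] {2}' -f (Get-Date -Format 'o'), $Level, $Message
    Add-Content -Path $LogFile -Value $line
}

function Invoke-DirectRestMethod {
    param(
        [Parameter(Mandatory)][uri]$Uri,
        [Parameter(Mandatory)][hashtable]$Body
    )
    # Refuse to bypass the proxy for anything other than HTTPS to an approved host.
    if ($Uri.Scheme -ne 'https' -or $AllowedHosts -notcontains $Uri.Host) {
        Write-ScriptLog "Blocked direct request to $Uri" 'WARN'
        throw "Proxy bypass is not permitted for $Uri"
    }

    # Empty WebProxy = no proxy address, so the request goes direct.
    $session       = New-Object Microsoft.PowerShell.Commands.WebRequestSession
    $session.Proxy = New-Object System.Net.WebProxy

    try {
        # Content type is an assumption: the sample service is taken to expect JSON.
        $response = Invoke-RestMethod -Method POST -Uri $Uri -WebSession $session `
            -Body ($Body | ConvertTo-Json) -ContentType 'application/json'
        Write-ScriptLog "POST $Uri succeeded"
        return $response
    }
    catch {
        # Record the failure where it can be collected later, then let Intune see the error.
        Write-ScriptLog "POST $Uri failed: $($_.Exception.Message)" 'ERROR'
        throw
    }
}

$Response = Invoke-DirectRestMethod -Uri 'https://mysite.com/WebserviceUri' -Body @{ Property = 'test' }
```

The request body is deliberately not written to the log, since scripts running as system often handle values that should not sit in a file on disk.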