okieselbach / Intune

Intune Scripts and Helpers.

GetDecryptionInfoFromLogFile.ps1 doesn't work if Intune cert is in user store #21

Open SMSAgentSoftware opened 10 months ago

SMSAgentSoftware commented 10 months ago

In some cases the Intune certificate is not installed in the local machine store but in the current user store. In this case the Decrypt function will fail.

The following code update to the function will check the user store if no cert is found in the LocalMachine store:

```powershell
function Decrypt {
    param([string]$base64string)

    # Load System.Security so the EnvelopedCms type is available (Windows PowerShell 5.1)
    [System.Reflection.Assembly]::LoadWithPartialName("System.Security") | Out-Null
    $content = [Convert]::FromBase64String($base64string)
    $envelopedCms = [Security.Cryptography.Pkcs.EnvelopedCms]::new()

    # First look for the Intune MDM certificate in LocalMachine\My
    $x509Store = [System.Security.Cryptography.X509Certificates.X509Store]::new([System.Security.Cryptography.X509Certificates.StoreName]::My,[System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $x509Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    [System.Object]$certExtension = "1.2.840.113556.5.6"
    $certCollection = $x509Store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByExtension,$certExtension,$false)
    $x509Store.Close()

    # Fall back to CurrentUser\My when the certificate was enrolled in the user context
    if ($certCollection.Count -eq 0)
    {
        $x509Store = [System.Security.Cryptography.X509Certificates.X509Store]::new([System.Security.Cryptography.X509Certificates.StoreName]::My,[System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
        $x509Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $certCollection = $x509Store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByExtension,$certExtension,$false)
        $x509Store.Close()
    }

    # Fail with a clear message instead of letting Decrypt throw a generic CMS error
    if ($certCollection.Count -eq 0)
    {
        throw "No certificate with extension $certExtension found in LocalMachine\My or CurrentUser\My"
    }

    $envelopedCms.Decode($content)
    $envelopedCms.Decrypt($certCollection)

    $utf8content = [text.encoding]::UTF8.getstring($envelopedCms.ContentInfo.Content)

    return $utf8content
}
```
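As an added example (not code from the okieselbach/Intune repository or from the commenter above), the following PowerShell generalizes the store fallback described in this issue: it searches both LocalMachine\My and CurrentUser\My for certificates carrying the extension OID the issue uses (1.2.840.113556.5.6), reports which store each match lives in and whether a private key is present, and only then attempts the EnvelopedCms decrypt with the best candidate. The function names `Find-IntuneMdmCertificate` and `Unprotect-IntuneLogBlob` are hypothetical names chosen for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not part of the okieselbach/Intune project.
# EnvelopedCms lives in System.Security on Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function Find-IntuneMdmCertificate {
    param(
        # Extension OID used in the issue to identify the Intune MDM certificate
        [string]$ExtensionOid = '1.2.840.113556.5.6'
    )
    # Check both stores so the caller can see where the cert actually is
    $results = foreach ($location in [StoreLocation]::LocalMachine, [StoreLocation]::CurrentUser) {
        $store = [X509Store]::new([StoreName]::My, $location)
        try {
            $store.Open([OpenFlags]::ReadOnly)
            foreach ($cert in $store.Certificates) {
                if ($cert.Extensions | Where-Object { $_.Oid.Value -eq $ExtensionOid }) {
                    [pscustomobject]@{
                        Store         = $location
                        Subject       = $cert.Subject
                        Thumbprint    = $cert.Thumbprint
                        NotAfter      = $cert.NotAfter
                        HasPrivateKey = $cert.HasPrivateKey
                        Certificate   = $cert
                    }
                }
            }
        } finally {
            $store.Close()
        }
    }
    $results
}

function Unprotect-IntuneLogBlob {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Base64String)

    # Decrypt can only succeed with a certificate whose private key is accessible;
    # prefer a non-expired one and, if several match, the one expiring last.
    $candidates = Find-IntuneMdmCertificate |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending
    if (-not $candidates) {
        throw 'No Intune MDM certificate with a usable private key found in LocalMachine\My or CurrentUser\My.'
    }
    $chosen = $candidates | Select-Object -First 1
    Write-Verbose ("Using certificate {0} from the {1} store" -f $chosen.Thumbprint, $chosen.Store)

    $collection = [X509Certificate2Collection]::new($chosen.Certificate)
    $cms = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new()
    $cms.Decode([Convert]::FromBase64String($Base64String))
    $cms.Decrypt($collection)
    [Text.Encoding]::UTF8.GetString($cms.ContentInfo.Content)
}

# Usage: list every matching certificate and where it was found, then decrypt a blob
# taken from the log file (the -Verbose switch prints which certificate was used).
Find-IntuneMdmCertificate | Format-Table Store, Thumbprint, NotAfter, HasPrivateKey
# Unprotect-IntuneLogBlob -Base64String $base64FromLog -Verbose
```

Listing the matches before decrypting makes the failure mode in this issue visible at a glance: if the only match is in CurrentUser\My, a session running as a different user (or as SYSTEM) will not see it, and if the match is in LocalMachine\My, using its private key typically requires an elevated session even though the certificate itself is readable.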