Discover the Intune Graph APIs with fiddler

Do you want to recover an Intune PowerShell script but cannot find it at your computer? Yes, this was me a couple of weeks ago. At that moment, I had two options. The first one was to re-write the entire script, or the second option was to find a way to recover an Intune PowerShell script. I chose the second option and accepted the challenge. The result is a lot of fun and a script that I share in this blog, so you can recover Intune Powershell yourself.

My investigation started with a question if I’m able to see the script via the Fiddler (network scanning) tool. I’m using this tool often because it provides insights into the Intune Graph API used to get/update or post configuration items. In the following chapter, you can see how you can install this tool. I have discovered that the Intune scripts are part of the API URL DeviceManagement/DeviceManagementScripts section. A unique GUID represents the script itself. In other words “it’s time to code!” but first of all, I like to explain the steps you can do to discover the API URL.[GUID] 

Using the Fiddler tool

Step 1 – Download and install Fiddler.

Step 2 – In the Azure portal open the Intune blade and go to Configuration > Scripts. Click on the script you want to recover.

Recover Intune PowerShell scripts PowerShell script

Step 3 – Firstly, start the Fiddler app and open one of the PowerShell scripts.

Recover Intune PowerShell scripts Description

Step 4 – Secondly, you you need to change something like adding a dot in the description field and save.

By doing this the script is saved (update/post) and visible via the Fiddler tool


Recover Intune PowerShell scripts Scriptcontent

Step 5 – Open the Fiddler app again and search for;

Step 6 – Any script content block is encoded in base64. Therefore we need to decode it first. You can do this by copying the content from the script content to a .txt file. In this example, it starts from PCMNC. You can do this yourself by running (base64 decode) scrip below. After that the script successfully the output is saved in the path where the script is executed.

Why Base64encoding?

The Microsoft Graph API (language) is based on JSON files/templates. Those templates are built-up line configuration lines to the configuration line. All scripts containing multiple lines of code because of this it’s required to use an alternative like base64encoding.

Recover Intune PowerShell scripts Decode

$Base64Code = read-host 'fill in the .txt file containing the base64 code to decode'
$Code = Get-Content $Base64Code [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Code))| `
out-file -Encoding "ascii" output.ps1
notepad.exe .\output.ps1

Recover an Intune PowerShell script with the code below

I’ve developed a simple script that you can use to restore any Intune PowerShell script(s). In addition, the screen recording below shows you an example of how you need to use the script.

Note – You need to install the module MSAL.PS and use Powershell 7 or higher.

Param (
$authParams = @{
clientId = '53405005-160e-44e4-a86a-8feb23429cf6' #well known intune / graph application
tenantId = "$TenantName"
Interactive = $true
DeviceCode = $true
$token = Get-MsalToken @authParams
$graphApiVersion = "beta";
$resource = "/deviceManagement/deviceManagementScripts";
$headers = @{
"Authorization" = "Bearer $($token.AccessToken )";
"Content-Type" = "application/json";
#region Get all device policies
$Scripts = Invoke-RestMethod -Uri "$($graphApiVersion)/$($resource)" -Method Get -Headers $headers -UseBasicParsing;
"Found $($Scripts.value.Count) script";
$ContentID = ($scripts.value | select DisplayName,ID | out-gridview -PassThru).ID
$Content = Invoke-RestMethod -Uri "$($graphApiVersion)/$($resource)/$ContentID" -Method Get -Headers $headers -UseBasicParsing;
#Decrypt Base64 and export
$EncodedText = $content.scriptcontent
$DecodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($EncodedText))
$DecodedText | out-file $env:temp\PowerShell-script.ps1 -Force
Notepad.exe $env:temp\PowerShell-script.ps1


In conclusion, the Intune GUI cannot export the Intune PowerShell scripts. However, it’s possible to do this if you use the absolute power of the Graph. The Fiddler tool is a helpful tool to see which API calls Microsoft is using in the background, like retrieve information like the script content block. Return to this blog to read more about these topics. 

Related blogs

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *