Encrypted Intune policies #11

@daddycocoaman

On a recent engagement, I used pytune to enroll a Windows device. When I ran download_apps, it found policies but didn't print anything out. So I printed out the whole object instead of just PolicyBody to discover that there are encrypted policies in EncryptedPolicyBody.

pytune/device/windows.py, lines 403 to 406 in 214760b:

```python
for policy in policies:
    self.logger.info(f'#{i} (policyid:{policy["PolicyId"]}):\n')
    print(policy["PolicyBody"] + '\n')
    i=i+1
```

```
pytune.py -v download_apps -d device_name -m device_name_mdm.pfx
[*] downloading scripts...
[!] scripts found!
[*] #1 (policyid:e9de7c4f-a0d2-4f35-a6b6-950481932e5c):

{'AccountId': '[REDACTED]', 'PolicyId': 'e9de7c4f-a0d2-4f35-a6b6-950481932e5c', 'DisplayName': None, 'PolicyType': 1, 'DocumentSchemaVersion': '1.0', 'PolicyHash': 'UzbvyvEoo5Q3C4n2qCUYQYQCi/kG/Pbb6XpeaMfUBHQ=', 'PolicyBody': None, 'EncryptedPolicyBody': '<EncryptedMessage xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Management.Services.Common.Cryptography" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><EncryptedContent>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</EncryptedContent><RecipientCertThumbprints xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><a:string>DE55F2C87D476C11CECBE9D33803FCBBB7AF1A04</a:string></RecipientCertThumbprints></EncryptedMessage>

<more stuff>
```

Turns out EncryptedPolicyBody is PKCS7 encrypted with the MDM certificate you get from enrolling (the RecipientCertThumbprints value shown matches the thumbprint of the cert). Therefore, it's possible to decrypt the contents with openssl.

```shell
echo "MIICMwYJKoZIhvcNAQcDoIICJDCCAiACAQAxggFZMIIBVQIBADA9MCkxJzAlBgNVBAMTHk1pY3Jvc29mdCBJbnR1bmUgTURNIERldmljZSBDQQIQ04iSlPr4TIJACytbs5E/3zANBgkqhkiG9w0BAQcwAASCAQBCCtV1e4gbfI1Vyfe3TJfW+hOeFTWlYfFrkFvhRWlRvQLb+kqVBgZtZsCoS0vgpOays9T123HiI71ozdRAcEE67dAuDKiBVCotV71Evyi26AwDmHvGZ922xhPjKNANbuppMgy3imRoB5aRiui1ew47F0AyGc4d6GOX9r1QT9/KviFh3wW2HgLSalPx9hr49pNwn8WIKeZm9a6bCGFiI744NEuFfiRwZLkyRnb9MdQ1hIrj87IqQ4OcXJS3hHdK1qt2DDYn2ZCkt7TD4vm7Mp/Du9ecGzEUrZEOUWQCXcqsxm2q2dpkiquy5fJDm6HXe25mBqo5ZMetDcbVcI+svmaiMIG9BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCPx6vzpxc2fbKdW+saWkzjgIGQ0g5HIrMcw6aJV5wiWubSObxLqGnQqXl3FCGgeiFhaDnyMIYU6qcXksvMm2DAJ7f/ZI/IwrSZvUOcVwfODMP2oO2BvQfVV5ZVzsA+3oMzGkvI/rIdx+vsFhbExM2axf3THcoBa6w+IJkL5tQC62QlE1mtLbFkppqlnUPV1cyj4p2Qb/i1P8m9vO3o1ALylePp" | base64 -d | openssl cms -decrypt -inform DER -recip device_name_mdm.crt -inkey device_name_mdm.key
# decrypted policy body:
cmd.exe /c wmic product where "name like 'Netsurion Sensor'"
cmd.exe /c wmic product where "name like 'Netsurion Sensor'" call uninstall
```

This can be added to pytune using the cryptography library. Would you take a PR for this?
