Close Encounters of Fiddler

Last Updated on December 29, 2022 by rudyooms

This blog will show you how to combine the power of Fiddler, MDM, and PowerShell.

Did you ever wonder how you could automate your Microsoft365 deployments or capture some MDM traffic? It’s a lot of work to configure conditional access, device configurations, update settings, and compliance settings manually… and we haven’t even talked about the risk of human error.

I am going to divide this blog into multiple parts:

  1. Capturing HTTPS traffic
  2. Basic Fiddler Tips
  3. Capturing MDM Traffic
  4. Capturing MS-Store Apps

1. Capturing HTTPS Traffic

First, we need Fiddler and PowerShell. Download and install Fiddler.

https://www.telerik.com/download/fiddler

When you have installed Fiddler, please make sure you enable HTTPS decryption as shown below and allow the proxy certificate to be installed. Otherwise, you won't see much information.

Now that we have everything in place, open the Intune web portal. Go ahead and create a new Conditional Access rule in Intune. When saving your Conditional Access rule, you will need to take a good look at Fiddler. Make sure you select Inspectors and TextView (or Raw).

Very Nice… Now you’ve got all the information you need to replicate it with PowerShell.

  1. The host address: main.iam.ad.ext.azure.com. You will need to call the Azure REST API behind it. Remember the resource: 74658136-14ec-4630-ad9b-26e160ff0fc6 -> Azure PowerShell
  2. The URL: add the path to the host address: https://main.iam.ad.ext.azure.com/api/policies.
  3. JSON: copy/paste the request body into a variable.

Okay? What now? One script to rule them all!

# Sign in with the AzureRM module and reuse the refresh token it cached
Login-AzureRmAccount

$context      = Get-AzureRmContext
$tenantId     = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() |
    Where-Object { $_.TenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date) })[0].RefreshToken

# Exchange the refresh token for an access token for the resource seen in Fiddler (Azure Portal API)
$body     = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

# The same headers the portal sent in the captured request
$header = @{
    'Authorization'          = 'Bearer ' + $apiToken.access_token
    'Content-Type'           = 'application/json'
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid()
    'x-ms-correlation-id'    = [guid]::NewGuid()
}

$url = "https://main.iam.ad.ext.azure.com/api/Policies"

# Paste the JSON body you copied from the Fiddler inspector here
$content = 'PUT JSON CONTENT HERE'

Invoke-RestMethod -Uri $url -Headers $header -Method Post -Body $content -ErrorAction Stop

Please beware that this script still uses the login.windows.net endpoint, which will be deprecated next year, so read this blog if you want to change/migrate your scripts.

Now take a look at your Conditional Access rules; that's what I call automation! Please don't forget to turn off the Conditional Access rules before you export them.

You could really lock yourself out when importing enabled conditional access rules in another tenant!

2. Basic Fiddler Tips

First, some basic tips before I show you how to solve the MDM capturing problem in the next part.

  • Before you start with HTTPS decryption, please make sure you “Exempt All” immersive apps, as you don't want those apps to be blocked from sending network traffic to the local computer.
  • When needed you could run Fiddler as SYSTEM with the use of PsExec, but normally capturing the information as the user itself should be sufficient.
  • Configure the automatic export of logs each minute, so you are 100% sure you are not missing anything. You can do so by clicking on “View” -> “Tab” -> “AutoSave”.
  • Of course, ensure you have enabled HTTPS decryption and accepted all the warnings. If not, click on Actions and then on “Trust Root Certificate”.
  • Don't forget to make sure all other traffic is also redirected to Fiddler. You can do so by entering this command: netsh winhttp set proxy 127.0.0.1:8888
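The last tip changes the machine-wide WinHTTP proxy, which affects every WinHTTP client on the box, so it pays to check that Fiddler is actually listening before you set it and to reset it when the capture is done. The following PowerShell is an added example, not code from the original post; the function names are my own and the 127.0.0.1:8888 default matches the command above.

```powershell
# Added example (not from the original post): wrap the netsh winhttp commands with a check and a reset.

function Test-FiddlerListening {
    param([int]$Port = 8888)
    # Fiddler listens on 127.0.0.1:8888 by default. If nothing is there, setting the proxy
    # would simply break connectivity for every WinHTTP client on this machine.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    return [bool]$listener
}

function Get-WinHttpProxy {
    # Parses the human-readable output of 'netsh winhttp show proxy'.
    # Returns $null for direct access, otherwise the configured proxy server string.
    $output = netsh winhttp show proxy
    if ($output -match 'Direct access') { return $null }
    foreach ($line in $output) {
        if ($line -match 'Proxy Server\(s\)\s*:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return $null
}

function Enable-FiddlerWinHttpProxy {
    # Needs an elevated prompt: netsh winhttp writes the machine-wide setting.
    param([string]$Proxy = '127.0.0.1:8888')
    $port = [int]($Proxy.Split(':')[-1])
    if (-not (Test-FiddlerListening -Port $port)) {
        throw "Nothing is listening on $Proxy. Start Fiddler (with capturing enabled) first."
    }
    netsh winhttp set proxy $Proxy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE (are you elevated?)" }
    return Get-WinHttpProxy
}

function Disable-FiddlerWinHttpProxy {
    # Put the machine back to direct access once the capture is finished.
    netsh winhttp reset proxy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE (are you elevated?)" }
    return Get-WinHttpProxy   # $null means direct access again
}

# Usage, from an elevated PowerShell:
#   Enable-FiddlerWinHttpProxy        # sets 127.0.0.1:8888 after confirming Fiddler is listening
#   ... do your capture ...
#   Disable-FiddlerWinHttpProxy       # resets to direct access
```

Get-WinHttpProxy is there so you can confirm the state before and after; a forgotten proxy setting is the usual reason "nothing works anymore" after a capture session on a test machine.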

3. Capturing MDM Traffic

Now that we have seen how we can capture website traffic with Fiddler, let's take a look at how you could capture traffic from and to Intune/Endpoint Manager.

I guess everyone knows this error when you want to “capture” some Microsoft 365 stuff with Fiddler. The server [r.manage.microsoft.com or manage.microsoft.com] requests a client certificate.

We have got two options to deal with this, but only one of them gives you useful logging.

3.1. Excluding:

Exclude manage.microsoft.com and *.manage.microsoft.com (so also r.manage.microsoft.com) from HTTPS decryption, so you won't receive any errors! :P... but this is not the way to go when you want to capture some traffic.

3.2. Adding the Intune Client Certificate:

A far better option is to export the Microsoft Intune MDM device certificate the moment you receive it. Why? Your Intune MDM device certificate is needed for trusted communication with Intune, so why not export it so Fiddler can use it to decrypt the MDM traffic?

Open the local computer certificate store and export the certificate. Give it the filename ClientCertificate.cer and place it inside the %userprofile%\Documents\Fiddler2 folder. Restart Fiddler afterwards and watch it log!

Please note that this trick will only work when you have started Fiddler as a user. When you executed Fiddler as SYSTEM, you can guess what's missing... the SYSTEM account's Documents folder. So how do we solve this?

Open the Fiddler Script editor by clicking on “Rules” and “customize rules”

And add this part to the “static function OnBeforeRequest(oSession: Session)” part

    // Hand Fiddler the exported Intune MDM device certificate for both Intune hosts
    if (oSession.HostnameIs("r.manage.microsoft.com")) {
        oSession["https-Client-Certificate"] = "C:\\test\\someCert.cer";
    }
    if (oSession.HostnameIs("manage.microsoft.com")) {
        oSession["https-Client-Certificate"] = "C:\\test\\someCert.cer";
    }
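The export step above is done by hand in the certificate console; the PowerShell below is an added example (not code from the original post) that does the same from the local computer store and writes the .cer either to the per-user Fiddler2 folder or to the custom path referenced from the FiddlerScript when Fiddler runs as SYSTEM. The issuer string used to find the certificate is an assumption based on how the Intune MDM device certificate is commonly issued; check it against certlm.msc on your own device.

```powershell
# Added example (not from the original post): export the Intune MDM device certificate for Fiddler.
function Export-IntuneDeviceCertificate {
    param(
        # Assumption: issuer of the Intune MDM device certificate. Adjust if certlm.msc shows
        # a different issuer on your enrolled device.
        [string]$IssuerPattern = 'Microsoft Intune MDM Device CA',

        # Default: the per-user location Fiddler reads ClientCertificate.cer from.
        # Pass e.g. -Destination 'C:\test\someCert.cer' for the FiddlerScript/SYSTEM case.
        [string]$Destination = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Fiddler2\ClientCertificate.cer')
    )

    # Pick the newest matching certificate from the local computer store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) {
        throw "No certificate issued by '$IssuerPattern' found in Cert:\LocalMachine\My. Is this device enrolled?"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); Intune will not accept it."
    }

    $folder = Split-Path -Path $Destination -Parent
    if (-not (Test-Path -Path $folder)) {
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
    }

    # -Type CERT writes the DER-encoded public certificate (a .cer); the private key stays in the store.
    Export-Certificate -Cert $cert -FilePath $Destination -Type CERT -Force | Out-Null

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Path       = $Destination
    }
}

# Fiddler started as the logged-on user (default location):
#   Export-IntuneDeviceCertificate
# Fiddler started as SYSTEM, path used in the OnBeforeRequest rule:
#   Export-IntuneDeviceCertificate -Destination 'C:\test\someCert.cer'
```

The function returns the thumbprint and expiry it exported, so you can tell at a glance whether Fiddler is about to be handed a stale certificate after a device re-enrolled.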

So it looks something like this:

4. Capturing MS-Store Apps

Using Fiddler to capture MDM traffic is great, but Fiddler can also be used to download Microsoft Store apps. In one of my last blogs, I showed you which options you have to deploy the NEW Quick Assist tool to your devices. One of those options used Fiddler to do so! Let me explain what you need to do.

Just as we did when capturing MDM traffic, we need to make sure we are exempting the Microsoft Store! If you want to reduce the amount of traffic, please ONLY exempt the Microsoft Store.

Open the Microsoft Store and click on the install button to start the download process

Go back to your Fiddler tool and watch it go. You will notice the URL http://tlu.dl.delivery.mp.microsoft.com. That’s the one you need!

Right-click on that line and make sure you click on Copy/Just Url

Now it's only a matter of copying and pasting this URL into your favorite browser. It will download the APPX file you wanted.
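Instead of pasting the URL into a browser, you can fetch it from PowerShell and check what you got before it ends up in a deployment share. This is an added example, not code from the original post; it only accepts the delivery host named above, verifies the file is a ZIP-based package (APPX/MSIX), records its SHA256 and reports the Authenticode signature status. The function name and the output file are my own choices.

```powershell
# Added example (not from the original post): download the package from the URL copied out of
# Fiddler and sanity-check it before deploying it anywhere.
function Save-StorePackage {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile
    )

    # Only accept the delivery host identified in the post, so a URL copied from the wrong
    # session does not silently become a "package" in your deployment share.
    if ($Url -notmatch '^https?://tlu\.dl\.delivery\.mp\.microsoft\.com/') {
        throw "Unexpected download host in '$Url'"
    }

    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    # APPX/MSIX files (and their bundles) are ZIP containers, so the file must start with 'PK'.
    $stream = [System.IO.File]::OpenRead($OutFile)
    try {
        $magic = New-Object byte[] 2
        $read  = $stream.Read($magic, 0, 2)
    } finally {
        $stream.Dispose()
    }
    if ($read -ne 2 -or $magic[0] -ne 0x50 -or $magic[1] -ne 0x4B) {
        Remove-Item -Path $OutFile -Force
        throw "'$OutFile' is not a ZIP-based package; the URL probably pointed at something else."
    }

    # Record the hash so the file you deploy later can be compared with what you captured,
    # and report the package signature (Store packages are signed by Microsoft).
    $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $OutFile

    [pscustomobject]@{
        Path            = $OutFile
        Bytes           = (Get-Item -Path $OutFile).Length
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Usage (replace the placeholder with the URL you copied from Fiddler):
#   Save-StorePackage -Url '<URL copied from Fiddler>' -OutFile "$env:TEMP\QuickAssist.appx"
```

Keep the returned SHA256 with the package: when the same file is later pushed through Intune or a software library, the hash is the quickest way to confirm nobody swapped it in between.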

Conclusion:

If you want to know how to change a Microsoft 365 setting with PowerShell, use Fiddler! Conditional access rules are just one of the many examples you could automate. You could even capture MDM traffic with Fiddler, isn’t that great!

Congratulations, you just automated the deployment of compliance settings, device configurations, and Azure settings with PowerShell.
