Hi there 👋

My name is Nicola and I am interested in endpoint management, security, identity and automation. On this blog I like to share ideas, solutions, experiences and learning on all things related to tech.

Migrating to the new Windows Store experience

The Microsoft Store for Business will be discontinued mid 2023 and Intune recently introduced the new Windows Store experience backed by winget to distribute apps to your Intune managed endpoints. To simplify the migration to the new Windows Store experience I created a PowerShell Script that migrates all currently assigned Windows Store for Business apps to the new Windows Store experience. Kudos to Sander Rozemuller for providing detailed instructions about creating winget apps as PowerShell code samples....

January 30, 2023 · 2 min · 340 words · Nicola Suter

GitHub Actions with Entra Workload Identity Federation

Workload Identity Federation (let’s just call this WIF) allows app principals not residing within Azure to request short-lived access tokens. This removes the need to store client secrets or certificates within GitHub as Action secrets. One drawback is that currently only the Azure modules support the usage of WIF. How it works WIF relies on trust. This trust is directly configured on the Azure AD app registration and scoped to an individual GitHub repository and optionally fine-grained by limiting the usage to single git refs, specifically branches and tags....

January 23, 2023 · 4 min · 653 words · Nicola Suter

Inside Windows package manager (winget)

Windows Package Manager (winget) provides exciting features to install and upgrade apps on Windows devices. But how does winget actually work and how are new packages integrated? Within this post I want to elaborate on some questions I had when having a closer look into winget. How does winget find sources? By default, winget has the following sources configured: msstore: Microsoft Store (public) winget: Winget Content Delivery Network (CDN) When searching for a particular package, e....

December 30, 2022 · 3 min · 588 words · Nicola Suter

Setting up a radius server for Azure AD joined devices and 802.1x

A common pitfall in environments where Windows Server is used for RADIUS authentication is that Microsoft Network Policy Server (NPS) does not currently support device-based authentication for Azure AD joined devices. NPS always checks for the existence of a corresponding computer object in AD. For my home setup and lab I wanted to build a RADIUS solution to enable 802.1x authentication on my Wi-Fi network. Disclaimer This post describes my setup and does not cover prerequisites like the certification authority, certificate revocation and client certificate deployment via SCEP....

September 25, 2022 · 7 min · 1286 words · Nicola Suter

Android dedicated devices managed home screen and system apps

Android Enterprise dedicated devices with the Microsoft Managed Home Screen app are a convenient way to provide end users with devices that have restricted functionality and a customized look and feel. Because the Managed Home Screen app acts as an overlay to the underlying Android OS, certain prompts and features are not enabled by default unless you allow-list them by deploying the corresponding Android system app and adding the app to the kiosk device restrictions....

September 20, 2022 · 2 min · 287 words · Nicola Suter

The easiest way to work with the Microsoft Graph PowerShell SDK

When you are new to RESTful APIs and want to start with Microsoft Graph to automate tasks in your Endpoint Manager tenant, all the stuff about app registrations, access tokens, pagination and request headers can be quite confusing. In this post I want to show you a quick tip to kickstart your Microsoft Graph API experience. Requirements Cloud admin account with the Intune Administrator role assigned Ability to install modules from the PowerShell Gallery JWT Just because you can’t see it… doesn’t mean it isn’t there: Due to the nature of OAuth 2....

September 9, 2022 · 2 min · 402 words · Nicola Suter

Intune app protection policy report

App protection (also called MAM) policies have been around for a couple of years within MEM and I have already used them in various projects to protect company data on unmanaged iOS and Android devices. One of the drawbacks of this approach is that we do not have full visibility into their usage, and I tried to shed some light on this with a PowerShell reporting script that pulls data from the Microsoft Graph API....

December 13, 2021 · 1 min · 207 words · Nicola Suter

Have you considered TPM key attestation?

Device and user-based certificates are commonly used for secure authentication to services like MECM in HTTPS mode, Always On VPN, 802.1x for (wireless) LAN and so on. Mostly these certificates are deployed from an internal PKI, and the certificate templates are somewhat outdated because everybody is afraid of touching these settings. As with any type of credential, credential theft also applies to certificates and their corresponding private keys. So let’s dive in and learn about the risk and how to reduce the attack surface....

August 28, 2021 · 4 min · 844 words · Nicola Suter

Automatically sign your PowerShell scripts with GitHub actions

Based on one of my older posts about PowerShell script signing with Azure DevOps, I recently implemented a PowerShell script signing workflow with GitHub Actions that I wanted to share with the community. Prerequisites For this post the following prerequisites are required: Code signing certificate in PFX format GitHub account Add variables to GitHub Actions Because GitHub variables can only hold string content, we need to get the contents of the PFX file as a base64-encoded string:...

July 9, 2021 · 2 min · 239 words · Nicola Suter

Securely sending emails from PowerShell scripts with modern authentication enforced

The Send-MailMessage cmdlet has been around for a couple of years and is commonly used to send email messages from PowerShell. But with the deprecation and security flaws of legacy authentication, it’s time for a better option that actually supports modern authentication. For this purpose we can use the Microsoft Graph API and the Microsoft Graph PowerShell SDK. The best thing is that this solution works without any service account and does not need any exclusions from Conditional Access....

March 19, 2021 · 3 min · 581 words · Nicola Suter