
The Story of Mapping Network Drives using Intune

Author: Ofir Gavish

Introduction

So recently we had the need to configure drive mapping to Azure storage accounts using Intune. All the attempts using remediation scripts failed, and we didn’t want to go down the “Scheduled tasks” route.

So I came up with a way to make it happen:

  1. Use a Platform script to add the credentials
  2. Use a custom ADMX and OMA-URI policy to map the drive

Let’s start!

Let’s start with the script:

If we take a look at the script the Azure portal provides for mapping storage account file shares, one of its commands saves the credentials (“username” and account key) to the user’s stored credentials on the endpoint. You can see them in the Windows Credential Manager under Windows Credentials.

Find the following lines in the script:

# Save the password so the drive will persist on reboot
cmd.exe /C "cmdkey /add:`"storageaccountname.file.core.windows.net`" /user:`"localhost\storageaccountname`" /pass:`"xxxxxxXXXXXXXXXXXXxxxxx+xxxxxxxxxxxxxxxxxxxxxxxXXXXXXXXXxxxxxxxxXXXXxxx==`""

Copy them to another script file, and also add this code:

# Only store the credential if the storage account is reachable over SMB (TCP 445)
$connectTestResult = Test-NetConnection -ComputerName storageaccountname.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"storageaccountname.file.core.windows.net`" /user:`"localhost\storageaccountname`" /pass:`"xxxxxxXXXXXXXXXXXXxxxxx+xxxxxxxxxxxxxxxxxxxxxxxXXXXXXXXXxxxxxxxxXXXXxxx==`""
} else {
    # Write-Output takes the text positionally; it has no -Message parameter
    Write-Output "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

Change the line with the command (cmd.exe) to the one copied from your script.

Now we need to deploy this script as a Platform script on Intune:

Head over to the Intune portal and go to Devices on the left-hand side -> Scripts and remediations -> Platform scripts, click on Add, and choose Windows 10 and later:

Intune Platform Scripts

Give it a name like “MSCloudNinja Storage Key credentials” and add a description if you like.

Click on Next

Select the script file you just saved, set “Run this script using the logged on credentials” to Yes, and the other options should be set to No, like in this screenshot:

Intune Platform Script Settings

Assign the script to the related group, click on Next and then Add.

Custom ADMX + OMA-URI Policy Time!

Great, now we can start working on the Configuration Policy with our custom ADMX to actually map the network drive:

Here’s a link to an XML that I use to enable mapping for the letters Q and Z. You can change it to your desired letters, and you can also add more letters.

You will use this in one of the settings of our Custom OMA-URI policy to make the computers ingest the ADMX and make the settings available to be configured.

Let’s do that now: in the Intune portal, go to Devices and click on Configuration. Under Policies, click on Create and choose New Policy.

Choose Windows 10 and later for the Platform, set Profile type to Templates, click on Custom and then Create:

Intune Custom Policy Profile

Give it a meaningful name and description and click Next

Click on the Add button and use the following:

  1. Name: DriveMapping.admx
  2. Description: ADMX template for Network Drive Mappings
  3. OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/DriveMapping/Policy/DriveMappingAdmx
  4. Data type: String
  5. Value: Copy and paste the XML we created earlier
  6. Click on Save

Great, now we can configure our mapped drives:

Click on the Add button again, and use this for Drive Q for example:

  1. Name: Drive Q
  2. Description: Maps Q Drive to a network share
  3. OMA-URI: ./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_Q
  4. Data type: String
  5. Value:

    <enabled/>
    <data id="Drive_Q_RemotePath" value="\\storageaccountname.file.core.windows.net\filesharename"/>

  6. Click on Save

You can continue adding more mappings the same way.

When done, click on Next and configure the assignments needed. Click on Next again, configure applicability rules if needed, and click Next. Go over the settings, make sure everything is correct, and click on Create.

That’s all there is to it. Now you can test using Autopilot or even on existing workstations.
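
A post-deployment check for the setup described above, added here as an example and not part of the original article: run in the user's session, it confirms that port 445 is reachable, that the cmdkey credential exists, and that each drive letter points at the expected share and can be read. The host and share names are the article's placeholders, the function names are hypothetical, and the cmdkey match assumes the entry format shown on English Windows builds.

```powershell
# Added verification example; run in the signed-in user's session, since both the
# stored credential and the drive mapping are per user. Values are the article's placeholders.
$StorageHost = 'storageaccountname.file.core.windows.net'
$Expected    = @{ 'Q:' = "\\$StorageHost\filesharename" }   # drive letter -> expected share

function Test-StoredCredential {
    param([Parameter(Mandatory)][string]$Target)
    # "cmdkey /list:<target>" lists matching entries and never prints the secret.
    # Assumption: entries appear as "...target=<name>", as on English Windows builds.
    $listing = & cmdkey.exe "/list:$Target" 2>&1 | Out-String
    return $listing -match ('target=' + [regex]::Escape($Target))
}

function Get-DriveMappingState {
    param([hashtable]$Map)
    foreach ($letter in $Map.Keys) {
        $smb = Get-SmbMapping -LocalPath $letter -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive         = $letter
            ExpectedPath  = $Map[$letter]
            MappedPath    = $smb.RemotePath
            Status        = $smb.Status
            PathMatches   = $smb.RemotePath -eq $Map[$letter]
            # Reading the share shows the stored credential works, not just that it exists.
            ShareReadable = Test-Path -LiteralPath $Map[$letter]
        }
    }
}

$port445 = (Test-NetConnection -ComputerName $StorageHost -Port 445 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
$credOk  = Test-StoredCredential -Target $StorageHost
$drives  = @(Get-DriveMappingState -Map $Expected)

[pscustomobject]@{ Port445Reachable = $port445; CredentialStored = $credOk } | Format-List
$drives | Format-Table -AutoSize

$failed = @($drives | Where-Object { -not ($_.PathMatches -and $_.ShareReadable) })
if (-not $port445 -or -not $credOk -or $failed.Count -gt 0) {
    Write-Warning 'Drive mapping verification failed; see the tables above.'
    exit 1
}
Write-Output 'Credential, policy mapping and share access all verified.'
```

If CredentialStored is True but ShareReadable is False, check whether the storage account key was rotated after the platform script ran, since the stored credential is not updated automatically.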