Mapping Network Drives on Intune Devices

Jake ShackelfordEndpoint Management, How-To, Intune, Powershell, Scripting27 Comments

This guide is part of a video series companion guide on setting up mapped drives on Intune devices – you can watch the video here S02E18 – How to Map Network Drives on Microsoft Intune Devices – (I.T) – YouTube! This is rather simple but I will be adding some useful bits of code for people who do not have an always on VPN solution for all those Work From Home scenarios.

Creating the script

Before we get started let me explain how this process works. We are going to create a script that we deploy via intune, which in turn will create a scheduled task to map the network drives at login. We will then be adding a few lines of code to also have it map on any network changes.

  1. Go to https://intunedrivemapping.azurewebsites.net/DriveMapping
  2. Follow the onscreen options to add/remove mapped drives as needed
  3. Select Download Powershell Script
  4. Edit the powershell script, near the bottom you will see the following line
    $trigger = New-ScheduledTaskTrigger -AtLogOn
  5. Remove everything below that point and add the following
$trigger = New-ScheduledTaskTrigger -AtLogOn

$class = cimclass MSFT_TaskEventTrigger root/Microsoft/Windows/TaskScheduler
$trigger2 = $class | New-CimInstance -ClientOnly
$trigger2.Enabled = $True
$trigger2.Subscription = '<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[Provider[@Name=''Microsoft-Windows-NetworkProfile''] and EventID=10002]]</Select></Query></QueryList>'

$trigger3 = $class | New-CimInstance -ClientOnly
$trigger3.Enabled = $True
$trigger3.Subscription = '<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[Provider[@Name=''Microsoft-Windows-NetworkProfile''] and EventID=4004]]</Select></Query></QueryList>'

#Execute task in users context
$principal= New-ScheduledTaskPrincipal -GroupId "S-1-5-32-545" -Id "Author"

#call the vbscript helper and pass the PosH script as argument
$action = New-ScheduledTaskAction -Execute $wscriptPath -Argument "`"$dummyScriptPath`" `"$scriptPath`""

$settings= New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

$null=Register-ScheduledTask -TaskName $schtaskName -Trigger $trigger,$trigger2,$trigger3 -Action $action  -Principal $principal -Settings $settings -Description $schtaskDescription -Force

Start-ScheduledTask -TaskName $schtaskName
stop-Transcript
}

Upload to Intune

  1. Navigate to https://endpoint.microsoft.com/
  2. Select Devices
  3. Select Scripts
  4. Select Add – Windows 10
  5. Give it a Name and select Next
  6. Select your script file and Next
  7. Assign to the desired user group and Next
  8. Select Add

Verify the Scheduled Task Exists

Once you have deployed the script to the selected group, you can sync Intune policies through Company Portal. Remember it can take up to 8 hours for this to appear. You should see a scheduled Task named IntuneDriveMapping and the triggers should look like the below.

27 Comments on “Mapping Network Drives on Intune Devices”

  1. Nice Post.. May I suggest checking out Microsof Endpoint Manager > Reports > Endpoint Analytics > Proactive Remediation for deployments. This way it takes two scripts one to see if a mapped drive exists then a remediation script to deploy the setting if it doesn’t. I have had a lot of success with this of other task like setting up a vpn that’s not compatible with the Device configuration template.

    1. Like I point out in the video there are TONS of ways to go about doing this. When I originally did this in my own environment Proactive Remediations weren’t available. I absolutely love them! However in a scenario like this I don’t think it works that well only because it would only run every x hours, days, weeks, or whatever you have it set to. However if it was say writing the paths to the registry that could be a viable option, but in that case seeing the red X when a user isn’t connected to the onprem network is a big no one for me.

  2. You say about not wanting remediations, and want it to remap on each logon, but I have found that when you map the drive once, it will stay mapped, but just not show when not on the network.
    Is there a reason why you would make it map on log on every time? why not assign to the user once and leave it up to windows

    1. The script checks to see if the drive is still mapped or if the network folder that the drive letter is mapped to matching what we want it to be. If the user changes the network location for the drive we’re mapping, it will remove and then remap the drive.

  3. Hi Jake,
    Great walktrough! By any chance, do you know where we can change so that it’s possible to use another domain prefix when mapping the drive? Been scratching my head but can’t figure it out. Tried this setting but it didn’t work for me. $searchRoot = “another domain”. The users have gone all AAD but needs mapping to on-prem domain but the script defaults to azuread\username

  4. Hi, great post and thanks for the video!
    I’m currently using this script, all seemed to be working great. But since a few weeks we’re having issues with autopilot. This scripts is still working fine for enrolled devices.. However after much troubleshooting I found out that this script is causing the issues we’re having with our Autopilot process for some reason.. Was wondering if you are using autopilot and if so, is that still working if this script is targeted to the user who is enrolling a new device with autopilot.

  5. Hi there! If I rename the DriveMapping.ps1 file, do I have to make changes to the code? Also, if I use DriveMapping.ps1 with script 1 and make some changes to it to map different drives and use that for script 2, will that affect script 1?

    1. @Rich – if you look for “$schtaskName” you’ll see that you’re able to change the name of the scheduled task and leave a description, search for $schtaskDescription, of your task. I would suggest changing this for each of the drives you want to map so they make more sense to you later on.

  6. Hi guys. I get a error saying Verify premissions and Authetication in powershell when i run the script on my AAD user. i given him SMB contributor role. is it something am missing?

  7. Hi there, sorry to bother you, but all seems ok when running the script. Task is being created and script tries to run, but fails with the message.

    WARNING: Exception calling “FindOne” with “0” argument(s): The server is not operational

    What can go wrong?

    Regards

  8. Hi guys
    Just have a really silly question…….

    If I have a personal shared network drive for eache user and this network drive works by connecting users via ID, For example ([email protected] and in active directory Test ID is (jh985), is there a way to do this kind of connection in the script?

    1. Hi,

      Try to add $Env:Username In this line: $driveMappingJson = ‘[{“Path”:”\\share.local\users\$Env:Username”

      This should work.

  9. Ok getting the following message and I think it’s because we don’t have the AD connector configured properly but what are my options and where do I run/set this?

    WARNING: You can override your AD Domain in the $overrideUserDnsDomain variable

  10. Is there a way we could have the script only disconnect the drive letter that we’re trying to connect instead of all other mapped drives?

    1. Are you able to select multiple security groups in a single drive mapping or would you have to create a path item for each group you want to include for the same mapped drive?

      If we’re able to have multiple security groups in one path line, can someone provide the syntax of how that would be done?
      Thanks in advance.

  11. I cannot get this to work for none admin users.

    The task is pushed from the script and created but it doesn’t run and when I run it manually it says the user doesn’t have permission.

    How can I make the scheduled task work for none local admin users ?

    1. Sorry for the super later reply but standard users can not force scheduled tasks to go off manually you have to have the network change occur for it to work.

  12. How can I get the scheduled task to run as a standard user ?

    The tasks creates but the users are not local admin and the task doesn’t run. I tried to run manually from task scheduler and it says the user doesn’t have permission.

  13. your missing Stop-Transcript at the end of the edited script…. Currently I am getting failed in Intune and cant figure out why.

  14. your missing Stop-Transcript at the on line 23. also script is failing for me, part of it makes it to the computer but no schedule task created.
    Intune also reports failed

  15. So I fixed the failure it was because of missing the stop-Transcript at the end.
    also I would recommend adding another event trigger, this one covers for OpenVPN network adapter.

    $trigger4 = $class | New-CimInstance -ClientOnly
    $trigger4.Enabled = $True
    $trigger4.Subscription = ‘*[System[Provider[@Name=”Microsoft-Windows-NetworkProfile”] and EventID=10000]]’

    and then update

    $null=Register-ScheduledTask -TaskName $schtaskName -Trigger $trigger,$trigger2,$trigger3,$trigger4 -Action $action -Principal $principal -Settings $settings -Description $schtaskDescription -Force

    to add tigger4 to it.

    Please delete my duplicate posts.

    1. Sorry for the late reply I went ahead and added the Stop-Transcript, it shouldn’t have been needed as it’s worked in the past, thank you!

  16. Are you able to select multiple security groups in a single drive mapping or would you have to create a path item for each group you want to include for the same mapped drive?

    If we’re able to have multiple security groups in one path line, can someone provide the syntax of how that would be done?
    Thanks in advance.

    1. Please disregard my previous comment.
      It looks like someone already created a solution for this on the Github page for this.

      #…pfilter can be like “group1,group2”
      #used to create an array for groups
      $driveMappingConfig = foreach ($d in $driveMappingConfig) {
      [PSCustomObject]@{
      Path = $($d.Path)
      DriveLetter = $($d.DriveLetter)
      Label = $($d.Label)
      Id = $($d.Id)
      GroupFilter = $($d.GroupFilter -split “,”)
      }
      }

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.