Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it's a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon.
Lets assume we have the following scenario:
- Customer with hybrid user-identities (Azure AD Connect)
- On premise ressources with legacy file shares
- Devices are Azure AD joined (not hybrid joined)
- MDM managed with Intune
- [Optional] Always on VPN for external on-premise resource access
- [Optional] Windows Hello for Business deployment as described here
With my colleague Alain Schneiter I designed the following solution:
- Main PowerShell script stored on Azure blob storage which handles the drive mapping - driveletters, UNC paths and descriptions can be configured within the script
- Client side script deployed with Intune which triggers the main script during logon. The main script is not stored locally which makes it easy to customize (no updates oder changes needed on client side)
- Deployment is user targeted via Azure AD group and Intune
Azure blob storage configuration
We wanted to store the script within Azure because the customer was already using Azure blob storage. It's also possible to store the PowerShell script on GitHub if you don't want to use Azure.
Create a new Azure storage account. Standard performance and locally-redundant sotrage (LRS) is sufficient for our requirements.
Create an Azure blob container to store the script. Set the public access level to anonymous.
Upload the PowerShell drive mapping script and copy its access url (we need the url later):
Specify the network drives you want to map as
[PSCUSTOMOBJECT] in the config section of the script and don't forget to change the
$dnsDomainName variable to your Active Directory domain name.
The script has the following structure:
- Create transcript in
%temp%directory for the logged in user
- Try to resolve the configured internal DNS name for your Active directory domain
- Maximal three retry attempts with 3 seconds pause in between each are made (intended if you use always on VPN with user tunnel)
- Map configured network drives as persistent PSDrives
In Intune we deploy the client side script which can be found also on my GitHub. The only thing we have to change here is the URL to your main script on the Azure blob storage.
The client side script consists of:
- Create a registry run entry for the currentuser (HKCU) hive to execute the main script from the azure blob storage on each user logon
- Invoke the main script initially (otherwise we would have to wait until the next user logon until the network drives become available)
After adjusting the script deploy it with Intune to an Azure AD group containing your users. Remember to run the script using the logged on credentials.
Executing the main script looks like this - just to show you a cool gif:
- We decided to use the HKCU registry because scheduled tasks cannot be deployed in the user context (local admin rights are required)
- Instead of Azure blob storage you can also make a webrequest to a GitHub "raw" script - e.g.:
Invoke-RestMethod "https://raw.githubusercontent.com/nicolonsky/Techblog/master/IntuneNetworkDrives/DriveMappingScript.ps1" | Invoke-Expression