Active-Directory

Automating network drive mapping configuration with Intune

I’m thrilled to introduce the intune-drive-mapping-generator, which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

- Generate an Intune PowerShell script to map network drives on Azure AD joined devices
- Seamlessly migrate existing network drive mapping group policies
- Generate a network drive mapping configuration from scratch
- Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Architecture

This tool is designed to work best with the following components, although it can be useful for other purposes(?):

- Azure AD Joined and Intune enrolled Windows 10 devices
- Synced user account from Active Directory to Azure Active Directory (Azure AD Connect)
- On-premises file servers

Howto

Export existing group policy

To convert your existing drive mapping group policy configuration, save the GPO as an XML report with the Group Policy Management Console.

Surface Hub Miracast Connection Error

Recently I had to troubleshoot a sticky Surface Hub Miracast Connection error for a customer. They were unable to connect to the Surface Hub from domain-joined devices, but a newly installed device from a blank Windows image was working as expected. I started troubleshooting the Surface Hub Miracast Connection Error and checked all the points mentioned in the official Troubleshoot Miracast on Surface Hub post from Microsoft.

Default Configuration

A Windows 10 1709 device has a default firewall rule to allow Miracast connections to wireless displays. But the connection attempt was still interrupted after a timeout.

Looking through Group Policy

After analyzing the Windows 10 Security Baseline Group Policy configuration, I came across the following settings:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security

In the settings for the public profile, under the “Customize” section, there’s a section called “Rule merging”.

As you can see, rule merging is turned off in the Windows 10 Security Baseline, which means **all locally configured firewall rules are being ignored for the public profile.** Because Miracast connections or connection attempts belong to the public profile of the Windows Firewall, the built-in local firewall rule is always ignored.

Windows 10 1709 Cannot Access SMB2 Share Guest Access

After upgrading to Windows 10 1709 (Fall Creators Update), I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:

> An error occurred while reconnecting X: to \\nas\data
> Microsoft Windows Network: You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Cause

Starting with Windows 10 1709, Windows prevents you from accessing network shares with guest access enabled. Guest access means connecting to network shares without authentication, using the built-in “guest” account. This is unrelated to the SMB1 protocol, which was disabled in the latest Windows 10 release.

Resolution

To enable guest access again, configure the following GPO:

Computer configuration > administrative templates > network > Lanman Workstation: "Enable insecure guest logons" = Enabled

Registry Key

The corresponding registry key is located under:

Manage Local Administrator Rights Using Group Policy

Imagine that your users or administrators have uncontrolled local administrator rights: it’s a nightmare. They have full control over their computers and could do a lot of harm. So managing local administrator rights is definitely a must.

Manage Local Administrator Rights

Active Directory Group Policies offer a great way to manage local groups on clients or servers. All the magic happens with “Restricted Groups”.

Adding a group or users to a local group

If you want to add a certain group to a built-in group, add the group to the restricted groups under the “This group is a member of” section. When the GPO is no longer applied, the restricted group is removed from the clients.

Overwrite local group members

When you want to take full control over a local group, you can choose the “Members of this group” option. Then all group members are replaced with the users or groups specified here, except the built-in local Administrator account.