I am working with a client on moving them to modern, managed, cloud-only Windows 11 devices using Microsoft Intune and Autopilot. Like most other clients I have worked with, they have on-prem resources they need access to; these resources are mainly file shares and printers on Windows servers joined to the on-prem Active Directory domain.
Hybrid identities and Cloud Kerberos Trust
User accounts are synchronized from the on-prem Active Directory to Entra ID using Entra Connect; these are known as hybrid identities in Entra ID. A hybrid identity user account lives both in the on-prem Active Directory and in Entra ID, hence it can be used for authentication both in the on-prem Active Directory domain and to cloud services that support Entra ID authentication.
As my client is also considering Windows Hello for Business, we have configured Cloud Kerberos Trust to provide single sign-on to on-prem resources when signing in with Windows Hello for Business.
Map network drives on cloud only Windows devices
To map traditional network drives on the cloud-only Windows 11 devices, we went with the custom ADMX-based solution from Rudy Ooms. My client is happy with this solution, as it works really well and is easy to relate to when coming from a traditional Windows management solution like Group Policy and Group Policy Preferences. However, it would be nice if Microsoft made a native solution within Intune to map network drives and printers, but I am not expecting this anytime soon.
Even though the solution from Rudy Ooms is a couple of years old, it still works very well and I use it whenever I can. Recently I became aware of an article by Maxime Guillemin. This article not only covers how to upload the custom ADMX to Intune and configure network drives; Maxime has also added some additional functionality, providing a script to enable custom names on the mapped network drives, which is very useful in helping the end user identify a network drive.
During the process of identifying which on-prem resources the users needed to access, we covered the aforementioned resources, but my client also had a Windows server with a file share that wasn’t domain joined, which means we had to use a local Windows user account to authenticate to the server. In this case the custom ADMX solution will not work, as it doesn’t support mapping network drives using a specific username and password.
The solution
I came up with a solution that maps a network drive based on a specific Entra group membership. I initially went with the New-PSDrive PowerShell cmdlet, as I have used that before to map network drives. However, I experienced issues where the network drive was not visible in File Explorer. Different references in my search mentioned using the -Persist and -Scope Global parameters with New-PSDrive, but I still experienced issues with the drive not being persistent.
Using the good old net use command seemed to produce better results.
So, I ended up creating my own network drive mapper script, based on net use and a JSON file that provides the network drive UNC path, username, password and persistence configuration, as I didn’t want to change the script for each mapped network drive.
You can find the script and JSON file on my Github – Microsoft-Intune/Scripts/Map Network Drive at master · kaspersmjohansen/Microsoft-Intune
Disclaimer! I know that it is not good practice to have the username and password in clear text in a script or a JSON configuration file, and I recommend that if you go with this solution you store the JSON configuration file in a secure location. Also, make sure that the local Windows account has only the least-privileged access needed to map the network drive.
Configuration and Win32 app
In the JSON file, configure the network drive letter, the UNC path, the username and password, and whether it’s a persistent network drive by providing either “yes” or “no”. Note that backslashes must be escaped as \\ inside a JSON string, so the UNC path \\servername\sharename is written as "\\\\servername\\sharename".

{
  "NetworkDriveInfo": {
    "NetworkDriveLetter": "Z:",
    "NetworkPath": "\\\\servername\\sharename",
    "Username": "username",
    "Password": "password",
    "Persistent": "Yes"
  }
}
Upon a successful network drive mapping, the script creates a .tag file in the folder configured as the log folder. By default, the log folder is in the user’s profile folder, and this tag file can be used as the detection method in Intune. If the network drive mapping fails for some reason, the .tag file is not created, so Intune does not report the app as installed. The log folder also contains the log files generated in the network drive mapping process.
Here is an example of how to configure the install and uninstall commands:
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle Hidden -Executionpolicy "Bypass" -File "NetworkDriveMapping.ps1" -NetworkDrive "Create"
In the install command, -NetworkDrive “Create” is provided to map the network drive.
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle Hidden -Executionpolicy "Bypass" -File "NetworkDriveMapping.ps1" -NetworkDrive "Remove"
In the uninstall command, -NetworkDrive “Remove” is provided to remove the network drive. This also removes the .tag file.
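To show the pieces described above in one place (reading the JSON, mapping with net use using the configured credentials and persistence, writing the .tag file only on success, and the Create/Remove switch), here is an added example script written for this article. It is not the script from the GitHub repository; the file name NetworkDriveMapping.json, the .log and .tag file names and the log folder under %LOCALAPPDATA% are assumptions.

```powershell
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Remove')][string]$NetworkDrive,
    # Hypothetical file names; the article's own script uses its own.
    [string]$ConfigPath = (Join-Path $PSScriptRoot 'NetworkDriveMapping.json'),
    # Log/tag folder under the user's profile, as the article describes (assumed location).
    [string]$LogFolder  = (Join-Path $env:LOCALAPPDATA 'NetworkDriveMapping')
)

New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
$LogFile = Join-Path $LogFolder 'NetworkDriveMapping.log'
$TagFile = Join-Path $LogFolder 'NetworkDriveMapping.tag'

function Write-Log ([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

# Read the drive definition from the JSON layout shown above.
$cfg     = (Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json).NetworkDriveInfo
$letter  = $cfg.NetworkDriveLetter                     # e.g. "Z:"
$persist = if ($cfg.Persistent -eq 'Yes') { 'yes' } else { 'no' }

switch ($NetworkDrive) {
    'Create' {
        # Clear a stale mapping on the same letter first, otherwise net use fails.
        if (Test-Path -LiteralPath "$letter\") { net use $letter /delete /y | Out-Null }
        # The password is passed as its own argument and deliberately kept out of the log.
        $output = net use $letter $cfg.NetworkPath $cfg.Password "/user:$($cfg.Username)" "/persistent:$persist" 2>&1
        Write-Log "net use $letter $($cfg.NetworkPath) /user:$($cfg.Username) /persistent:$persist -> exit code $LASTEXITCODE"
        if ($LASTEXITCODE -ne 0) {
            Write-Log ($output -join ' ')
            exit $LASTEXITCODE                          # no .tag file, so Intune detection fails
        }
        # Written only on success, so the Intune detection rule reflects the real drive state.
        Set-Content -Path $TagFile -Value (Get-Date -Format 'o')
    }
    'Remove' {
        $output = net use $letter /delete /y 2>&1
        Write-Log "net use $letter /delete -> exit code $LASTEXITCODE"
        # Remove the tag even if the drive was already gone, so the uninstall is detected.
        Remove-Item -Path $TagFile -Force -ErrorAction SilentlyContinue
    }
}
```

Deploy the Win32 app in the user context, since net use mappings belong to the signed-in user’s logon session and the .tag file is written to that user’s profile.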
Here is an example of the file-based detection method, which checks for the .tag file in the log folder:
This concludes the article. Feel free to reach out to me on X or on LinkedIn if you have any comments or questions.