{"id":1792,"date":"2024-11-26T11:14:10","date_gmt":"2024-11-26T09:14:10","guid":{"rendered":"https:\/\/kasperjohansen.net\/?p=1792"},"modified":"2024-11-26T11:14:10","modified_gmt":"2024-11-26T09:14:10","slug":"quick-post-map-network-drive-to-a-non-domain-resource","status":"publish","type":"post","link":"https:\/\/kasperjohansen.net\/index.php\/2024\/11\/26\/quick-post-map-network-drive-to-a-non-domain-resource\/","title":{"rendered":"Quick Post: Map network drive to a non-domain resource"},"content":{"rendered":"\n<p>I am working with a client on moving them to modern managed Windows 11 cloud only devices, using Microsoft Intune and Autopilot. Like most other clients I have worked with, they have on-prem resources they need access to, these resources are mainly file shares and printers on Windows servers joined to the on-prem Active Directory domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hybrid_identities_and_Cloud_Kerberos_Trust\"><\/span>Hybrid identities and Cloud Kerberos Trust<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>User accounts are synchronized from the on-prem Active Directory to Entra ID, also known as <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/whatis-hybrid-identity\">hybrid identities in Entra ID<\/a> using <a 
href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/connect\/whatis-azure-ad-connect\">Entra Connect<\/a>. A hybrid identity user account lives in both the on-prem Active Directory and in Entra ID, hence it can be used for authentication in both the on-prem Active Directory domain and to cloud services that support Entra ID authentication.<\/p>\n\n\n\n<p>As my client is also considering using Windows Hello for Business, we have configured <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/deploy\/hybrid-cloud-kerberos-trust?tabs=intune\">Cloud Kerberos Trust to facilitate single sign-on<\/a> to on-prem resources, when signing in using Windows Hello for Business.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Map_network_drives_on_cloud_only_Windows_devices\"><\/span>Map network drives on cloud only Windows devices<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To map traditional network drives on the cloud only Windows 11 devices, we went with the <a href=\"https:\/\/call4cloud.nl\/intune-drive-mappings-admx-drive-letters\/\">custom ADMX based solution from Rudy Ooms<\/a>. My client is happy with this solution, as it works really well and is easy to relate to when coming from a traditional Windows management solution like Group Policy and Group Policy Preferences. However, it would be nice if Microsoft made a native solution within Intune, to map network drives and printers, but I am not expecting this anytime soon.<\/p>\n\n\n\n<p>Even though the solution from Rudy Ooms is a couple of years old, it still works very well and I use it whenever I can. Recently I became aware of an <a href=\"https:\/\/cloudflow.be\/intune-magic-automate-network-drive-names\/#Introduction_to_Intune_Network_Drive_Automation\">article by a guy called Maxime Guillemin<\/a>. 
This article not only covers how to upload the custom ADMX to Intune and configure network drives, but Maxime has added some additional functionality, providing a script to enable custom names on the mapped network drives. This is very useful in helping the end user to identify a network drive.<\/p>\n\n\n\n<p>During the process of identifying which on-prem resources the users needed to access, we covered the aforementioned resources, but my client also had a Windows server with a file share that wasn&#8217;t domain joined, which means we had to use a local Windows user account to authenticate to the server. In this case the custom ADMX solution will not work, as it doesn&#8217;t support mapping network drives using a specific username and password.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_solution\"><\/span>The solution<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>I came up with a solution that would map a network drive based on a specific Entra group membership. I initially went with the <em>New-PSDrive<\/em> PowerShell command, as I have used that before to map network drives. However, I experienced issues where the network drive was not visible in File Explorer. Different references in my search mentioned using the <em>-Persist and -Scope Global<\/em> parameters with <em>New-PSDrive<\/em>, but I still experienced issues with the drive not being persistent.<\/p>\n\n\n\n<p>Using the good old <em>net use<\/em> command seemed to produce better results. 
<br>So, I ended up creating my own network drive mapper script, based on <em>net use<\/em> and a JSON file to provide the network drive UNC path, username, password and persistence configurations, as I didn&#8217;t want to change the script for each mapped network drive.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"413\" src=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Script-01-Description-1024x413.jpg\" alt=\"\" class=\"wp-image-1803\" srcset=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Script-01-Description-1024x413.jpg 1024w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Script-01-Description-300x121.jpg 300w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Script-01-Description-768x310.jpg 768w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Script-01-Description.jpg 1368w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You can find the script and JSON file on my GitHub &#8211; <a href=\"https:\/\/github.com\/kaspersmjohansen\/Microsoft-Intune\/tree\/master\/Scripts\/Map%20Network%20Drive\">Microsoft-Intune\/Scripts\/Map Network Drive at master \u00b7 kaspersmjohansen\/Microsoft-Intune<\/a><\/p>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Disclaimer!<\/mark><\/strong> I know that it is not good practice to have the username and password as clear text in a script or a JSON configuration file, and I recommend that, if you go with this solution, you store the JSON configuration file in a secure location. 
Also, make sure that the local Windows account has only the least privileged access needed to map the network drive.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Configuration_and_Win32_app\"><\/span>Configuration and Win32 app<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In the JSON file, configure the network drive letter, the UNC path, the username and password and whether it&#8217;s a persistent network drive by providing either &#8220;yes&#8221; or &#8220;no&#8221;.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">{\n    \"NetworkDriveInfo\":{\n                    \"NetworkDriveLetter\":  \"Z:\",\n                    \"NetworkPath\":  \"\\\\servername\\\\sharename\",\n                    \"Username\":\"username\",\n                    \"Password\": \"password\",\n                    \"Persistent\": \"Yes\"\n                }\n}<\/pre>\n\n\n\n<p>Upon a successful network drive map, the script will create a .tag file in the folder configured as the log folder. By default, the log folder is in the user&#8217;s profile folder. This tag file can be used as a detection method in Intune. If the network drive map for some reason fails, the .tag file is not created. 
The log folder also contains the log files generated in the network drive map process.<\/p>\n\n\n\n<p>Here is an example of how to configure the install and uninstall commands:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1009\" height=\"323\" src=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-01-InstallUninstall.jpg\" alt=\"\" class=\"wp-image-1800\" srcset=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-01-InstallUninstall.jpg 1009w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-01-InstallUninstall-300x96.jpg 300w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-01-InstallUninstall-768x246.jpg 768w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bat\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">%SystemRoot%\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe -NoLogo -WindowStyle Hidden -Executionpolicy \"Bypass\" -File \"NetworkDriveMapping.ps1\" -NetworkDrive \"Create\"<\/pre>\n\n\n\n<p>In the install command the -NetworkDrive &#8220;Create&#8221; is provided to map the network drive.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bat\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">%SystemRoot%\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe -NoLogo -WindowStyle Hidden -Executionpolicy \"Bypass\" -File \"NetworkDriveMapping.ps1\" -NetworkDrive \"Remove\"<\/pre>\n\n\n\n<p>In the uninstall command the -NetworkDrive &#8220;Remove&#8221; is provided to remove the network drive. 
This also removes the .tag file.<\/p>\n\n\n\n<p>Here is an example of the file-based detection method:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"231\" src=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-02-DetectionMethod-1024x231.jpg\" alt=\"\" class=\"wp-image-1801\" srcset=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-02-DetectionMethod-1024x231.jpg 1024w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-02-DetectionMethod-300x68.jpg 300w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-02-DetectionMethod-768x173.jpg 768w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-02-DetectionMethod-1536x346.jpg 1536w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2024\/11\/Intune-02-DetectionMethod.jpg 1690w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This concludes the article. Feel free to reach out to me on&nbsp;<a href=\"https:\/\/twitter.com\/KasperMJohansen\">X<\/a>&nbsp;or on&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/kaspermjohansen\/\">LinkedIn<\/a>&nbsp;if you have any comments or questions.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I am working with a client on moving them to modern managed Windows 11 cloud only devices, using Microsoft Intune and Autopilot. 
Like most other clients I have worked with, &#8230;<\/p>\n","protected":false},"author":2,"featured_media":1810,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,32],"tags":[],"class_list":["post-1792","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-intune","category-scripts"],"_links":{"self":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts\/1792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/comments?post=1792"}],"version-history":[{"count":11,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts\/1792\/revisions"}],"predecessor-version":[{"id":1806,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts\/1792\/revisions\/1806"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/media\/1810"}],"wp:attachment":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/media?parent=1792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/categories?post=1792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/tags?post=1792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}