Willy Wonka and the Drive Mapping Factory

A couple of months ago, I had a conversation with a company that wanted to start with Entra Hybrid Join. I needed to convince them to skip the HAADJ and just go full Entra, aka Cloud-Native. One important part of that conversation was the need for drive mappings until they could move the data to SharePoint.

At first, I showed you how to configure those Intune drive mappings in the Deliver Us from Hybrid blog. I decided to remove that part and dedicate a unique blog to it so that both of these blogs could get the attention they need.

Let’s look at what I needed to come up with to convince the customer to go Cloud Native and still use some network drives by using the Drive Letter ADMX!

1. Intune Drive Mapping ADMX

How will we mount or remove drive letters to our on-premises file servers when we have not yet migrated the data to SharePoint? Are we going to map some old-fashioned drive letters using PowerShell? I guess everyone has deployed Adminless and AppLocker, and of course, you made sure your AppLocker policy blocks PowerShell for regular users. What do we do now?

Assuming we all have the Azure AD Connect requirement in place to get SSO from our AADJ devices to our on-premises environment, let’s go forth!

In some older blogs, I showed you how to ingest some ADMX templates to configure additional settings, so why not do the same for the drive mappings?

The only thing you will need is the Drive mapping ADMX and ADML file, which you will find here:

To make sure we can configure some drive letters on our device, we have two options at our disposal:

  • Intune Import ADMX
  • CSP

1.1 Intune Import ADMX

With the latest update to Intune, we now have the possibility to upload our own ADMX to Intune.

As shown above, you need to click on Import ADMX and select the ADMX and the ADML file you got from the zip file.

https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom?id=5004252

If importing/uploading the ADMX is giving you a failure, as shown below, you will need to take an additional step.

When this upload error occurs, you will probably need to import Windows.admx first, as I mention here:

ADMX Upload Error: Missing Microsoft.Policies.Windows ADMX (call4cloud.nl)

1.2 CSP Option

Of course, when we don’t want to use the new wonderful feature to import the ADMX, we could also configure a good old CSP to make sure the ADMX is ingested:

OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/DriveMapping/Policy/DriveMappingAdmx
Data Type: String
Value:  content of the drivemapping.admx file

2. Adding the Drive Letters

Now that we have added the required ADMX with a CSP or the new “ADMX Import” functionality in Intune, we need to configure some more settings to make sure we can map a drive letter on the device itself. Just like with the ADMX, we have two options available:

  • Imported Administrative Templates
  • CSP

2.1 Imported Administrative Templates

After we have uploaded our ADMX and ADML files to Intune, we can create a new device configuration profile. To do so, we need to choose the “template” option on Windows 10 and later platforms.

When scrolling down the list of templates, we notice a new preview template has been added. As shown below, we need to select the “Imported Administrative Templates (Preview)” template.

After we select this new template, we can start configuring all the drive letters we would like to mount by selecting the proper drive letter and configuring the remote path!

2.2 CSP

When you want to add drive mappings with the CSP option, you could create a new CSP, as shown below.

OMA-URI: ./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_H
Data Type: String
Value:  <enabled/>
 <data id="Drive_H_RemotePath" value="\\fileserver\fileshare"/>

While waiting for the custom-made policy to apply, look at the registry to check if you can already find the ADMX policy inside the HKLM\Software\Microsoft\Policymanager\Admxinstalled registry key.

As shown above, the Intune drive mapping ADMX is installed without any problems, and within a few minutes, the drive mapping itself started showing up in the registry under HKLM\Software\Microsoft\Policymanager\Current\SIDId.

After logging off and logging on again, the drive mappings popped up and were ready for use.
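To turn the manual registry check above into something repeatable, here is an added example (my own, not a script from the original post) of a detection script you could run in the user context (for instance as a Proactive Remediation with “Run this script using the logged-on credentials”, so that HKCU is the user’s hive). It checks that the DriveMapping ADMX shows up under AdmxInstalled and that the expected drive letters are present under HKCU\Network. The expected drive table is a constructed sample, and the assumption that the ingested ADMX appears as a subkey named after the AppName part of the ADMXInstall OMA-URI is mine.

```powershell
# Added example, not from the original post.
# Detection script: exit 1 when the ADMX or an expected drive mapping is missing.

$ExpectedDrives = @{
    'H' = '\\fileserver\fileshare'   # constructed sample mapping
}
$AdmxInstalledKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled'

function Test-AdmxIngested {
    param([string]$Key = $AdmxInstalledKey, [string]$AppName = 'DriveMapping')
    # Assumption: the ingested ADMX appears as a subkey named after the AppName
    # segment of ./Device/.../ADMXInstall/<AppName>/..., nested below AdmxInstalled.
    if (-not (Test-Path $Key)) { return $false }
    $hits = @(Get-ChildItem -Path $Key -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSChildName -eq $AppName })
    return $hits.Count -gt 0
}

function Get-MappedDrivesFromRegistry {
    # HKCU\Network\<letter> holds the persistent mappings Explorer reconnects at logon.
    $result = @{}
    Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        $remote = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).RemotePath
        if ($remote) { $result[$_.PSChildName.ToUpper()] = $remote }
    }
    return $result
}

function Test-DriveMappings {
    param([hashtable]$Expected)
    # Returns the letters whose mapping is absent or points at the wrong share.
    $actual  = Get-MappedDrivesFromRegistry
    $missing = foreach ($letter in $Expected.Keys) {
        if ($actual[$letter] -ne $Expected[$letter]) { $letter }
    }
    return @($missing)
}

$problems = @()
if (-not (Test-AdmxIngested)) {
    $problems += 'DriveMapping ADMX not found under AdmxInstalled'
}
$missing = Test-DriveMappings -Expected $ExpectedDrives
if ($missing.Count -gt 0) {
    $problems += "Drive(s) not mapped as expected: $($missing -join ', ')"
}

if ($problems.Count -gt 0) {
    Write-Output ($problems -join '; ')
    exit 1
}
Write-Output 'ADMX ingested and all expected drive letters present'
exit 0
```

Because the script only reads the registry, it is safe to use as a pure detection script; the remediation side is simply the CSP or Administrative Template policy described in this section, so there is nothing for a remediation script to write.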

2.3 Removing the Drive Letters with a CSP

When you want to remove some of the drive letters, please make sure you change the “Enabled” value to “Disabled” instead of removing the setting or changing it to not configured.

OMA-URI: ./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_H
Data Type: String
Value:  <disabled/>
 <data id="Drive_H_RemotePath" value="\\fileserver\fileshare"/>

Why? I guess it’s all about the tattooing issue, which still exists:

https://call4cloud.nl/2021/03/the-device-with-the-dragon-tattoo

3. Solving the Red Cross and Disconnection Warnings

Okay, we have our drive mappings, but what about the disconnection warnings and the red crosses? Let’s fix it.

3.1 RestoreConnection

Please make sure you also add this CSP to make sure you don’t get any reconnection warning:

OMA-URI: ./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/ReconnectNetworkDrivesWarning
Data Type: String
Value: <disabled/>

Another possibility would be to deploy a PowerShell script to the devices with this content:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider -Name RestoreConnection -PropertyType DWord -Value 0 -Force

3.2 Solving the Red Cross/Disconnection issue

Sometimes, you could end up with this red cross error. It looks like you can’t open the drive letter.

To solve this stupid issue, you must make sure the ProviderFlags value of the network drive is set to 1. This “key” controls the recovery of network shares. When stored in the registry, your drive mappings will use Server Message Block (SMB) version 1. Again, there are two options to configure this setting.

If you have opened the ADMX file, you will notice I already have added these “ProviderFlags” for you! So you won’t have to.

Please Note: It’s enabled by default; if you want to disable it, please change the “Value” back to 0.

Again, another possibility would be to create a PowerShell script to change this registry key. You will need to make sure it’s targeted at HKCU:

REG ADD "HKCU\Network\P" /v "ProviderFlags" /t REG_DWORD /d "1" /f

(change the P to one of the drive letters you are experiencing the issue with)

4. Making the Drive Letter Names more Beautiful

Totally forgot to mention this part. Looking at the drive names… it doesn’t really look that nice, does it?

If you want to specify a nice name for it, we need to open the registry first and browse to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

You will notice that all of the drive letters you define in the Drive Mapping policy show up here.

I decided to export them first.

I opened the exported .reg file and added the _LabelFromReg value with a nice name to each mount point.

When you are blocking PowerShell, you can deploy this reg file to your device by using this trick; you could even create a Proactive Remediation to be sure the drive letters always have a nice description.

If you don’t block PowerShell, it’s a lot easier, of course. Just create a PowerShell script that is deployed in the user context:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##servername#sharename" /f /v "_LabelFromReg" /t REG_SZ /d "NewLabel"

You will need to change the server name and share name to the value you have seen in the registry key.
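The two per-drive registry tweaks from sections 3.2 and 4 (ProviderFlags under HKCU\Network\<letter> and _LabelFromReg under MountPoints2) are easy to get wrong by hand for every letter, so here is an added example (my own script, not one from the original post) that walks every persistent mapping the user has, derives the MountPoints2 key name from the RemotePath (backslashes become #, as in the ##servername#sharename key shown above) and applies both settings. It must run in the user context. The label table is a constructed sample.

```powershell
# Added example, not from the original post. Run in the user context (HKCU).

$Labels = @{
    '\\fileserver\fileshare' = 'Company Data'   # constructed sample label
}

function ConvertTo-MountPointKeyName {
    param([Parameter(Mandatory)][string]$RemotePath)
    # \\fileserver\fileshare -> ##fileserver#fileshare (MountPoints2 naming rule)
    return ($RemotePath -replace '\\', '#')
}

function Set-NetworkDriveProviderFlags {
    param([Parameter(Mandatory)][string]$DriveLetter, [int]$Value = 1)
    # The "red cross" fix: ProviderFlags = 1 on the persistent mapping key.
    $key = "HKCU:\Network\$DriveLetter"
    if (-not (Test-Path $key)) { return $false }
    New-ItemProperty -Path $key -Name 'ProviderFlags' -PropertyType DWord -Value $Value -Force | Out-Null
    return $true
}

function Set-NetworkDriveLabel {
    param([Parameter(Mandatory)][string]$RemotePath, [Parameter(Mandatory)][string]$Label)
    # Explorer reads _LabelFromReg from the MountPoints2 key that matches the UNC path.
    $keyName = ConvertTo-MountPointKeyName -RemotePath $RemotePath
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$keyName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '_LabelFromReg' -PropertyType String -Value $Label -Force | Out-Null
}

Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
    $letter = $_.PSChildName
    $remote = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).RemotePath
    if (Set-NetworkDriveProviderFlags -DriveLetter $letter) {
        Write-Output "ProviderFlags set to 1 for $letter ($remote)"
    }
    if ($remote -and $Labels.ContainsKey($remote)) {
        Set-NetworkDriveLabel -RemotePath $remote -Label $Labels[$remote]
        Write-Output "Label '$($Labels[$remote])' applied to $remote"
    }
}
```

Because it only touches HKCU, this script works as a user-context Proactive Remediation as well: keep the label table as the single source of truth and re-run it whenever a drive letter or share name changes.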

Result:

5. How to deal with those weird characters!

Of course, we all know that sometimes we could have some weird characters in our share name. Luckily, spaces are not one of them, but unfortunately, the & is. For example, “\\fileserver\engineering & research”. So, how do you deal with that? Luckily, we can also add those in the CSP, escaped the XML way:

& -> &amp;

So let’s take our example and change the CSP value so it is going to work:

\\fileserver\engineering &amp; research
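Rather than hand-editing the XML for every drive letter, here is an added example (my own, not from the original post) of a small helper that produces the OMA-URI and the value string for one drive mapping CSP, in the enabled or disabled form used in sections 2.2 and 2.3, and escapes the remote path for XML so that & (and also <, >, " and ') cannot break the `<data>` element. The element id pattern Drive_<Letter>_RemotePath and the OMA-URI come from this post; the sample paths are constructed.

```powershell
# Added example, not from the original post.

function New-DriveMappingCspSetting {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [Parameter(Mandatory)][string]$RemotePath,
        [switch]$Disabled   # emit <disabled/> to remove a drive (never "not configured")
    )
    $letter = $DriveLetter.ToUpper()
    # SecurityElement.Escape replaces & < > " ' with their XML entities,
    # so '\\fileserver\engineering & research' becomes '...engineering &amp; research'.
    $escaped = [System.Security.SecurityElement]::Escape($RemotePath)
    $state   = if ($Disabled) { '<disabled/>' } else { '<enabled/>' }

    [pscustomobject]@{
        OmaUri   = "./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_$letter"
        DataType = 'String'
        Value    = "$state`n <data id=`"Drive_${letter}_RemotePath`" value=`"$escaped`"/>"
    }
}

# Usage: the share name with the ampersand from this section (constructed sample)
New-DriveMappingCspSetting -DriveLetter 'H' -RemotePath '\\fileserver\engineering & research' | Format-List

# Usage: the "disabled" variant you deploy to remove a drive letter again
New-DriveMappingCspSetting -DriveLetter 'H' -RemotePath '\\fileserver\engineering & research' -Disabled | Format-List
```

For the first call the Value ends with `<data id="Drive_H_RemotePath" value="\\fileserver\engineering &amp; research"/>`, which is exactly the escaped form shown above; the helper simply makes sure you never forget the escaping for the other special characters either.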

6. Home Shares and the %username%

When you still need to map some drive letters to your on-premises file server for the time being, you may also need to map a drive letter for the user’s home folder.

I guess we all know the variable to make this happen when your home folders look like \\fileserver\homefolders\rudyooms. When running the login script/GPO in the user context, the variable to do so is %username%.

But unfortunately, this “could” be hard to do with the ADMX, unless you add something to each element.

To make sure you can use %username%, you will need to add expandable="true" to each element in the ADMX you ingested!

Please Note: You could end up in a situation in which the devices suddenly start showing the Home drive to be connected to a SYSTEM folder instead of the user folder!

Luckily, in the ADMX I showed you, I already changed the ProviderFlags to 1. When you run into this issue, please check out the ProviderFlags value in your ADMX.
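Adding expandable="true" by hand to every text element is tedious and easy to miss on one drive letter, so here is an added example (my own script, not part of the original post or of the ADMX it links to) that patches every `<text>` element inside `<policy>/<elements>` of an ADMX file. In ADMX, expandable="true" on a text element makes the value a REG_EXPAND_SZ, which is what lets %username% be expanded. The tiny ADMX in the script is a constructed, trimmed stand-in for the real file: only the element id Drive_H_RemotePath comes from this post, and the valueName is an assumption.

```powershell
# Added example, not from the original post. Marks all <text> elements expandable.

# Constructed minimal ADMX stand-in (not the real DriveMapping.admx).
$SampleAdmx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy class="User" name="Drive_H" displayName="$(string.Drive_H)"
            key="Software\Policies\DriveMapping\H" presentation="$(presentation.Drive_H)">
      <elements>
        <text id="Drive_H_RemotePath" valueName="RemotePath" required="true"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Set-AdmxTextElementsExpandable {
    param([Parameter(Mandatory)][xml]$Admx)
    # ADMX files live in the PolicyDefinitions namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Admx.NameTable)
    $ns.AddNamespace('pd', 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions')
    $changed = 0
    foreach ($el in $Admx.SelectNodes('//pd:policy/pd:elements/pd:text', $ns)) {
        if ($el.GetAttribute('expandable') -ne 'true') {
            $el.SetAttribute('expandable', 'true')   # value becomes REG_EXPAND_SZ
            $changed++
        }
    }
    return $changed
}

# To patch the real file, replace the sample with: [xml]$doc = Get-Content -Raw 'C:\Temp\DriveMapping.admx'  (assumed path)
[xml]$doc = $SampleAdmx
$count = Set-AdmxTextElementsExpandable -Admx $doc
Write-Output "Patched $count <text> element(s)"
$doc.Save("$env:TEMP\DriveMapping.patched.admx")   # upload this ADMX (plus the matching ADML) to Intune
```

After patching, re-upload the ADMX together with its ADML; the ADML does not need to change because expandable only affects how the value is written to the registry, not how it is presented.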

7. Sharepoint Drive Mapping

I did some tests to see if it would also work when you want to map a drive letter to a SharePoint site, but unfortunately, it doesn’t (yet?) map the drive letters with the web protocol, so I needed to change some stuff… Go read the blog:

https://call4cloud.nl/2021/05/drive-letters-the-demon-barber-of-sharepoint-street

8. Drive Mappings gone missing!

I guess I also need to add this part, as we have seen this happening from time to time. Let me tell you the issue first.

After migrating the data to SharePoint, we made sure we configured the existing values to be disabled. For 90% of all devices, this went totally okay, no problem whatsoever, but on 10% of the devices, all the drive letters were missing.

After inspecting everything, we noticed that these users had been made local admin by the local IT department before. That’s totally not okay! Somehow the drive mapping didn’t show up in the Explorer session of the user. It’s all because of UAC. Luckily, Microsoft has a good article about this issue:

Mapped drives are not available – Windows Client | Microsoft Docs

So, for now, we created the DWORD EnableLinkedConnections with a value of 1 in this registry key to fix it:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Type DWord -Value 1

Please Note: If this option arrives in Intune, I will update the blog.

Conclusion:

After talking to the wonderful Mark Thomas, it turned out he was the one who wrote the initial ADMX. So respect and hats off! He did an amazing job writing the initial ADMX in the first place.

In one of the blogs I am working on, I will explain how you could create the ADMX yourself… Creating a new ADMX for a simple HKCU registry setting will be just a matter of minutes.

When going full cloud, there is still a possibility you will need to make sure your users can access the old-school file servers. As I showed in the Deliver Us from Hybrid blog, you can do so with SSO. But why not provide your users a nice drive letter until you can move all the data to OneDrive/SharePoint?