Windows-10 on Nicola Suter

Automating network drive mapping configuration with Intune

Fri, 19 Jul 2019 07:32:46 +0000

I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

Generate an Intune PowerShell script to map network drives on Azure AD joined devices
Seamlessly migrate existing network drive mapping group policies
Generate a network drive mapping configuration from scratch
Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Architecture
#

This tool is designed to work best with the following components although it can be useful for other purposes(?) :

Azure AD Joined and Intune enrolled Windows 10 devices
Synced user account from Active Directory to Azure Active Directory (Azure AD Connect)
On-premises file servers

Howto
#

Export existing group policy
#

To convert your existing drive mapping group policy configuration, save the GPO as XML report with the group policy management console.

Intune configure lid close action

Sun, 19 May 2019 19:08:00 +0000

When using your notebooks and portable devices together with a docking station your users might like to close the lid. The Windows 10 1903 release introduces additional power CSP settings. One of them allows you to configure the lid close action while on ac power - so the device doesn’t switch to hibernate mode as by default.

Policy CSP configuration
#

To configure this policy with Microsoft Intune use the following OMA-URI configuration within a new custom device configuration:

Other possible values are:

0 - Take no action
1 - Sleep
2 - System hibernate sleep state
3 - System shutdown

End user experience
#

After the next MDM policy refresh the configured policy takes effect and is visible under the power options in control panel:

Introducing the OneDrive AutoMountTeamSites setting

Sun, 17 Mar 2019 16:03:09 +0000

Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices.

Updated on 12.07.2019: Included the Intune administrative template configuration

The setting is officially described as follow:

This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft)

If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft)

Prerequisites
#

In order to get things up an running we need at least:

OneDrive sync client version 19.012.0121.0011 or newer
Windows 10 Version 1709 or newer
OneDrive Files On-Demand enabled (described below)

Be aware that this feature is not supported with on-premises SharePoint sites and not recommended to enable this setting for more than 1'000 devices. The device limit is related to the Windows Push Notification Service which tells the OneDrive clients when a file change occurs on a server side. When you exceed that limit clients will find themselves in a polling mode. Hans Brender explains this behavior well on his blog.

Intune map network drives and execute PowerShell script on each user logon

Fri, 11 Jan 2019 20:51:36 +0000

Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon.

Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune.

Direct link to the final scripts

Lets assume we have the following scenario:

- Customer with hybrid user-identities (Azure AD Connect) - On premise ressources with legacy file shares - Devices are Azure AD joined ( **not** hybrid joined) - MDM managed with Intune - [Optional] Always on VPN for external on-premise resource access - [Optional] Windows Hello for Business deployment as described [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso)

Architecture
#

With my colleague Alain Schneiter I designed the following solution:

Main PowerShell script stored on Azure blob storage which handles the drive mapping - driveletters, UNC paths and descriptions can be configured within the script
Client side script deployed with Intune which triggers the main script during logon. The main script is not stored locally which makes it easy to customize (no updates oder changes needed on client side)
Deployment is user targeted via Azure AD group and Intune

Azure blob storage configuration
#

We wanted to store the script within Azure because the customer was already using Azure blob storage. It’s also possible to store the PowerShell script on GitHub if you don’t want to use Azure.

Deploy OneDrive KFM with Microsoft Intune OMA-URI

Thu, 06 Sep 2018 18:37:21 +0000

OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the users personal OneDrive. OneDrive Known Folder Move is the modern replacement for the well known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end users.

Updated on 04.08.2019: Added administrative template configuration

This post is based on a great article from Oliver Kieselbach about Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive. I used his blog to play around with the admx ingestion.

Prerequisites
#

To automatically deploy OneDrive Known Folder Move the following prerequisites must be met:

OneDrive sync client with build 18.111.0603.0004 or greater
Azure AD Joined or Hybrid Azure AD Joined Windows 10 Device Running Windows 10 1709 or later

Intune Configuration
#

Configure SilentAccountConfig
#

Option #1 - ADMX Templates
#

With SilentAccountConfig enabled OneDrive for Business gets automatically configured with the current user account who’s signing in to Windows.

Windows 10 1709 Cannot Access SMB2 Share Guest Access

Thu, 19 Oct 2017 17:51:57 +0000

After Upgrading to Windows 10 1709 (Fall Creators Update) I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:

An error occurred while reconnecting X: to \\nas\data Microsoft Windows Network: You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Cause
#

Starting with Windows 10 1709, Windows prevents you from accessing network shares with guest access enabled. Guest access means connecting to network shares without authentication, using the built-in “guest” account.

This has no reference to the SMB1 protocol which was disabled in the latest Windows 10 release.

Resolution
#

To enable guest access again, configure the following GPO:

Computer configuration > administrative templates > network > Lanman Workstation: "Enable insecure guest logons" = Enabled

Registry Key
#

The according registry key is located under:

Windows-10 on Nicola Suter

Automating network drive mapping configuration with Intune

Architecture #

Howto #

Export existing group policy #

Intune configure lid close action

Policy CSP configuration #

End user experience #

Introducing the OneDrive AutoMountTeamSites setting

Prerequisites #

Intune map network drives and execute PowerShell script on each user logon

Architecture #

Azure blob storage configuration #

Deploy OneDrive KFM with Microsoft Intune OMA-URI

Prerequisites #

Intune Configuration #

Configure SilentAccountConfig #

Option #1 - ADMX Templates #

Windows 10 1709 Cannot Access SMB2 Share Guest Access

Cause #

Resolution #

Registry Key #

Architecture
#

Howto
#

Export existing group policy
#

Policy CSP configuration
#

End user experience
#

Prerequisites
#

Architecture
#

Azure blob storage configuration
#

Prerequisites
#

Intune Configuration
#

Configure SilentAccountConfig
#

Option #1 - ADMX Templates
#

Cause
#

Resolution
#

Registry Key
#