Mapping legacy file shares for Azure AD joined devices

More and more of my customers are moving their devices from a traditional IT model to a Modern Desktop build joined directly to Azure AD, managing devices via Microsoft Intune rather than Group Policy or System Center Configuration Manager. The move to this modern approach of delivering IT services usually sits alongside moving the organisation’s unstructured file data to OneDrive and SharePoint Online, which is the logical place to store this data instead of leaving it sitting on a file server in an office or datacentre.

What if, however, you still have a large volume of data that remains on your on-premises file servers? Users will still require access to these shares, but there is no native way of connecting to file shares within the Intune console. This is the challenge I have had for a customer in recent weeks, and I have developed a couple of PowerShell scripts that map drives when a user logs in and support both dedicated and shared devices.

The Challenge

Looking back at a legacy IT approach, drive mappings were done either through Group Policy Preferences or through login scripts such as batch or KIX (KiXtart). Both processes follow a similar method:

  1. User signs into a device
  2. The GPP or login script runs, containing a list of mapped drives aligned to the security groups of users who should have access
  3. If the user signing into the device is in the relevant group, the drive letter is mapped to the shared location

This method has worked for years, and IT admins maintain one process or the other to give users access to corporate data. If we now look forward to the modern managed IT environment, there are a few issues when working with legacy file servers:

  • There is no native construct in Intune that maps UNC file paths for users
  • Whilst you can deploy a PowerShell script that runs the New-PSDrive cmdlet, the Intune Management Extension runs it once per device (it is re-run only if the script is changed and re-uploaded, or if the run fails); it does not execute at every sign-in.

You may think that the second point isn’t an issue: simply create a couple of scripts to map the network drives to the file shares, they will run once and the drives will remain mapped. But what if the devices are shared and multiple users need to sign into the same computer, or if you need to amend the drive mappings later? We needed a solution that maps drives at user sign-in and is easy to change as the organisation moves away from file servers.

The Solution

As with most things, I started by looking at what was on the Internet and quickly came across blogs from Nicola Suter and Jos Lieben, but neither really did what I needed for my customer (they have over 100 different network drives). I set about writing scripts that would deliver what the customer needed.

My requirements for the new drive mapping script were as follows:

  • Work natively with Azure AD joined devices
  • Support users on dedicated or shared workstations
  • Process the drive mappings sequentially, as a traditional GPP or login script would execute

Let’s start with the drive mapping script itself.

Drive mapping script

For the drive mapping script to work, it needs to run silently and also enumerate the groups the user is a member of. That sounds easy, but PowerShell and Azure AD don’t natively offer a way of matching these on an Azure AD joined device. I settled on the Microsoft Graph API memberOf call (“List memberOf”), which returns the groups a user is a direct member of so they can be loaded into a variable that drives the mapping. At the time of writing, the delegated permission this needs is Directory.Read.All, which has to be granted through an App Registration in Azure AD. Two caveats a practitioner should weigh here: Directory.Read.All lets the token read the whole directory, far more than group membership, so check the current Graph permissions reference for the narrowest permission the memberOf call accepts before granting it tenant-wide; and memberOf returns direct memberships only, so if your shares are granted through nested groups, query transitiveMemberOf instead. Step forward my next web helper, Lee Ford’s blog on using the Graph API with PowerShell.

Configure Azure AD

First sign into the Azure Portal, navigate to Azure AD, App registrations (Preview), and create a new App Registration. Give the app a name.

Create new App Registration

When it’s created you will be shown the new app details. Make sure that you note down the Directory (tenant) ID and the Application (client) ID, as you will need both in the script. Neither value is a secret; they only identify the tenant and the app, and no client secret is used in this approach.

App and Directory ID values will be used in the script

As well as these ID values, you also need a Redirect URI that is referenced in the script. Click Add a Redirect URI, choose the item shown in the screenshot below, then click Save.

Now that the app is registered, we need to add permissions to read data from the Graph API. Click on the API Permissions heading to grant the required Directory.Read.All delegated permission.

Add the Directory.Read.All permission to the App Registration

By default, each user making a connection to the API would be required to consent to the requested permissions. To make this seamless, we can use an administrative account to grant consent on behalf of all users in the organisation.

Grant Admin consent

That completes the setup of the Azure AD Application that will be used to access the Graph API; we can now focus on the PowerShell script that will map the drives.

The Drive Mapping Script

The drive mapping script is made up of several parts:

  • A configuration section where you set up the Application Registration values and the drive mappings that will be evaluated for each user
  • Connection to the Graph API
  • Enumeration of the user’s group membership
  • Iterating through all drive maps and mapping those whose group the user is a member of.

I will share the script in full further down this post, but have included the key snippets at each step.

First we define the variables for the app registration we created earlier.

Once these are in place we set up our array of drive mappings. In this section there are four attributes that can be defined:

  • includeSecurityGroup – the group of users who should have the drive mapped
  • excludeSecurityGroup – a group of users who shouldn’t have the drive mapped, even if they are in the include group (this is optional)
  • driveLetter – the letter the share will be mapped to
  • UNCPath – the file share that should be mapped to the drive letter.

The code in the script looks like this:

You can add as many lines to the $Drivemappings variable as you have groups that need mapping; just make sure that the final line doesn’t have a comma at the end.

Next we create the connection to the Graph API. I used the code from Lee’s blog mentioned earlier and it worked first time:

Now we use the token we generated to query the Graph API for the list of groups our user is a member of.

Finally we check whether the user can see the domain (there’s no point executing the rest of the script if they are out of the office) and, for each drive whose group the user is a member of, map it using the New-PSDrive cmdlet.
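The four parts described above, put together as an added example; this is not the post’s own script. It assumes the MSAL.PS module (Get-MsalToken) for the token instead of the ADAL code from Lee Ford’s blog, and the tenant ID, client ID, redirect URI, group names and UNC paths are placeholders. It also does two things the description does not mention: it follows Graph paging so users with more than one page of memberships are handled, and it tests SMB (TCP 445) reachability per file server rather than a single domain check.

```powershell
# Added example, not the original post's script. The MSAL.PS module is an assumption
# (the post used the ADAL snippet from Lee Ford's blog); all IDs, groups and paths are placeholders.
#Requires -Modules MSAL.PS

# --- Configuration: values from the App Registration created earlier (placeholders) ---
$TenantId    = '00000000-0000-0000-0000-000000000000'   # Directory (tenant) ID
$ClientId    = '11111111-1111-1111-1111-111111111111'   # Application (client) ID
$RedirectUri = 'http://localhost'                       # must match the redirect URI added to the app
$Scopes      = @('https://graph.microsoft.com/Directory.Read.All')

# --- Drive mappings: one entry per share; excludeSecurityGroup may be $null ---
$DriveMappings = @(
    @{ includeSecurityGroup = 'FS-Finance-Users'; excludeSecurityGroup = $null;              driveLetter = 'F'; UNCPath = '\\fs01.corp.example.com\Finance' },
    @{ includeSecurityGroup = 'FS-Sales-Users';   excludeSecurityGroup = 'FS-Sales-NoDrive'; driveLetter = 'S'; UNCPath = '\\fs01.corp.example.com\Sales' },
    @{ includeSecurityGroup = 'FS-AllStaff';      excludeSecurityGroup = $null;              driveLetter = 'P'; UNCPath = '\\fs02.corp.example.com\Public' }
)

# --- 1. Acquire a delegated token for the signed-in user (interactive prompt on first run) ---
$token   = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -RedirectUri $RedirectUri -Scopes $Scopes
$headers = @{ Authorization = "Bearer $($token.AccessToken)" }

# --- 2. Enumerate direct group membership, following @odata.nextLink so more than one page
#        of memberOf results is handled. Swap memberOf for transitiveMemberOf for nested groups. ---
function Get-UserGroupNames {
    param([hashtable]$Headers)
    $uri   = 'https://graph.microsoft.com/v1.0/me/memberOf?$select=id,displayName&$top=999'
    $names = New-Object System.Collections.Generic.List[string]
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        foreach ($obj in $page.value) {
            # memberOf also returns directory roles; keep only groups
            if ($obj.'@odata.type' -eq '#microsoft.graph.group') { $names.Add($obj.displayName) }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $names
}
$userGroups = Get-UserGroupNames -Headers $headers

# --- 3. Only map a share whose server answers on SMB; off the corporate network there is nothing to map ---
function Test-ShareReachable {
    param([string]$UNCPath)
    $server = ($UNCPath -split '\\')[2]    # '\\server\share' -> 'server'
    return (Test-NetConnection -ComputerName $server -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue)
}

# --- 4. Map each drive whose include group contains the user and whose exclude group does not ---
foreach ($map in $DriveMappings) {
    $included = $userGroups -contains $map.includeSecurityGroup
    $excluded = $map.excludeSecurityGroup -and ($userGroups -contains $map.excludeSecurityGroup)
    if (-not $included -or $excluded) { continue }

    if (-not (Test-ShareReachable -UNCPath $map.UNCPath)) {
        Write-Warning "$($map.UNCPath) not reachable on TCP 445, skipping $($map.driveLetter):"
        continue
    }

    # Replace a stale mapping on the same letter (e.g. an older path from a previous version of this list)
    $existing = Get-PSDrive -Name $map.driveLetter -ErrorAction SilentlyContinue
    if ($existing -and $existing.DisplayRoot -ne $map.UNCPath) {
        Remove-PSDrive -Name $map.driveLetter -Force -ErrorAction SilentlyContinue
        $existing = $null
    }
    if (-not $existing) {
        try {
            # -Persist makes the drive a real mapped drive visible in Explorer, not just a PowerShell drive
            New-PSDrive -Name $map.driveLetter -PSProvider FileSystem -Root $map.UNCPath -Persist -Scope Global -ErrorAction Stop | Out-Null
            Write-Output "Mapped $($map.driveLetter): to $($map.UNCPath)"
        } catch {
            Write-Warning "Failed to map $($map.driveLetter): to $($map.UNCPath): $($_.Exception.Message)"
        }
    }
}
```

The script runs in the user’s own session, so the token is the user’s delegated token and the SMB connection uses the user’s credentials; it never needs a client secret. The per-server port check is deliberately conservative: a laptop that resolves the domain over VPN but cannot reach a particular file server simply skips that letter instead of failing the whole run.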

That’s it: when executed, the script runs as the user and maps the drives. We now need to host this script somewhere that can be referenced from any device with an Internet connection.

Uploading the script to Azure

We will host the drive mapping script in Azure Blob Storage. Sign into the Azure Portal, click on Storage Accounts and create a new one with the following settings.

Once created we need to add a Container that will store the script,

and finally we upload the script to the container.

Once uploaded we need to get the URL for the script so we can use it in the Intune script later. Bear in mind what that URL now represents: every device will download and execute whatever is at it, as each user who signs in, so the blob is effectively a logon script delivery point. Use the https:// form of the URL, restrict who can write to the storage account and container (anyone who can overwrite the blob gets code execution on every endpoint at the next logon), and remember that if the container is anonymously readable, anyone with the URL can read your group names and server paths.

The Intune Script

Now that we have our drive mapping script uploaded to Azure Blob Storage, we need a way of calling it every time a user signs into the computer. This script will:

  • Be run from the Intune Management Extension as the SYSTEM account
  • Create a new Scheduled Task that executes a hidden PowerShell window at logon, which downloads and runs the drive mapping script as the signed-in user

The only variables we need to change in this script are the URL of the drive mapping script and the name of the scheduled task that is created. The whole script looks like:
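An added example of that Intune script, not the post’s own code, covering the behaviour described in “The end result” below: it registers a logon task for all users, and on later runs re-creates the task only if the command it would run has changed. The blob URL and task name are placeholders. It also adds one optional hardening step the post does not have, a SHA-256 pin on the downloaded script, so that a modified blob is refused rather than executed.

```powershell
# Added example, not the original post's Intune script. Runs as SYSTEM via the Intune Management Extension.
# $ScriptUrl and $TaskName are placeholders; $ExpectedSha256 is an optional addition, not from the post.
$ScriptUrl      = 'https://examplestorage.blob.core.windows.net/scripts/MapDrives.ps1'
$TaskName       = 'MapNetworkDrives'
$ExpectedSha256 = ''   # SHA-256 (hex) of the blob; leave empty to run whatever the blob currently holds

# Command the logon task runs in the user's context. The script is fetched at every logon,
# so an edit in the blob takes effect at the next sign-in without touching Intune.
# Braces are doubled because the here-string is passed through the -f format operator.
$runner = @'
$ProgressPreference = 'SilentlyContinue'
$code = (Invoke-WebRequest -Uri '{0}' -UseBasicParsing).Content
if ('{1}') {{
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($code))) -replace '-', ''
    if ($hash -ne '{1}') {{ throw "Downloaded script hash $hash does not match expected {1}" }}
}}
Invoke-Expression $code
'@ -f $ScriptUrl, $ExpectedSha256.ToUpper()

# -EncodedCommand avoids quoting problems in the task's argument string
$encoded  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($runner))
$taskArgs = "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand $encoded"

$existing = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($existing) {
    # Nothing to do if the registered action already matches this version of the script
    if ($existing.Actions[0].Arguments -eq $taskArgs) {
        Write-Output "Task '$TaskName' already up to date"
        exit 0
    }
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $taskArgs
$trigger   = New-ScheduledTaskTrigger -AtLogOn
# Run as whichever user signs in, with no elevation: the drives must be mapped in that user's session, not SYSTEM's
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null
Write-Output "Registered task '$TaskName' for $ScriptUrl"
```

The trade-off with the hash pin is deliberate: with it set, changing the drive mappings means updating the hash and re-deploying this Intune script, which is what makes the endpoint refuse a tampered blob; without it you keep the “just edit the blob” workflow described below, and the write permissions on the storage container become your only control.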

This now needs to be added to Intune so that it can be executed on the devices. Navigate to Intune, Device Configuration, PowerShell scripts and add a new script.

Once the file is uploaded, click on Configure to check how the script should be run. It must run in the system context rather than as the logged-on user, since registering a task for all users needs administrative rights.

Once complete click Save and the script will be uploaded.

Finally we need to assign the script to users or devices. In my example all my computers are deployed via Autopilot, so I assign the script to my Autopilot security groups, which contain all the computer accounts.

The end result

When the Intune script runs on the endpoint it checks whether the scheduled task exists and whether the command it would execute matches the previous configuration. If there is no task, it is created; if there are changes, the old task is deleted and a new task is created.

When a user signs in they will see a popup window as the auth token is generated, and then, if they are connected to the corporate network, their network drives will be mapped.

If you need to change the drives that a user has access to (either as you migrate to a more appropriate cloud service or because you change the servers that host the data), simply amend the script in the blob store and the new drives will be mapped at the next logon.

The Intune script can be re-used for any other code that you want to run at user logon: simply change the link to the script in the blob store and the name of the scheduled task you wish to use.

The scripts in full

Drive Mapping Script

Intune Scheduled Task Script




Install Vista without a CD key

Daniel Petri comes up with another great tip and insight into the way Microsoft’s software can be manipulated to do things you want to do. In this case how to trial different versions of Windows Vista. Once the activation deadline is reached you must put your legal key in for the version you installed to continue but… it does let you try the different versions first!


Windows Vista – give me back my computer

A couple of weeks ago I decided that I would like to try the Windows Vista RC1 release to see whether it is going to be worth my while reformatting my PC again to get it up to date with the latest Windows OS. I currently run Windows Server 2003 and find that it is much nicer, and more stable, than Windows XP and thought that it would be an interesting time to compare the old with the new to see what Microsoft has managed to develop this time.

It is evident that Microsoft seem to have once more lifted the basic UI from the latest OS X and then applied a paint brush to it. Just go to your My Documents and see how you navigate through it. There is also a new set of icons that are bigger and take up more of your desktop as a result. The Sidebar is another OS X rip-off – Apple introduced the widgets idea a couple of years ago and suddenly it has appeared in the latest version of Windows!
The Start Menu has been upgraded and now sports a built in find/run bar at the bottom making it even quicker to load a command prompt or notepad or…. It has however put a button that “looks like” the Shutdown button in the corner but is actually a standby/sleep button instead. In order to shut down your computer you need to click the arrow to the right and then click shut down from there. This is incredibly annoying!

Adding further to this annoyance is that the computer automatically protects your system from anything you try to change. “Windows has detected that you are trying to open the Device Manager. Are you sure?” Of course I’m sure – I just clicked on it!!!! This happens all over the system: wherever you see a little shield next to an option, Windows will ask you for permission to use it. Well, why not just disable it? I did, and for about 20 minutes I had a more relaxed time looking around the computer. Then I had to reboot. When Vista started back up again a nice red warning was sitting in my system tray. “You have turned off the features you just disabled. I’m going to tell you about it with this annoying balloon popup.” There seems to be no “I’ll monitor it myself” option as per the Windows XP SP2 Security Centre, and this became even more irritating.

The aforementioned reboot had been due to the installation of GriSoft’s free AVG – a really quite useful alternative to McAfee, Norton or Sophos. This however brought about my next grievance. The idea of automatically updating your anti-virus when you log on is a fairly standard practice. Vista is now so paranoid that when AVG is trying to update in the background it stops you from what you were doing to alert you to the fact that “A program is running in the background. Do you want to check what it’s doing?” NO, IT’S MY ANTI-VIRUS, LET IT RUN IN PEACE. I can see the use of this, however – it can help people to see when malicious programs that shouldn’t be there are running in the background – but I didn’t feel that I needed it running and I didn’t want to face a barrage of “Do you want to do….” as I searched for a way to turn it off.

One of the more positive things that I had noticed about Vista a while ago was that if you set up user accounts for children then you could stop them having access to system functionality (like Device Manager), and as an administrator you would need to enter your password to give them access. I didn’t get a chance to test if this was still a feature but I am fairly sure that it is, which means that this new OS will become a success with the home users who want to make sure that their precious little children aren’t looking at the latest erotic website or buying Viagra off the internet.

Vista doesn’t strike me, however, as an instantaneous replacement for Windows XP in the workplace. XP & Server 2003 work well together and I can see that for the larger corporations to shell out on site licences for Vista to install on all their workstations is a while off, because they will need to trial it on a small group first to check for teething problems. After which they will probably keep to the old WinXP because the process of upgrading an entire workplace would be more trouble than it’s worth.

After a week of using it I have decided that IE7 is no improvement on IE except for the addition of tabbed browsing, which isn’t as nice as Firefox anyway, so no need for that. WMP 11 is nasty and so completely different from WMP 10 that it’s hard to understand where half the options have gone to, so I won’t be using it anyway.

Windows Vista does make a lot of improvements over the WinXP interface, but at the end of the day I still like to be in control of my computer, and when I give it an instruction it shouldn’t question me about it. Amazon have been listing the different variants on their website for a couple of months now, and the Ultimate version which I was testing comes in at £325, which is an insane amount of money to spend for a very small upgrade.

If you really want that Vista look download a visual style that has been made to look the part and use that – it then gives you £325 to spend on something more useful!

M3100 arrives tomorrow

After a while of waiting I should hopefully be able to get my new mobile phone tomorrow.

The desire for a new, preferably a 3G, phone has been going since the end of April when my contract came up for renewal. Back then I was faced with the £130 for the N80, £50 for the V3i and £99 for the M600. [ Original post ] Since then I had been waiting for the appropriate phone to come into stock so that I could order it. On the 7th September my M600 arrived. During the 7 day “cooling off” period I found the M3100 was available and on the 15th September I sent it back.

When Orange received the M600 back the M3100 was out of stock and I was placed upon the waiting list for the new phone. At about 4pm this afternoon I received a call from Orange Customer Services to say that the phone was in stock and would be with me tomorrow. All I had to do was spend £50 to get it sent to me. So, as I write this the new phone is in the post and should be here between 9am and 5pm tomorrow.

When it arrives I will write more about it and compare it to the phone it is replacing. Needless to say I am incredibly happy.

Orange SPV M600 is here

My new phone has arrived and, as usual, I have ignored the “please ensure you charge your phone for at least 16 hours” advice that the people at Orange always give.

So far it has worked really well. I have put all my contacts into Outlook 2003 and they are synced with the phone. I had a slight problem when the phone tried to call +4401372****** (my home number) and found that this wasn’t dialling. After a quick edit of the phone book to remove those number-breaking 0s I now have a full set of contacts on my phone again.

I have also found out that the phone isn’t powerful enough to support Skype mobile, which is a shame as I had planned to let my phone double as a WiFi Skype phone when I’m at home. Instead I shall just have to make do with the normal dialling of numbers and talking over GSM rather than VoIP.

I could always try to get an M3100 instead, which has the 400MHz processor, and see if that is any better than the M600 – but that depends on whether or not Orange are willing to do it as an upgrade phone.

I have 7 working days to try this out now and see whether or not I want to keep it.

New phone tomorrow but why didn’t someone tell me about the other one…

Each year around the start of May I start to decide what the latest must-have mobile is. I currently have the Motorola V3 RAZR, which has served me very well until now. It has been able to take any abuse from me, from spilling things on it to accidentally throwing it across the floor. Its only recent flaw has been that the battery life has been reduced from around 5 days to 5 minutes. As soon as a call is made it starts to flash “Low Battery” and beep every few minutes to remind me that if I don’t plug it back in soon then it will have no battery, but it is happy to waste its precious resources telling me this. As a result it spends most of its time connected to the mains, and when I go out I hope that if anybody tries to call me it will be for about 10 seconds, otherwise they will be cut off.

My other activity at this time is to see if Orange can give me more minutes/texts than I previously had and, at the same time, reduce my monthly bill. I tend to find that this helps a huge amount when trying to get the latest phone for free! However, this year Orange refused to budge, and when I threatened to leave for another network they told me that they had already put me on their best plan last year when I was upgrading from my V600.

So, I’m not getting a better deal on my calls, but maybe they will give me a free phone anyway – after all, I have been with them for 7 years now. No. In order to get the same model phone (V3i), just with a slightly upgraded camera, I would have to pay them £50 for the privilege. Furthermore, if I wanted to have a more powerful phone such as the Nokia N80 this would set me back £120. It was then that I remembered the phone one of my friends had. The O2 MDA mini was a PDA smartphone running Windows Mobile 5 and would let you send emails as well as make calls, send text messages, take photos etc. The closest phone Orange had to the MDA was the SPV M600, which was the same size, looked the same and had similar features. The only noticeable difference was that the M600 didn’t have the QWERTY keyboard to aid in message writing. The M600 also would have set me back £100, so I decided to leave it until after my exams and then see what was happening when I got back from Durham.

Upon my return to Leatherhead I found that the M600 was no longer in stock. I phoned Orange every couple of days to see if it was available – no luck. They said they would contact me when one came into stock – I missed their call. Checking the Orange website I noticed it had come down in price and was now free – it was still “Out of stock”. By now it was too close to my holiday in Africa. I decided that there was no point ordering one in case it arrived whilst I was away. Instead I waited, and on my return the answers were the same – out of stock.
Now, after almost four months of waiting for the phone to be available a chance call to Orange this afternoon has revealed that it is IN STOCK and will be free. I have agreed to a 12 month extension of contract (I’m not about to throw away 500 mins and 120 txts/month) and I will be able to take receipt of the precious at some point tomorrow between 9am & 5:30pm.

I was overjoyed that this was now available to me, but upon finding a link to the phone for this blog I have discovered that Orange have now made a shinier precious that is the same size and dimensions as the M600 and features the QWERTY keyboard that I had wanted. The Orange SPV M3100 is the same as the MDA mini except they have put different coloured plastic on the front and back. If I hadn’t checked for the link in the full Pay Monthly section I would not have known about it. I now want this phone!

Thankfully I am allowed a 7 day cooling off period to decide whether or not I like the phone. If, after the week, I am dissatisfied with the phone I have decided to upgrade to I can arrange to have it sent back to Orange and trial a new one! I will try to see whether or not the M3100 is available as an upgrade. If not then I may try the old “Well I could leave and rejoin Orange” tactic to see what happens!

Either way I will eventually get a nice shiny smartphone to replace the battered old V3.

Intel Core 2 Duo & Windows XP Professional Corporate

Well, this works fine.

No problems with the install, no broken USB, no audio issues!

It seems that there is just no software available for Windows XP Professional x64 so I guess I will have to send this back to Overclockers and try to exchange it for a copy of 32-bit Windows XP Professional as this just seems like a much better option at the moment. I just hope that the PC will still be able to make full use of the available resources!

Intel Core 2 Duo & Windows XP Professional x64

What a waste of time that seemed to be.

Intel’s brand new motherboard doesn’t have RAID, XP Pro x64 doesn’t seem to have working USB support, and all is going down the pan for what was looking like being a very nice new computer for my neighbour.

The system is fully cased up and looking very nice but I am suffering from the problem of the 64-bit architecture of WinXP being completely incompatible with any of the other pieces of software most “normal” people would want to run on their computer.

Now I am by no means a fan of Symantec or their Norton products (give me Sophos all the way), but for a “normal” home user it is the best of the standard products available on the market. There is, however, no support for Norton Internet Security 2006 in 64-bit Windows. Having checked the Symantec website I found that “Symantec AntiVirus Corporate Edition 10.0 will support Windows XP Professional x64 Edition and Windows Server 2003 x64 Editions, available today”… But I don’t want “Corporate Edition”, so I did more digging and found an article entitled Compatibility of Symantec consumer products with Microsoft Windows operating systems, which stated that “Windows XP Professional x64 Edition or Windows 2003 Server – There are currently no consumer products that are compatible with Windows XP Professional x64 Edition or Windows 2003 Server.” Bring on GriSoft.

GriSoft is my second favourite AV engine (after Sophos, of course) as it has a free version that can be loaded onto most computers and provide decent anti-virus protection for no cost. However, after downloading and copying a number of files around the HDD I was told that only the paid version of GriSoft AVG supports x64. Time for the big guns.

Sophos would, at least, do the decent thing of installing, but I found myself unable to start up the InterCheck Monitor, which meant that I had no on-access scans available. Another worthless installation.

Next I tried to install the Intel chipset drivers off the supplied driver CD. This not only refused to install the audio drivers but also successfully managed to break the USB root hubs for all USB ports on the system. Which in turn meant that I thought the system was hanging on boot, as I was getting a NumLock light on the keyboard through the KVM but no mouse activity. I plugged the PS/2 keyboard and USB mouse from my brother’s PC into the new system and I had a working keyboard but still no mouse.

A quick trip to the Intel site to get their Chipset Identification Utility proved that Intel can’t recognise their own hardware (either that or XP x64 was preventing it from detecting properly), so I searched by motherboard part number and found the BIOS update, chipset drivers and other software. Flashing the BIOS has helped speed up boot time but not solved the faulty USB problem.

Checking Microsoft’s XP x64 FAQ’s there is no support for 32-bit drivers in the 64-bit OS as this would cause everything to fuck up.

As there was no RAID set up I was able to use the second hard drive to install 32-bit XP Pro onto, to see if this would be any better behaved… It’s installing now, so I will publish results soon.

Microsoft Windows XP activation

Having re-cased a computer for a neighbour I was shocked to find out that it wouldn’t simply re-activate (the only change to the hardware was the motherboard). In order to get through the activation process I had to:

  1. Phone Microsoft
  2. Key in the Activation Number given by the XP Activation Wizard
  3. Be told it was invalid
  4. Get transferred to a “Customer Services Representative”
  5. Read them the activation number
  6. Tell them it was an OEM key from a manufactured PC
  7. Change the product key (from something to the one on the old case)
  8. Generate a new activation key
  9. Read this back to the CSR
  10. Have them enter it incorrectly
  11. Re-read it to them
  12. Confirm they made a mistake
  13. Enter their half of the key
  14. Finish

Or so I thought! The new problem came when I tried to run Windows Update and I was told that somebody was trying to give me a counterfeit key and that I should look for a genuine key.

Only after a few reboots and ignoring their “you are illegal” messages did I successfully get it to run Windows Update and repatch itself.

Why can MS not just make a system that works first time!