How To Map a Shared Drive Using Microsoft Endpoint Manager Instead of GPOs

Welcome to another MEM how-to article. Among Microsoft Endpoint Manager’s many capabilities, I see this one as a big win for promoting its modern device management features.

This will simply supersede the local AD, OUs and GPMC that used to manage drive mappings to user sessions.

Update [03 Sep 2022]

Microsoft have recently announced the Import ADMX feature which is in preview at the time of this writing and I did an updated blog post on that. Please check below.

A reasonable assumption

If you are using network shares with AD and GPOs, and you are thinking about moving to MEM or are already in MEM, this means the Windows devices are already Hybrid Azure AD joined: you still need the local AD DS functionality and are not yet ready to move to the state where devices are treated as fully cloud-managed. This describes the majority of organizations on their journey to the cloud.

Please read my previous articles on how to bring the devices to Hybrid AAD joined state from here

Modern Device Management

There is no concept of OUs in the Azure AD and the modern management is mainly done via Azure AD Security Groups. Using the MEM’s MDM capabilities and Azure AD Security groups, you can easily manage this totally from the cloud.

1. Create the Azure AD Security Group

Create your Azure AD Security groups that have the user groups.

Dynamic Groups are best if you need to automate the drive mapping to the user according to the department they are in.

2. Ingest the ADMX to MEM

This is where you tell the MEM what to do so it will start mapping your network shares. As MEM is not capable of managing some of the on-premises resources out of the box, the specific rules have to be ingested into the MEM instance of your organization.

Credits to https://github.com/Weatherlights for uploading the admx file in a readable format

  • Unzip the file and open the admx file in Notepad
  • Copy all the content and keep it handy, as you need it in the next step
  • Go to https://endpoint.microsoft.com
  • Devices > Configuration Profiles > Create Profile
  • Platform: Windows 10 and later | Profile type: Templates > Select Custom > Create
  • Give it a meaningful name > Press Next
  • Let’s add the OMA-URI for the drive mapping, as this is a custom setting
  • Press Add and fill in the sections below
  • OMA-URI:

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/DriveMapping/Policy/DriveMappingAdmx

  • Data type: String
  • Value: Paste the copied ADMX content
  • Hit Save and press Next
  • Assign it to the Users or Devices Azure AD group which you created in Step 1

3. Create the Drive Mapping Policy

Now that the main policy has been setup, let’s create the individual drive mappings. This will be the same as above where you create a Configuration Profile > Selecting Templates and Custom > Give a meaningful name and start adding the OMA-URI rows to reflect the drives you require.

The OMA-URI row is as below. In this example D is my desired drive letter.

OMA-URI:

./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_D
Change the D in Drive_D according to the drive letter you require (it appears in the OMA-URI and in both data ids of the value).

Data type: String
Value:
<enabled/>
<data id="Drive_D_RemotePath" value="\\path_to_the_network_share"/>
<data id="Drive_D_RemotePath_IsDFS" value="False"/>

You can add more rows with the same config if you have more drives that need to be available to the same set of users.
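The value string above is easy to get wrong by hand (the attribute quotes and the drive letter have to match in three places). The following PowerShell is an added example, not code from the original post, that builds the OMA-URI and value for each drive in a list and round-trips the value through the XML parser so a malformed row is caught before it is pasted into the portal. The share paths are constructed sample values; the element and id names follow the format shown in step 3.

```powershell
# Added example: generate the per-drive OMA-URI rows for step 3.
# Sample mappings (constructed values, replace with your own shares).
$mappings = @(
    @{ Letter = 'D'; RemotePath = '\\fileserver01.corp.example\shares\finance'; IsDfs = $false },
    @{ Letter = 'E'; RemotePath = '\\corp.example\dfs\projects';               IsDfs = $true  }
)

function New-DriveMappingRow {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]$')][string]$Letter,
        [Parameter(Mandatory)][string]$RemotePath,
        [bool]$IsDfs = $false
    )
    # Escape the path so characters such as & or " cannot break the XML value
    $escapedPath = [System.Security.SecurityElement]::Escape($RemotePath)

    # Same structure as the value in step 3: <enabled/> followed by the two data elements
    $value = '<enabled/>' +
             "<data id=`"Drive_${Letter}_RemotePath`" value=`"$escapedPath`"/>" +
             "<data id=`"Drive_${Letter}_RemotePath_IsDFS`" value=`"$IsDfs`"/>"

    # Round-trip through the XML parser: a malformed value throws here instead of
    # silently failing to apply on the device later
    [void]([xml]"<root>$value</root>")

    [pscustomobject]@{
        OmaUri   = "./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_$Letter"
        DataType = 'String'
        Value    = $value
    }
}

# One row per drive; paste each OmaUri / Value pair into the custom profile
$mappings | ForEach-Object {
    New-DriveMappingRow -Letter $_.Letter -RemotePath $_.RemotePath -IsDfs $_.IsDfs
} | Format-List
```

The `[bool]` parameter renders as `True` or `False` when interpolated, which matches the `IsDFS` value used in the post; the `ValidatePattern` on the drive letter keeps a lowercase or multi-character letter from producing an id the ADMX does not define.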

4. Assign the policy to the AAD Security Group

Now we finally come to the Assignment part. This is where you add this drive mapping to the set of users. This can be done by simply adding the Azure AD groups created in step 1.

Once this is done and the policy has synced, the users will start seeing the mapped drives on their Hybrid AAD Joined Windows devices.
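To confirm on a device that both steps landed, the following PowerShell is an added example (not from the original post) that checks the ingested ADMX and the mapped drive from the user’s session. It assumes the documented location of ingested ADMX files under `HKLM\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled` and that the area name `DriveMapping` matches the OMA-URI used in step 2; the expected drive letter is a parameter.

```powershell
# Added example: verify the drive mapping policy on a Hybrid AAD joined device.
param([string]$ExpectedLetter = 'D')

function Test-DriveMappingAdmxIngested {
    # Ingested ADMX files are stored under this key, one GUID subkey per enrollment
    # (assumption: the area name 'DriveMapping' matches the step 2 OMA-URI)
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled'
    if (-not (Test-Path $root)) { return $false }
    $hits = Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq 'DriveMapping' }
    return [bool]$hits
}

function Get-MappedDriveStatus {
    param([string]$Letter)
    # Get-SmbMapping (SmbShare module) lists the UNC path and connection status
    # of each mapped drive in the current user session
    Get-SmbMapping -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPath -eq "${Letter}:" } |
        Select-Object LocalPath, RemotePath, Status
}

"ADMX ingested (step 2): $(Test-DriveMappingAdmxIngested)"

$drive = Get-MappedDriveStatus -Letter $ExpectedLetter
if ($drive) {
    $drive | Format-Table -AutoSize
} else {
    "Drive ${ExpectedLetter}: is not mapped in this session."
    "Check 'dsregcmd /status' for the Hybrid Azure AD join state, then trigger a sync from Settings > Accounts > Access work or school."
}
```

Run it in the signed-in user’s context (not an elevated admin session) because the mapping is a user-scope policy and `Get-SmbMapping` only reports drives in the current session.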

Final Words

OMA-URIs are the first step towards bringing many on-premises capabilities to the cloud. These settings also make modern management easy and let admins get creative.
Use a device filter if you need to make sure the drives won’t get mapped when the user logs in to a specific workstation. See my post on how to create MEM device filters. I hope this article was helpful and I will see you in the next one.

Feature image from: Network Vectors by Vecteezy

6 thoughts on “How To Map a Shared Drive Using Microsoft Endpoint Manager Instead of GPOs”

  1. Hello,
    How are you?
    Thanks for the material but I would like to take a question.
    I am applying the method in my testing environment and I check that it is not working. I believe it’s something related to AD Connect credential synchronization. Would there be any prerequisites for synchronization? None of my stations are able to map. Thank you

    1. Hi, thanks for your message. Actually AD sync is not a must in this case. If your computer is connected to the local domain, in this case Hybrid AAD Joined, the computer has access to both Azure AD and local AD. Check the downloaded version of the ADMX file; the latest is recommended.
      As long as the ADMX file is ingested as I’ve explained in the post, network access is available and the user has the permissions, this should work.
      Hope this helps.
