Welcome to another MEM how-to article. Among Microsoft Endpoint Manager’s many capabilities, I see this one as a big win for promoting its modern device management capabilities.
This simply supersedes the local AD, OUs and GPMC that used to manage drive mappings for user sessions.
Update [03 Sep 2022]
Microsoft have recently announced the Import ADMX feature, which is in preview at the time of this writing, and I did an updated blog post on that. Please check below.
A reasonable assumption
If you are using network shares with AD and GPOs, and you are thinking about moving to MEM or are already in MEM, your Windows devices are most likely already Hybrid Azure AD joined: you still need the local AD DS functionality and are not yet ready to move to a state where the devices are fully cloud managed. This is the majority of organizations, as they are on their journey to the cloud.
Please read my previous articles on how to bring devices to the Hybrid AAD joined state from here.
Modern Device Management
There is no concept of OUs in Azure AD; modern management is mainly done via Azure AD Security Groups. Using MEM’s MDM capabilities together with Azure AD Security groups, you can manage this entirely from the cloud.
1. Create the Azure AD Security Group
Create the Azure AD Security groups that contain the users who should receive the drive mappings.
Dynamic Groups are best if you want the drive mapping assigned automatically according to the department a user is in.
2. Ingest the ADMX to MEM
This is where you tell MEM what to do so it will start mapping your network shares. As MEM cannot manage some on-premises resources out of the box, the specific rules have to be ingested into your organization’s MEM instance.
- Download the mapping network shares ADMX from here – download ADMX file
Credits to https://github.com/Weatherlights for uploading the ADMX file in a readable format.
- Unzip the file and open the .admx file in Notepad

- Copy all the content and keep it handy as you need it in the next step
- Go to https://endpoint.microsoft.com
- Devices > Configuration Profiles > Create Profile >
- Platform: Windows 10 and later | Profile type: Templates > Select Custom > Create
- Give a meaningful name > Press Next

- Let’s add the OMA-URI for the drive mapping, as this is a custom setting

- Press Add and set the below sections
- OMA-URI:
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/DriveMapping/Policy/DriveMappingAdmx
- Data type: String
- Value: Paste the copied ADMX content
- Hit Save and press Next

- Assign it to the Users or Devices Azure AD group you created in Step 1
3. Create the Drive Mapping Policy
Now that the main policy has been set up, let’s create the individual drive mappings. This is the same as above: create a Configuration Profile > select Templates and Custom > give it a meaningful name, and start adding OMA-URI rows for the drives you require.

Add an OMA-URI row as below. D is my desired drive letter; change every occurrence of D in the OMA-URI and in the value to the drive letter you require.
OMA-URI:
./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_D
Data type: String
Value:
<enabled/>
<data id="Drive_D_RemotePath" value="\\path_to_the_network_share"/>
<data id="Drive_D_RemotePath_IsDFS" value="False"/>

You can add more rows with the same configuration if you have more drives that need to be available to the same set of users.
4. Assign the policy to the AAD Security Group
Now we finally come to the Assignment part. This is where you deliver the drive mapping to a set of users, simply by assigning the policy to the Azure AD groups created in Step 1.
Once that is done and the policy has synced, users will start seeing the mapped drives on their Hybrid AAD Joined Windows devices.
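To take the manual typing (and the quoting mistakes) out of Steps 3 and 4, here is an added PowerShell example that is not from the original post. It builds the OMA-URI row and XML value for each drive, validating the drive letter and UNC path and XML-escaping the share path, and it checks whether the ingested ADMX from Step 2 is present under the AdmxDefault registry key on a device. It assumes the Weatherlights ADMX naming used in this post (Drive_<L>, Drive_<L>_RemotePath, Drive_<L>_RemotePath_IsDFS); the sample shares are constructed.

```powershell
# Added example (not part of the original post). Assumes the policy and data ids
# of the Weatherlights DriveMapping ADMX referenced above.

function New-DriveMappingOmaRow {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [Parameter(Mandatory)][string]$RemotePath,
        [bool]$IsDfs = $false
    )
    # Only a single letter is a valid drive; reject anything else before it lands in a policy.
    if ($DriveLetter -notmatch '^[A-Za-z]$') { throw "Invalid drive letter: $DriveLetter" }
    # Only UNC paths (\\server\share...) make sense here; this also blocks stray local paths.
    if ($RemotePath -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a UNC path: $RemotePath" }
    $L = $DriveLetter.ToUpper()
    # Escape &, <, > and quotes so an unusual share name cannot break the XML value.
    $safePath = [System.Security.SecurityElement]::Escape($RemotePath)
    $dfs = if ($IsDfs) { 'True' } else { 'False' }
    [pscustomobject]@{
        OmaUri   = "./user/Vendor/MSFT/Policy/Config/DriveMapping~Policy~DriveMapping/Drive_$L"
        DataType = 'String'
        Value    = "<enabled/><data id=`"Drive_${L}_RemotePath`" value=`"$safePath`"/>" +
                   "<data id=`"Drive_${L}_RemotePath_IsDFS`" value=`"$dfs`"/>"
    }
}

function Test-DriveMappingAdmxIngested {
    # Intune stores ingested ADMX definitions under AdmxDefault\<enrollment GUID>;
    # a DriveMapping~Policy~DriveMapping subkey means Step 2 reached this device.
    $hits = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxDefault' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.PSPath 'DriveMapping~Policy~DriveMapping') }
    return [bool]$hits
}

# Constructed sample shares; replace with your own server and share names.
$shares = @(
    @{ DriveLetter = 'D'; RemotePath = '\\fileserver01\Finance' },
    @{ DriveLetter = 'S'; RemotePath = '\\corp\dfs\Shared'; IsDfs = $true }
)
$shares | ForEach-Object { $p = $_; New-DriveMappingOmaRow @p } | Format-List
"DriveMapping ADMX ingested on this device: $(Test-DriveMappingAdmxIngested)"
```

Paste each OmaUri/Value pair into a row of the custom profile from Step 3; run the check function on an enrolled device after a sync when the drives do not appear.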
Final Words
OMA-URIs are the first step towards bringing a lot of on-premises capabilities to the cloud. These settings also make modern management easy and let admins get creative.
Use a device filter if you need to make sure the drives won’t get mapped when the user logs in to a specific workstation; see my post on how to create MEM device filters. I hope this article was helpful, and I will see you in the next one.
Hello,
How are you?
Thanks for the material but I would like to take a question.
I am applying the method in my testing environment and I see that it is not working. I believe it’s something related to AD Connect credential synchronization. Would there be any prerequisites for synchronization? None of my stations are able to map. Thank you
Hi, thanks for your message. Actually AD sync is not a must in this case. If your computer is connected to the local domain, in this case Hybrid AAD Joined, the computer has access to both Azure AD and local AD. Check the downloaded version of the ADMX file; the latest is recommended.
As long as the ADMX file is ingested as I’ve explained in the post, network access is available and the user has the permissions, this should work.
Hope this helps.
Hi, would you please advise if this works for AAD joined only devices through Intune? The customer is currently syncing AD to AAD via Microsoft Server Essentials.
This will extend the on-premises GPO to the cloud. So ideally the device should be in HAADJ mode to access the shared drive, else the NTFS permissions will not work.
Wrong, AAD joined devices can access file server resources using Kerberos, but you need an AAD Connect server as a prereq: https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
Will this work for SMB Azure File Shares?
Hi Jason,
Azure file shares are also added to the computers via the standard method (\\sharename), so technically it should be possible to add the path of that too.
Thanks – for some reason the ADMX ingestion did not go well. I am using the older method and that now works, but I receive an error. Will post a comment on the other post!
Oops, I now realize this is the older blog post! My apologies. haha
I have created the first policy above. Intune gives a success message, but when I go to HKLM\Software\Microsoft\PolicyManager\AdmxDefault\{GUID}\DriveMapping~Policy~DriveMapping, the policy does not show up there.