Welcome to another MEM how-to article. Among Microsoft Endpoint Manager's many capabilities, I see this one as a big win for promoting its modern device management capabilities.
This simply supersedes the local AD, OUs and GPMC that used to manage drive mappings for user sessions.
Update [03 Sep 2022]
Microsoft has recently announced the Import ADMX feature, which is in preview at the time of this writing, and I did an updated blog post on that. Please check below.
A reasonable assumption
If you are using network shares with AD and GPOs, and you are thinking about moving to MEM or are already in MEM, the Windows devices are already Hybrid Azure AD joined, because you still need the local AD DS functionality and are not yet ready to move to the state where devices are treated as fully cloud-managed. This describes the majority of organizations, as they are on the journey to the cloud.
Please read my previous articles on how to bring devices to the Hybrid AAD joined state from here.
Modern Device Management
There is no concept of OUs in Azure AD; modern management is done mainly via Azure AD security groups. Using MEM's MDM capabilities together with Azure AD security groups, you can manage this entirely from the cloud.
1. Create the Azure AD Security Group
Create the Azure AD security groups that contain the users who need the drives.
Dynamic groups are best if you want the drive mapping to follow the user automatically according to the department they are in.
2. Ingest the ADMX to MEM
This is where you tell MEM what to do so it can start mapping your network shares. As MEM cannot manage some on-premises resources out of the box, the specific rules have to be ingested into your organization's MEM instance.
- Download the network-share mapping ADMX from here – download ADMX file
Credits to https://github.com/Weatherlights for uploading the ADMX file in a readable format
- Unzip the file and open the .admx file in Notepad
- Copy all the content and keep it handy, as you need it in the next step
- Go to https://endpoint.microsoft.com
- Devices > Configuration Profiles > Create Profile >
- Platform: Windows 10 and later | Profile type: Templates > Select Custom > Create
- Give a meaningful name > Press Next
- Let's add the OMA-URI for the drive mapping, as this is a custom setting
- Press Add and fill in the sections below
- Data type: String
- Value: Paste the copied ADMX content
- Hit Save and press Next
- Assign it to the Azure AD user or device group you created in step 1
3. Create the Drive Mapping Policy
Now that the main policy has been set up, let's create the individual drive mappings. This is the same as above: create a Configuration Profile > select Templates and Custom > give it a meaningful name, and start adding OMA-URI rows to reflect the drives you require.
The OMA-URI row is shown below. I have highlighted D as that is my desired drive letter.
Change the bold D to the drive letter you require.
Data type: String
<data id="Drive_D_RemotePath" value="\\path_to_the_network_share"/>
<data id="Drive_D_RemotePath_IsDFS" value="False"/>
You can add more rows with the same configuration if more drives need to be available to the same set of users.
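When several drives go to the same group, it is easy to mistype a drive letter, forget a quote, or paste a non-UNC path into one of the rows. The PowerShell below is an added example (not code from the original post or from the Weatherlights ADMX project) that builds the Value string for each drive-mapping row, rejects non-UNC paths, escapes the path for XML, and round-trips the result through the XML parser so a malformed row is caught before it reaches Intune. The drive letters and share paths are constructed placeholders, and the OMA-URI path itself is left as a placeholder because it comes from the ingested ADMX.

```powershell
# Added example (not from the original post): builds the "Value" string for each
# drive-mapping OMA-URI row so that every row pasted into the custom profile is
# consistent and well-formed XML. Drive letters and share paths below are
# constructed placeholders; the OMA-URI path comes from the ingested ADMX and is
# left as a placeholder here.

function New-DriveMappingRow {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [Parameter(Mandatory)][string]$RemotePath,
        [bool]$IsDfs = $false
    )

    # Only a UNC path (\\server\share[\folder]) makes sense for a network share;
    # reject anything else before it reaches the policy.
    if ($RemotePath -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "RemotePath '$RemotePath' is not a UNC path of the form \\server\share"
    }

    $letter  = $DriveLetter.ToUpper()
    # Escape the path for use inside an XML attribute value (handles & < > " ').
    $escaped = [System.Security.SecurityElement]::Escape($RemotePath)

    # The two <data> elements mirror the rows shown in the post: the remote path
    # and whether it is a DFS path (the ADMX expects True/False).
    $value = @(
        "<data id=`"Drive_${letter}_RemotePath`" value=`"$escaped`"/>"
        "<data id=`"Drive_${letter}_RemotePath_IsDFS`" value=`"$IsDfs`"/>"
    ) -join "`r`n"

    # Round-trip through the XML parser: a malformed row is rejected here rather
    # than silently failing on the device after the policy syncs.
    $null = [xml]"<root>$value</root>"

    [pscustomobject]@{
        DriveLetter = $letter
        OmaUri      = '<OMA-URI for the drive-mapping setting from the ingested ADMX>'  # placeholder
        DataType    = 'String'
        Value       = $value
    }
}

# Constructed sample input: one entry per drive the assigned group should receive.
$mappings = @(
    @{ DriveLetter = 'D'; RemotePath = '\\fileserver01\Finance';    IsDfs = $false }
    @{ DriveLetter = 'S'; RemotePath = '\\corp.example\dfs\Shared'; IsDfs = $true  }
)

foreach ($m in $mappings) {
    New-DriveMappingRow @m | Format-List
}
```

Each object's Value is what you paste into the Value field of one OMA-URI row (Data type: String); the IsDFS flag is emitted as the literal True or False that the ADMX expects.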
4. Assign the policy to the AAD Security Group
Now we finally come to the assignment part. This is where you deliver the drive mapping to the set of users, simply by adding the Azure AD groups created in step 1.
Once that is done and the policy has synced, it takes effect on the user's end: they will start seeing the mapped drives on their Hybrid AAD joined Windows devices.
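To confirm on a device that the sync actually delivered what was configured, rather than waiting for a user to report a missing drive, the PowerShell below is an added example (not from the original post) to run in the user's session after an Intune sync. It checks that ingested ADMX files are registered under the PolicyManager\AdmxInstalled registry key, which is where Windows records ADMX ingestion, and compares the network drives visible to the session against the mappings the policy should deliver. The expected drive letter and path are constructed placeholders.

```powershell
# Added example (not from the original post): run in the user's session on a
# Hybrid Azure AD joined device after an Intune sync to confirm that (1) the
# ingested ADMX is registered on the device and (2) the drives the policy should
# deliver are actually mapped. The expected drive letters and paths are
# constructed placeholders.

function Test-DriveMappingDeployment {
    param(
        # Drive letter -> expected UNC path, e.g. @{ 'D' = '\\fileserver01\Finance' }
        [Parameter(Mandatory)][hashtable]$Expected
    )

    # ADMX ingestion creates a subtree per application name under this key.
    $admxKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled'
    $admxApps = @()
    if (Test-Path $admxKey) {
        $admxApps = @(Get-ChildItem -Path $admxKey -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty PSChildName)
    }

    # Network drives visible to this session: FileSystem drives whose root is a UNC path.
    $mapped = @{}
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' } |
        ForEach-Object { $mapped[$_.Name.ToUpper()] = $_.DisplayRoot }

    # Compare what the policy should have delivered with what the user actually has.
    $problems = @()
    foreach ($letter in $Expected.Keys) {
        $key  = $letter.ToUpper()
        $want = $Expected[$letter].TrimEnd('\')
        if (-not $mapped.ContainsKey($key)) {
            $problems += "${key}: not mapped (expected $want)"
        } elseif ($mapped[$key].TrimEnd('\') -ne $want) {
            $problems += "${key}: mapped to $($mapped[$key]) instead of $want"
        }
    }

    [pscustomobject]@{
        AdmxIngested = ($admxApps.Count -gt 0)
        AdmxApps     = $admxApps
        MappedDrives = $mapped
        Problems     = $problems
        Ok           = ($admxApps.Count -gt 0) -and ($problems.Count -eq 0)
    }
}

# Constructed expectation matching the D: drive used in the post.
Test-DriveMappingDeployment -Expected @{ 'D' = '\\fileserver01\Finance' } | Format-List
```

An empty AdmxApps list means the ingestion profile from step 2 has not reached the device yet, so check that assignment first; a populated list with entries in Problems points at the individual row in the step 3 profile or at the group assignment from step 4.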
OMA-URIs are the first step towards bringing a lot of on-premises capabilities to the cloud. These settings also make modern management easy and let admins get creative.
Use a device filter if you need to make sure the drives won't get mapped when the user logs in to a specific workstation; see my post on how to create MEM device filters. I hope this article was helpful, and I will see you in the next one.