You need some imagination to solve a problem. Microsoft frequently creates problems. Thus, a lot of creativity is needed. Mapping Azure File Shares using Intune PowerShell demands a little imagination.
What seems to be the problem?
Goal: You need to map an Azure File Share as a network drive in Windows Explorer.
Easy as pie, right? You just use the script the Azure portal generates for the share: it stores the credentials with cmdkey and maps the drive persistently, so the drive comes back at every logon.
That works a charm! However, there is one small detail that prevents us from just deploying this PowerShell snippet as an Intune script. Somewhere in the documentation you can find the following remark…
To connect to this Azure file share from Windows, run these PowerShell commands from a normal (not elevated) PowerShell terminal:
Note that we don’t want administrator permissions!

Why is this an issue?
When you execute the PowerShell snippet as administrator, the network drive is not mapped for the current user. The reason is UAC: an administrator's elevated and non-elevated processes run with different tokens, each tied to its own logon session, and mapped drive letters belong to a logon session. A drive mapped from an elevated prompt therefore never shows up in the user's (non-elevated) Explorer. The easy solution is to run the snippet as a normal user; then the script works fine.
But Intune scripts work a bit differently. Here you have a choice to make as an admin: do we want to run this script using the logged-on credentials? This matters, because the documentation above tells us the snippet has to run unelevated, so the SYSTEM context is a no-go.
Create a script policy and assign it
Run this script using the logged on credentials: Select Yes to run the script with the user’s credentials on the device. Choose No (default) to run the script in the system context. Many administrators choose Yes. If the script is required to run in the system context, choose No.
Yes, we want to run this script using the logged on credentials.
A complication can be found a bit lower in the documentation.
When scripts are set to user context and the end-user has administrator rights, by default, the PowerShell script runs under the administrator privilege.
This is an issue…
Oh-oh… If the user has administrator rights, the PowerShell script runs with administrator privileges by default, while the Azure File Share snippet has to run with normal privileges.
Solution time
First things first: we need to know whether the script is running elevated for the user it targets. My PowerShell profile already has this built in. This little function returns $true if the current process holds the Administrators role (in other words, it is elevated) and $false otherwise. Note that an administrator running unelevated also gets $false, because UAC strips the Administrators group from the filtered token; that is exactly the distinction we need.
function Test-Administrator {
    # True only when the current token actually holds the Administrators role,
    # i.e. the process is elevated; an administrator running unelevated gets $false.
    $User = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $User).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
This gives us two cases. Let's do the easy one first.
We don’t have administrator rights –> $false
No issues here: we can just execute the script provided in the Azure portal.
We do have administrator rights –> $true
This is where creativity comes in handy! The script we are running is elevated, so we can do a lot of things. For example, we can create a scheduled task that runs the snippet as the logged-on user with limited (non-elevated) rights. Let's do exactly that!
These steps are taken:
- Create a new .ps1 file in an accessible location. In this case we use the user's APPDATA folder.
- Write the Azure snippet to the .ps1 file
- Determine the current user's username
- Create a scheduled task that runs the .ps1 file at logon of the current user, as that user and without elevation
- Start the scheduled task
$ScriptDirectory = Join-Path $env:APPDATA "Intune"
# Create the script directory if it does not exist yet.
if (!(Test-Path -Path $ScriptDirectory)) {
    New-Item -Path $env:APPDATA -Name "Intune" -ItemType "directory" | Out-Null
}
# Logfile
$ScriptLogFilePath = Join-Path $ScriptDirectory "ConnectAzureFileShare.log"

if (Test-Administrator) {
    # Running elevated: a drive mapped from here would not be visible in the user's
    # non-elevated Explorer session, so hand the Azure snippet to a scheduled task
    # that runs as the current user without elevation.
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": Running as administrator.")
    $ScriptFilePath = Join-Path $ScriptDirectory "ConnectAzureFileShare_K.ps1"
    # Single-quoted here-string: nothing inside is expanded, the snippet is written verbatim.
    $Script = @'
$connectTestResult = Test-NetConnection -ComputerName example.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
    # Mount the drive
    New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
'@
    $Script | Out-File -FilePath $ScriptFilePath
    # Intune runs scripts in the 32-bit host unless "Run script in 64-bit PowerShell Host" is
    # enabled, so $PSHOME may point to SysWOW64; the snippet works in either host.
    $PSexe = Join-Path $PSHOME "powershell.exe"
    # -File must be the last parameter: anything after it is passed to the script, not to powershell.exe.
    $Arguments = "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptFilePath`""
    # This script already runs as the logged-on user, so its own identity is the task principal.
    $CurrentUser = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $Action = New-ScheduledTaskAction -Execute $PSexe -Argument $Arguments
    # RunLevel Limited keeps the task unelevated even though this user is an administrator.
    $Principal = New-ScheduledTaskPrincipal -UserId $CurrentUser -LogonType Interactive -RunLevel Limited
    $Trigger = New-ScheduledTaskTrigger -AtLogOn -User $CurrentUser
    $Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal
    Register-ScheduledTask -TaskName ConnectAzureFileShare_K -InputObject $Task -Force
    Start-ScheduledTask -TaskName ConnectAzureFileShare_K
}
Map Azure File Share using Intune script
Of course, the script below is not functional, since the Azure File Share does not exist. So, add your own script to create a working solution 😉 Remember, you need to insert your Azure File Share snippet twice: once inside the here-string that becomes the scheduled task's .ps1 file, and once in the non-administrator branch. Keep in mind that the snippet carries the storage account key, which grants full access to the storage account: it ends up in plaintext in the .ps1 file under APPDATA, in the script Intune caches on the device, and in Credential Manager, and cmdkey receives it on the command line, where process-creation logging can capture it. Where possible, use identity-based authentication for Azure Files instead of the account key.
Also, some logging is added, and a check at the end records whether the mapping succeeded.
function Test-Administrator {
    # True only when the current token actually holds the Administrators role (elevated).
    $User = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $User).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}

$ScriptDirectory = Join-Path $env:APPDATA "Intune"
# Create the script directory if it does not exist yet.
if (!(Test-Path -Path $ScriptDirectory)) {
    New-Item -Path $env:APPDATA -Name "Intune" -ItemType "directory" | Out-Null
}
# Logfile
$ScriptLogFilePath = Join-Path $ScriptDirectory "ConnectAzureFileShare.log"

if (Test-Administrator) {
    # Running elevated: map the drive through a scheduled task that runs as the
    # current user without elevation, otherwise Explorer never sees the drive.
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": Running as administrator.")
    $ScriptFilePath = Join-Path $ScriptDirectory "ConnectAzureFileShare_K.ps1"
    # Single-quoted here-string: the Azure snippet is written verbatim.
    $Script = @'
$connectTestResult = Test-NetConnection -ComputerName example.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
    # Mount the drive
    New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
'@
    $Script | Out-File -FilePath $ScriptFilePath
    $PSexe = Join-Path $PSHOME "powershell.exe"
    # -File must be the last parameter: anything after it is passed to the script, not to powershell.exe.
    $Arguments = "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptFilePath`""
    # This script already runs as the logged-on user, so its own identity is the task principal.
    $CurrentUser = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $Action = New-ScheduledTaskAction -Execute $PSexe -Argument $Arguments
    # RunLevel Limited keeps the task unelevated even though this user is an administrator.
    $Principal = New-ScheduledTaskPrincipal -UserId $CurrentUser -LogonType Interactive -RunLevel Limited
    $Trigger = New-ScheduledTaskTrigger -AtLogOn -User $CurrentUser
    $Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal
    Register-ScheduledTask -TaskName ConnectAzureFileShare_K -InputObject $Task -Force
    Start-ScheduledTask -TaskName ConnectAzureFileShare_K
} else {
    # Not running as administrator: run the Azure snippet directly in this session.
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": Not running as administrator.")
    $connectTestResult = Test-NetConnection -ComputerName example.file.core.windows.net -Port 445
    if ($connectTestResult.TcpTestSucceeded) {
        # Save the password so the drive will persist on reboot
        cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
        # Mount the drive
        New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist -Scope "Global"
    } else {
        Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
    }
}

# Report the result to Intune through the exit code (non-zero is reported as a failed script).
if (Test-Administrator) {
    # The drive is mapped by the scheduled task in the user's non-elevated session and is
    # not visible from this elevated process, so check that the logon task exists instead.
    $Ok = [bool](Get-ScheduledTask -TaskName ConnectAzureFileShare_K -ErrorAction SilentlyContinue)
    $SuccessMessage = "Logon task registered; K-Drive is mapped in the user's session."
} else {
    $Ok = [bool](Get-PSDrive -Name K -ErrorAction SilentlyContinue)
    $SuccessMessage = "K-Drive mapped successfully."
}
if ($Ok) {
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + $SuccessMessage)
    exit 0
} else {
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": Please verify installation.")
    exit 1
}
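Because the elevated Intune run cannot see the drive the scheduled task maps, you still want a way to confirm (and, when needed, roll back) the mapping from the user's own session. The script below is an added example for that purpose, not code from the original post: it assumes the task name, drive letter, host and log location used in the page's placeholders, and reports through the exit code so it can double as the detection step of an Intune remediation running in user context.

```powershell
# Added example (not part of the original post): verify or roll back the Azure File Share
# mapping from the user's own, non-elevated session. The task name, drive letter, storage
# host and log path are the page's placeholders; adjust them to your share.
param(
    [string]$TaskName    = 'ConnectAzureFileShare_K',
    [string]$DriveLetter = 'K',
    [string]$StorageHost = 'example.file.core.windows.net',
    [switch]$Remove
)

$LogFile = Join-Path $env:APPDATA 'Intune\ConnectAzureFileShare.log'

function Write-Log([string]$Message) {
    # Same log file the deployment script writes to; create the folder if it is missing.
    $Folder = Split-Path -Path $LogFile -Parent
    if (!(Test-Path -Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }
    Add-Content -Path $LogFile -Value ((Get-Date).ToString() + ': ' + $Message)
}

function Get-MappingState {
    # Scheduled task: registered, and what its last run returned (0 means the snippet exited cleanly).
    $Task     = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $TaskInfo = if ($Task) { $Task | Get-ScheduledTaskInfo } else { $null }
    # SMB mapping as seen from this logon session, i.e. the one Explorer uses when unelevated.
    $Mapping  = Get-SmbMapping -LocalPath "$($DriveLetter):" -ErrorAction SilentlyContinue
    # Stored credential for the storage host; cmdkey /list prints targets only, never the secret.
    $HasCred  = [bool]((cmdkey /list) -match [regex]::Escape($StorageHost))
    [pscustomobject]@{
        TaskRegistered  = [bool]$Task
        TaskLastResult  = if ($TaskInfo) { $TaskInfo.LastTaskResult } else { $null }
        DriveMapped     = [bool]$Mapping
        RemotePath      = if ($Mapping) { $Mapping.RemotePath } else { $null }
        CredentialSaved = $HasCred
    }
}

function Remove-Mapping {
    # Undo everything the deployment script left behind: drive, logon task, credential, .ps1 file.
    if (Get-SmbMapping -LocalPath "$($DriveLetter):" -ErrorAction SilentlyContinue) {
        Remove-SmbMapping -LocalPath "$($DriveLetter):" -Force -UpdateProfile
    }
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
    cmd.exe /C "cmdkey /delete:`"$StorageHost`"" | Out-Null
    Remove-Item -Path (Join-Path $env:APPDATA "Intune\$TaskName.ps1") -ErrorAction SilentlyContinue
}

if ($Remove) {
    Remove-Mapping
    Write-Log "Mapping for drive $DriveLetter removed."
    exit 0
}

$State = Get-MappingState
$State | Format-List
if ($State.DriveMapped -and $State.RemotePath -like "\\$StorageHost\*") {
    Write-Log "$DriveLetter-drive mapped to $($State.RemotePath)."
    exit 0
}
Write-Log "$DriveLetter-drive not mapped (task registered: $($State.TaskRegistered), last result: $($State.TaskLastResult), credential saved: $($State.CredentialSaved))."
exit 1
```

Run it from a normal (not elevated) PowerShell prompt, or deploy it in user context; from an elevated prompt it will report the drive as missing for the very reason the post describes. Run it with -Remove to take the mapping, the logon task and the stored credential off a device again.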