How do I map an Azure Files drive with a SAS key using Intune?

Question

How do I map an Azure Files drive with a SAS key using Intune?

Lee Hubble 15

Hi all

I am trying to map an Azure files drive using a SAS key being pushed out by Intune. I have taken the script that is given from the Connect page in the storage account and put it into both Scripts in Intune and created an .intunewin file but neither work. The script is the following and checks if the reg key HKEY CURRENT USER\Network\Y exists:

$connectTestResult = Test-NetConnection -ComputerName drivemappingtest.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"<location>.file.core.windows.net`" /user:`"<username>`" /pass:`"<password>`""
    # Mount the drive
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<location>.file.core.windows.net\test" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

Sometimes it appears briefly as a disconnected drive and then disappears upon a reboot. I also found another script that adds another line at the top but this also doesn't seem to work.

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Imcompatibilitylevel' -Value "3" -PropertyType DWORD -Force
cmd.exe /C "cmdkey /add:`"<location>.file.core.windows.net`" /user:`"<username>`" /pass:`"<password>`""
New-PSDrive -Name Y -PSProvider FileSystem -Root "\\<location>.file.core.windows.net\test" -Persist

Any help on this would be greatly appreciated.

Raviraj Nallasivam 170

Just a confirmation, are you passing the appropriate username and password to below script? Username will be storage account name and password will be storage account key.

$connectTestResult = Test-NetConnection -ComputerName drivemappingtest.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"<location>.file.core.windows.net`" /user:`"<username>`" /pass:`"<password>`""
    # Mount the drive
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<location>.file.core.windows.net\test" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

Lee Hubble 15 Reputation points

2023-04-04T08:39:10.9266667+00:00

Yes I am but I put placeholders in otherwise anyone would be able to connect to the storage account.
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator

2023-04-13T04:32:02.93+00:00

@Lee Hubble Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. I am checking on this thread!

2 answers

Your answer

Raviraj Nallasivam 170 Reputation points

2023-04-03T18:12:18.99+00:00

Just a confirmation, are you passing the appropriate username and password to below script? Username will be storage account name and password will be storage account key.

$connectTestResult = Test-NetConnection -ComputerName drivemappingtest.file.core.windows.net -Port 445 if ($connectTestResult.TcpTestSucceeded) { # Save the password so the drive will persist on reboot cmd.exe /C "cmdkey /add:`"<location>.file.core.windows.net`" /user:`"<username>`" /pass:`"<password>`"" # Mount the drive New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<location>.file.core.windows.net\test" -Persist } else { Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port." }
Lee Hubble 15 Reputation points

2023-04-04T08:39:10.9266667+00:00

Yes I am but I put placeholders in otherwise anyone would be able to connect to the storage account.
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator

2023-04-13T04:32:02.93+00:00

@Lee Hubble Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. I am checking on this thread!

Answer 1

Using the following article I have found the solution to the problem. If a user has administrator rights, by, default the PowerShell script runs under the administrator privilege and, the Azure File Share PowerShell script demands execution under normal privileges. The script below checks if the logged in user is an adminstrator. If they are not, then the script runs as normal. If they are a scheduled task

https://yvez.be/2020/11/04/map-azure-file-share-using-intune-powershell-script/

function Test-Administrator {
    $User = [Security.Principal.WindowsIdentity]::GetCurrent();
    (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}

$ScriptDirectory = $env:APPDATA + "\Intune"
# Check if directory already exists.
if (!(Get-Item -Path $ScriptDirectory)) {
    New-Item -Path $env:APPDATA -Name "Intune" -ItemType "directory"
}

# Logfile
$ScriptLogFilePath = $ScriptDirectory + "\ConnectAzureFileShare.log"


if (Test-Administrator) {
    # If running as administrator, create scheduled task as current user.
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "Running as administrator.")

    $ScriptFilePath = $ScriptDirectory + "\ConnectAzureFileShare_K.ps1"

    $Script = '$connectTestResult = Test-NetConnection -ComputerName temporaryfile.file.core.windows.net -Port 445
    if ($connectTestResult.TcpTestSucceeded) {
        # Save the password so the drive will persist on reboot
        cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
        # Mount the drive
        New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist
    } else {
        Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
    }'

    $Script | Out-File -FilePath $ScriptFilePath

    $PSexe = Join-Path $PSHOME "powershell.exe"
    $Arguments = "-file $($ScriptFilePath) -WindowStyle Hidden -ExecutionPolicy Bypass"
    $CurrentUser = (Get-CimInstance –ClassName Win32_ComputerSystem | Select-Object -expand UserName)
    $Action = New-ScheduledTaskAction -Execute $PSexe -Argument $Arguments
    $Principal = New-ScheduledTaskPrincipal -UserId (Get-CimInstance –ClassName Win32_ComputerSystem | Select-Object -expand UserName)
    $Trigger = New-ScheduledTaskTrigger -AtLogOn -User $CurrentUser
    $Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal

    Register-ScheduledTask ConnectAzureFileShare_K -Input $Task
    Start-ScheduledTask ConnectAzureFileShare_K
}

Else {
    # Not running as administrator. Connecting directly with Azure script.
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "Not running as administrator.")

    $connectTestResult = Test-NetConnection -ComputerName temporaryfile.file.core.windows.net -Port 445
    if ($connectTestResult.TcpTestSucceeded) {
        # Save the password so the drive will persist on reboot
        cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
        # Mount the drive
        New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist -Scope "Global"
    } else {
        Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
    }
}

If (Get-PSDrive -Name K) {
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "K-Drive mapped successfully.")
}

Else {
    Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "Please verify installation.")
}

David Hooks 16 Reputation points

2023-11-01T16:39:12.96+00:00

Just a note to say thanks for this code and pointer. Used it as the basis for our solution and it was extremely helpful. One thing to note is that for us our users are all local admins on the laptops as they are not domain joined, hence needing to use SAS keys, so creating a Scheduled Task was definitely the way to go, but I got inconsistent results and the reason was the execution policy for scripts on the system. So I had to do a couple of things that others finding this thread might find useful.

On the command line:

$Arguments = "-file $($ScriptFilePath) -WindowStyle Hidden -ExecutionPolicy -Scope CurrentUser Bypass"

And also to set a device configuration policy to allow local and remote signed scripts. That then allowed the script to work when run.

The other bit some might find helpful was that on the multisession VMs we have in place the device config policy doesn't work, even if you target it at a user group. There is a way to solve that though, use a remediation script to check for the existence of the scheduled task and if that isn't there then run the above script.

$taskName = "ConnectAzureFileShares" $taskstatus = get-scheduledtask | Where-object {$_.taskName -eq $taskName} if (!$taskstatus){ Write-Host "Scheduled task does not exist - remediation required" Exit 1 } Else { write-host "no remediation required" Exit 0 }

Answer 2

Syed Shiraz Shahid 290

To map an Azure Files drive with a SAS key using Intune, you can create a PowerShell script that contains the required commands and then deploy it as an Intune device configuration profile. Here are the steps to follow: null


$storageAccountName = "<storage-account-name>"
$shareName = "<file-share-name>"
$sasToken = "<sas-token>"
$context = New-AzureStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$storageAccountName.file.core.windows.net\$shareName" -Persist -Context $context

Replace the placeholders in the script with your own values for the storage account name, file share name, and SAS token. nullnullnullnull

After you deploy the configuration profile, the PowerShell script will run on each device in the assigned group, mapping the Azure Files drive with the specified SAS key. The drive will appear as a network drive on the device, allowing users to access files stored in the Azure Files share.

Lee Hubble 15 Reputation points

2023-04-04T08:38:13.2733333+00:00

As far as I can see -context is not a parameter in New-PSDrive and -credential only accepts a username.
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator

2023-04-27T05:58:42.2566667+00:00

@Lee Hubble Apologies for the delay response!

I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com (AzCommunity@microsoft.com) referencing this thread and the Azure subscription ID, I will follow-up with you. Once again, apologies for any inconvenience with this issue.
Thanks for your patience and co-operation.

Share via

How do I map an Azure Files drive with a SAS key using Intune?

2 answers

Your answer