How do I map an Azure Files drive with a SAS key using Intune?

Lee Hubble 15 Reputation points
2023-04-03T14:12:41.09+00:00

Hi all

I am trying to map an Azure Files drive using a SAS key being pushed out by Intune. I have taken the script that is given from the Connect page in the storage account and put it into both Scripts in Intune and created an .intunewin file, but neither works. The script is the following and checks if the reg key HKEY_CURRENT_USER\Network\Y exists:

$connectTestResult = Test-NetConnection -ComputerName drivemappingtest.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"<location>.file.core.windows.net`" /user:`"<username>`" /pass:`"<password>`""
    # Mount the drive
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<location>.file.core.windows.net\test" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

Sometimes it appears briefly as a disconnected drive and then disappears upon a reboot. I also found another script that adds another line at the top but this also doesn't seem to work.

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value "3" -PropertyType DWORD -Force
cmd.exe /C "cmdkey /add:`"<location>.file.core.windows.net`" /user:`"<username>`" /pass:`"<password>`""
New-PSDrive -Name Y -PSProvider FileSystem -Root "\\<location>.file.core.windows.net\test" -Persist

Any help on this would be greatly appreciated.


2 answers

  1. Lee Hubble 15 Reputation points
    2023-05-08T15:03:10.6833333+00:00

    Using the following article I have found the solution to the problem. If a user has administrator rights, by default the PowerShell script runs under the administrator privilege, and the Azure File Share PowerShell script demands execution under normal privileges. The script below checks if the logged-in user is an administrator. If they are not, then the script runs as normal. If they are a scheduled task

    https://yvez.be/2020/11/04/map-azure-file-share-using-intune-powershell-script/

    function Test-Administrator {
        $User = [Security.Principal.WindowsIdentity]::GetCurrent()
        (New-Object Security.Principal.WindowsPrincipal $User).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    
    $ScriptDirectory = $env:APPDATA + "\Intune"
    # Check if the directory already exists (Test-Path does not emit an error when it is missing).
    if (!(Test-Path -Path $ScriptDirectory)) {
        New-Item -Path $env:APPDATA -Name "Intune" -ItemType "directory" | Out-Null
    }
    
    # Logfile
    $ScriptLogFilePath = $ScriptDirectory + "\ConnectAzureFileShare.log"
    
    if (Test-Administrator) {
        # If running as administrator, create a scheduled task that maps the drive as the logged-on user.
        Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "Running as administrator.")
    
        $ScriptFilePath = $ScriptDirectory + "\ConnectAzureFileShare_K.ps1"
    
        # Single-quoted string: nothing is expanded here; the written script runs at logon in the user's session.
        $Script = '$connectTestResult = Test-NetConnection -ComputerName example.file.core.windows.net -Port 445
        if ($connectTestResult.TcpTestSucceeded) {
            # Save the password so the drive will persist on reboot
            cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
            # Mount the drive
            New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist
        } else {
            Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
        }'
    
        $Script | Out-File -FilePath $ScriptFilePath
    
        $PSexe = Join-Path $PSHOME "powershell.exe"
        # Everything after -File is passed to the script, so the powershell.exe switches must come first.
        $Arguments = "-WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptFilePath`""
        $CurrentUser = (Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object -ExpandProperty UserName)
        $Action = New-ScheduledTaskAction -Execute $PSexe -Argument $Arguments
        $Principal = New-ScheduledTaskPrincipal -UserId $CurrentUser
        $Trigger = New-ScheduledTaskTrigger -AtLogOn -User $CurrentUser
        $Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal
    
        Register-ScheduledTask -TaskName ConnectAzureFileShare_K -InputObject $Task
        Start-ScheduledTask -TaskName ConnectAzureFileShare_K
    } else {
        # Not running as administrator. Connecting directly with the Azure script.
        Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "Not running as administrator.")
    
        $connectTestResult = Test-NetConnection -ComputerName example.file.core.windows.net -Port 445
        if ($connectTestResult.TcpTestSucceeded) {
            # Save the password so the drive will persist on reboot
            cmd.exe /C "cmdkey /add:`"example.file.core.windows.net`" /user:`"Azure\example`" /pass:`"mlkfquivIPIUHeljvPIUVeepReallycomplicatedstring==`""
            # Mount the drive
            New-PSDrive -Name K -PSProvider FileSystem -Root "\\example.file.core.windows.net\example" -Persist -Scope "Global"
        } else {
            Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
        }
    }
    
    # Note: in the administrator branch the task maps the drive in the user's session, so this check may not see it.
    if (Get-PSDrive -Name K -ErrorAction SilentlyContinue) {
        Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "K-Drive mapped successfully.")
    } else {
        Add-Content -Path $ScriptLogFilePath -Value ((Get-Date).ToString() + ": " + "Please verify installation.")
    }
    
    2 people found this answer helpful.
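A diagnostic to run in the user's own (non-elevated) session after the Intune script has executed, added here as an example and not part of either answer. It reports each piece of state this thread turns on: whether the session is elevated, port 445 reachability, the cmdkey entry, the HKCU\Network\<letter> persistence key from the question, the mapped drive, LmCompatibilityLevel, and whether the generated helper script (which embeds the storage key in plaintext) is still on disk. The storage account name, drive letter and helper script path are assumed placeholders.

```powershell
function Test-AzureFileShareMapping {
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,   # "example" -> example.file.core.windows.net
        [string] $DriveLetter = 'K',
        # Path the admin branch of the answer above writes to (assumption: same names as that script)
        [string] $HelperScriptPath = (Join-Path $env:APPDATA 'Intune\ConnectAzureFileShare_K.ps1')
    )
    $hostName  = "$StorageAccountName.file.core.windows.net"
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue

    $result = [ordered]@{
        # An elevated session has its own credential store and drive mappings, which Explorer does not see.
        RunningElevated      = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Port445Reachable     = (Test-NetConnection -ComputerName $hostName -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        # cmdkey /list prints one "Target: ..." line per stored credential.
        CredentialStored     = [bool]((cmdkey /list) -match [regex]::Escape($hostName))
        # Persistent mappings live under HKCU\Network\<letter>; this is the key the question mentions.
        PersistKeyPresent    = Test-Path -Path "HKCU:\Network\$DriveLetter"
        DriveMapped          = [bool](Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue)
        LmCompatibilityLevel = if ($lsa) { $lsa.LmCompatibilityLevel } else { $null }
        # The helper script holds the storage account key in plaintext; flag it if it is still readable on disk.
        PlaintextKeyOnDisk   = Test-Path -Path $HelperScriptPath
    }
    [pscustomobject]$result
}

# Usage: run from the user's session, not an elevated one, so the output reflects what the user's token has.
Test-AzureFileShareMapping -StorageAccountName 'example' | Format-List
```

A result with RunningElevated true and DriveMapped true but PersistKeyPresent false is the symptom the accepted answer addresses: the mapping exists only in the elevated token.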

  2. Syed Shiraz Shahid 290 Reputation points
    2023-04-03T22:06:06.8133333+00:00

    To map an Azure Files drive with a SAS key using Intune, you can create a PowerShell script that contains the required commands and then deploy it as an Intune device configuration profile. Here are the steps to follow:

    
    $storageAccountName = "<storage-account-name>"
    $shareName = "<file-share-name>"
    # SMB mounts of Azure Files authenticate with the storage account key (or an identity), not with a SAS token,
    # and New-PSDrive has no -Context parameter, so the credential is stored with cmdkey instead.
    $storageAccountKey = "<storage-account-key>"
    cmd.exe /C "cmdkey /add:`"$storageAccountName.file.core.windows.net`" /user:`"Azure\$storageAccountName`" /pass:`"$storageAccountKey`""
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$storageAccountName.file.core.windows.net\$shareName" -Persist -Scope Global
    

    Replace the placeholders in the script with your own values for the storage account name, file share name, and SAS token.

    After you deploy the configuration profile, the PowerShell script will run on each device in the assigned group, mapping the Azure Files drive with the specified SAS key. The drive will appear as a network drive on the device, allowing users to access files stored in the Azure Files share.

    1 person found this answer helpful.
