After enrolling endpoint device in Intune / endpoint manager drive mapping gpp no longer working

Jan De Smet 66 Reputation points
2022-05-11T09:51:07.667+00:00

Hello,

We are currently enrolling some Windows 10 devices in Intune / Endpoint Manager (auto enrollment / SCP). The devices are joined to the local AD domain and hybrid joined. The device is visible in the MEM portal.
When a device is enrolled, it seems the GPP drive map is no longer working. When we run gpupdate /force, this takes a very long time to process, and we get an error message: '0x80070005 Access Denied.'
For other devices, not enrolled, this continues to work.

GPP drive map is configured: Replace, and does not run in user security context.
Domain is azerty.azerty.com (local domain).
Devices are connected through Wi-Fi.

We have access to the sysvol share from the problematic device.

dsregcmd /status shows enrollment was successful.

Any next steps, other issues to look for?


Accepted answer
  1. Crystal-MSFT 45,896 Reputation points Microsoft Vendor
    2022-05-12T02:15:48.427+00:00

    @Jan De Smet, from your description, it seems the drive mapping fails with a permission issue after enrolling into Intune. If there's any misunderstanding, please let us know.

    To clarify the issue, we suggest choosing one Hybrid Azure AD joined device which is not enrolled into Intune, applying the GPP drive map to it, and seeing if it works.

    Meanwhile, I notice the GPP drive map does not run in the user security context. Could you confirm whether this means "Run in logged-on user's security context (user policy option)" is not selected? Based on my research, if this option is not selected, Group Policy processes user preferences using the security context of the SYSTEM account. In this security context, the preference extension is limited to environment variables and system resources available only to the computer. This can cause "access denied" when it tries to access a network share. Given the situation, we suggest selecting this option to see if it works:
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789194(v=ws.11)#run-in-logged-on-users-security-context-user-policy-option

    Please try the above suggestions and if there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
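The accepted answer turns on whether the drive-map preference item carries the "Run in logged-on user's security context" option. That setting is stored in the GPO's Drives.xml under SYSVOL, so an administrator can audit every mapping at once instead of opening each item in the GPMC. The script below is an added example and not part of this thread or of any Microsoft tool; it assumes that the option is persisted as a `userContext="1"` attribute on each `<Drive>` element (as the linked documentation describes), the sample XML is constructed for illustration, and the clsid and policy GUID values are placeholders.

```powershell
# Added example (not from the thread): list GPP drive maps and flag the ones that
# will be processed as SYSTEM because "Run in logged-on user's security context"
# is not selected. Assumption: that option is stored as userContext="1" on <Drive>.
function Get-GppDriveContext {
    param(
        [Parameter(Mandatory)][xml]$DrivesXml
    )
    foreach ($drive in $DrivesXml.Drives.Drive) {
        $props = $drive.Properties
        $runsAsUser = ($drive.userContext -eq '1')   # attribute absent => runs as SYSTEM
        [pscustomobject]@{
            Letter         = $props.letter
            Path           = $props.path
            Action         = $props.action          # C/R/U/D = Create/Replace/Update/Delete
            RunsAsUser     = $runsAsUser
            Recommendation = if ($runsAsUser) { 'OK' } else { "Enable 'Run in logged-on user''s security context'" }
        }
    }
}

# Constructed sample Drives.xml: H: is set to run as the user, S: is not.
# clsid values are placeholders, not the real GPP class identifiers.
$sample = [xml]@"
<Drives clsid="{CLSID-PLACEHOLDER-DRIVES}">
  <Drive clsid="{CLSID-PLACEHOLDER-DRIVE}" name="H:" status="H:" uid="{00000000-0000-0000-0000-000000000001}" userContext="1">
    <Properties action="R" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\fileserver.azerty.azerty.com\home" label="Home" persistent="1" useLetter="1" letter="H"/>
  </Drive>
  <Drive clsid="{CLSID-PLACEHOLDER-DRIVE}" name="S:" status="S:" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="R" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\fileserver.azerty.azerty.com\shared" label="Shared" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"@

Get-GppDriveContext -DrivesXml $sample | Format-Table -AutoSize

# Against a real GPO, read the file from SYSVOL instead (replace {GPO-GUID-PLACEHOLDER}):
# $real = [xml](Get-Content -Raw '\\azerty.azerty.com\SYSVOL\azerty.azerty.com\Policies\{GPO-GUID-PLACEHOLDER}\User\Preferences\Drives\Drives.xml')
# Get-GppDriveContext -DrivesXml $real | Where-Object { -not $_.RunsAsUser }
```

Running the sample prints H: as `RunsAsUser True` and S: as `RunsAsUser False` with the recommendation to enable the option. Reading Drives.xml directly also confirms that the hybrid-joined device can reach SYSVOL at all, which the original poster already verified; if the mapping still fails once `userContext="1"` is present, the access-denied error is coming from somewhere other than the preference item's security context.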


1 additional answer

  1. Jan De Smet 66 Reputation points
    2022-05-16T07:29:23.167+00:00

    @Crystal-MSFT, hi, thank you for following up. We have indeed tested with the suggested settings. We encounter the same issue. When the device auto-enrolls, the GPO fails.

    We are still testing some other settings; I will update this thread with the results.