Use Intune Remediations to map printers and drives on Entra Joined devices

In this blog post, I will show you how to use Intune Remediations to map printers and drives on Windows Entra Joined devices. Intune Remediations are script packages that can detect and fix common support issues on a user's device. I have created a remediation script that creates a scheduled task which maps printers or drives when a user logs on or connects to VPN.

Prerequisites

Before you can use Intune Remediations, you need to meet the following requirements:

  • Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and run Enterprise or Professional edition
  • Remediations require the users of the devices to have a Windows E3 or E5 license

The Script – Detect and Remediate

I have written a script that maps objects based on an array of objects in $MapObjects. You can find the scripts on my GitHub:

Intune/Intune – Drive Mapping.ps1 at master · Mr-Tbone/Intune (github.com)

Intune/Intune – Printer Mapping.ps1 at master · Mr-Tbone/Intune (github.com)

The script first detects whether it is running as the detection or the remediation script in Intune Remediations:

# Intune runs the same file twice; the detection copy has "detect" in its path
if ($PSCommandPath -like "*detect*"){[Bool]$Remediation = $false}
else{[Bool]$Remediation = $true}

This small piece of code makes it possible to use the same script for both detect and remediate in an Intune Remediation. In detection mode, nothing is done except checking whether everything is configured. In remediation mode, the script then detects whether it is running as the user or as SYSTEM. If running as SYSTEM, the script will:

  1. Detect whether the script already exists in $corpdataPath and whether it is an older version
    If it does not exist, copy the script to $corpdataPath
  2. Detect whether a VBS script exists in $corpdataPath
    If it does not exist, copy the VBS script to $corpdataPath
  3. Detect whether the scheduled task exists in Task Scheduler
    If it does not exist, create the scheduled task

The scheduled task is configured to trigger on logon to Windows or on connecting to VPN.
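The detection half of that flow, as an added example that is not the blog's GitHub script: it checks the three items the SYSTEM part creates and returns the exit code Intune expects (0 compliant, 1 run remediation). The folder, file names, task name and the version line it looks for in the deployed copy are assumptions.

```powershell
# Added example, not the blog's script: detection-mode check for the three items the remediation creates.
# Exit code 1 tells Intune to run the remediation script, exit code 0 reports compliant.
# Assumptions (placeholders): folder, file names, task name and the version line in the deployed copy.
[Version]$ScriptVersion = '1.0.0'                      # version of this script (assumed)
$CorpDataPath = 'C:\ProgramData\CorpData'              # assumed value of the blog's $corpdataPath
$ScriptTarget = Join-Path $CorpDataPath 'Drive Mapping.ps1'
$VbsTarget    = Join-Path $CorpDataPath 'Drive Mapping.vbs'
$TaskName     = 'Corp - Drive Mapping'                 # assumed scheduled task name

function Test-MappingSetup {
    # Returns a list of findings; an empty list means everything is in place
    $findings = @()

    # 1. Script present in corpdata and not older than this version
    if (-not (Test-Path $ScriptTarget)) {
        $findings += 'script missing'
    } else {
        # Assumes the deployed copy carries a line such as  [Version]$ScriptVersion = '1.0.0'
        $m = Select-String -Path $ScriptTarget -Pattern "ScriptVersion\s*=\s*'([\d\.]+)'" | Select-Object -First 1
        $deployed = if ($m) { [Version]$m.Matches[0].Groups[1].Value } else { [Version]'0.0.0' }
        if ($deployed -lt $ScriptVersion) { $findings += "script outdated ($deployed < $ScriptVersion)" }
    }

    # 2. VBS launcher present
    if (-not (Test-Path $VbsTarget)) { $findings += 'vbs launcher missing' }

    # 3. Scheduled task present and carrying a logon trigger (the VPN trigger is not checked here)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        $findings += 'scheduled task missing'
    } elseif (-not ($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })) {
        $findings += 'scheduled task has no logon trigger'
    }
    return $findings
}

$findings = @(Test-MappingSetup)
if ($findings.Count -eq 0) {
    Write-Output 'Compliant: script, vbs launcher and scheduled task are in place'
    exit 0
}
Write-Output ('Not compliant: ' + ($findings -join '; '))
exit 1   # Intune now runs the remediation script, which performs the copy/create steps listed above
```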

The Script – Object mapping

The script detects whether it is running as SYSTEM or as a user. When it is triggered by the scheduled task, it runs as the logged-on user and therefore runs the object mapping part. The object mapping part maps network printers or drives on Windows devices that are Entra ID Joined, based on the $MapObjects variable in the script, which can look like this:

Printers

$MapObjects = @()
$MapObjects+=@{PrinterName="Printer1"; Default=$false; Path="\\Printserver.tbone.se\Printer1"; ADGroups="Sales"}
$MapObjects+=@{PrinterName="Printer2"; Default=$false; Path="\\Printserver.tbone.se\Printer2"; ADGroups="Consultant"}
$MapObjects+=@{PrinterName="Printer3"; Default=$true;  Path="\\Printserver.tbone.se\Printer3"; ADGroups=""}

Drives

$MapObjects = @()
$MapObjects+=@{Letter="S"; Persistent=$true; Path="\\fileserver.tbone.se\Sales";   ADGroups="Sales";       Label="Sales"}
$MapObjects+=@{Letter="C"; Persistent=$true; Path="\\fileserver.tbone.se\Consult"; ADGroups="Consultants"; Label="Consultants"}
$MapObjects+=@{Letter="W"; Persistent=$true; Path="\\fileserver.tbone.se\Common";  ADGroups="Loc_ESC";     Label=""}

You need to modify the script to suit your environment and requirements.

The script then finds out which groups the user belongs to with the Get-ADGroupMembership function. The function relies on access to a local domain controller; if no domain controller is reachable, no objects are mapped. If the device is Entra ID Joined, you also need to configure Kerberos Cloud Trust to get access to on-premises resources.

Next, it maps the objects in the $MapObjects variable using the Map-Printer and Map-Drive functions.

The script – Logging

The script uses PowerShell transcript logging to record its execution.

I use a custom logging model in the script where I catch errors with an error variable instead of try/catch. With this model I get a better error message and better logging:

# Errors are collected in $errorvar instead of being thrown, then logged as date,time,level,message
$vbsScript | Out-File -FilePath $vbsSavePath -Force -ErrorAction SilentlyContinue -ErrorVariable errorvar
if ($errorvar.count -eq 0){
    write-verbose -verbose "$(Get-Date -Format 'yyyy-MM-dd'),$(Get-Date -format 'HH:mm:ss'),info,Success to save the vbscript in corpdata folder"
}
else{
    write-verbose -verbose "$(Get-Date -Format 'yyyy-MM-dd'),$(Get-Date -format 'HH:mm:ss'),Error,Failed to save vbscript in corpdata folder with error: $($errorvar)"
    $errorvar=$null;$Global:EventId=12;$Global:EventType="error"
}

The transcript log is then saved in the $corpdataPath folder.

Finally, it creates a log entry in the Event Viewer Program log, which makes it easy for helpdesk to find in case of problems.
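The group-filtered drive mapping described in the object mapping section, combined with the error-variable logging model above, as an added example (not the blog's Map-Drive or Get-ADGroupMembership functions). It assumes the caller supplies the user's group names, that drive letters already in use are refused, and that Explorer's display label lives under the MountPoints2 key shown in the comment.

```powershell
function Write-MapLog {
    # Same date,time,level,message line the blog writes with Write-Verbose -Verbose (lands in the transcript)
    param([ValidateSet('info','Error')][string]$Level, [string]$Message)
    Write-Verbose -Verbose "$(Get-Date -Format 'yyyy-MM-dd'),$(Get-Date -Format 'HH:mm:ss'),$Level,$Message"
}

function Map-Drives {
    param(
        [Parameter(Mandatory)][array]$MapObjects,    # same shape as the blog's $MapObjects for drives
        [Parameter(Mandatory)][string[]]$UserGroups  # group names the user belongs to (assumed input)
    )
    $failed = 0
    foreach ($obj in $MapObjects) {
        # Empty ADGroups means everyone; otherwise the user must be in at least one listed group
        $groups = @($obj.ADGroups -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($groups.Count -gt 0 -and -not ($groups | Where-Object { $UserGroups -contains $_ })) {
            Write-MapLog info "Skip $($obj.Letter): user is not in $($obj.ADGroups)"
            continue
        }
        # Refuse letters already in use (local disks included); the blog's sample letter "C" would hit this
        if (Get-PSDrive -Name $obj.Letter -ErrorAction SilentlyContinue) {
            Write-MapLog Error "Failed to map $($obj.Letter): letter already in use"
            $failed++
            continue
        }
        $errorvar = $null                    # error-variable model from the blog instead of try/catch
        $persist  = [bool]$obj.Persistent
        New-PSDrive -Name $obj.Letter -PSProvider FileSystem -Root $obj.Path -Scope Global -Persist:$persist `
            -ErrorAction SilentlyContinue -ErrorVariable errorvar | Out-Null
        if ($errorvar.Count -eq 0) {
            if ($obj.Label) {
                # Explorer reads the display name from MountPoints2 (assumed key layout: '\' replaced by '#')
                $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\' + ($obj.Path -replace '\\', '#')
                New-Item -Path $key -Force | Out-Null
                Set-ItemProperty -Path $key -Name '_LabelFromReg' -Value $obj.Label
            }
            Write-MapLog info "Success to map $($obj.Letter): to $($obj.Path)"
        } else {
            Write-MapLog Error "Failed to map $($obj.Letter): to $($obj.Path) with error: $($errorvar)"
            $failed++
        }
    }
    return $failed   # number of failed entries, usable for the event log entry the blog writes at the end
}

# Usage with constructed sample data; the group list would come from the blog's Get-ADGroupMembership
$MapObjects = @()
$MapObjects += @{Letter='S'; Persistent=$true; Path='\\fileserver.tbone.se\Sales'; ADGroups='Sales'; Label='Sales'}
$failedCount = Map-Drives -MapObjects $MapObjects -UserGroups @('Domain Users', 'Sales')
```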

How to deploy the script packages

To deploy the script packages, you need to change the $MapObjects variable to match your mappings.

$MapObjects = @()
$MapObjects+=@{Letter="S"; Persistent=$true; Path="\\fileserver.tbone.se\Sales";   ADGroups="Sales";       Label="Sales"}
$MapObjects+=@{Letter="C"; Persistent=$true; Path="\\fileserver.tbone.se\Consult"; ADGroups="Consultants"; Label="Consultants"}
$MapObjects+=@{Letter="W"; Persistent=$true; Path="\\fileserver.tbone.se\Common";  ADGroups="Loc_ESC";     Label=""}

Then create the remediation by following these steps:

  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Remediations > Create script package.
  3. On the Basics page, enter a name and description for the script package, and select Next.
  4. On the Settings page, add the same script on both detection and remediation.
  5. Configure the following options:
    • Run this script using the logged-on credentials: No
    • Enforce script signature check: No (you can of course sign it yourself)
    • Run script in 64-bit PowerShell: Yes
  6. Select Next.
  7. On the Assignments page, select the groups of devices that you want to assign the script package to, and select Next.
  8. On the Review + create page, review the settings and select Create.

The script package will be deployed to the assigned devices and run according to the schedule that you configured. You can monitor the status and results of the script package from the Microsoft Endpoint Manager admin center.

Conclusion

In this blog post, I showed you how to use Intune Remediations to map printers and drives on Windows Entra ID Joined devices. I hope you found this useful and learned something new. Thank you for reading!

About The Author

Mr T-Bone

Torbjörn Tbone Granheden is a Solution Architect for Modern Workplace at Coligo AB, Most Valuable Professional (MVP) on Enterprise Mobility, certified in most Microsoft technologies and with over 23 years as a Microsoft Certified Trainer (MCT).


2 Responses

  1. Hello Torbjörn, how does it handle group-in-group memberships? The scenario I am working on has members in a lot of different subgroups that are members of the group that I define in the script.

    • Mr T-bone says:

      Hi Niklas,
      Yes, it should get all groups from Active Directory, including the nested groups.
      If it doesn't, give me a ping and I will look into it.