Intune: Auto Reconnect Mapped Drives

Mapping drives on Intune-managed devices is a bit of a hassle, as there are no native CSPs that let you do this. There are a lot of community-based solutions out there, such as ADMX files you can import/ingest or PowerShell scripts you can deploy.

I went down the route of mapping drives using the ADMX ingest method, as described by Rudi Ooms in this excellent blog: https://call4cloud.nl/2021/03/willy-wonka-and-the-drive-letter-factory/

It maps all the drives nicely, and I thought that would be the end of it (oh man, was I wrong :D).

The Problem:

The downside of this method is that the drives won't automatically connect even though there is line of sight to the file server. All the drives will be mapped but will show up as disconnected.
As seen from “File Explorer”:

As seen from “CMD”:

As you can see, there is no access to the drive, even though in this case the device does have line of sight to the file share. In Rudi’s blog he explains how to solve this using the “ProviderFlags” attribute in chapter “3.2. Solving the Red Cross/Disconnection issue”. Unfortunately, this does not always work. In my case, it never did.

To establish an active connection, the user has to open File Explorer and double-click the drive they want to connect to, and voilà, they have an active connection:
As seen from “File Explorer”:

As seen from “CMD”:

That’s OK for most users. We, however, have a lot of programmers who need the connections to be there as soon as the device has line of sight to the file share. So how do we make that happen?

The Solution:

I came up with a solution that consists of several components. First off, I needed a method to force drives to reconnect if they have line of sight to the file share(s). This is where Microsoft came to the rescue, as described in this article:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/mapped-network-drive-fail-reconnect

Next up, I needed a method to trigger the script at logon, when connecting to VPN and when the device switches network. I use the excellent PowerShell Application Deployment Toolkit (PSADT) to set this up on the device.

But first things first. Start by creating a file named “AutoReconnectMappedDrives.ps1” with the following content:

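# Try up to 3 times, 30 seconds apart, until all mappings reconnect without errors
$i = 3
while ($true) {
    $error.Clear()
    # Mapped drives that currently show up as disconnected
    $MappedDrives = Get-SmbMapping | Where-Object -Property Status -EQ -Value Unavailable | Select-Object LocalPath, RemotePath
    foreach ($MappedDrive in $MappedDrives) {
        try {
            # -ErrorAction Stop makes a failed mapping reach the catch block
            New-SmbMapping -LocalPath $MappedDrive.LocalPath -RemotePath $MappedDrive.RemotePath -Persistent $true -ErrorAction Stop
        } catch {
            # $( ) is required to expand a property inside a double-quoted string
            Write-Host "There was an error mapping $($MappedDrive.RemotePath) to $($MappedDrive.LocalPath)"
        }
    }
    $i = $i - 1
    # Stop when the last pass had no errors or the attempts are used up
    if ($error.Count -eq 0 -or $i -eq 0) { break }

    Start-Sleep -Seconds 30
}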

Next up, download PSADT from here: https://psappdeploytoolkit.com/

Then copy your newly created “AutoReconnectMappedDrives.ps1” file to the “Files” folder in your PSADT package, as the file needs to be copied to the device(s) for subsequent execution.

Then add the following script to the “Installation” section of the “Deploy-Application.ps1” file:

# Copy the reconnect script from the PSADT "Files" folder to the device
New-Folder -Path "C:\Scripts\PowerShell\Auto Reconnect Mapped Drives"
Copy-File -Path "$dirFiles\AutoReconnectMappedDrives.ps1" -Destination "C:\Scripts\PowerShell\Auto Reconnect Mapped Drives\AutoReconnectMappedDrives.ps1"

$ShedShortName = "AutoReconnectMappedDrives"

# Trigger 1: user logon
$trigger1 = New-ScheduledTaskTrigger -AtLogOn

# Triggers 2 and 3: events in the Microsoft-Windows-NetworkProfile/Operational log
$class = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace root/Microsoft/Windows/TaskScheduler
$trigger2 = $class | New-CimInstance -ClientOnly
$trigger2.Enabled = $True
$trigger2.Subscription = '<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[Provider[@Name=''Microsoft-Windows-NetworkProfile''] and EventID=10002]]</Select></Query></QueryList>'

$trigger3 = $class | New-CimInstance -ClientOnly
$trigger3.Enabled = $True
$trigger3.Subscription = '<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[Provider[@Name=''Microsoft-Windows-NetworkProfile''] and EventID=4004]]</Select></Query></QueryList>'

# The action must point at the same path the script was copied to above
$action = New-ScheduledTaskAction -Execute 'PowerShell' -Argument "-NoLogo -WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass & 'C:\Scripts\PowerShell\Auto Reconnect Mapped Drives\AutoReconnectMappedDrives.ps1'"
$trigger = @(
            $($trigger1),
            $($trigger2),
            $($trigger3)
            )
# S-1-5-32-545 is the well-known SID of BUILTIN\Users, so this works on any Windows display language
$principal = New-ScheduledTaskPrincipal -GroupId S-1-5-32-545
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
$task = New-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -Settings $settings
Register-ScheduledTask $ShedShortName -InputObject $task
Start-ScheduledTask $ShedShortName

# Registry value used by the Intune detection rule
Set-RegistryKey -Key "HKEY_LOCAL_MACHINE\SOFTWARE\$ShedShortName" -Name 'Version' -Value $appVersion

This will copy the “AutoReconnectMappedDrives.ps1” script to the device and create a Scheduled Task that runs the script at logon (trigger1), when a VPN connection is established (trigger2) and when the device switches network (trigger3). Last but not least, a registry value is created to make it easy to set up a detection method in Intune.
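Because the task runs the script in the context of whichever member of the Users group logs on, and folders created directly under C:\ inherit Modify rights for Authenticated Users on a default Windows installation, the script location should be locked down so that only administrators can change it. The following is an added example, not part of the original guide; it assumes the folder layout created above and that it runs elevated, and the function name Get-UntrustedWriter is hypothetical.

```powershell
# Added example, not from the original post. Run elevated (for example in the
# PSADT "Installation" section, right after Copy-File).
$root       = 'C:\Scripts'    # top-level folder created by New-Folder in this guide
$scriptDir  = Join-Path $root 'PowerShell\Auto Reconnect Mapped Drives'
$scriptFile = Join-Path $scriptDir 'AutoReconnectMappedDrives.ps1'

# Well-known SIDs, so this also works on non-English Windows.
$trusted  = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
$usersSid = 'S-1-5-32-545'               # BUILTIN\Users

# Remove inherited ACEs on the top-level folder, then grant Full control to the
# trusted SIDs and Read & execute to Users. (OI)(CI) lets subfolders and files
# inherit the new ACL, so the parent folders are protected as well.
& icacls.exe $root /inheritance:r /grant:r "*$($trusted[0]):(OI)(CI)F" `
    "*$($trusted[1]):(OI)(CI)F" "*${usersSid}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path, [string[]]$TrustedSid)
    # Rights that allow changing, replacing or re-permissioning the item.
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSid -notcontains $sid -and [int]($ace.FileSystemRights -band $write) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
        }
    }
}

# Verify every level from the top-level folder down to the script itself.
$findings = $root, (Join-Path $root 'PowerShell'), $scriptDir, $scriptFile |
    ForEach-Object { Get-UntrustedWriter -Path $_ -TrustedSid $trusted }
if ($findings) {
    $findings | Format-Table -AutoSize | Out-String | Write-Host
    throw 'The script location is still writable by non-admin principals.'
}
```

If C:\Scripts also holds content that standard users must be able to edit, apply the same ACL to a dedicated subfolder tree instead and point the scheduled task at it.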

And of course you will need an “Uninstallation” script as well, so here you go:

$ShedShortName = "AutoReconnectMappedDrives"
Execute-Process -Path $exeSchTasks -Parameters "/delete /tn $ShedShortName /f" -WindowStyle 'Hidden'  -CreateNoWindow -ErrorAction 'Stop'
Remove-Folder -Path 'C:\Scripts\PowerShell\Auto Reconnect Mapped Drives'

Remove-RegistryKey -Key "HKEY_LOCAL_MACHINE\SOFTWARE\$ShedShortName" -Name 'Version'

In my scenario I don’t want the script deployed to everyone, so I simply made the application available in the Company Portal for users to install if they need to “Auto Reconnect Mapped Drives”.

Now after a logoff/logon, the drives are connected and ready to use (and will continue to be, as long as there is line of sight to the file server).

6 thoughts on “Intune: Auto Reconnect Mapped Drives”

  1. Matthijs November 9, 2023 / 1:57 pm

    Hi Matias,

    I found 1 bug in your script: “$principal = New-ScheduledTaskPrincipal -GroupId Users”.
    If your Windows isn’t in English, the script doesn’t recognize “Users”. I changed this one to “S-1-5-32-545” and now it’s running fine on Windows with the Dutch language.


    • Matias November 28, 2023 / 3:31 pm

      Hi Matthijs,

      You are correct. I have updated the guide :).


  2. michaelmenzie November 17, 2023 / 9:11 pm

    Is there any way to accomplish this if you can’t get the PSADT?


    • Matias March 9, 2024 / 3:43 pm

      Hi Michael, there sure is. You just need to come up with all the PowerShell code yourself, whereas PSADT gives you a lot of it up-front.


  3. Rob van de Ven April 17, 2024 / 4:44 pm

    Is this solution also tested on Windows 11 23H2? It seems it is not working.


    • Matias April 22, 2024 / 10:15 am

      Hi Rob, yes, it is working just fine on Windows 11 23H2.
