JanDeSmet-2132 asked Crystal-MSFT commented

After enrolling endpoint device in Intune / endpoint manager drive mapping gpp no longer working

Hello,

We are currently enrolling some Windows 10 devices in Intune / Endpoint Manager (auto enrollment / SCP). The devices are joined to the local AD domain, and hybrid joined. The device is visible in the MEM portal.
When a device is enrolled, it seems the GPP drive map is no longer working. When we run gpupdate /force, this takes a very long time to process, and we get an error message: '0x80070005 Access Denied.'
For other devices, not enrolled, this continues to work.

GPP drive map is configured: replace, and does not run in user security context.
Domain is azerty.azerty.com (local domain).
Devices are connected through Wi-Fi.

We have access to the sysvol share from the problematic device.

dsregcmd /status shows enrollment was successful.

Any next steps, or other issues to look for?


Crystal-MSFT answered Crystal-MSFT commented

@JanDeSmet-2132, From your description, it seems the drive mapping fails with a permission issue after we enroll into Intune. If there's any misunderstanding, please let us know.

To clarify our issue, we suggest choosing one Hybrid Azure AD joined device which is not enrolled into Intune to test applying the GPP drive map and see if it works.

Meanwhile, I notice the GPP drive map does not run in user security context. Could you confirm if it means "Run in logged-on user's security context (user policy option)" is not selected? Based on my research, if this option is not selected, Group Policy processes user preferences using the security context of the SYSTEM account. In this security context, the preference extension is limited to environment variables and system resources available only to the computer. This can cause access denied when it tries to access a network share. Given the situation, we suggest selecting this option to see if it works:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789194(v=ws.11)#run-in-logged-on-users-security-context-user-policy-option

Please try the above suggestions and if there's any update, feel free to let us know.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
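
To check how an existing drive-map item is actually stored, this added example (not part of the original answer and not Microsoft's code) reads a GPP Drives.xml and reports whether each item is processed as SYSTEM or as the logged-on user. The XML is a constructed sample; the function name `Get-GppDriveContext`, the server name and the path placeholders are assumptions.

```powershell
# Constructed sample in the Drives.xml layout GPP stores under
# <policy folder>\User\Preferences\Drives\ ; server and uid values are made up.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:" status="S:" image="1" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="R" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\fileserver.example\shared" label="" persistent="0" useLetter="1" letter="S"/>
  </Drive>
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:" image="1" uid="{22222222-2222-2222-2222-222222222222}" userContext="1">
    <Properties action="R" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\fileserver.example\home" label="" persistent="0" useLetter="1" letter="H"/>
  </Drive>
</Drives>
'@

function Get-GppDriveContext {
    param([Parameter(Mandatory)][string]$XmlText)

    # Single-letter action codes used in GPP preference XML.
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    foreach ($drive in $doc.SelectNodes('/Drives/Drive')) {
        $props = $drive.SelectSingleNode('Properties')
        # userContext="1" is written when "Run in logged-on user's security
        # context" is selected; absent or "0" means the item runs as SYSTEM.
        $asUser = $drive.GetAttribute('userContext') -eq '1'
        [pscustomobject]@{
            Letter = $props.GetAttribute('letter')
            Action = $actions[$props.GetAttribute('action')]
            Path   = $props.GetAttribute('path')
            RunsAs = $(if ($asUser) { 'logged-on user' } else { 'SYSTEM' })
        }
    }
}

Get-GppDriveContext -XmlText $sampleXml | Format-Table -AutoSize

# Against a real policy (placeholders: fill in your domain and GPO GUID):
# Get-GppDriveContext -XmlText (Get-Content -Raw '\\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\User\Preferences\Drives\Drives.xml')
```

In the sample, S: is reported as SYSTEM, which is the configuration the answer above describes, and H: as logged-on user.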



@JanDeSmet-2132, Hope things are going well. I am writing to see if there's any update on our issue. If yes, feel free to let us know.

JanDeSmet-2132 answered Crystal-MSFT commented

@Crystal-MSFT, Hi, Thank you for following up. We have indeed tested with the suggested settings. We encounter the same issue. When the device auto enrolls, the GPO fails.

We are still testing some other settings; I will update this thread with the results.


@JanDeSmet-2132, Thanks for letting us know the latest status. We will wait for your next update.

Have a nice day!


Hello, it seems recreating the drive mapping GPO solved the issue.
We are still testing, but first results are positive.

Thanks for the advice.


@JanDeSmet-2132, Thanks for the update. I am glad to hear that recreating the GPO makes it work. As you are still testing, if there are any more findings, feel free to post back.

Thanks for your time and have a nice day!
