Copy Files from a Computer to Azure Files Over CMG

With many employees now working remotely, the situation may arise where you need to copy files from a remote computer to a location where they can be accessed by IT staff. When a computer is not remote, this is usually done by just accessing the computer’s admin share, but this is not always possible when a computer is remote.

This post details a method of using the ConfigMgr scripts feature to copy directories to an Azure Files share. It covers setting up the Azure Files share and provides a sample script to copy the files. You will need ConfigMgr with a CMG set up to follow along.

Setup Azure Files

First, we need to configure an Azure Files share. Azure Files is a good solution to use since it can be made available from the internet and does not require a domain login. Though using a domain login is possible, I would recommend NOT doing this, and instead using a shared access signature, which you can and should set to expire when not in use.

To create the Azure Files share, you will first need a storage account. If you already have a storage account and want to reuse it, you can proceed to the next section.

  1. In the Azure portal, search for Storage Accounts and open its service.
  2. Click Add.
  3. Select the Subscription and Resource group for your storage account. Give your storage account a name and Location. Leave Performance, Account kind, and Replication as-is.
  4. Click Review + create to create your storage account.

Now that you have your storage account, we need to create the Azure Files share.

  1. Open your storage account and select File shares from the left pane.
  2. Click the add File share button.
  3. Give your file share a Name and set a Quota. I also recommend setting the Tiers to Hot or Cool, as we shouldn’t be actively doing much with these files.
  4. Click Create.

Azure Files is now set up.

Obtain Shared access signature

Now that we have our Azure file share, we need to generate a Shared access signature (SAS). This will allow us to access the file share without the need for domain credentials.

  1. In your storage account, select Shared access signature from the left pane.
  2. Uncheck all boxes under Allowed Services EXCEPT File.
  3. Under Allowed resource types, select Object.
  4. Leave Allowed permissions as-is. Technically you can dial back the permissions here, but that is out of the scope of this post.
  5. Set a Start and expiry date/time. I would suggest not allowing this SAS key for longer than 1 day. Ideally this key would only work for the time needed.
  6. Leave the remaining settings as-is and click Generate SAS and connection string.
  7. Copy the SAS token to Notepad (we’ll need it later).
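
Before pasting the token into ConfigMgr, it is worth checking that it really is limited the way the steps above intend. The following is an added example, not part of the original script: it parses the account SAS query string and flags a token that allows more than the File service, more than the Object resource type, or a lifetime over one day. Test-SasToken is a hypothetical helper name and the sample token is constructed.

```powershell
# Added example. Test-SasToken is a hypothetical helper name, not an Az cmdlet.
function Test-SasToken {
    param(
        [Parameter(Mandatory)][string]$SasToken,
        [int]$MaxHours = 24,                              # "no longer than 1 day"
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow
    )
    # Split "?k=v&k=v" into a lookup table, URL-decoding each value.
    $fields = @{}
    foreach ($pair in $SasToken.TrimStart('?') -split '&') {
        $k, $v = $pair -split '=', 2
        $fields[$k] = [uri]::UnescapeDataString([string]$v)
    }
    $problems = @()
    if ($fields['ss'] -cne 'f') {
        $problems += "ss=$($fields['ss']): allowed services should be File (f) only"
    }
    if ($fields['srt'] -cne 'o') {
        $problems += "srt=$($fields['srt']): allowed resource types should be Object (o) only"
    }
    if (-not $fields['se']) {
        $problems += 'se is missing: the token has no expiry'
    } else {
        $expiry = [datetimeoffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture)
        $hours  = ($expiry.UtcDateTime - $Now.UtcDateTime).TotalHours
        if ($hours -le 0) {
            $problems += "se=$($fields['se']): token has already expired"
        } elseif ($hours -gt $MaxHours) {
            $problems += ('se={0}: valid for {1:N0} more hours, limit is {2}' -f $fields['se'], $hours, $MaxHours)
        }
    }
    # Report findings without echoing the signature (sig) anywhere.
    [pscustomobject]@{
        Ok          = ($problems.Count -eq 0)
        Permissions = $fields['sp']
        Problems    = $problems
    }
}

# Constructed sample token (not a real signature): Blob+File, all resource types, 7 days.
$sample = '?sv=2022-11-02&ss=bf&srt=sco&sp=rwdlc&st=2030-01-01T00:00:00Z' +
          '&se=2030-01-08T00:00:00Z&spr=https&sig=CONSTRUCTED-PLACEHOLDER'
$result = Test-SasToken -SasToken $sample -Now ([datetimeoffset]::Parse('2030-01-01T00:00:00Z'))
$result.Problems
```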

ConfigMgr Script

This process uses ConfigMgr Run Scripts to execute a script on the computer. The computer will download the AzCopy utility from Microsoft and use it to upload the Documents and Desktop folders for each user on the computer. You can modify the copy part of the script to copy whichever directories you want. Prior to uploading into Azure Files, the script will zip what’s being copied and upload the zip. This is to save bandwidth and consume less storage in Azure.

Here is the script:

Param(
[Parameter(Mandatory=$True)]
[string]$saskey
)

$az_files_url = "https://azsccmfiles.file.core.windows.net/sccmcmgfiles"

$comp_name = $env:COMPUTERNAME
$date = get-date -format yyyy-MM-ddTHH-mm-ss

# Download AzCopy v10 from Microsoft and extract it under %SystemRoot%\TEMP\azcopy
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("https://aka.ms/downloadazcopy-v10-windows","$env:SystemRoot\TEMP\azcopy.zip")

Expand-Archive -LiteralPath "$env:SystemRoot\TEMP\azcopy.zip" -DestinationPath "$env:SystemRoot\TEMP\azcopy" -force
$extract_dir = (get-childitem "$env:SystemRoot\TEMP\azcopy").name
$azcopy = "$env:SystemRoot\TEMP\azcopy\" + $extract_dir

cd $azcopy

# Every profile folder under C:\Users except the short-named Administrator folder
$user_folders = (get-childitem $env:systemdrive\users | where-object -filterscript {$_.Name -ne "ADMINI~1"}).name

# Staging directory lives inside TEMP\azcopy so the cleanup at the end removes it too
$output_dir = "$env:SystemRoot\TEMP\azcopy\$comp_name-$date"
new-item -type directory $output_dir | out-null

# Stage each user's Desktop and Documents folders
ForEach ($user in $user_folders) {
    new-item -type directory "$output_dir\$user-desktop" | out-null
    copy-item -path "$env:systemdrive\users\$user\Desktop\*" -destination "$output_dir\$user-desktop" -recurse

    new-item -type directory "$output_dir\$user-documents" | out-null
    copy-item -path "$env:systemdrive\users\$user\Documents\*" -destination "$output_dir\$user-documents" -recurse
}

# Zip the staged copy so a single, smaller file is uploaded
$archive_file = "$env:SystemRoot\TEMP\azcopy\$comp_name-$date.zip"
compress-archive -path $output_dir -destinationpath $archive_file

# Upload the zip to the file share; the SAS token is appended to the share URL
$env:AZCOPY_LOG_LOCATION="$env:SystemRoot\TEMP\azcopy"
$dest_path = $az_files_url + $saskey
$argument_list_doc = 'copy "' + $archive_file + '" "' + $dest_path + '" --recursive --cap-mbps 20'
start-process -filepath "azcopy.exe" -ArgumentList $argument_list_doc -wait -windowstyle:hidden

sleep -s 1

# Remove AzCopy, its logs, the staged files and the zip from the computer
cd $env:SystemRoot
remove-item -path $env:SystemRoot\TEMP\azcopy -recurse -force
remove-item -path $env:SystemRoot\TEMP\azcopy.zip -recurse -force

At each launch, the script will prompt you for the SAS key. On line 6, you need to change the az_files_url variable to match your storage account and file share name. Just replace azsccmfiles with the name of your storage account and sccmcmgfiles with the name of the file share. HINT: you can get this entire URL by going to the storage account in Azure, selecting the file share, and clicking Properties.

All you should have to do now is add this as a script in ConfigMgr. Once added, you can execute it against computers that are remote.
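
Because Run Scripts executes the download-and-run step with elevated rights, a signature check on the extracted binary is a useful guard. The following is an added example, not part of the original script: Assert-SignedBy is a hypothetical helper, and the expected publisher (Microsoft Corporation) is an assumption about how the AzCopy binary is signed.

```powershell
# Added example: fail closed unless a binary carries a valid Authenticode
# signature from the expected publisher.
# Assert-SignedBy is a hypothetical helper; the publisher value is an assumption.
function Assert-SignedBy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Publisher = 'O=Microsoft Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is $($sig.Status); refusing to run it."
    }
    # Subject looks like "CN=..., O=..., L=..., S=..., C=..."; compare the O= component.
    $subject = $sig.SignerCertificate.Subject
    if (($subject -split ',\s*') -notcontains $Publisher) {
        throw "Unexpected signer '$subject' on $Path; refusing to run it."
    }
    # Return what was verified so the caller can log it.
    [pscustomobject]@{
        Path       = $Path
        Signer     = $subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# In the script above this would sit between Expand-Archive and start-process:
#   Assert-SignedBy -Path (Join-Path $azcopy 'azcopy.exe') | Out-Null
# Stand-alone demonstration against a binary that ships with Windows:
Assert-SignedBy -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
```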


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
