Disconnect Mapped Drives

What the mapped drive disconnection Worklet does

This Automox Worklet™ disconnects specified mapped network drives from all user accounts on a Windows endpoint. Mapped drives are network locations that appear as drive letters in File Explorer, providing quick access to shared folders on network servers.

The Worklet uses PowerShell to enumerate user profiles, load each user's registry hive, and remove drive mappings matching your configured list. It works across all user accounts on the endpoint, including temporary mappings created by domain policies or user actions.

You customize which drive letters to disconnect by editing the $removeDrives variable in the Worklet configuration. This gives you precise control over which network connections are removed.

Why disconnect mapped drives from your network

Outdated or obsolete mapped drives create security and operational risks. Network shares that are no longer in use can become access vectors if the source server is compromised, breached, or decommissioned. Disconnecting unused mappings reduces your attack surface and prevents users from accessing deprecated resources.

From an operational perspective, orphaned drive mappings clutter File Explorer, confuse users, and consume registry space. When you revoke access to deprecated storage locations during departmental restructures, facility closures, or vendor transitions, you maintain compliance with the principle of least privilege.

This Worklet automates the disconnection process across your endpoint fleet simultaneously, eliminating the time and cost of manual intervention on individual machines.

How mapped drive removal works

1. Evaluation phase: The Worklet queries the HKEY_USERS registry hive to find all user accounts on the endpoint. It loads each user's ntuser.dat registry file and scans the Network subkey for drive mappings. If any drive letter in your configured $removeDrives list exists on any user account, the Worklet flags the endpoint as non-compliant and triggers remediation.

2. Remediation phase: The Worklet iterates through each user account and deletes the registry keys corresponding to the matching drive letters. Once the entries are removed from each user's registry profile, the mapped drives are disconnected. The Worklet performs cleanup, removing the temporary registry connections it created.

Mapped drive disconnection requirements

• Windows 8 or later (includes Windows 10, Windows 11, Server 2012 and later)

• PowerShell 3.0 or later

• Local administrator privileges to modify registry keys and load user hives

• Drive letters configured in the $removeDrives variable (default is empty; you must customize this value)

• Same drive letters configured in both evaluation and remediation scripts for proper operation

Expected endpoint state after disconnection

After the Worklet runs successfully, the specified mapped drives are removed from all user accounts on the endpoint. You can verify this change by checking the specific setting this Worklet modifies. The drive letters no longer appear in File Explorer, and users can no longer access the disconnected network shares. Note that endpoints may require a reboot for the changes to be fully visible in the user interface, though the registry changes take effect immediately.

On subsequent evaluations, the Worklet will find the endpoint compliant because the configured drive mappings no longer exist. If users or domain policies create new mappings with the same drive letters, the Worklet will detect them and remove them again on the next scheduled run.

How to validate disconnect mapped drives changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for disconnect mapped drives.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-CimInstance, New-PSDrive, Out-Null.

4. Validate remediation effects from script operations such as Get-CimInstance, New-PSDrive, Out-Null, then rerun evaluation for compliance.