MEM – Deploying Trusted Sites
In this post, we will demonstrate how to deploy Internet Explorer trusted sites via Microsoft Endpoint Manager (aka Intune). We will cover two methods: one for complete control, which locks down the Trusted Sites list within Internet Settings, and one that maintains user choice by simply adding additional trusted sites to the end user's existing configuration.
Objectives
- Force standard list of trusted sites and prevent end users from editing (Full Control)
- Add additional trusted sites to existing setup and allow end users to edit (One-time entry)
Full Control Method
As mentioned above, the full control method lets administrators control which sites are added to the Trusted Sites list; end users will not be able to add, edit or delete the entries. To get started, log into the MEM portal with your administrative account, browse to Devices, then Configuration Profiles, and select Create Profile:
Set the platform to Windows 10 and later and the profile type to Administrative Templates:
Name the profile and enter a description:
In the next section, decide whether this is going to be a Computer or User setting; in my case, I'm going to choose Computer. Browse to Computer Configuration, then Windows Components, Internet Explorer, Internet Control Panel and finally Security Page. From here select the Site to Zone Assignment List setting:
Within the setting, select Enabled and enter the domains that you wish to add to the zone; in my case, I am going to add https://letsconfigmgr.com/ with a value of 2:
The available values are as follows:
- 1 = Intranet
- 2 = Trusted Sites
- 3 = Internet Zone
- 4 = Restricted Sites
Deploy the configuration profile to a test computer group and verify the results on the device by going to Control Panel, Internet Settings, Security, Trusted Sites and confirming that the desired sites are listed. Note that with this method you cannot add \ edit \ remove entries:
One-Time Entry Method
Some administrators may want to allow end users to control the Trusted Sites list. A great way to allow this via MEM and still add entries is to deploy a PowerShell script. To do this within the MEM portal, go to Devices, Scripts and select Add:
Select Windows 10, then name the script and set a description:
Copy the code below and save it as a .ps1 file. Edit the three registry paths so that the final key name is the domain you wish to add to the zone; as an example, I have added letsconfigmgr.com. Note the -Value 2 on the Set-ItemProperty line, which adds the site to the Trusted Sites zone; the options are:
- 1 = Intranet
- 2 = Trusted Sites
- 3 = Internet Zone
- 4 = Restricted Sites
# One registry key per domain under the user's ZoneMap; the value name is the URL scheme (http, https or *) and the data is the zone number.
if (-not (Test-Path -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letsconfigmgr.com'))
{
    New-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letsconfigmgr.com' -Force | Out-Null
}
# Set the zone outside the if block so the value is also written when the key already exists (e.g. the user added http but not https).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letsconfigmgr.com' -Name 'https' -Value 2 -Type DWord
Within the script settings, upload your script and select Run this script using the logged on credentials (the script writes to HKCU, so it must run as the user):
Once completed, assign the script to your test device and verify the results by going to Control Panel, Internet Settings, Security, Trusted Sites and confirming that the desired sites are listed. Note that with this method you can add \ edit \ remove entries:
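Rather than checking Internet Settings by hand after either method, the following script (an added example, not part of the original post or of MEM) reports every zone assignment on the device and whether it came from the user-editable ZoneMap used by the script above or from the locked Site to Zone Assignment List policy. It assumes the ZoneMap\Domains keys shown earlier and the ZoneMapKey policy key under Software\Policies.

```powershell
# Added example: map zone numbers to the names used in the tables above.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEZoneAssignment {
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($hive in 'HKCU', 'HKLM') {
        # Entries written by the one-time script or by the user in Internet Settings:
        # one subkey per domain label (nested for subdomains), one value per scheme.
        $domains = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (Test-Path -Path $domains) {
            Get-ChildItem -Path $domains -Recurse | ForEach-Object {
                $key = $_
                # Domains\letsconfigmgr.com\www represents www.letsconfigmgr.com,
                # so reverse the relative key path to rebuild the host name.
                $parts = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
                [array]::Reverse($parts)
                foreach ($scheme in $key.GetValueNames()) {
                    if (-not $scheme) { continue }   # skip the unnamed default value
                    $zone = [int]$key.GetValue($scheme)
                    $results.Add([pscustomobject]@{
                        Host = ($parts -join '.'); Scheme = $scheme; Zone = $zone
                        ZoneName = $ZoneNames[$zone]; Source = "$hive ZoneMap (user editable)"
                    })
                }
            }
        }

        # Entries written by the Site to Zone Assignment List policy (full control method):
        # the value name is the site and the data is the zone number stored as a string.
        $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path -Path $policy) {
            $key = Get-Item -Path $policy
            foreach ($site in $key.GetValueNames()) {
                if (-not $site) { continue }
                $zone = [int]$key.GetValue($site)
                $results.Add([pscustomobject]@{
                    Host = $site; Scheme = '(policy)'; Zone = $zone
                    ZoneName = $ZoneNames[$zone]; Source = "$hive policy (locked)"
                })
            }
        }
    }
    return $results
}

# Show only Trusted Sites assignments, e.g. to confirm letsconfigmgr.com landed in zone 2.
Get-IEZoneAssignment | Where-Object Zone -eq 2 | Format-Table -AutoSize
```

Run it in the same user context the deployment targeted; a site that appears with a "policy (locked)" source will not be editable from Internet Settings regardless of what the user ZoneMap contains.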
Notes
A quick note on PowerShell scripts: once a script has run successfully, it won't execute again, so be aware of this if an end user removes an entry. The only way to execute a previously successful script again is to edit the existing script and re-upload it, or to create a new script with the same contents and redeploy it.
Additionally, if you're also using security baselines within MEM, I have discovered that the Windows 10 MDM baseline for May 2019 will, with its default settings applied, block the ability for end users to add \ edit \ remove \ view trusted sites. If you want end users to retain this ability, the following settings need to be edited within the baseline:
- Internet Explorer security zones use only machine settings = Disabled
- Internet Explorer users adding sites = Enabled
- Internet Explorer users changing policies = Enabled
Be sure to check the above settings with your security team to ensure that there are no security concerns before making changes to the security baselines and ensure that all settings have been tested fully prior to rolling out to production clients.