Forum Discussion

ablake2035's avatar
ablake2035
Copper Contributor
May 04, 2020

intune manage IE trusted sites

I have a config policy that allows 3 trusted sites in IE, however this blocks the user from adding there own if they want to. Is there a way to allow users to edit the trusted sites list while having...
Intune
mobile device management (mdm)
SamSONACA's avatar
SamSONACA
Copper Contributor
Apr 04, 2021

Moe_Kinani 

 

Hi Moe,

 

I have pushed the PS script and can confirm it did create the registry keys as intended, however:

1- Users are still unable to modify or add new trusted sites.

2- Although the keys can be viewed in the registry, they are NOT showing up in "Internet Options", Trusted Sites.

 

Any suggestions?

Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Apr 06, 2021

SamSONACA 

 

The first thing to check if the OLD CSP is no longer tattooed to the device

Open the registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\

Best practise is to make sure the CSP is configured to disabled 

When I configure the setting to disabled/ within a few minutes I can add websites again.

After you can add website manually again, you can add them with the powershell script mentioned earlier

 

$RegLoc1 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com"

$RegLoc2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\child"

$Name = "https"

New-Item -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com"

New-Item -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\child"

 

New-ItemProperty -Path $RegLoc2 -Name $Name -PropertyType Dword -Value 2

 

 

 

 

 

  • SamSONACA's avatar
    SamSONACA
    Copper Contributor
    Apr 06, 2021

    Rudy_Ooms_MVP 

     

    Hi Rudy,

     

    Although the old CSP was deleted a while ago, we still see the below keys.  I can confirm that if/when I delete the keys, I would be able to add the trusted sites, however, as soon as I sync with Intune, all the keys do come back!!

     

    Checking the Intune sites, the CSP has been removed, so not sure how the keys are getting the old values.

     

    Please review the keys that show the old values after re-syncing with Intune.

     

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\InternetExplorer
    ---
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\0FA8DA3E-8FE8-4E82-B46C-450D345BE532\default\Device\InternetExplorer
    ---
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\6604
    ---
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
    --
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    --
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
    ---
    Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit

     

     

Resources