May 04 2020 09:11 AM
I have a config policy that allows 3 trusted sites in IE, however this blocks the user from adding there own if they want to. Is there a way to allow users to edit the trusted sites list while having this config profile enabled? or does this profile lock it down?
May 04 2020 04:24 PM - edited May 04 2020 04:26 PM
You have to add it from your side whether using Intune Administrative templates or OMI profile (like your screenshot), which makes it grayed out for end user.
The only workaround is to run Intune PS and add Trusted Sites registries that you want to add. With this option, the user can still add sites from his end (check screenshot) Example of Registry in PS:
Hope this helps!
Moe
$RegLoc1 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com"
$RegLoc2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\child"
$Name = "https"
New-Item -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com"
New-Item -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\child"
New-ItemProperty -Path $RegLoc2 -Name $Name -PropertyType Dword -Value 2
May 05 2020 06:46 AM
Apr 03 2021 05:49 PM
Hi Moe,
I have pushed the PS script and can confirm it did create the registry keys as intended, however:
1- Users are still unable to modify or add new trusted sites.
2- Although the keys can be viewed in the registry, they are NOT showing up in "Internet Options", Trusted Sites.
Any suggestions?
Apr 05 2021 12:06 AM
Apr 05 2021 11:49 AM
Apr 06 2021 01:08 AM
Apr 06 2021 04:43 AM - edited Apr 06 2021 04:44 AM
The first thing to check if the OLD CSP is no longer tattooed to the device
Open the registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\
Best practise is to make sure the CSP is configured to disabled
When I configure the setting to disabled/ within a few minutes I can add websites again.
After you can add website manually again, you can add them with the powershell script mentioned earlier
$RegLoc1 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com"
$RegLoc2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\child"
$Name = "https"
New-Item -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com"
New-Item -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\child"
New-ItemProperty -Path $RegLoc2 -Name $Name -PropertyType Dword -Value 2
Apr 06 2021 10:12 AM
Hi Rudy,
Although the old CSP was deleted a while ago, we still see the below keys. I can confirm that if/when I delete the keys, I would be able to add the trusted sites, however, as soon as I sync with Intune, all the keys do come back!!
Checking the Intune sites, the CSP has been removed, so not sure how the keys are getting the old values.
Please review the keys that show the old values after re-syncing with Intune.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\InternetExplorer
---
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\0FA8DA3E-8FE8-4E82-B46C-450D345BE532\default\Device\InternetExplorer
---
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\6604
---
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
--
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
--
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
---
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit
Jan 06 2022 10:58 AM