Use Remediations to set Security Zones.

The Why:

When adding Security Zones like Intranet Sites or Trusted Sites using the Settings Catalog, the site lists in Internet Options become grayed out and users are no longer able to add their own sites to them. This may be fine in some environments but not so much in others.

In order to set Security Zones and still allow users to add their own sites to the lists, we can use Intune remediations as described below: the scripts only create and check the registry entries for the sites you manage, so entries users add themselves are left untouched.

The How:

First make sure that you know about the different Security Zones and how to create and use remediations in Intune.

Next up, download the detection & remediation scripts from Github or copy them from here.

The detection script:

# Template for Remediations

# Try-Catch for error handling
Try {
    # After you export the RegKey, be sure you copy/paste it HERE: https://reg2ps.azurewebsites.net/
    # This will create the detection script and the remediation script.
    # Reg2CI (c) 2021 by Roger Zander

    # Each ZoneMap subkey must exist; a missing key means non-compliant (Exit 1)
    if(-NOT (Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\computer")){ Exit 1 };
    if(-NOT (Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\intranet")){ Exit 1 };
    if(-NOT (Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\trusted")){ Exit 1 };
    if(-NOT (Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\internet")){ Exit 1 };
    if(-NOT (Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\restricted")){ Exit 1 };

    # The 'https' value must carry the expected zone number (0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted)
    if((Get-ItemPropertyValue -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\computer' -Name 'https' -ea SilentlyContinue) -eq 0) {  } else { Exit 1 };
    if((Get-ItemPropertyValue -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\intranet' -Name 'https' -ea SilentlyContinue) -eq 1) {  } else { Exit 1 };
    if((Get-ItemPropertyValue -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\trusted' -Name 'https' -ea SilentlyContinue) -eq 2) {  } else { Exit 1 };
    if((Get-ItemPropertyValue -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\internet' -Name 'https' -ea SilentlyContinue) -eq 3) {  } else { Exit 1 };
    if((Get-ItemPropertyValue -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\restricted' -Name 'https' -ea SilentlyContinue) -eq 4) {  } else { Exit 1 };

    # Reaching the end of the Try block returns exit code 0 (compliant)
}Catch{
    # Captures and reports the exception errors of the script
    Write-Host $_.Exception
    Exit 2000
}

The remediation script:

# Template for Remediations

# Try-Catch for error handling
Try {
    # After you export the RegKey, be sure you copy/paste it HERE: https://reg2ps.azurewebsites.net/
    # This will create the detection script and the remediation script.
    # Reg2CI (c) 2021 by Roger Zander

    # Create any missing ZoneMap subkeys
    if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\computer") -ne $true) {  New-Item "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\computer" -force -ea SilentlyContinue };
    if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\intranet") -ne $true) {  New-Item "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\intranet" -force -ea SilentlyContinue };
    if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\trusted") -ne $true) {  New-Item "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\trusted" -force -ea SilentlyContinue };
    if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\internet") -ne $true) {  New-Item "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\internet" -force -ea SilentlyContinue };
    if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\restricted") -ne $true) {  New-Item "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\restricted" -force -ea SilentlyContinue };

    # Write the 'https' zone value for each subkey (DWord, overwriting any existing value)
    New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\computer' -Name 'https' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue;
    New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\intranet' -Name 'https' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue;
    New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\trusted' -Name 'https' -Value 2 -PropertyType DWord -Force -ea SilentlyContinue;
    New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\internet' -Name 'https' -Value 3 -PropertyType DWord -Force -ea SilentlyContinue;
    New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\restricted' -Name 'https' -Value 4 -PropertyType DWord -Force -ea SilentlyContinue;

}Catch{
    # Captures and reports the exception errors of the script
    Write-Host $_.Exception
    Exit 2000
}

Running the detection script checks the registry for the Security Zone entries defined in the script. If every key exists and its "https" value matches the expected zone number, the script exits with code 0 and Intune does nothing more. If a key or value is missing or wrong, the script exits with code 1 (or 2000 if an exception was thrown), and Intune then runs the remediation script.

Running the remediation script creates the registry keys and values in the current user's hive. You can check the different Security Zones by opening "Internet Options" and going through the different site lists (or by checking the registry).

When you have modified the scripts to fit your needs, create the remediation in Intune, upload the scripts and configure it as follows:

And I highly suggest that you target "All Users" or an AAD group containing users (if you absolutely have to), as these settings are written to the current user hive.

Also make sure to configure your assignment to run on the schedule that suits you. I have set mine to run daily.

Tip:

If you already have a registry key with all your Security Zones available, you can use this nifty tool to quickly convert the URLs into PowerShell and copy/paste the result into your script. Just remember to replace the return $false with Exit 1 at the end of each line in the Detection script.
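The two generated scripts above repeat one line per site and per scheme, which gets unwieldy once the list grows and makes it easy to miss a line when converting the return $false entries. As an added example (not the post's own scripts, nor output of the Reg2CI tool), here is a table-driven version of the same detection/remediation pair: one file, with a $Remediate switch at the top, that checks or writes both the http and https values for every managed site and leaves any other ZoneMap entries (the ones users add themselves) alone. The domain names in $DesiredZones are constructed placeholders; the registry path and zone numbers are the same ones the post's scripts use. Because Intune does not pass parameters to remediation scripts, upload it twice: once unchanged as the detection script and once with $Remediate set to $true as the remediation script, and since it writes to HKCU, set "Run this script using the logged-on credentials" to Yes when creating the remediation.

```powershell
# Added example: table-driven Security Zone detection/remediation for Intune.
# Upload as-is for detection; flip $Remediate to $true in the remediation copy.
$Remediate = $false

# Zone numbers used by ZoneMap: 0 Local Machine, 1 Local Intranet,
# 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
$Zone = @{ LocalMachine = 0; Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }

# Desired state (constructed placeholder entries; replace with your own sites).
# Key = path below ZoneMap\Domains: 'domain' covers *.domain, 'domain\host' covers host.domain.
$DesiredZones = @{
    'example.com'        = $Zone.Intranet    # *.example.com      -> Local Intranet
    'example.com\portal' = $Zone.Trusted     # portal.example.com -> Trusted Sites
    'example.net\legacy' = $Zone.Restricted  # legacy.example.net -> Restricted Sites
}
$Schemes     = @('http', 'https')
$ZoneMapRoot = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Returns $true when the key exists and the scheme value already holds the expected zone.
function Test-ZoneEntry {
    param([string]$Path, [string]$Scheme, [int]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $current = Get-ItemPropertyValue -LiteralPath $Path -Name $Scheme -ErrorAction SilentlyContinue
    return ($null -ne $current -and [int]$current -eq $Expected)
}

# Creates the key if needed and writes the scheme value as a DWord.
function Set-ZoneEntry {
    param([string]$Path, [string]$Scheme, [int]$Value)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name $Scheme -Value $Value -PropertyType DWord -Force | Out-Null
}

try {
    $drift = @()
    foreach ($entry in $DesiredZones.GetEnumerator()) {
        $path = Join-Path $ZoneMapRoot $entry.Key
        foreach ($scheme in $Schemes) {
            if (-not (Test-ZoneEntry -Path $path -Scheme $scheme -Expected $entry.Value)) {
                $drift += "$($entry.Key) [$scheme] should be zone $($entry.Value)"
                if ($Remediate) { Set-ZoneEntry -Path $path -Scheme $scheme -Value $entry.Value }
            }
        }
    }

    # Exit codes follow the Intune remediation convention: 0 compliant/remediated, 1 non-compliant.
    if ($drift.Count -eq 0) {
        Write-Host "Compliant: all $($DesiredZones.Count) managed ZoneMap entries present"
        Exit 0
    }
    if ($Remediate) {
        Write-Host "Remediated: $($drift -join '; ')"
        Exit 0
    }
    Write-Host "Non-compliant: $($drift -join '; ')"
    Exit 1
}
catch {
    Write-Host $_.Exception.Message
    Exit 2000
}
```

The Write-Host lines show up in the remediation's device status output in Intune, so a non-compliant device lists exactly which site and scheme drifted, which is handy when checking whether a user (or another policy) changed a managed entry.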
