Two ways to set trusted locations and UNC paths using Intune

Introduction

In this scenario we have the problem that we want to access an SMB file share with an AAD device. This may be the case if you are still dependent on this server in a larger project. It becomes particularly problematic if an application needs to access this share. So we need to set trusted locations on the client device.

Security Warning Message

The following security message may appear in the background without the user noticing. Two different ways of dealing with this problem are explained here.

Why manage with Microsoft Intune?

The answer is obvious: We can simply distribute the configuration globally or granularly by group assignment and monitor their configuration status. We simply reduce the administration effort many times over! Since we don’t have a local domain controller, we can do this with the Intune Portal. We do nothing but the following configurations in the Internet options:

Using PowerShell Script

There is the first possibility to set the configurations via scripts. I have made a combined version for you once. From this you can also tinker together the individual functions. To set your servers as trusted, you only change the IP addresses.

This script must be executed on the device with administrative privileges!

Path to Internet Options Registry
$regPath = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
Name of the DWORD value
$valueName = "UNCAsIntranet"
Enabled value
$enabledValue = 1
Disabled value
$disabledValue = 0
List of server IP addresses to be added to the local intranet zone
$serverIPs = @("192.168.100.3", "192.168.100.2")
Check if the registry path exists, and create it if necessary
if ((Test-Path $regPath) -eq $false) {
try {
New-Item -Path $regPath -Force | Out-Null
Write-Host "Registry path created: $regPath"
} catch {
Write-Host "Failed to create registry path: $_"
exit 1
}
}
Set the registry value
try {
Set-ItemProperty -Path $regPath -Name $valueName -Value $enabledValue -Type DWORD -Force | Out-Null
Write-Host "Registry value '$valueName' set to '$enabledValue'"
} catch {
Write-Host "Failed to set registry value: $_"
exit 1
}
Add server IP addresses to the local intranet zone
foreach ($ip in $serverIPs) {
$zoneKey = "$regPath\Domains\$ip"
try {
New-Item -Path $zoneKey -Force | Out-Null
Set-ItemProperty -Path $zoneKey -Name "*" -Value $enabledValue -Type DWORD -Force | Out-Null
Write-Host "Added IP address '$ip' to the local intranet zone."
} catch {
Write-Host "Failed to add IP address '$ip' to the local intranet zone: $_"
}
}
Update Internet Explorer processes
$ieProcesses = Get-Process | Where-Object { $_.ProcessName -eq "iexplore" -or $_.ProcessName -eq "explorer" }
foreach ($process in $ieProcesses) {
$process.Refresh()
}
Write-Host "The 'Include all network paths (UNC)' checkbox was set accordingly.."

This script can now be released and rolled out in Intune to the device group you selected

Important: Make sure that the script is not executed with the logged in User. Use system context to run the script

Using the Intune configuration profile

So we go to the Intune configuration profile menu:

We select Windows 10 and later, and can enter the configuration with the Settings catalog. It is also possible with the Administrative Templates, this is optional.

We now start searching for our desired functions. These are:
Site to Zone Assignment List and Intranet Sites: Include all network paths (UNCs)

It should look something like this:

Value – A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

You should see the final result here:

Possible malfunction

It is possible that the set hook will fall out again without a specifically recognizable pattern. In this case, it is worthwhile to take a look at the security baselines. You can also find a configuration there, which might cause problems for us. You can find a detailed configuration catalog for the Internet Explorer there again!

Conclusion

This simple method allows administrators to store trusted servers in the Internet Options on the local intranet. This can be handy if you want to access an SMB or UNC share provided by linux from a Windows machine.

Recent Posts

Lars Omlin

Writer & Blogger

Be the First in Line!

Sign up for a Newsletter.

You have been successfully Subscribed! Ops! Something went wrong, please try again.

© 2023 Copyright