Thursday, May 24, 2012

Windows 7 Trusted Sites for all users - Active Setup

On a recent deployment of laptops I needed to add a certain domain to trusted sites for all user accounts (local and domain) on a number of domain attached computers.  Idealy I would use GPO to do this, but I also had to hit the local user accounts (in fact, local accounts would be used almost exclusively for these laptops).

With Windows XP we could do this by adding the proper keys to HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\etc.  This would apply the domain to the trusted sites for all users on the computer (note that the site was not visible in Internet Options, but still applied), but in Windows 7 the HKLM option doesn't work anymore.  Of course adding the value to HKCU functioned the same as in the past, but I can't do this for each local account all on these computers. Not to mention should I ever need to change it.

Note: There is a GPO to add trusted sites, but when it's enabled it removes the ability for the end user to then add to the list (greyed out).

After poking around I found several mentions of using Active Setup which sounded very promising.  Only problem was no one (that I read) really points out how to use it.

To start, here's a great writeup of what Active Setup is:
And this wiki site briefly hits on it:

But again, neither of these really says how to use it.  So, by looking at the sites above we get a brief rundown of how it works.  blah blah blah by checking on user logon the values in the HKCU with the values in HKLM it knows if it's been applied and runs if it hasn't.

Cool, so if we add a value to HKLM and it hasn't be added to HKCU then it applies, yeah!  Even better, we CAN manage HKLM from GPO.  So, using Active Setup we can apply settings to the Local Users using Computer Configuration GPO's.

To add an Active Setup key:
  1. Navigate to regedit
  2. HKLM\Software\Microsoft\Active Setup\Installed Components
  3. Here you see the list of GUID's from other software / setups
  4. Add a new key, in my example I'm going to call it {newtrustedsite}.  It can be called anything, but has to be unique (duh)
  5. Within this add a new string value named "Version"
  6. Give Version a value, but don't use period.  Use commas instead. For instance "1,0,1"
  7. New string named "StubPath". Here what you want it to do.  Could be an application to execute, script, other cmd line something.
  8. We're going to add a trusted site so my StubPath looks like this "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" /v https /d 2 /t REG_DWORD /f

All done.

User logs in and it detects that it hasn't been "installed" and runs the command adding the key.  Now the user checks his trusted sites via the GUI and see's it and can even modify (to include delete the key you just added).  When you want to updated the key you just make your changes to the StubPath and increment the Version value.

Now to push via GPO you just use either an adm or push with registry preferences under Computer Configuration.


  1. We're a bunch of volunteers and opening a new scheme in our community. Your web site offered us with helpful information to work on. You've done an impressive
    process and our whole community might be grateful to you.
    My web site - MS Surface Price

  2. This is awesome but actually, you do need the brackets.

  3. Thanks for pointing it out. I corrected.

  4. Aaron,
    Building on your work I wrote this SCCM-based Powershell script and wanted to share it:

    # The following line sets the path to Active Setup registry keys - do not change this
    $ACTIVESETUPREG = "HKLM:\Software\Microsoft\Active Setup\Installed Components\"
    # The following line sets an array of sites that should be added to Trusted Sites - this should be modified
    $SITES = @("","","")
    Foreach($SITE in $SITES){
    $stubpath = 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\'
    # The following line can be modified if the sites are HTTPS or HTTP however be careful with the quotes or the string will not be formed correctly
    $argument = '" /v http /d 2 /t REG_DWORD /f'
    $completecommand = $stubpath + $SITE + $argument
    set-location $ACTIVESETUPREG
    If(!(Test-Path $SITE)){
    new-item $SITE -Force}
    set-location $SITE
    New-ItemProperty . -Name "Version" -Value "1,0" -PropertyType String -Force
    New-ItemProperty . -Name "StubPath" -Value "$completecommand" -PropertyType String -Force
    The magic behind Active Setup is that each time a user logs in, Windows examines the contents of this registry section to see if the "Installed Components" have been executed for the current user. If they have not then they are executed. In this way, every user on the computer will get the settings however any Trusted Sites the users has set will remain and the user will retain the ability to modify the list. Now of course if the user removes one or all of the sites you added this way they will not get them back. It is also possible to read a site list from a text file rather than encoding the list into the script. This is especially useful if you need to add new sites over time.
    Remember that when you deploy this script via SCCM, you will need to create a package with three programs and make the programs dependent. The programs should have the following command lines:
    powershell Set-ExecutionPolicy Unrestricted -force
    powershell .\scriptname.ps1
    powershell Set-ExecutionPolicy Restricted -force
    Deploy the restricted program and make sure it is set to run the script program first and then in the script program you have to have it set to run the unrestricted program first. In this way you will allow the unsigned script to run and when the script is finished you will restore your security settings. Of course if you sign the script with a signing certificate then you won't have to use these extra programs.