PowerShell: Add Root Domain to Trusted Sites

Windows Servers are often run in a hardened administrative configuration (Internet Explorer's Enhanced Security Configuration), in which access to external websites is tightly restricted. When a known-good site must be reachable anyway, the approach below does the job: copy/paste this function to add the site's root domain to the 'Trusted sites' zone.

The intention is to preempt this type of error from Internet Explorer (this one came from a CRM Internet-Facing Deployment sign-in page):

An error occurred. Contact your administrator for more information. 
Error details
•Activity ID: 08532cac-edff-4b9f-e768-0080000000cd
•Relying party: KimConnect CRM IFD Relying Party Trust
•Error time: Sat, 11 Jul 2020 23:38:40 GMT
•Cookie: enabled
•User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
function addDomainToTrustedSites($url){
    $httpType=([uri]$url).Scheme          # 'http' or 'https'; this becomes the value name under the domain key
    $domain=([uri]$url).Host
    $rootDomain=$domain.Split('.')[-2..-1] -join '.' # Assumes a one-dotted TLD (e.g. .com), not a two-dotted one (e.g. .co.uk)
        # The more advanced function to retrieve this value is at https://kimconnect.com/powershell-extract-root-domain-from-url
    $dwordValue=2 # zone number: 2 = Trusted sites (see the zone table in allowActiveX)
    $domainRegistryPath='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    # The EscDomains key applies to those protocols that are affected by the Enhanced Security Configuration (ESC)
    $domainRegistryPath2='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
    # Create the per-domain key under both Domains and EscDomains before writing to it;
    # -Force also creates the EscDomains parent key when it does not exist yet
    foreach($keyPath in "$domainRegistryPath\$rootDomain","$domainRegistryPath2\$rootDomain"){
        if(!(Test-Path $keyPath)){$null=New-Item -Path $keyPath -Force}
        Set-ItemProperty -Path $keyPath -Name $httpType -Value $dwordValue -Type DWord
    }

    # Also add the {about:blank} record as that doesn't seem to have been added by default
    foreach($keyPath in "$domainRegistryPath\blank","$domainRegistryPath2\blank"){
        if(!(Test-Path $keyPath)){
            $null=New-Item -Path $keyPath -Force
            Set-ItemProperty -Path $keyPath -Name 'about' -Value $dwordValue -Type DWord
        }
    }

    # Read the values back to confirm that both keys now map the scheme to zone 2
    $valueAfterChanged=(Get-ItemProperty "$domainRegistryPath\$rootDomain")."$httpType"
    $value2AfterChanged=(Get-ItemProperty "$domainRegistryPath2\$rootDomain")."$httpType"
    if ($valueAfterChanged -eq 2 -and $value2AfterChanged -eq 2){
        Write-Host "$rootDomain has been added to Internet Explorer trusted sites"
        return $true
    }
    else{
        Write-Warning "$rootDomain has NOT been added to Internet Explorer trusted sites."
        return $false
    }
}

function allowActiveX($zone){
    #Source: http://support.microsoft.com/KB/182569
    #Value    Setting
    #------------------------------
    #0        My Computer
    #1        Local Intranet Zone
    #2        Trusted sites Zone
    #3        Internet Zone
    #4        Restricted Sites Zone
    $zonePath="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    #Each setting is a DWORD named by its hex ID; the value is 0 = Enable, 1 = Prompt, 3 = Disable
    #ActiveX controls and plug-ins: Allow ActiveX Filtering = Enable (2702)
    $null=New-ItemProperty -Path $zonePath -Name '2702' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Allow previously unused ActiveX controls to run without prompt = Enable (1208)
    $null=New-ItemProperty -Path $zonePath -Name '1208' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Allow Scriptlets = Enable (1209)
    $null=New-ItemProperty -Path $zonePath -Name '1209' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Automatic prompting for ActiveX controls = Disable (2201)
    $null=New-ItemProperty -Path $zonePath -Name '2201' -Value 3 -Type DWord -Force
    #ActiveX controls and plug-ins: Binary and script behaviors = Enable (2000)
    $null=New-ItemProperty -Path $zonePath -Name '2000' -Value 0 -Type DWord -Force
    #Display video and animation on a webpage that does not use external media player = Enable (120A)
    $null=New-ItemProperty -Path $zonePath -Name '120A' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Download signed ActiveX controls = Enable (1001)
    $null=New-ItemProperty -Path $zonePath -Name '1001' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Download unsigned ActiveX controls = Enable (1004)
    $null=New-ItemProperty -Path $zonePath -Name '1004' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Initialize and script ActiveX controls not marked as safe for scripting = Enable (1201)
    $null=New-ItemProperty -Path $zonePath -Name '1201' -Value 0 -Type DWord -Force
    #Only allow approved domains to use ActiveX without prompt = Disable (120B)
    $null=New-ItemProperty -Path $zonePath -Name '120B' -Value 3 -Type DWord -Force
    #ActiveX controls and plug-ins: Run ActiveX controls and plug-ins = Enable (1200)
    $null=New-ItemProperty -Path $zonePath -Name '1200' -Value 0 -Type DWord -Force
    #ActiveX controls and plug-ins: Script ActiveX controls marked as safe for scripting = Enable (1405)
    $null=New-ItemProperty -Path $zonePath -Name '1405' -Value 0 -Type DWord -Force
}

$url='https://crm.kimconnect.com' # example URL with a one-dotted TLD, which the short version above assumes
addDomainToTrustedSites $url
allowActiveX -zone '2'

This is the longer version, which accommodates many of the currently known top-level domain suffixes (including two-dotted ones such as .co.uk or .com.vn). It is advisable to refactor this snippet into the 'production' code base instead of the shorter version above.

$url='https://crm.kimconnect.com.vn'

$domainsDictionary=@{
    '.ac'='Ascension Island'
    '.ac.uk'='Second-level domain for United Kingdom (.uk) and most often used for academic sites.'
    '.ad'='Andorra'
    '.ae'='United Arab Emirates'
    '.aero'='Air Transportation Industry'
    '.af'='Afghanistan'
    '.ag'='Antigua and Barbuda'
    '.ai'='Anguilla'
    '.al'='Albania'
    '.am'='Armenia'
    '.an'='Netherlands Antilles'
    '.ao'='Angola'
    '.aq'='Antarctica'
    '.ar'='Argentina'
    '.arpa'='Internet infrastructure TLD'
    '.as'='American Samoa'
    '.asia'='Asian countries'
    '.at'='Austria'
    '.au'='Australia'
    '.aw'='Aruba'
    '.ax'='Aland Islands - part of Finland'
    '.az'='Azerbaijan'
    '.ba'='Bosnia and Herzegovina'
    '.bb'='Barbados'
    '.bd'='Bangladesh'
    '.be'='Belgium'
    '.bf'='Burkina Faso'
    '.bg'='Bulgaria'
    '.bh'='Bahrain'
    '.bi'='Burundi'
    '.biz'='United States business site.'
    '.bj'='Benin'
    '.bm'='Bermuda'
    '.bn'='Brunei Darussalam'
    '.bo'='Bolivia'
    '.br'='Brazil'
    '.bs'='Bahamas'
    '.bt'='Bhutan'
    '.bv'='Bouvet Island'
    '.bw'='Botswana'
    '.by'='Belarus and Byelorussia'
    '.bz'='Belize'
    '.ca'='Canada'
    '.cat'='Catalan'
    '.cc'='Cocos Islands - Keelings'
    '.cd'='Democratic Republic of the Congo'
    '.cf'='Central African Republic'
    '.cg'='Congo'
    '.ch'='Switzerland'
    '.ci'='Cote d''Ivoire'
    '.ck'='Cook Islands'
    '.cl'='Chile'
    '.cm'='Cameroon'
    '.cn'='China'
    '.co'='Colombia'
    '.co.uk'='Second-level domain for United Kingdom (.uk) and most often used for commercial sites.'
    '.com'='United States commercial website.'
    '.coop'='Business cooperatives and organizations.'
    '.cr'='Costa Rica'
    '.cs'='Former Czechoslovakia'
    '.cu'='Cuba'
    '.cv'='Cape Verde'
    '.cw'='Curaçao'
    '.cx'='Christmas Island'
    '.cy'='Cyprus'
    '.cz'='Czech Republic'
    '.dd'='East Germany'
    '.de'='Germany'
    '.dj'='Djibouti'
    '.dk'='Denmark'
    '.dm'='Dominica'
    '.do'='Dominican Republic'
    '.dz'='Algeria'
    '.ec'='Ecuador'
    '.edu'='United States education site.'
    '.ee'='Estonia'
    '.eg'='Egypt'
    '.eh'='Western Sahara'
    '.er'='Eritrea'
    '.es'='Spain'
    '.et'='Ethiopia'
    '.eu'='European Union'
    '.fi'='Finland'
    '.firm'='Internet site for business or firm.'
    '.fj'='Fiji'
    '.fk'='Falkland Islands and Malvinas'
    '.fm'='Micronesia'
    '.fo'='Faroe Islands'
    '.fr'='France'
    '.fx'='Metropolitan France'
    '.ga'='Gabon'
    '.gb'='Great Britain'
    '.gd'='Grenada'
    '.ge'='Georgia'
    '.gf'='French Guiana'
    '.gg'='Guernsey'
    '.gh'='Ghana'
    '.gi'='Gibraltar'
    '.gl'='Greenland'
    '.gm'='Gambia'
    '.gn'='Guinea'
    '.gov'='United States Government site.'
    '.gov.uk'='Second-level domain for United Kingdom (.uk) and most often used for government sites.'
    '.gp'='Guadeloupe'
    '.gq'='Equatorial Guinea'
    '.gr'='Greece'
    '.gs'='South Georgia and South Sandwich Islands.'
    '.gt'='Guatemala'
    '.gu'='Guam'
    '.gw'='Guinea-Bissau'
    '.gy'='Guyana'
    '.hk'='Hong Kong'
    '.hm'='Heard and McDonald Islands'
    '.hn'='Honduras'
    '.hr'='Croatia/Hrvatska'
    '.ht'='Haiti'
    '.hu'='Hungary'
    '.id'='Indonesia'
    '.ie'='Ireland'
    '.il'='Israel'
    '.im'='Isle of Man'
    '.in'='India'
    '.info'='United States information site with no restrictions.'
    '.int'='International institute site.'
    '.io'='British Indian Ocean Territory'
    '.iq'='Iraq'
    '.ir'='Iran'
    '.is'='Iceland'
    '.it'='Italy'
    '.je'='Jersey - Channel Islands a UK dependency'
    '.jm'='Jamaica'
    '.jo'='Jordan'
    '.jobs'='Job related sites.'
    '.jp'='Japan'
    '.ke'='Kenya'
    '.kg'='Kyrgyzstan'
    '.kh'='Cambodia'
    '.ki'='Kiribati'
    '.km'='Comoros'
    '.kn'='Saint Kitts and Nevis'
    '.kp'='North Korea'
    '.kr'='South Korea'
    '.kw'='Kuwait'
    '.ky'='Cayman Islands'
    '.kz'='Kazakhstan'
    '.la'='Laos'
    '.lb'='Lebanon'
    '.lc'='Saint Lucia'
    '.li'='Liechtenstein'
    '.lk'='Sri Lanka'
    '.lr'='Liberia'
    '.ls'='Lesotho'
    '.lt'='Lithuania'
    '.ltd.uk'='Second-level domain for United Kingdom (.uk) and most often used for limited company sites.'
    '.lu'='Luxembourg'
    '.lv'='Latvia'
    '.ly'='Libya'
    '.ma'='Morocco'
    '.mc'='Monaco'
    '.md'='Moldova'
    '.me'='Montenegro'
    '.me.uk'='Second-level domain for United Kingdom (.uk) and most often used for personal sites.'
    '.mg'='Madagascar'
    '.mh'='Marshall Islands'
    '.mil'='United States Military site.'
    '.mk'='Macedonia'
    '.ml'='Mali'
    '.mm'='Myanmar'
    '.mn'='Mongolia'
    '.mo'='Macau'
    '.mobi'='Mobile devices'
    '.mod.uk'='Second-level domain for United Kingdom (.uk) and most often used for ministry of defence sites.'
    '.mp'='Northern Mariana Islands'
    '.mq'='Martinique'
    '.mr'='Mauritania'
    '.ms'='Montserrat'
    '.mt'='Malta'
    '.mu'='Mauritius'
    '.museum'='Worldwide museums'
    '.mv'='Maldives'
    '.mw'='Malawi'
    '.mx'='Mexico'
    '.my'='Malaysia'
    '.mz'='Mozambique'
    '.na'='Namibia'
    '.name'='Individual and family names'
    '.nato'='NATO site.'
    '.nc'='New Caledonia'
    '.ne'='Niger'
    '.net'='United States Internet administrative site. See the .net definition for alternative definitions.'
    '.net.uk'='Second-level domain for United Kingdom (.uk) and most often used for network company sites.'
    '.nf'='Norfolk Island'
    '.ng'='Nigeria'
    '.nhs.uk'='Second-level domain for United Kingdom (.uk) and most often used for national health service institutions'
    '.ni'='Nicaragua'
    '.nl'='Netherlands'
    '.no'='Norway'
    '.nom'='Personal site'
    '.np'='Nepal'
    '.nr'='Nauru'
    '.nt'='Neutral Zone'
    '.nu'='Niue'
    '.nz'='New Zealand'
    '.om'='Oman'
    '.org'='Organization (non-profit) sites.'
    '.org.uk'='Second-level domain for United Kingdom (.uk) and most often used for non-profit sites.'
    '.pa'='Panama'
    '.pe'='Peru'
    '.pf'='French Polynesia'
    '.pg'='Papua New Guinea'
    '.ph'='Philippines'
    '.pk'='Pakistan'
    '.pl'='Poland'
    '.plc.uk'='Second-level domain for United Kingdom (.uk) and most often used for public limited company sites.'
    '.pm'='St. Pierre and Miquelon'
    '.pn'='Pitcairn'
    '.post'='sTLD (sponsored top-level domain) available exclusively for the postal sector.'
    '.pr'='Puerto Rico'
    '.pro'='United States professional site for accountants'
    '.ps'='Palestinian territories'
    '.pt'='Portugal'
    '.pw'='Palau'
    '.py'='Paraguay'
    '.qa'='Qatar'
    '.re'='Reunion'
    '.ro'='Romania'
    '.rs'='Republic of Serbia'
    '.ru'='Russian Federation'
    '.rw'='Rwanda'
    '.sa'='Saudi Arabia'
    '.sb'='Solomon Islands'
    '.sc'='Seychelles'
    '.sch.uk'='Second-level domain for United Kingdom (.uk) and most often used for school sites.'
    '.sd'='Sudan'
    '.se'='Sweden'
    '.sg'='Singapore'
    '.sh'='Saint Helena'
    '.si'='Slovenia'
    '.sj'='Svalbard and Jan Mayen Islands'
    '.sk'='Slovakia'
    '.sl'='Sierra Leone'
    '.sm'='San Marino'
    '.sn'='Senegal'
    '.so'='Somalia'
    '.sr'='Suriname'
    '.ss'='South Sudan'
    '.st'='Sao Tome and Principe'
    '.store'='United States domain for retail business site.'
    '.su'='Former USSR'
    '.sv'='El Salvador'
    '.sy'='Syria'
    '.sz'='Swaziland'
    '.tc'='Turks and Caicos Islands'
    '.td'='Chad'
    '.tel'='Internet communication services'
    '.tf'='French Southern Territory and Antarctic Lands.'
    '.tg'='Togo'
    '.th'='Thailand'
    '.tj'='Tajikistan'
    '.tk'='Tokelau'
    '.tl'='East Timor'
    '.tm'='Turkmenistan'
    '.tn'='Tunisia'
    '.to'='Tonga'
    '.tp'='East Timor'
    '.tr'='Turkey'
    '.travel'='Travel related sites.'
    '.tt'='Trinidad and Tobago'
    '.tv'='Tuvalu'
    '.tw'='Taiwan'
    '.tz'='Tanzania'
    '.ua'='Ukraine'
    '.ug'='Uganda'
    '.uk'='United Kingdom'
    '.um'='United States minor outlying islands.'
    '.us'='United States'
    '.uy'='Uruguay'
    '.uz'='Uzbekistan'
    '.va'='Vatican City State'
    '.vc'='Saint Vincent and the Grenadines'
    '.ve'='Venezuela'
    '.vg'='British Virgin Islands'
    '.vi'='United States Virgin Islands'
    '.vn'='Vietnam'
    '.com.vn'='Vietnam'
    '.vu'='Vanuatu'
    '.web'='Internet site about the World Wide Web.'
    '.wf'='Wallis and Futuna Islands'
    '.ws'='Samoa'
    '.xxx'='Adult entertainment domain'
    '.ye'='Yemen'
    '.yt'='Mayotte'
    '.yu'='Yugoslavia'
    '.za'='South Africa'
    '.zm'='Zambia'
    '.zr'='Zaire'
    '.zw'='Zimbabwe'
}
 
function getRootDomain($url){
    $domain=([uri]$url).Host
    # Keep only the two-dotted suffixes (e.g. .co.uk, .com.vn) that terminate the host name.
    # The dots are escaped so that '.' matches a literal dot rather than any character.
    $matchedTwoDottedDomain=$domainsDictionary.Keys|?{$_ -match '\.\w+\.'}|?{$domain -match ([regex]::Escape($_)+'$')}
    # Registrable part = the name label plus a one-label (2 parts) or two-label (3 parts) suffix
    $labelCount=if($matchedTwoDottedDomain){3}else{2}
    return ($domain.Split('.')[-$labelCount..-1] -join '.')
}

function addDomainToTrustedSites($url){
    $httpType=([uri]$url).Scheme          # 'http' or 'https'; this becomes the value name under the domain key
    $rootDomain=getRootDomain $url
    $dwordValue=2 # zone number: 2 = Trusted sites
    $domainRegistryPath='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    # The EscDomains key applies to those protocols that are affected by the Enhanced Security Configuration (ESC)
    $domainRegistryPath2='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
    # Create the per-domain key under both Domains and EscDomains before writing to it;
    # -Force also creates the EscDomains parent key when it does not exist yet
    foreach($keyPath in "$domainRegistryPath\$rootDomain","$domainRegistryPath2\$rootDomain"){
        if(!(Test-Path $keyPath)){$null=New-Item -Path $keyPath -Force}
        Set-ItemProperty -Path $keyPath -Name $httpType -Value $dwordValue -Type DWord
    }

    # Also add the {about:blank} record as that doesn't seem to have been added by default
    foreach($keyPath in "$domainRegistryPath\blank","$domainRegistryPath2\blank"){
        if(!(Test-Path $keyPath)){
            $null=New-Item -Path $keyPath -Force
            Set-ItemProperty -Path $keyPath -Name 'about' -Value $dwordValue -Type DWord
        }
    }

    # Read the values back to confirm that both keys now map the scheme to zone 2
    $valueAfterChanged=(Get-ItemProperty "$domainRegistryPath\$rootDomain")."$httpType"
    $value2AfterChanged=(Get-ItemProperty "$domainRegistryPath2\$rootDomain")."$httpType"
    if ($valueAfterChanged -eq 2 -and $value2AfterChanged -eq 2){
        Write-Host "$rootDomain has been added to Internet Explorer trusted sites"
        return $true
    }
    else{
        Write-Warning "$rootDomain has NOT been added to Internet Explorer trusted sites."
        return $false
    }
}
addDomainToTrustedSites $url
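As an added example that is not part of the original post: an audit and rollback companion to the function above, so that what has been mapped into the Trusted sites zone can be reviewed and a root domain added in error can be removed. The function names Get-IEZoneMap and Remove-IETrustedDomain are my own choice; the registry locations are the ones the script already writes to.

```powershell
# Added example (not from the original post): list the current user's ZoneMap
# assignments and remove the keys that addDomainToTrustedSites creates.
function Get-IEZoneMap {
    $zoneNames=@{0='My Computer';1='Local Intranet';2='Trusted Sites';3='Internet';4='Restricted Sites'}
    $base='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    foreach($bucket in 'Domains','EscDomains'){
        $root="$base\$bucket"
        if(!(Test-Path $root)){continue}
        $rootName=(Get-Item $root).Name   # e.g. HKEY_CURRENT_USER\...\ZoneMap\Domains
        # Keys nest per label: Domains\kimconnect.com and Domains\kimconnect.com\crm can both
        # exist, so the host name is the key path below the bucket with its labels reversed.
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key=$_
            $labels=$key.Name.Substring($rootName.Length+1) -split '\\'
            [array]::Reverse($labels)
            $hostName=$labels -join '.'
            foreach($valueName in $key.GetValueNames()){   # 'http', 'https', '*' or 'about'
                $zone=[int]$key.GetValue($valueName)
                [pscustomobject]@{
                    Bucket=$bucket; Host=$hostName; Scheme=$valueName
                    Zone=$zone; ZoneName=$zoneNames[$zone]
                }
            }
        }
    }
}

# Remove both ZoneMap keys for one root domain (the reverse of addDomainToTrustedSites)
function Remove-IETrustedDomain($rootDomain){
    $base='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    foreach($bucket in 'Domains','EscDomains'){
        $path="$base\$bucket\$rootDomain"
        if(Test-Path $path){
            Remove-Item -Path $path -Recurse
            Write-Host "Removed $bucket\$rootDomain"
        }
    }
}

# Show everything the current user has mapped to Trusted sites (zone 2)
Get-IEZoneMap | Where-Object Zone -eq 2 | Format-Table Bucket,Host,Scheme,ZoneName -AutoSize
```

Site-to-zone assignments pushed by Group Policy are stored separately under HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey and take precedence, so a domain that is absent from this listing may still be trusted by policy.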
