Configure URLs for Office 365 Using Group Policy and the Registry

By Michael Epping

Single sign-on with Office 365 requires that Internet Explorer on users' domain-joined workstations trust certain URLs, specifically that it place them in the Local intranet zone.  By default that is the only zone in which IE performs automatic logon with the current Windows session credentials, so if the ADFS endpoint is not in it the ADFS server can't log the user in with the Windows session credentials and will prompt them to re-enter their username and password.  In a larger environment the solution is to use Group Policy to push these URLs out to workstations automatically.  The most convenient way to configure the Intranet and Trusted Sites zones in Internet Explorer is the Internet Settings item in Group Policy Preferences.  The problem is that the Internet Settings preference item for Internet Explorer 10 only exists in the Group Policy Management Console that ships with Windows 8 and Server 2012; from a Server 2008 R2 or older console you can't create one for Windows 8 workstations.  When there are many Windows 8 workstations and only older domain controllers, the Group Policy settings become a little trickier.  Instead of the Internet Settings preference item we will configure the Intranet Zone by pushing the underlying registry entries with a Group Policy Preferences Registry item, which IE honours regardless of version.
  • Log onto a Domain Controller or another workstation with the Group Policy Management Console installed.  Open the console and expand your domain.
  • Create a new Group Policy Object.  I put mine on the OU my user accounts are in, but you could put it at the root of the domain if you have user accounts all over the place.  Because the setting lives in User Configuration, the GPO has to apply to the user objects, not the computer objects.
  • Choose a name and click OK.  I chose "Office 365 URLs"
  • Right-click the new GPO you created and choose Edit.  This opens the Group Policy Management Editor console.
  • Go to User Configuration --> Preferences --> Windows Settings --> Registry.  Right-click in the Registry node and select New --> Registry Item.
  • In the New Registry Properties dialog set Action to Update (Update creates the key and value if they don't exist yet and overwrites them if they do).
  • Set Hive to HKEY_CURRENT_USER.
  • Set Key Path to Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftonline.com
  • Set the Value Name to *  (the value name is the URL scheme this mapping covers: http, https, or * for any scheme; use https if you only want the HTTPS endpoints in the zone).
  • Set the Value type to REG_DWORD.
  • Set the Base to Hexadecimal.
  • Set the Value data to 00000001.  The data is the zone ID: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.  It has to be 1 here, because IE's default "Automatic logon only in Intranet zone" setting means Trusted sites (2) would still prompt for credentials.
  • Click OK.  Now every user the policy applies to will have *.microsoftonline.com put into their Intranet Zone at their next Group Policy refresh (or immediately after running gpupdate /force).
  • Repeat the process for these additional domains by replacing the microsoftonline.com part of the key path with each domain name: outlook.com, sharepoint.com, dynamics.com, lynconline.com, and your own domain (in my case that would be michaelepping.com).  Keep in mind that each wildcard entry moves every host under that domain into the Intranet zone, which has a lower default security level than the Internet zone, so only add what you need.
  • If you don't want to put all of *.yourdomain.com into the Intranet Zone, restrict the entry to the single name on your ADFS certificate.  In the ZoneMap a host name is a subkey under the domain key, not a value name, so in my case (adfs.michaelepping.com) the Key Path becomes Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\michaelepping.com\adfs and the Value Name stays * (or https), still with data 1.
Now that these registry items are in place the URLs are added to the Intranet Zone in IE for every user who receives the GPO, regardless of IE version, which allows the zones to be configured on Windows 8 without Server 2012 Domain Controllers.  You can verify on a workstation by opening Internet Options --> Security --> Local intranet --> Sites --> Advanced, where the mapped domains appear in the site list.
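The same ZoneMap entries the GPO pushes can be written and read back directly with PowerShell, which is handy for testing on one workstation before building the GPO, or as a user logon script.  The following is an added example and is not code from the original post; it uses the post's domain list and its example names michaelepping.com and adfs, which you would replace with your own.  It must run as the user whose IE zones you want to change, because the entries live under HKEY_CURRENT_USER.

```powershell
# Added example (not from the original post). Writes the ZoneMap entries described
# above for the current user and reads them back.
#
# ZoneMap layout: Domains\<domain>[\<host>] holds one REG_DWORD value per scheme
# ('http', 'https', or '*' for any scheme). The data is the zone ID:
#   0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
# A host such as adfs.<domain> is a SUBKEY under <domain>, never a value name.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranet  = 1

function Set-IEZoneMapping {
    param(
        [Parameter(Mandatory)][string]$Domain,                     # e.g. microsoftonline.com
        [string]$HostLabel,                                         # optional, e.g. adfs (for adfs.<Domain>)
        [ValidateSet('*', 'http', 'https')][string]$Scheme = '*',
        [int]$Zone = $LocalIntranet
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Equivalent of the GPO Registry item with Action = Update:
    # value name = scheme, REG_DWORD data = zone ID, created or overwritten.
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-IEZoneMapping {
    # Returns the zone ID mapped for the domain/host/scheme, or $null if none is set.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$HostLabel,
        [string]$Scheme = '*'
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if (-not (Test-Path $key)) { return $null }
    $prop = (Get-ItemProperty -Path $key).PSObject.Properties[$Scheme]
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

# The wildcard mappings from the post: *.<domain>, any scheme -> Local intranet.
foreach ($domain in 'microsoftonline.com', 'outlook.com', 'sharepoint.com', 'dynamics.com', 'lynconline.com') {
    Set-IEZoneMapping -Domain $domain -Scheme '*'
}

# The narrower option for your own domain: only the ADFS host, and only over HTTPS,
# so the rest of *.michaelepping.com keeps its normal zone.
# (michaelepping.com and adfs are the post's example names; substitute your own.)
Set-IEZoneMapping -Domain 'michaelepping.com' -HostLabel 'adfs' -Scheme 'https'

# Read back and confirm the mappings landed in zone 1 (Local intranet).
$checks = @(
    @{ Domain = 'microsoftonline.com'; Scheme = '*' },
    @{ Domain = 'outlook.com';         Scheme = '*' },
    @{ Domain = 'michaelepping.com';   HostLabel = 'adfs'; Scheme = 'https' }
)
foreach ($c in $checks) {
    $zone = Get-IEZoneMapping @c
    $name = if ($c.HostLabel) { "$($c.HostLabel).$($c.Domain)" } else { "*.$($c.Domain)" }
    if ($zone -eq $LocalIntranet) { "OK   $($c.Scheme)://$name -> zone $zone" }
    else                          { "FAIL $($c.Scheme)://$name -> zone $zone" }
}
```

If a mapping shows as OK here but IE still prompts for credentials, check whether the "Site to Zone Assignment List" policy (Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Security Page) is enabled anywhere in the user's or computer's GPOs: when it is, the policy-defined ZoneMap takes precedence over these per-user entries and the Sites list in Internet Options is greyed out, so the ADFS name has to be added to that policy instead.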
Author

Michael Epping

Systems Engineer