
Remove Domain from HSTS via GPO

TL;DR

Partly. Group Policy cannot edit the HSTS state a browser builds for itself: the preload list is compiled into the browser, and dynamic entries are learned from each site's Strict-Transport-Security response header. What a GPO does manage, in Microsoft Edge and Google Chrome, is the policy HSTSPolicyBypassList: a list of single-label hostnames that the browser exempts from HSTS. Taking a host off HSTS enforcement therefore means adding it to that list, and undoing the exemption means removing it. Either way the work is the same: edit the registry-based policy inside the GPO, refresh policy on the target machines, and verify the key locally. Plan it carefully, because an exempted host is reachable over plain HTTP again.

How to Remove a Domain from HSTS via GPO

  1. Identify the GPO: First, find the Group Policy Object (GPO) that delivers the browser policy. In Microsoft Edge and Google Chrome the only HSTS list that Group Policy manages is HSTSPolicyBypassList (hostnames exempted from HSTS), so look for GPOs that carry the Edge or Chrome administrative templates.
    • Open Group Policy Management (gpmc.msc).
    • Navigate to the OU where the policy is linked.
    • Examine the linked GPOs, paying attention to those whose names or comments mention Edge, Chrome, browser hardening or HSTS.
    • Faster: on an affected client, run gpresult /h report.html and search the report for HSTSPolicyBypassList; the winning GPO is named next to the setting. In the browser, edge://policy (or chrome://policy) shows the applied list as well.
  2. Edit the GPO: Once you have located it, open it for editing.
    • Right-click the GPO and select Edit.
    • Navigate to Computer Configuration > Policies > Administrative Templates > Microsoft Edge (for Chrome: Google > Google Chrome). These nodes only exist if the browser's ADMX/ADML files are in the central store or the local PolicyDefinitions folder.
    • Do not look under Windows Components > Internet Explorer. The Security Features node and the Site to Zone Assignment List (Internet Control Panel > Security Page) decide which security zone a site falls into; they have no effect on HSTS.
  3. Locate the HSTS Setting: The policy is HSTSPolicyBypassList, shown in the template as the list of names that bypass the HSTS policy check. It is an exemption list, not a list of HSTS-enforced sites: every entry is a single-label hostname (an intranet short name, for example) that the browser will not upgrade from http to https. On the client it is written to HKLM\SOFTWARE\Policies\Microsoft\Edge\HSTSPolicyBypassList (Chrome: HKLM\SOFTWARE\Policies\Google\Chrome\HSTSPolicyBypassList) as REG_SZ values named 1, 2, 3 and so on.
  4. Change the List: Edit the registry-based policy inside the GPO, not the client's registry; a linked GPO rewrites the key at every refresh.
    • Double-click the HSTSPolicyBypassList setting, click Show and edit the entries. Remove the hostname to put it back under HSTS enforcement, or add it (lowercase, no dots) to exempt it. Keep the numbering contiguous.
    • Setting the policy to Not Configured or Disabled removes the entire list: Administrative Template policies are cleaned up on the next refresh, so every exemption disappears at once, not just the one you meant.
    • For scripted, repeatable changes, the GroupPolicy PowerShell module (Get-GPRegistryValue, Set-GPRegistryValue, Remove-GPRegistryValue) edits the same key inside the GPO.
  5. Update the GPO on Target Machines: After saving the change, refresh policy on the target machines, or wait for the background refresh (every 90 minutes plus a random offset of up to 30 minutes by default).
    • Open Command Prompt or PowerShell as an administrator.
    • Run the following; it forces a full reapplication of Group Policy rather than only the settings that changed:

      gpupdate /force

    • Restart the affected browsers (Microsoft Edge, Google Chrome), or open edge://policy or chrome://policy and click Reload policies, then confirm that the list shown there matches the GPO.
  6. Verify Removal (Optional – Scripting): To confirm what the client actually received, read the policy key directly with PowerShell.
    ```powershell
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\HSTSPolicyBypassList' -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS*
    ```

    Each numbered property is one exempted hostname (use the Google\Chrome key for Chrome). Verify that the hostname you removed is no longer listed; no output at all means the policy is not configured on this machine.

  7. Important Considerations:
    • Scope: HSTSPolicyBypassList applies to Microsoft Edge and Google Chrome and accepts only single-label hostnames, so it cannot exempt a name such as portal.example.com. Internet Explorer does not read Chromium policies. The built-in preload list and the entries a browser has learned from Strict-Transport-Security headers are not touched by any GPO: those are cleared by the site itself sending max-age=0, by the browser's net-internals HSTS page (chrome://net-internals/#hsts, edge://net-internals/#hsts), or, for public preloading, through the removal process at hstspreload.org.
    • Security Risks: A host exempted from HSTS is reachable over plain HTTP again, which is exactly the window HSTS closes against SSL-stripping and cookie-leak attacks on a hostile network. Only exempt hosts you own, understand why HTTP is needed, and treat the exemption as temporary.
    • Testing: Link the changed GPO to a pilot OU and confirm with gpresult and the browser's policy page before widening scope.
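The whole procedure above, scripted, as an added example that is not code from the original post: it edits the HSTSPolicyBypassList policy inside a GPO with the RSAT GroupPolicy module, rewrites the numbered entries so the list stays contiguous, and reads back what a client received after the refresh. The GPO name 'Browser Security Baseline' and the hostname 'intranet' are placeholders; the registry paths and the "1", "2", ... REG_SZ layout are the documented format of the policy for Edge (swap in the Google\Chrome key for Chrome).

```powershell
# Added example, not code from the original post. Assumptions: the GPO name and
# the hostname below are placeholders; Edge reads the policy from
# HKLM\SOFTWARE\Policies\Microsoft\Edge\HSTSPolicyBypassList as REG_SZ values
# named "1", "2", ... and accepts only lowercase single-label hostnames.

Import-Module GroupPolicy   # RSAT: Group Policy Management Tools

$GpoName   = 'Browser Security Baseline'                                   # placeholder
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Edge\HSTSPolicyBypassList'   # GroupPolicy cmdlets use HKLM\, not HKLM:\
$LocalKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\HSTSPolicyBypassList'  # the same key as written on a client

function Get-GpoHstsBypassList {
    # Hostnames currently in the GPO's list, in numeric order; empty if the key is absent.
    param([string]$Gpo, [string]$Key)
    try {
        @(Get-GPRegistryValue -Name $Gpo -Key $Key -ErrorAction Stop |
            Where-Object { $_.ValueName -match '^\d+$' } |
            Sort-Object { [int]$_.ValueName } |
            ForEach-Object { $_.Value })
    } catch { @() }   # the policy is not configured in this GPO
}

function Set-GpoHstsBypassList {
    # Rewrites the list as values 1..N and deletes any higher-numbered leftovers,
    # so the policy never carries gaps or stale entries after a removal.
    param([string]$Gpo, [string]$Key, [string[]]$Hosts)
    foreach ($h in $Hosts) {
        # Enforce the documented format up front: lowercase, single label, no dots.
        if ($h -notmatch '^[a-z0-9-]+$') { throw "'$h' is not a lowercase single-label hostname" }
    }
    $oldNames = @()
    try {
        $oldNames = @(Get-GPRegistryValue -Name $Gpo -Key $Key -ErrorAction Stop |
            Where-Object { $_.ValueName -match '^\d+$' } |
            ForEach-Object { $_.ValueName })
    } catch { }
    for ($i = 0; $i -lt $Hosts.Count; $i++) {
        Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName ([string]($i + 1)) `
            -Type String -Value $Hosts[$i] | Out-Null
    }
    foreach ($n in $oldNames) {
        if ([int]$n -gt $Hosts.Count) {
            Remove-GPRegistryValue -Name $Gpo -Key $Key -ValueName $n | Out-Null
        }
    }
    return $Hosts
}

function Remove-GpoHstsBypassHost {
    # Puts a host back under HSTS enforcement by dropping it from the exemption list.
    param([string]$Gpo, [string]$Key, [string]$HostName)
    $name      = $HostName.ToLowerInvariant()
    $current   = @(Get-GpoHstsBypassList -Gpo $Gpo -Key $Key)
    $remaining = @($current | Where-Object { $_ -ne $name })
    if ($remaining.Count -eq $current.Count) {
        Write-Warning "'$name' is not in the list; GPO '$Gpo' left unchanged."
        return $current
    }
    Set-GpoHstsBypassList -Gpo $Gpo -Key $Key -Hosts $remaining
}

function Add-GpoHstsBypassHost {
    # The opposite change: exempts a host from HSTS. Refuses duplicates.
    param([string]$Gpo, [string]$Key, [string]$HostName)
    $name    = $HostName.ToLowerInvariant()
    $current = @(Get-GpoHstsBypassList -Gpo $Gpo -Key $Key)
    if ($current -contains $name) { return $current }
    Set-GpoHstsBypassList -Gpo $Gpo -Key $Key -Hosts ($current + $name)
}

function Get-LocalHstsBypassList {
    # What the browser will actually read on a client, once gpupdate /force has run.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    @((Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value })
}

"GPO before : " + ((Get-GpoHstsBypassList -Gpo $GpoName -Key $PolicyKey) -join ', ')
$after = Remove-GpoHstsBypassHost -Gpo $GpoName -Key $PolicyKey -HostName 'intranet'   # placeholder host
"GPO after  : " + ($after -join ', ')
# On a target machine, after the policy refresh (gpupdate /force):
"Client     : " + ((Get-LocalHstsBypassList -Key $LocalKey) -join ', ')
```

Run the GPO functions from a management host with the GroupPolicy module and rights on the GPO; run Get-LocalHstsBypassList on the client itself. The renumbering in Set-GpoHstsBypassList is the part the GPMC editor hides from you: a list policy is a sequence of numbered values, so removing value 2 of 3 by hand and leaving 1 and 3 behind is the kind of edit this helper prevents.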