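#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Creates a GPO that adds \\SERVER and \\10.0.0.5 to the Local Intranet zone.
    Fixes PDF preview on network shares blocked by Oct 2025 security update.

.DESCRIPTION
    Uses the "Site to Zone Assignment List" policy under:
    Computer Config > Admin Templates > Windows Components > Internet Explorer >
    Internet Control Panel > Security Page

    Zone 1 = Local Intranet. Applies to all domain-joined machines.

    The script can be re-run: an existing GPO with the same name is reused, the
    zone values are written again, and the link is only created when the domain
    root does not already carry one for this GPO.

.NOTES
    Run on SERVER (10.0.0.5) as Domain Admin.
    Ref: https://support.microsoft.com/en-us/topic/56d55920-6187-4aae-a4f6-102454ef61fb

    Security review notes:
    - A zone assignment is a trust decision. Every computer that receives this
      GPO treats content served from the listed hosts as Local Intranet, so
      write access to those shares should stay limited to trusted accounts.
    - The IP-literal entries follow the address, not the machine. Keep 10.0.0.5
      reserved for the file server, or drop those entries if clients only ever
      reach the share by name.
    - The link target is the domain root, which also covers servers and domain
      controllers. Linking to the OU that holds the workstations needing the
      fix would narrow the scope.
#>

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

$gpoName = 'Intranet Zone - File Server'
$domain  = 'kittle.lan'

# Distinguished name of the domain root, derived from $domain so the DNS name
# and the link target cannot drift apart (kittle.lan -> DC=kittle,DC=lan).
$domainDn = ($domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# Sites to add to Local Intranet (zone 1)
$sites = @(
    'file://SERVER'
    'file://10.0.0.5'
    '\\SERVER'
    '\\10.0.0.5'
)

# Registry path for the Site to Zone Assignment List policy
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Check if GPO already exists. SilentlyContinue turns "not found" into $null
# instead of a terminating error under $ErrorActionPreference = 'Stop'.
$existing = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "GPO '$gpoName' already exists (ID: $($existing.Id)). Updating..." -ForegroundColor Yellow
}
else {
    Write-Host "Creating GPO: $gpoName" -ForegroundColor Cyan
    New-GPO -Name $gpoName -Domain $domain -Comment 'Adds file server to Local Intranet zone for PDF preview on shares' | Out-Null
}

# Set each site to zone 1 (Local Intranet). The value name is the site and the
# string data is the zone number.
foreach ($site in $sites) {
    $zoneEntry = @{
        Name      = $gpoName
        Domain    = $domain
        Key       = $policyKey
        ValueName = $site
        Type      = 'String'
        Value     = '1'
    }
    Set-GPRegistryValue @zoneEntry | Out-Null
    Write-Host " Added: $site -> Local Intranet" -ForegroundColor Green
}

# Link the GPO to the domain root (applies to all machines).
# Get-GPInheritance documents -Target as an LDAP distinguished name, so the
# lookup uses $domainDn rather than the DNS name; the same value is used for
# the link so the "already linked" check and the link agree on the target.
$linked = (Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }

if (-not $linked) {
    New-GPLink -Name $gpoName -Domain $domain -Target $domainDn -LinkEnabled Yes | Out-Null
    Write-Host "`nGPO linked to $domain" -ForegroundColor Green
}
else {
    Write-Host "`nGPO already linked to $domain" -ForegroundColor Yellow
}

# Summary
Write-Host "`n=== Done ===" -ForegroundColor Cyan
Write-Host "GPO '$gpoName' is active. Workstations will pick it up at next GP refresh."
Write-Host "To force now, run on workstations: gpupdate /force" -ForegroundColor Cyan
Write-Host "`nVerify: gpresult /r on a workstation should show '$gpoName' under Computer Settings" -ForegroundColor Cyan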