Use Intune Policy CSP to manage Windows 10 settings – Internet Explorer Site to Zone Assignment List

To start, I was actually testing ConfigMgr cloud gateway management and client installation over the Internet; see this post.

I did manage to install the ConfigMgr client on an AAD-joined Windows 10 (version 1709) device, but I also want to configure some Internet Explorer settings on my AAD-joined device.

Since Windows 10 (version 1703), we can use the Intune Policy CSP to configure more settings; these are called ADMX-backed policies.

Here is how I configured the Site to Zone Assignment List setting using an Intune OMA-URI.

Test result:
Works only on Windows 10 version 1709


Works both Windows 10 version 1703 and 1709     


Let’s first check the Policy CSP list. InternetExplorer/AllowSiteToZoneAssignmentList is the one we are looking for, and the list tells us the ADMX file name is inetres.admx.

Open gpedit.msc in Windows 10 (version 1709) and go to Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. There are two settings that you will need: Enabled, and the zone assignment list.

I use ADMX Migrator to open inetres.admx. The zone list element is a ListBox and its ID name is IZ_ZonemapPrompt; this is the ID I will need to use for assigning the zone list in Intune.
You can also just open inetres.admx in Notepad and search for the ID you will need.

Go to Intune portal – Device configuration – Profiles – Create Profile

Click Add. Input the following information:

Name: AllowSiteToZoneAssignmentList (you can use anything you want)
OMA-URI: ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
Data type: String
<Data id="IZ_ZonemapPrompt" Value=";2&#xF000;;2&#xF000;&#xF000;"/>


So if you want to choose “Enabled”, the value will be <enabled/>; if you want to choose disabled, the value will be <disabled/>.

Because we need to input the sites into the zone list, and the ID name is IZ_ZonemapPrompt, we use <Data id="IZ_ZonemapPrompt"

The article Supported data type says:

Multiple strings are separated by &#xF000; and ended with two &#xF000; – A query of this parameter returns a multistring type.

You can find more information on the internet about &#xF000; (use the search keywords MDM &#xF000;).

In this case, I want to have in zone list 2 (trusted zone) and in zone list 2 (trusted zone), so I need to put &#xF000; between those strings, and also &#xF000;&#xF000; at the end.
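
The value string described above can be generated and decoded again for review with a short script. This is an added example in Python, not part of the original post or of any Microsoft tooling. Assumptions: the site names are constructed placeholders, and the lowercase <data id value> form and the site-then-zone ordering follow Microsoft's ADMX-backed policy documentation.

```python
import re

SEP = "&#xF000;"  # typed literally into the Intune value field, not decoded
DATA_ID = "IZ_ZonemapPrompt"  # list element ID from inetres.admx (from the page)
ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
FORBIDDEN = set('"<>&\uf000')  # characters that would break the XML attribute


def build_value(site_zones):
    """Return the string for the OMA-URI value field from {site: zone number}."""
    if not site_zones:
        raise ValueError("no sites given")
    fields = []
    for site, zone in site_zones.items():
        site = site.strip()
        if not site or any(c in FORBIDDEN or c.isspace() for c in site):
            raise ValueError(f"unsafe or empty site entry: {site!r}")
        if type(zone) is not int or zone not in ZONES:
            raise ValueError(f"zone must be one of {sorted(ZONES)}: {zone!r}")
        fields += [site, str(zone)]
    # One separator between strings, two after the last one (rule quoted on the page).
    value = SEP.join(fields) + SEP * 2
    return f'<enabled/><data id="{DATA_ID}" value="{value}"/>'


def parse_value(payload):
    """Decode a payload into {site: zone name} so it can be reviewed before assignment."""
    # Case-insensitive, so the <Data ... Value=...> spelling is accepted too.
    m = re.search(r'<data\s+id="%s"\s+value="([^"]*)"\s*/>' % DATA_ID, payload, re.I)
    if not payload.lstrip().lower().startswith("<enabled/>") or not m:
        raise ValueError("not an enabled IZ_ZonemapPrompt payload")
    fields = m.group(1).split(SEP)
    while fields and fields[-1] == "":  # drop the trailing terminators
        fields.pop()
    names = {str(k): v for k, v in ZONES.items()}
    if len(fields) % 2 or any(z not in names for z in fields[1::2]):
        raise ValueError("each site must be followed by a zone number 1-4")
    return {s: names[z] for s, z in zip(fields[::2], fields[1::2])}


if __name__ == "__main__":
    # Constructed sample sites (example.com names are placeholders).
    sample = {"https://portal.example.com": 2, "https://intranet.example.com": 1}
    payload = build_value(sample)
    print(payload)
    for site, zone in parse_value(payload).items():
        print(f"{zone:16} {site}")
```

Decoding the string before it is assigned shows exactly which sites end up in the Trusted Sites zone, which is the part of this setting that lowers Internet Explorer's protections for those sites.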

After creating this profile, assign it to a user group.

On my Windows 10 machine, open Settings – Accounts – Access work or school and click Sync. Because I was using ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList, these are device settings; you can find them in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

Generate Advanced Diagnostic Report

You should be able to see this in your report.

Open Internet Explorer

If you can’t see your policy, check Event Viewer – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider to see if there are any errors about the policy you created, then start troubleshooting.