
Use Intune Policy CSP to manage Windows 10 settings – Internet Explorer Site to Zone Assignment List

To start with, I was actually testing ConfigMgr cloud gateway management and client installation over the Internet; see this post: https://blogs.technet.microsoft.com/arnabm/2017/08/27/client-installation-over-internet/

I did manage to install the ConfigMgr client on an AAD-joined Windows 10 (version 1709) device, but I also wanted to configure some Internet Explorer settings on my AAD-joined device.

Since Windows 10 (version 1703), we can use the Intune Policy CSP to configure more settings through what are called ADMX-backed policies.

Here is how I configured the Site to Zone Assignment List setting using an Intune OMA-URI.

Test result:
Works only on Windows 10 version 1709

./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList

Works on both Windows 10 version 1703 and 1709

./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList

Let’s first check the Policy CSP list: InternetExplorer/AllowSiteToZoneAssignmentList is the one we are looking for, and it tells us the ADMX file name is inetres.admx.

Open gpedit.msc in Windows 10 (version 1709) and go to Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. There are two settings that you will need: Enabled, and the zone assignment list.

I used ADMX Migrator to open inetres.admx. The zone list element is a ListBox and its ID is IZ_ZonemapPrompt; this is the ID I need to use to assign the zone list in Intune.
You can also just open inetres.admx in Notepad and search for the ID you need.

Go to Intune portal – Device configuration – Profiles – Create Profile

Click Add. Input the following information:

Name: AllowSiteToZoneAssignmentList (you can use anything you want)
OMA-URI: ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
Data type: String
Value:
<enabled/>
<Data id="IZ_ZonemapPrompt" Value="https://login.microsoftonline.com&#xF000;2&#xF000;https://sandyzeng.com&#xF000;1&#xF000;&#xF000;"/>

So if you want to choose “Enabled”, the value will be <enabled/>; if you want to choose disabled, the value will be <disabled/>.

Because we need to put those sites into the zone list, and its ID is IZ_ZonemapPrompt, we use <Data id="IZ_ZonemapPrompt"

In this article, https://docs.microsoft.com/en-us/windows/client-management/mdm/registry-csp, under Supported data type, it says:

Multiple strings are separated by &#xF000; and ended with two &#xF000; – A query of this parameter returns a multistring type.

You can find more information about &#xF000; on the internet (search for the keywords MDM &#xF000;).

In this case, I want to have https://login.microsoftonline.com in zone 2 (trusted zone) and https://sandyzeng.com in zone 1 (local intranet), so I need to put &#xF000; between those strings, and &#xF000;&#xF000; at the end.
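
The following PowerShell is an added example, not code from the original post. It builds the Value string from a site-to-zone map using the &#xF000; separator rules described above, and checks a pasted value for curly quotes and a missing double terminator. The function names New-ZoneMapValue and Test-ZoneMapValue are hypothetical, and the accepted zone range 1-4 is an assumption taken from the Group Policy setting.

```powershell
# Added example, not from the original post; function names are hypothetical.
$Sep = '&#xF000;'   # typed literally into the Intune Value field, as in the post

function New-ZoneMapValue {
    # $SiteToZone maps site -> zone. The post uses 1 (local intranet) and 2 (trusted);
    # 3 (internet) and 4 (restricted) are the other values the policy accepts.
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $SiteToZone)
    if ($SiteToZone.Count -eq 0) { throw 'At least one site is required' }
    $fields = foreach ($site in $SiteToZone.Keys) {
        $zone = [string]$SiteToZone[$site]
        if ($zone -notmatch '^[1-4]$') { throw "Zone for '$site' must be 1-4, got '$zone'" }
        if ($site -match '["<>&\s]')   { throw "Site '$site' would break the XML attribute" }
        $site
        $zone
    }
    # One separator between all strings, two separators to end the list
    $list = ($fields -join $Sep) + $Sep + $Sep
    "<enabled/>`n<Data id=`"IZ_ZonemapPrompt`" Value=`"$list`"/>"
}

function Test-ZoneMapValue {
    # Returns a list of problems found in a pasted Value string (empty when clean)
    param([Parameter(Mandatory)] [string] $Value)
    $problems = @()
    if ($Value -match '[\u201C\u201D\u2018\u2019]') { $problems += 'curly quotes found; retype as straight quotes' }
    if ($Value -notmatch 'Value="([^"]*)"') {
        return $problems + 'no straight-quoted Value="..." attribute found'
    }
    $list = $Matches[1]
    if (-not $list.EndsWith($Sep + $Sep)) { $problems += "list does not end with two $Sep" }
    $fields = @($list -split [regex]::Escape($Sep) | Where-Object { $_ })
    if ($fields.Count % 2 -ne 0) { $problems += 'fields are not complete site/zone pairs' }
    for ($i = 1; $i -lt $fields.Count; $i += 2) {
        if ($fields[$i] -notmatch '^[1-4]$') { $problems += "'$($fields[$i])' is not a zone number" }
    }
    $problems
}

# Constructed sample input: the two sites used in the post
$sites = [ordered]@{
    'https://login.microsoftonline.com' = 2
    'https://sandyzeng.com'             = 1
}
$value = New-ZoneMapValue -SiteToZone $sites
$value
Test-ZoneMapValue -Value $value
# Simulate a paste from a web page that turned the straight quotes curly
Test-ZoneMapValue -Value $value.Replace('"', [string][char]0x201D)
```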

After creating this profile, assign it to a user group.

On my Windows 10 machine, open Settings – Accounts – Access work or school and click Sync. Because I was using ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList, these are device settings, and you can find them in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

Generate Advanced Diagnostic Report

You should be able to see this in your report.

Open Internet Explorer

If you can’t see your policy, check Event Viewer – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider to see if there are any errors about the policy you created, then start troubleshooting.

12 thoughts on “Use Intune Policy CSP to manage Windows 10 settings – Internet Explorer Site to Zone Assignment List”

  1. Thanks for this article. I notice that old (test) URLs remain in the registry, even if I change the string. Is this by design?

    1. Zeng Yinghua (Sandy)

      Hi, are the old (test) URLs and new URLs assigned with the same policy, or did you create a new policy for the new URLs? I will test this and get back to you. Thanks.

        1. Hi Jan. I just tested it again, using Windows 10 version 1709 Enterprise. URLs updated without issues. Tested removing old URLs and adding new URLs, all worked. But it did take some time to update. I updated my post, because there were some typos and wrong screenshots. Event logs should show if the policy apply succeeded or failed.

  2. Hi Sandy, thanks for this article. Unfortunately I’m not able to get it to work. I just configured it like your example. In the event log it says: EnrollmentID requesting set. In your screenshot it says merge. Do you have any idea?
    Thanks.
    Edward

    1. Hello Edward, can you try doing it again? When you copy and paste those settings from my post, please check again that the double quotes are correct. It would be better to copy them first to Notepad++, make sure the single or double quotes are correct and there are no extra spaces, then copy them back to Intune.
      Those settings are still working, I just tested it a few days ago.
      Sandy.

            1. The best way to find out is to test it yourself. 🙂 However, it still works in my Windows 10 1803 Enterprise version, not sure about Pro or others.
