Skip to content

Use Intune Policy CSP manage Windows 10 settings – Internet Explorer Site to Zone Assignment List

For start, I was actually testing ConfigMgr cloud gateway management and Client Installation over Internet, see this post

I did managed install ConfigMgr client on AAD joined Windows 10 (version 1709), but I also want configure some Internet Explorer settings to my AAD joined device.

Since Windows 10 (version 1703), we can use Intune Policy CSP to configure more settings, it call admx-backed policies.

Here is how I make Site to Zone Assignment list setting using Intune OMA-URI

Test result:
Works only on Windows 10 version 1709


Works both Windows 10 version 1703 and 1709


Let’s check first Policy CPS list, InternetExplorer/AllowSiteToZoneAssignmentList is the one we are looking for, it tells admx file name is inetres.admx

Open gpedit.msc in Windows 10 (version 1709). Open Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, there are two settings that you will need. Enabled, and Zone assignment list.

I use ADMX Migrator open inetres.admx, zone list Elements is ListBox, ID name is IZ_ZonemapPrompt, this is the ID I will need to use for assigning those zone list in Intune.
You can also just use notepad open inetres.admx, then search what is the ID you will need.

Go to Intune portal – Device configuration – Profiles – Create Profile

Click Add. Input the following information:

Name:              AllowSiteToZoneAssignmentList (you can use anything you want)
OMA-URI:      ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
Data type:       String
<Data id=”IZ_ZonemapPrompt” Value=”;2&#xF000;;1&#xF000;&#xF000;”/>

So if want to choose “Enabled”, value will be <enabled/>, if want to choose disabled, value will be <disabled/>

Because we need to input those sites to zone list,  ID name is IZ_ZonemapPrompt, so we use  <Data id=”IZ_ZonemapPrompt”

In this article Supported date type, it tells:

Multiple strings are separated by &#xF000; and ended with two &#xF000; – A query of this parameter returns a multistring type.

You can find more information from internet about &#xF000; (use search key word MDM &#xF000;)

In this case, I want to have in zone list 2 (trusted zone) and in zone list 1 (local intra), so I need to put &#xF000; between those strings, and also in the end &#xF000;&#xF000;

After create this profile, assign it to a user group.

In my Windows 10 machine, open Settings – Accounts – Access work or school, click on Sync, because I was using ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList, so those are device settings, you can find it under registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

Generate Advanced Diagnostic Report

You should able to see this in your report.

Open Internet Explorer

If you can’t see your policy, check Event Viewer – Applications and services log – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider, see if there is any errors about the policy you created, then start trouble shooting.

12 thoughts on “Use Intune Policy CSP manage Windows 10 settings – Internet Explorer Site to Zone Assignment List”

  1. Thanks for this article. I notice that old (test) URL’s remain in the registry, even if I change the string . Is this by design ?

    1. Zeng Yinghua (Sandy)

      Hi, is the old (test) URL’s and new URLs are assigned with same policy or created a new policy for new URLs? I will test this and get back to you. Thanks.

        1. Hi Jan. I just tested it again. Using Windows 10 version 1709 Enterprise. URLs updated without issues. Tested remove old URLs, add new URLs, all worked. But it did take some time to update. I updated my post, because there are some typo and wrong print screen pictures. Event logs should show if the policy apply succeeded or failed.

  2. Hi Sandy, thanks for this article. Unfortunally I’m not able to let it work. I just configured it like your example. In the eventlog it says: EnrollmentID requesting set. At your screenshot is says merge. Do you have any idea?

    1. Hello Edward, can you try do it again? When you copy and paste those settings from my post, please check again if those double quotes are correct. Would be better copy those to first to notepad++, and make sure those single or double quotes are correct, also no extra space, then copy them again back to Intune.
      Those setting are still working, I just tested it few days ago.

            1. Best way to find out is testing by yourself. 🙂 However, it still works in my Windows 10 1803 Enterprise version, not sure about Pro or others.

  3. Pingback: ADMX Backed Policies – Quick(ish) Reference Guide – Modern Workplace Configuration with Intune

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.