Use Intune Policy CSP to manage Windows 10 settings - Internet Explorer Site to Zone Assignment List

By | October 23, 2017

To start with, I was actually testing ConfigMgr cloud gateway management and client installation over the Internet; see this post.

I did manage to install the ConfigMgr client on AAD-joined Windows 10 (version 1709), but I also wanted to configure some Internet Explorer settings on my AAD-joined device.

Since Windows 10 (version 1703), we can use Intune Policy CSP to configure more settings; these are called ADMX-backed policies.

Here is how I configured the Site to Zone Assignment List setting using an Intune OMA-URI.

Test result:
Works only on Windows 10 version 1709


Works on both Windows 10 version 1703 and 1709


First, check the Policy CSP list. InternetExplorer/AllowSiteToZoneAssignmentList is the one we are looking for, and its entry tells us the ADMX file name is inetres.admx.

Open gpedit.msc in Windows 10 (version 1709) and go to Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. There are two settings that you will need: Enabled, and the zone assignment list.

I used ADMX Migrator to open inetres.admx. The zone list element is a ListBox and its ID is IZ_ZonemapPrompt; this is the ID I need to use for assigning the zone list in Intune.
You can also just open inetres.admx in Notepad and search for the ID you need.

Go to Intune portal - Device configuration - Profiles - Create Profile

Click Add. Input the following information:

Name: AllowSiteToZoneAssignmentList (you can use anything you want)
OMA-URI: ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
Data type: String
<Data id="IZ_ZonemapPrompt" Value=";2&#xF000;;1&#xF000;&#xF000;"/>


If you want to choose "Enabled", the value is <enabled/>; if you want to choose "Disabled", the value is <disabled/>.

Because we need to enter the sites into the zone list, and its ID is IZ_ZonemapPrompt, we use <Data id="IZ_ZonemapPrompt"

This article, under "Supported data type", says:

Multiple strings are separated by &#xF000; and ended with two &#xF000; - A query of this parameter returns a multistring type.

You can find more information about &#xF000; on the internet (search for the keywords MDM &#xF000;).

In this case, I want to have in zone list 2 (trusted zone) and in zone list 1 (local intra), so I need to put &#xF000; between those strings, and also &#xF000;&#xF000; at the end.
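The pieces described above (the <enabled/> marker, the Data element with id IZ_ZonemapPrompt, the &#xF000; separators and the double terminator) can be checked before the value is pasted into Intune. This is an added example, not part of the original post; the function name Test-ZoneListPayload and the host names in the sample are hypothetical, and the sample value follows the shape of the value shown above.

```powershell
# Added example (not from the original post). Host names are constructed placeholders.
function Test-ZoneListPayload {
    param([Parameter(Mandatory)][string]$Payload)

    $sep      = [string][char]0xF000   # the character written as &#xF000; in the payload
    $problems = @()
    $entries  = @()

    # Curly quotes picked up from a web page break the XML attribute syntax.
    if ($Payload -match '[\u201C\u201D\u2018\u2019]') { $problems += 'contains curly quotes' }
    if ($Payload.Length -ne $Payload.Trim().Length)   { $problems += 'has leading or trailing whitespace' }
    if ($Payload -notmatch '^\s*<(enabled|disabled)/>') {
        $problems += 'does not start with <enabled/> or <disabled/>'
    }

    try {
        # Wrap the fragment in a root element so it parses as one XML document.
        $doc  = [xml]"<root>$Payload</root>"
        $data = $doc.DocumentElement.ChildNodes |
            Where-Object { $_.LocalName -eq 'data' } | Select-Object -First 1
        if ($null -ne $data) {
            # Collect attributes by lower-cased name (the post writes "id" and "Value").
            $attr = @{}
            foreach ($a in $data.Attributes) { $attr[$a.Name.ToLowerInvariant()] = $a.Value }
            if ($attr['id'] -ne 'IZ_ZonemapPrompt') { $problems += 'Data id is not IZ_ZonemapPrompt' }
            $value = [string]$attr['value']
            # Per the data-type note quoted in the post: the list ends with two separators.
            if (-not $value.EndsWith($sep + $sep, [System.StringComparison]::Ordinal)) {
                $problems += 'Value does not end with two &#xF000; separators'
            }
            $entries = @($value.Split([char]0xF000) | Where-Object { $_ })
        } elseif ($Payload -match '^\s*<enabled/>') {
            $problems += 'enabled, but no Data element for the zone list'
        }
    } catch {
        $problems += "not well-formed XML: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Entries = $entries }
}

# Constructed sample in the shape of the post's value, then the same text with curly quotes.
$good = '<enabled/><Data id="IZ_ZonemapPrompt" Value="https://trusted.example;2&#xF000;https://intranet.example;1&#xF000;&#xF000;"/>'
$bad  = $good.Replace('"', [string][char]0x201D)

Test-ZoneListPayload -Payload $good | Format-List
Test-ZoneListPayload -Payload $bad  | Format-List
```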

After creating this profile, assign it to a user group.

On the Windows 10 machine, open Settings - Accounts - Access work or school and click Sync. Because I used ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList, these are device settings, and you can find them in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device



Generate Advanced Diagnostic Report

You should be able to see this in your report.



Open Internet Explorer


If you can't see your policy, check Event Viewer - Applications and Services Logs - Microsoft - Windows - DeviceManagement-Enterprise-Diagnostics-Provider to see if there are any errors about the policy you created, then start troubleshooting.
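The registry and event log checks described above can be scripted for use on the enrolled device after a sync. This is an added example, not part of the original post. It assumes the Admin channel of the DeviceManagement-Enterprise-Diagnostics-Provider log, and it assumes the MDM policy lands in the same ZoneMapKey registry location that the Group Policy setting uses; neither detail is given in the post.

```powershell
# Added example (not from the original post). Run elevated on the enrolled device after a sync.
$policy = 'AllowSiteToZoneAssignmentList'
$pmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'   # path given in the post

# 1. Did the value reach PolicyManager? Search every key under the device node.
Get-ChildItem -Path $pmRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames() | Where-Object { $_ -like "$policy*" }) {
        [pscustomobject]@{ Key = $key.PSChildName; Name = $name; Value = $key.GetValue($name) }
    }
} | Format-List

# 2. Assumption (not in the post): Group Policy registry location of the
#    Site to Zone Assignment List, one value per site with the zone number as data.
$zoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if (Test-Path -Path $zoneMap) {
    $k = Get-Item -Path $zoneMap
    $k.GetValueNames() |
        ForEach-Object { [pscustomobject]@{ Site = $_; Zone = $k.GetValue($_) } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No ZoneMapKey policy key found under HKLM."
}

# 3. Events from the last day that mention the policy, oldest first.
#    The level column separates successful sets from failures.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$policy*" } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```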

9 thoughts on “Use Intune Policy CSP manage Windows 10 settings - Internet Explorer Site to Zone Assignment List”

  1. Jan

    Thanks for this article. I notice that old (test) URLs remain in the registry, even if I change the string. Is this by design?

    1. Zeng Yinghua (Sandy) Post author

      Hi, are the old (test) URLs and the new URLs assigned with the same policy, or did you create a new policy for the new URLs? I will test this and get back to you. Thanks.

        1. Zeng Yinghua (Sandy) Post author

          Hi Jan. I just tested it again, using Windows 10 version 1709 Enterprise. URLs updated without issues. I tested removing old URLs and adding new URLs; all worked. But it did take some time to update. I updated my post, because there were some typos and wrong screenshots. Event logs should show whether the policy application succeeded or failed.

          1. Jan

            Ok, thank you for testing.
            I did a check on my settings, and fixed a typo. Works as expected now.


  2. Edward

    Hi Sandy, thanks for this article. Unfortunately I’m not able to get it to work. I just configured it like your example. In the event log it says: EnrollmentID requesting set. In your screenshot it says merge. Do you have any idea?

    1. Zeng Yinghua (Sandy) Post author

      Hello Edward, can you try doing it again? When you copy and paste those settings from my post, please check again that the double quotes are correct. It would be better to copy them first to Notepad++, make sure the single or double quotes are correct and there are no extra spaces, then copy them back to Intune.
      Those settings are still working; I just tested them a few days ago.

        1. Zeng Yinghua (Sandy) Post author

          I modified my blog function, hope this quotes problem won’t happen again. 🙂

