Manage Internet Explorer settings with Intune

In the past, Intune was only able to deploy a predefined set of device settings to MDM-managed Windows devices. Fortunately, Microsoft introduced ADMX-backed policies in the Windows 10 Creators Update (version 1703). With those new MDM policies we are able to set a lot of policies using the Policy CSP, and with the Fall Creators Update (version 1709) even more settings were added.

A good, short explanation of what ADMX-backed policies are can be found on Peter van der Woude's blog:

Starting with Windows 10, version 1703, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a GPO. Each administrative template specifies the registry keys, and their values, that are associated with a GPO and defines the policy settings that can be managed. Each setting in an administrative template corresponds to a specific registry value. Windows maps the name and category path of a GPO to an MDM policy area, and policy name, by parsing the associated ADMX-file, finding the specified GPO, and storing the metadata in the Policy CSP. When the MDM policy is referenced, this metadata is referenced and determines which registry keys are set or removed.

In this blog post I will show some examples of policies to manage Internet Explorer settings with Intune on an MDM-managed device: settings that could easily be done with GPOs, but could not be done with Intune before ADMX-backed policies.

Configure the Intune policies: Disable First Run Wizard

The first thing I will do for my users is block the "First Run Wizard". On this site you will find a list of the currently available Internet Explorer CSP policies. Search for the corresponding policy, DisableFirstRunWizard. You will see the Windows versions on which the policy is supported, an explanation of the policy, a tip and the ADMX info.

Policy CSP

DisableFirstRunWizard

ADMX Info:
GP English name is the corresponding GPO name as shown in the Group Policy Editor.
GP name is the internal name of the corresponding GPO, which can be found in the corresponding ADMX file.
GP Path is the path to the GPO.
GP ADMX file name is the corresponding ADMX file, which can be found in %SystemRoot%\policydefinitions.

To see the options available for this policy, open the Group Policy Editor and open the GPO Prevent running First Run Wizard. You can enable or disable the policy; when enabling the policy you have two options: Go directly to "Welcome to IE" page and Go directly to home page.

GPO

Prevent running first run wizard

Now open the inetres.admx file and search for the GP name NoFirstRunCustomise. On the first line you can find the corresponding registry key, and below it the values you need to set in your CSP policy in Intune. In red you can see the two values (options) that correspond to the options in the Group Policy Editor: Go directly to "Welcome to IE" page and Go directly to home page.

Inetres.admx
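The lookup described above (GP name, registry key, and the element id that becomes the data id) can be scripted instead of read from a screenshot. The PowerShell function below is an added example and not part of the original post; the function name is mine, and the ADMX fragment it runs against is constructed for the example (the NoFirstRunCustomise key, value name and enum id match what the post shows; the IZ_ZoneMaps registry key and the display names are placeholders). Point it at the real inetres.admx to get the actual metadata. It handles enum elements (FirstRunOptions), text elements (EnterHomePagePrompt) and list elements (IZ_ZonemapPrompt) the same way.

```powershell
# Added example (not from the original post): read an ADMX file and print, for a
# given GP name, the registry key/value name plus the element ids that become the
# data id in the Intune value. The ADMX fragment below is constructed for this
# example; load $env:SystemRoot\PolicyDefinitions\inetres.admx for the real file.

function Get-AdmxPolicyInfo {
    param(
        [Parameter(Mandatory)] [string] $GpName,   # GP name, e.g. NoFirstRunCustomise
        [Parameter(Mandatory)] [xml]    $Admx      # parsed policyDefinitions document
    )
    # local-name() sidesteps the default ADMX namespace in XPath; filter in PowerShell
    # rather than splicing $GpName into the XPath string.
    $policy = $Admx.SelectNodes("//*[local-name()='policy']") |
        Where-Object { $_.GetAttribute('name') -eq $GpName } | Select-Object -First 1
    if (-not $policy) { throw "Policy '$GpName' not found in the ADMX file" }

    $elements  = @()
    $container = $policy.SelectSingleNode("*[local-name()='elements']")
    foreach ($el in @($container.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
        $options = @()
        if ($el.LocalName -eq 'enum') {
            # each <item> holds the registry value written when that option is selected
            foreach ($item in $el.SelectNodes("*[local-name()='item']")) {
                $valNode = $item.SelectSingleNode("*[local-name()='value']/*")
                $v = if ($valNode.LocalName -eq 'decimal') { $valNode.GetAttribute('value') } else { $valNode.InnerText }
                $options += [pscustomobject]@{ DisplayName = $item.GetAttribute('displayName'); Value = $v }
            }
        }
        $elements += [pscustomobject]@{
            Type      = $el.LocalName                  # enum, text, list, decimal, boolean
            DataId    = $el.GetAttribute('id')         # goes into <data id="..."/>
            ValueName = $el.GetAttribute('valueName')
            Options   = $options
        }
    }
    [pscustomobject]@{
        GpName    = $GpName
        Class     = $policy.GetAttribute('class')      # User/Machine/Both: pick ./User or ./Device in the OMA-URI
        Key       = $policy.GetAttribute('key')
        ValueName = $policy.GetAttribute('valueName')
        Elements  = $elements
    }
}

# Constructed ADMX fragment for the example (display names are placeholders;
# the IZ_ZoneMaps registry key is a placeholder, not the real one).
$sample = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="NoFirstRunCustomise" class="Both" displayName="$(string.NoFirstRunCustomise)"
            key="Software\Policies\Microsoft\Internet Explorer\Main" valueName="DisableFirstRunCustomize">
      <elements>
        <enum id="FirstRunOptions" valueName="DisableFirstRunCustomize" required="true">
          <item displayName="$(string.GoToHomePage)"><value><decimal value="1"/></value></item>
          <item displayName="$(string.GoToWelcomePage)"><value><decimal value="2"/></value></item>
        </enum>
      </elements>
    </policy>
    <policy name="IZ_ZoneMaps" class="Both" displayName="$(string.IZ_ZoneMaps)" key="Software\Policies\Placeholder">
      <elements>
        <list id="IZ_ZonemapPrompt" key="Software\Policies\Placeholder\ZoneMap" explicitValue="true"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@
[xml]$admx = $sample
# Real file instead: [xml]$admx = Get-Content -Raw "$env:SystemRoot\PolicyDefinitions\inetres.admx"

foreach ($name in 'NoFirstRunCustomise', 'IZ_ZoneMaps') {
    $info = Get-AdmxPolicyInfo -GpName $name -Admx $admx
    $info | Select-Object GpName, Class, Key, ValueName | Format-List
    $info.Elements | Select-Object Type, DataId, ValueName | Format-Table -AutoSize
    $info.Elements | Where-Object Type -eq 'enum' | ForEach-Object { $_.Options | Format-Table -AutoSize }
}
```

The `displayName` attributes are `$(string.…)` references; the English text for them lives in the matching .adml file in the language subfolder of PolicyDefinitions (for example en-US\inetres.adml), which is why the Group Policy Editor shows friendly names while the ADMX only carries the ids you need for Intune.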

Now open the Intune tab in the Azure portal, go to Device configuration, Profiles and click Create profile.

Intune policy

Device configuration

Give the profile a name, choose Windows 10 and later as Platform and choose Custom as Profile type.
Now click Add.

Create profile

Give this setting a name and description.
Add the OMA-URI: ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard
As you can see, it is a user policy. The last part of the OMA-URI corresponds to the policy you found in the list of Internet Explorer CSP policies: InternetExplorer/DisableFirstRunWizard.
As data type you choose String.
In the value field you enter: <enabled/><data id="FirstRunOptions" value="1"/>
Note that the value must use straight ASCII double quotes; curly quotes pasted from a web page are not valid XML and the policy will fail to apply.

OMA-URI settings

The first part of the value is <enabled/> (the GPO had two options: disabled or enabled).
The second part is the data id, which is equal to the enum id you can find in the inetres.admx file.
I choose value 1, because I want to go directly to the home page.

Inetres.admx

FirstRunOptions

Now save the policy and assign it to a user group.
When we switch over to the Windows 10 client, open Settings, Accounts, Access work or school and perform a Sync. After the sync is completed, choose Export your management log files and have a look at the file MDMDiagReport.html located in C:\Users\Public\Documents\MDMDiagnostics\.
When you scroll down you can see the policy is applied to User02.

MDM Diagnostics

In the inetres.admx file we could also find the corresponding registry key: key="Software\Policies\Microsoft\Internet Explorer\Main".
In the registry you can see the value DisableFirstRunCustomize is set to 1.

Registry

DisableFirstRunCustomize
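The same check (registry value present, and if not, why) can be done from PowerShell on the client. This is an added example, not part of the original post: the function name is mine, it assumes the policy is a ./User policy so the key from inetres.admx sits under HKCU, and it reads the Admin channel of the DeviceManagement-Enterprise-Diagnostics-Provider event log for MDM command failures that name the OMA-URI.

```powershell
# Added example (not from the original post): verify on the Windows 10 client that
# DisableFirstRunWizard landed. Reads the registry value named in inetres.admx and,
# when it is missing, collects MDM command failures for that OMA-URI from the
# DeviceManagement-Enterprise-Diagnostics-Provider Admin log.

function Test-IeFirstRunPolicy {
    param(
        [int]    $Expected = 1,   # 1 = go directly to home page (the value chosen in the profile)
        [string] $OmaUri   = './User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard'
    )
    # Key and value name come from the NoFirstRunCustomise policy in inetres.admx;
    # HKCU because the OMA-URI is a ./User policy (assumption stated in the lead-in).
    $key  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
    $name = 'DisableFirstRunCustomize'

    $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -eq $Expected) {
        return [pscustomobject]@{ Applied = $true; Value = $actual; Failures = @() }
    }

    # Not applied (or wrong value): pull the last day of MDM errors mentioning this CSP URI
    $failures = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2                      # Error
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$OmaUri*" } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{ Applied = $false; Value = $actual; Failures = @($failures) }
}

$result = Test-IeFirstRunPolicy
$result | Format-List

# The exported diagnostics report from Settings > Access work or school, if present
$report = 'C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html'
if (Test-Path $report) {
    Select-String -Path $report -Pattern 'DisableFirstRunWizard' | Select-Object -First 5
}
```

If `Applied` is false and `Failures` is empty, the profile most likely has not synced yet or is assigned to the wrong group; if `Failures` contains a "Command failure status" entry with "Unspecified error" for the URI, the value string itself is malformed, which in practice is usually the quoting.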

Disable Home Page Change

The second setting I will set is Disable Home Page Change, which sets the start page (Home Page) to the URL I want. Some customers want IE to open with, for example, the intranet site and do not want to allow users to change it. In this example I set IE to open with this website. We first need to look up the CSP policy in the Policy CSP list.

Policy CSP

DisableHomePageChange

You can open the Group Policy Editor to see what options you have to set. It is only disabled or enabled; when enabled you can set a URL.
Open the inetres.admx file and search for RestrictHomePage. You need the text id, marked in red, to set as Data id in the Intune configuration policy.

Inetres.admx

Now open the Intune tab in the Azure portal and create a new configuration policy or add a new row to an existing policy.
The OMA-URI is ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange
In the value field fill in <enabled/><data id="EnterHomePagePrompt" value="https://inthecloud247.com"/>
Of course, it starts with <enabled/> and the data id you found in the inetres.admx file. As value you enter a URL between (straight) quotes.

OMA-URI Settings

When we have a look at the MDM Diagnostics report on the Windows 10 client, we can see the policy is set.

MDM Diagnostics

Opening the Internet Explorer settings, we see the URL set as the Home Page.

IE Homepage

Allow Site To Zone Assignment List

Another request we often get is to manage the security zones in Internet Explorer, for example to mark a URL as Local Intranet. On the CSP list you have to look for AllowSiteToZoneAssignmentList.
In the explanation you read that there are 4 security zones (1-4) and which value names are accepted as URL or IP address.

Policy CSP

AllowSiteToZoneAssignmentList

When we configure this setting with a GPO, you also need a value name (URL) and a value (one of the security zones).

GPO

Site to Zone Assignment List

Open inetres.admx and search for IZ_ZoneMaps. You need the value of the list id to enter in the Intune policy as Data id: IZ_ZonemapPrompt.

Inetres.admx

Switch over to Intune. Create an Intune configuration policy or edit an existing one.
The OMA-URI is ./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
In the value field fill in
<Enabled/><Data id="IZ_ZonemapPrompt" value="https://login.microsoftonline.com&#xF000;1"/>
We now know the value for Data id is found in the inetres.admx file.
The value contains the URL followed by the security zone (1-4). The URL and the security zone need to be separated with the (encoded) Unicode character &#xF000;.

OMA-URI Settings

When you want to associate multiple URLs with security zones, you also need to separate those pairs with the Unicode character &#xF000;. In the example below I associate two URLs with security zone 1 (Local Intranet) and the third URL with security zone 2 (Trusted Sites):
<Enabled/><Data id="IZ_ZonemapPrompt" value="https://login.microsoftonline.com&#xF000;1&#xF000;https://inthecloud247.com&#xF000;1&#xF000;https://www.interchange.nl&#xF000;2"/>
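Because the value is XML pasted by hand, the two things that go wrong are the quotes (web pages substitute curly ones) and the &#xF000; separators (which must not be XML-escaped, while the URLs must be). The PowerShell below is an added example, not from the original post; the function names are mine. It builds the value strings for all three policies on this page (FirstRunOptions, EnterHomePagePrompt and the IZ_ZonemapPrompt list) and checks a pasted value before it goes into the profile.

```powershell
# Added example (not from the original post): build ADMX-backed Policy CSP values
# with straight quotes and the &#xF000; list separator, and sanity-check a value
# before pasting it into the Intune custom profile.

function New-PolicyCspValue {
    param(
        [Parameter(Mandatory)] [string]   $DataId,   # element id from the ADMX, e.g. IZ_ZonemapPrompt
        [Parameter(Mandatory)] [string[]] $Values,   # one entry (enum/text) or several (list)
        [switch] $Disabled                           # emit <disabled/> instead
    )
    if ($Disabled) { return '<disabled/>' }
    # Escape XML special characters in each entry FIRST, then join with the literal
    # separator; escaping after joining would turn &#xF000; into &amp;#xF000;.
    $escaped = foreach ($v in $Values) { [System.Security.SecurityElement]::Escape($v) }
    $joined  = $escaped -join '&#xF000;'
    '<enabled/><data id="{0}" value="{1}"/>' -f $DataId, $joined
}

function New-SiteToZoneValue {
    # $ZoneMap: ordered URL -> zone (1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted)
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $ZoneMap)
    $entries = foreach ($url in $ZoneMap.Keys) {
        $zone = [int]$ZoneMap[$url]
        if ($zone -lt 1 -or $zone -gt 4) { throw "Zone for '$url' must be 1-4, got $zone" }
        $url        # value name and value alternate, each separated by &#xF000;
        "$zone"
    }
    New-PolicyCspValue -DataId 'IZ_ZonemapPrompt' -Values $entries
}

function Test-PolicyCspValue {
    # Returns $true only if the value has no curly quotes/primes and parses as XML.
    param([Parameter(Mandatory)] [string] $Value)
    if ($Value -match '[\u201C\u201D\u2018\u2019\u2032\u2033]') { return $false }
    try { [xml]("<root>$Value</root>") | Out-Null; $true } catch { $false }
}

# The three values used in this post (data ids as found in inetres.admx)
New-PolicyCspValue -DataId 'FirstRunOptions'     -Values '1'
New-PolicyCspValue -DataId 'EnterHomePagePrompt' -Values 'https://inthecloud247.com'

$siteToZone = New-SiteToZoneValue -ZoneMap ([ordered]@{
    'https://login.microsoftonline.com' = 1   # Local Intranet
    'https://inthecloud247.com'         = 1   # Local Intranet
    'https://www.interchange.nl'        = 2   # Trusted Sites
})
$siteToZone
Test-PolicyCspValue -Value $siteToZone

# A value with the curly quotes a web page substitutes (constructed) fails the check
$curly = '<enabled/><data id={0}FirstRunOptions{0} value={0}1{1}/>' -f [char]0x201D, [char]0x2033
Test-PolicyCspValue -Value $curly
```

The site-to-zone call reproduces the multi-URL value shown above. Running `Test-PolicyCspValue` on anything copied from a web page before saving the profile avoids the "Unspecified error" command failures that otherwise only show up in the MDM event log after a sync.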

OMA-URI Settings

Again we can check the MDM Diagnostics report.

MDM Diagnostics

And we can see the URLs are associated with the correct security zone.

Local intranet

Trusted Sites

19 Comments

  1. I deployed exactly the same CSPs mentioned in the article, but no luck. I see the event log in Windows 10 says "error"
    MDM ConfigurationManager: Command failure status. Configuration Source ID: (3EDD70EB-907E-46B9-959F-BA62A1EEA6FD), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard), Result: (Unspecified error).

    Any thoughts?

        • Hi Stef,
          I see only the first part of my comment on Devaki I added.

          But what I mean:
          Copy the example like this

          And replace the double quotes by typing those yourself. For some reason WordPress fucked up the quotes in the article.
          If you send me an email I can also send you the correct example.

  2. Thanks for the nice post,

    I typed in exactly the same but it gives a -201681112 remediation error.

    • You should have a look at the event viewer. Have a look at DeviceManagement-Enterprise-Diagnostics-Provider, located under Applications and Services Logs, Microsoft, Windows.
      That will be of more help.

  3. What happens if you change the list? In my experience it will add the entry but it will not remove the old entry from the registry.

  4. Having real issues with this policy, I just can't get the AllowSiteToZoneAssignmentList to function correctly. It all points to missing registry entries as I get a remediation failure and when I debug it further it indicates a missing template. I thought the whole point of this was you didn't need to import any ADM templates like you do on a group policy.

    • Haven't used this for a long time myself, but this should work without deploying ADMX files. But don't just copy-paste the policy from the website, as WordPress screws the quotation marks. Replace them yourself. Or send me an email and I can send you an example.

  5. Do we need to do IE ADMX ingestion first? I am currently configuring settings for ./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
    It did not work

  6. Is there any way to turn off Required server verification (https:) for all sites in this zone for Trusted Sites?

    • I found a way to change it from Uncheck or Checked using the Registry
      Reg Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
      Value Name: Flags
      Value Type: REG_DWORD
      Value Data (in decimal): 67 (to uncheck) or 71 (to check)

      But, how do I add that to this?
