In the past, Intune could only deploy a predefined set of device settings to MDM-managed Windows devices. Fortunately, Microsoft introduced ADMX-backed policies in the Windows 10 Creators Update (version 1703). With these new MDM policies we can set a lot of settings through the Policy CSP, and the Fall Creators Update (version 1709) adds even more.
A good, short explanation of what ADMX-backed policies are can be found on Peter van der Woude's blog:
Starting with Windows 10, version 1703, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a GPO. Each administrative template specifies the registry keys, and their values, that are associated with a GPO and defines the policy settings that can be managed. Each setting in an administrative template corresponds to a specific registry value. Windows maps the name and category path of a GPO to a MDM policy area, and policy name, by parsing the associated ADMX-file, finding the specified GPO, and storing the metadata in the Policy CSP. When the MDM policy is referenced, this metadata is referenced and determines which registry keys are set or removed.
In this blog I will show you some examples of policies to manage Internet Explorer settings with Intune on an MDM-managed device: settings that could easily be done with GPOs, but which couldn't be done with Intune before ADMX-backed policies.
Configure the Intune policies: Disable First Run Wizard
The first thing I will do for my users is block the “First Run Wizard”. On this site you will find a list of the currently available Internet Explorer CSP policies. Search for the corresponding policy, DisableFirstRunWizard. You will see the Windows versions on which the policy is supported, an explanation of the policy, a tip and the ADMX info.
ADMX Info:
GP English name is the name of the GPO as shown in the Group Policy Editor.
GP name is the policy name as it appears in the corresponding ADMX file.
GP Path is the path to the GPO.
GP ADMX file name is the corresponding ADMX file, which can be found in %SystemRoot%\policydefinitions.
To see the options available for this policy, open the Group Policy Editor and open the GPO Prevent running First Run Wizard. You can enable or disable the policy; when enabling it you have two options: Go directly to “Welcome to IE” page and Go directly to home page.
Now open the inetres.admx file and search for the GP name NoFirstRunCustomise. On the first line of the policy you can find the corresponding registry key.
Here you can also find the values you need to set in your CSP policy in Intune. In red you can see the two values (options) which correspond to the options in the Group Policy Editor: Go directly to “Welcome to IE” page and Go directly to home page.
Now open the Intune tab in the Azure portal, go to Device Configuration, Profiles and click on Create profile.
Give the profile a Name, choose Windows 10 and later as Platform and choose Custom as Profile Type.
Now click Add.
Give this setting a name and description.
Add the OMA-URI: ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard
As you can see, it is a user policy. The last part of the OMA-URI corresponds to the policy you found in the list of Internet Explorer CSP policies: InternetExplorer/DisableFirstRunWizard
As data type you choose string.
And in the value field you enter: <enabled/><data id="FirstRunOptions" value="1"/>
The first part of the value is <enabled/> (you had two options for the GPO: disabled or enabled).
The second part is the data id, which is equal to the enum id you can find in the inetres.admx file.
And I choose value 1, because I want to go directly to the home page.
Now save the policy and assign it to a user group.
Now switch over to the Windows 10 client, open Settings, Accounts, Access work or school and perform a Sync. After the sync is completed, choose Export your management log files and have a look at the file MDMDiagReport.html located in C:\Users\Public\Documents\MDMDiagnostics\
When you scroll down you can see the policy is applied to User02.
In the inetres.admx file we could also find the corresponding registry key: key="Software\Policies\Microsoft\Internet Explorer\Main"
You can see the value is set to 1.
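As an added example (not code from the blog), the lookup the post does by hand, automated: parse an ADMX file for a GP name, pull out its registry key and enum values, and build the string for the Intune value field. The ADMX fragment embedded below is constructed to mirror the shape of inetres.admx; the key, the enum id and the two option values are the ones the post walks through, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed in the shape of inetres.admx; key, enum id and values are the ones the post shows.
ADMX_FRAGMENT = r"""<policyDefinitions
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="NoFirstRunCustomise" class="Both"
            key="Software\Policies\Microsoft\Internet Explorer\Main">
      <elements>
        <enum id="FirstRunOptions" valueName="DisableFirstRunCustomize" required="true">
          <item displayName="$(string.GoToHomePage)"><value><decimal value="1"/></value></item>
          <item displayName="$(string.GoToWelcomePage)"><value><decimal value="2"/></value></item>
        </enum>
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""

OMA_URI = "./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard"

def find_policy(admx_xml, gp_name):
    """Return the registry key and enum id -> allowed values for one GP name."""
    root = ET.fromstring(admx_xml)
    for pol in root.findall(".//{*}policy"):          # {*} ignores the ADMX namespace
        if pol.get("name") == gp_name:
            enums = {e.get("id"): [d.get("value") for d in e.findall(".//{*}decimal")]
                     for e in pol.findall(".//{*}enum")}
            return {"key": pol.get("key"), "enums": enums}
    raise KeyError(f"no policy named {gp_name!r} in this ADMX file")

def csp_value(enabled, data=None):
    """Build the string that goes in the Intune custom profile's value field."""
    if not enabled:
        return "<disabled/>"
    parts = ["<enabled/>"]
    for data_id, value in (data or {}).items():
        parts.append(f"<data id={quoteattr(data_id)} value={quoteattr(str(value))}/>")
    return "".join(parts)

def first_run_policy(admx_xml, option):
    """Validate the chosen option against the enum before building the value."""
    allowed = find_policy(admx_xml, "NoFirstRunCustomise")["enums"]["FirstRunOptions"]
    if str(option) not in allowed:
        raise ValueError(f"FirstRunOptions accepts {allowed}, not {option!r}")
    return csp_value(True, {"FirstRunOptions": option})

if __name__ == "__main__":
    print(OMA_URI, first_run_policy(ADMX_FRAGMENT, 1))  # <enabled/><data id="FirstRunOptions" value="1"/>
```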
Disable Home Page Change
The second setting I will set is Disable Home Page Change, which sets the start page (Home Page) to the URL I want. Some customers want IE to open, for example, with the intranet site, without allowing users to change it. In this example I set IE to open with this website. We first need to look up the CSP policy in the Policy CSP list.
You can open the Group Policy Editor to see what options you have. It's only disabled or enabled; when enabled you can set a URL.
Open the inetres.admx file and search for RestrictHomePage. You need the text id, marked in red, to set as the Data id in the Intune configuration policy.
Now open the Intune tab in the Azure portal and create a new configuration policy or add a new row to an existing policy.
The OMA-URI is ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange
In the value field fill in <enabled/><data id="EnterHomePagePrompt" value="https://inthecloud247.com"/>
Of course, it starts with <enabled/> and the data id you found in the inetres.admx file. As value you enter a URL between quotes.
When we have a look at the MDM Diagnostics Report on the Windows 10 client, we can see the policy is set.
Opening the Internet Explorer settings, we see the URL set as the Home Page.
Allow Site To Zone Assignment List
Another request we often get is to manage the security zones in Internet Explorer, for example to mark a URL as Local Intranet. In the CSP list you have to look for AllowSiteToZoneAssignmentList.
In the explanation you read that there are 4 security zones (1-4) and which value names are accepted as URL or IP address.
When we configure this setting with a GPO we also need a value name (URL) and a value (one of the security zones).
Open inetres.admx and search for IZ_ZoneMaps. You need the value of the list id, IZ_ZonemapPrompt, to use as the Data id in the Intune policy.
Switch over to Intune. Create an Intune Configuration Policy or edit an existing one.
The OMA-URI is ./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
In the value field fill in
<Enabled/><Data id="IZ_ZonemapPrompt" value="https://login.microsoftonline.com&#xF000;1"/>
We now know that the value for Data id is found in the inetres.admx file.
The value contains the URL and, separated from it, the security zone (1-4). The URL and security zone need to be separated with the Unicode character U+F000, which is written in encoded form as &#xF000;.
When you want to associate multiple URLs with security zones, you also need to separate those pairs with the same character. With the example below I associate two URLs with security zone 1 (Local Intranet) and the third URL with security zone 2 (Trusted Sites):
<Enabled/><Data id="IZ_ZonemapPrompt" value="https://login.microsoftonline.com&#xF000;1&#xF000;https://inthecloud247.com&#xF000;1&#xF000;https://www.interchange.nl&#xF000;2"/>
Again we can check the MDM Diagnostics report.
And we can see the URLs are associated with the correct security zones.
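As an added example (not code from the blog), a builder and a decoder for the AllowSiteToZoneAssignmentList value: the builder joins URL/zone pairs with U+F000, emits it as &#xF000; and rejects zone numbers outside 1-4; the decoder parses a value string back so it can be checked before it is assigned. The three site entries are the ones from the post, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SEP = "\uf000"   # the Policy CSP list separator; written as &#xF000; inside the XML value
ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
OMA_URI = "./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList"

def site_to_zone_value(assignments):
    """Turn {url: zone} into the <enabled/><data/> string for the Intune value field."""
    for url, zone in assignments.items():
        if zone not in ZONES:
            raise ValueError(f"zone {zone!r} for {url!r} is not one of {sorted(ZONES)}")
        if not url or SEP in url:
            raise ValueError(f"bad site entry {url!r}")
    raw = SEP.join(f"{url}{SEP}{zone}" for url, zone in assignments.items())
    # escape &, <, > and quotes for XML, then spell the separator out as &#xF000;
    attr = escape(raw, {'"': "&quot;"}).replace(SEP, "&#xF000;")
    return f'<enabled/><data id="IZ_ZonemapPrompt" value="{attr}"/>'

def decode_site_to_zone(value):
    """Parse a value string back into {url: zone}; a quick check before assigning it."""
    children = {c.tag.lower(): c for c in ET.fromstring(f"<r>{value}</r>")}
    if "enabled" not in children or "data" not in children:
        raise ValueError("expected <enabled/> followed by a <data .../> element")
    fields = children["data"].get("value", "").split(SEP)   # ET already decoded &#xF000;
    if len(fields) % 2:
        raise ValueError("every url must be followed by a zone number")
    result = {}
    for url, zone in zip(fields[::2], fields[1::2]):
        if not zone.isdigit() or int(zone) not in ZONES:
            raise ValueError(f"{url!r} has an invalid zone {zone!r}")
        result[url] = int(zone)
    return result

if __name__ == "__main__":
    # The three sites from the post: two in Local Intranet (1), one in Trusted Sites (2).
    value = site_to_zone_value({"https://login.microsoftonline.com": 1,
                                "https://inthecloud247.com": 1,
                                "https://www.interchange.nl": 2})
    print(OMA_URI)
    print(value)
    for url, zone in decode_site_to_zone(value).items():
        print(f"{url} -> zone {zone} ({ZONES[zone]})")
```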
19 Comments
Does CSP work in Internet Explorer 11 (Windows 10)?
Yes, the policies described in this article are for use with IE11
I deployed exactly same CSPs mentioned in the article, but no luck. I see event log in Windows 10 says “error”
MDM ConfigurationManager: Command failure status. Configuration Source ID: (3EDD70EB-907E-46B9-959F-BA62A1EEA6FD), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard), Result: (Unspecified error).
Any thoughts?
Hi Devaki,
Don't copy the value like
Hello Peter,
What do you mean? I’ve got the same problem
Hi Stef,
I see only the first part of my comment on Devaki I added.
But what I mean:
Copy the example like this
And replace the double quotes by typing those yourself. For some reason WordPress fucked up the quotes in the article.
If you send me an email I can also send you the correct example.
Peter,
Send you the e-mail. (peter @ inthecloud247.com )
Stef
Thanks for the nice post,
I typed in exactly the same but it gives a -201681112 remediation error.
You should have a look at the event viewer. Have a look at DeviceManagement-Enterprise-Diagnostics-Provider, located under Applications and Services Logs, Microsoft, Windows.
That will be of more help.
What happens if you change the list? In my experience it will add the entry but it will not remove the old entry from the registry.
If you mean “AllowSiteToZoneAssignmentList”, no I don't recognize this. In my testing it removes the old site and puts in the new site.
Does this apply to Intune-managed AAD Joined Surface Hubs? With the exception of ./Device instead of ./User?
Unfortunately I have no experience with managing a Surface Hub. If the CSP policy is supported, then I think you should try with Device. If that doesn't work, remove device and try it without ./Device and without ./User like in the example in this document https://docs.microsoft.com/en-us/surface-hub/manage-settings-with-mdm-for-surface-hub#example-manage-surface-hub-settings-with-system-center-configuration-manager
Having real issues with policy, I just can't get the AllowSiteToZoneAssignmentList to function correctly. It all points to missing registry entries as I get a remediation failure and when I debug it further it indicates missing template. I thought the whole point of this was you didn't need to import any ADM templates like you do on a group policy.
Haven't used this for a long time myself, but this should work without deploying ADMX files. But don't just copy-paste the policy from the website, as WordPress screws the quotation marks. Replace them yourself. Or send me an email and I can send you an example.
Do we need to do IE ADMX ingestion first? I am currently configuring settings for ./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
It did not work
No, should not be necessary. But keep in mind, the end of support for IE is near within less than a year.
Is there any way to turn off Required server verification (https:) for all sites in this zone for Trusted Sites?
I found a way to change it from Uncheck or Checked using the Registry
Reg Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Value Name: Flags
Value Type: REG_DWORD
Value Data (in decimal): 67 (to uncheck) or 71 (to check)
But, how do I add that to this?