Azure / EMS / Intune / Windows

Manage Internet Explorer settings with Intune

In the past, Intune was only able to deploy a predefined set of device settings to MDM managed Windows devices. Fortunately Microsoft introduced ADMX-backed policies in the Windows 10 Creators update (version 1703). With those new MDM policies we are able to set a lot of policies using Policy CSP and with the Fall Creators Update (version 1709) even more settings are added.

A good, short explanation of what ADMX-backed policies are I found on Peter van der Woude his blog:

Starting with Windows 10, version 1703, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a GPO. Each administrative template specifies the registry keys, and their values, that are associated with a GPO and defines the policy settings that can be managed. Each setting in an administrative template corresponds to a specific registry value. Windows maps the name and category path of a GPO to a MDM policy area, and policy name, by parsing the associated ADMX-file, finding the specified GPO, and storing the metadata in the Policy CSP. When the MDM policy is referenced, this metadata is referenced and determines which registry keys are set or removed.

In this blog I will show you some examples of policies to manage Internet Explorer settings with Intune on a MDM managed device. Settings which could be done easily with GPO`s, but before ADMX-backed policies couldn`t be done with Intune.

Configure the Intune policies; Disable First run wizard

The first thing I will do for my users is blocking the “First run wizard“. On this site you will find a list of currently available Internet Explorer CSP policies. Search for the corresponding policy DisableFirstRunWizard. You will see the Windows versions on which the policy is supported, an explanation of the policy, a Tip and ADMX info.

ADMX Info:
GP English name is the corresponding GPO name.
GP name is the corresponding GPO name which can be found in the corresponding ADMX file
GP Path is the path to the GPO
GP ADMX file name is corresponding ADMX file which can be found in %SystemRoot%\policydefinitions

To see the options available for this policy, open the Group Policy Editor and open the GPO Prevent running First Run Wizard. You can enable and disable the policy, when enabling the policy you have two options, Go directly to “Welcome to IE” page and Go directly to home page.

Now open the inetres.admx file en search for the GP name NoFirstRunCustomise. Here on the first line you can find the corresponding registry key.
And you can find the values you need to set in your CSP policy in Intune. In red you can see the two values (options) which are corresponding to the options in the Group Policy Editor, Go directly to “Welcome to IE” page and Go directly to home page.

Now open the Intune tab in the Azure portal, go to Device Configuration, Profiles and click on Create profile.

Give the profile a Name, choose Windows 10 and later as Platform and choose Custom as Profile Type.
Now Click Add

Give this setting a name and description.
Add the OMA-URI: ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard
As you can see it is a user policy. The last part of the OMA-URI corresponds with  the policy you found on the list with Internet Explorer CSP Policies; InternetExplorer/DisableFirstRunWizard
As data type you choose string.
And in the value field you enter: <enabled/><data id=”FirstRunOptions” value=”1″ />

The first part of the value is enabled (you had two options for the GPO; disabled or enabled).
The second part is data id, this is equal to the enum id you can find in the inetres.admx file.
And I choose value 1, because I want to go directly to the HomePage

Now save the policy ad assign the policy to a User group.

When we now switch over to the Windows 10 client, open Settings, Accounts, Access work or school and perform a Sync. After the sync is completed, choose Export your management log files and have a look at the file MDMDiagReport.html located in C:\Users\Public\Documents\MDMDiagnostics\
When you scroll down you can see the policy is applied to User02.

In the inetres.admx file we could also find the corresponding registry key; key=”Software\Policies\Microsoft\Internet Explorer\Main”
You can see the value is set to 1.

Disable Home Page Change

The second setting I will set is Disable Home Page Change which sets the startpage (Home Page) to the url I want. Some customers want to open IE, for example, with the intranet site and not allowing the users to change it. In this example I set IE to open with this website. We first need to lookup the CSP policy at the Policy CSP list.

You can open the Group Policy Editor to see what options you have to set. It`s only disabled or enabled, when enabled you can set a url.
Open the inetres.admx file and search for RestrictHomePage. You need the text id, marked in red, to set as Data id in the Intune Configuration Policy.

Now Open the Intune tab on the Azure portal and create a new Configuration policy or add a new row to an existing Policy.
The OMA-URI is ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange
In the value field fill in <enabled/><data id=”EnterHomePagePrompt” value=”” />
Off course, it starts with <enabled/> and the data id you found in the inetres.admx file. As value you enter an url between quotes.

When we have a look at the MDM Diagnostics Report on the Windows 10 client, you can see the policy is set.

Opening the Internet Explorer settings we see the url set at the Home Page.

Allow Site To Zone Assignment List

Another request we often get is to manage the security zones in Internet Explorer, for example to mark an url as Local Intranet. On the CSP list you have to look for AllowSiteToZoneAssignmentList.
In the explanation you read there are 4 security zones (1-4) and which valuenames are accepted as url or IP-address.

When we configure this setting with a GPO you also need a value name (url) and value (on of the security zones).

Open inetres.admx and search for IZ_ZoneMaps. You need the value of list id to at in the Intune policy at Data id; IZ_ZonemapPrompt.

Switch over to Intune. Create an Intune Configuration Policy or edit an existing one.
The OMA-URI is ./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
In the value field fill in <Enabled/><Data id=”IZ_ZonemapPrompt” value=”;1″/>
We now know the value for Data id is found in the inetres.admx file.
The value contains the url and separated the security zone (1-4). The url and security zone needs to be separated with the (encoded) Unicode character &#xF000;

When you want to associate multiple url`s with security zones, you also need to separate those values with the Unicode character &#xF000; With below example I associate two url`s with security zone 1 (Local Intranet) and the third url with security zone 2 (Trusted Sites):
<Enabled/><Data id=”IZ_ZonemapPrompt” value=”;1&#xF000;;1&#xF000;;2″/>

Again we can check the MDM Diagnostics report

And we can see the url`s are associated with the correct security zone.


Leave a Reply

Your email address will not be published. Required fields are marked *