With Windows 10 1703 (Creators Update) we now have the possibility to configure settings through an MDM-deployed Group Policy Object. In this blogpost I explained how to configure the App-V client with these new capabilities; that blogpost also covers the basics of deploying a GPO through an MDM solution. Since my preferred MDM solution is Microsoft Intune, my blogposts only cover the steps needed to configure these settings through Microsoft Intune. In this blogpost I want to cover the scenario of configuring the Trusted Sites on a Windows 10 1703 machine through an MDM-deployed GPO.
As explained in the introduction, I will not explain the basics of deploying a GPO through MDM. You can find that information in my previous blogpost or on the Microsoft documentation site: here and here. In this blogpost I’m focusing on configuring the Internet Explorer Trusted Sites by using the following GPO setting: InternetExplorer/AllowSiteToZoneAssignmentList. To use this setting we need to enable it and provide a list of sites with the corresponding Internet Explorer zone number. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Another difference is that this GPO setting has a ‘list’ element which holds the sites and the zone numbers, as you can see in the screenshot below:
In the above screenshots you see the GPO setting and how the sites can be added through the GUI. When configuring this setting through the Policy CSP, the entries in the list element must be separated with the Unicode character 0xF000 (encoded version: &#xF000;). Another important thing is that the Policy CSP expects the values in ‘decoded’ XML. When working with Intune as MDM solution, Intune takes care of the encoding and decoding of the XML: through Intune you can provide ‘encoded’ XML and Intune will present this as ‘decoded’ XML to the Policy CSP. There is one exception to this statement: the Unicode character needs to be escaped within the ‘encoded’ XML string in Intune. A good site for encoding and decoding XML is the following: http://coderstoolbox.net. With the following steps you can configure the Internet Explorer Trusted Sites through Intune:
- Go to portal.azure.com and open the Intune blade.
- Click on Device Configuration and click on Create Profile:
- Enter a Name and Description. Then select Windows 10 and later as platform and Custom as Profile Type:
- Click on Add and fill in a Name for this setting. Fill in the following OMA-URI: ./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList and select String as data type:
- The next step is to provide the value of this OMA-URI setting. For this you need the ID of the list element, which can be found in the ADMX file. In my case the ID is ‘IZ_ZonemapPrompt’. Then provide the sites as the value, separated by the Unicode character. My trusted sites value is the following: <Enabled/><Data id="IZ_ZonemapPrompt" value="https://adfs.emsmaster.nl1"/> .
- The next step is to save this entry and save the profile. Then assign this profile to your user group and refresh the settings of the user.
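To show how the 0xF000 separator and the XML escaping fit together, here is an added Python example (not code from the original post) that builds the AllowSiteToZoneAssignmentList value for a set of sites, parses it back for review, and rejects a value in which the separator was dropped. The list id and zone numbers are the ones from this post; the site names are constructed.

```python
import re
import xml.sax.saxutils as sx

SEP = "\uf000"                # list separator the Policy CSP expects (U+F000)
SEP_ESCAPED = "&#xF000;"      # the same character, escaped for the Intune custom OMA-URI field
LIST_ID = "IZ_ZonemapPrompt"  # list id from the ADMX, as used in the post
ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}


def build_policy_value(assignments, escape_separator=True):
    """Build the <Enabled/><Data .../> string for a {site: zone} mapping.

    escape_separator=True writes the separator as &#xF000; (the form typed into
    Intune); False emits the literal U+F000 the Policy CSP finally receives.
    """
    for site, zone in assignments.items():
        if zone not in ZONES:
            raise ValueError(f"{site}: zone {zone} is not one of 1-4")
    body = SEP.join(f"{sx.escape(site)}{SEP}{zone}" for site, zone in assignments.items())
    if escape_separator:
        body = body.replace(SEP, SEP_ESCAPED)
    return f'<Enabled/><Data id="{LIST_ID}" value="{body}"/>'


def parse_policy_value(policy_value):
    """Inverse of build_policy_value: recover {site: zone} from either form.

    Rejects a value whose site and zone ran together because the separator was
    dropped (an odd number of list elements), which is easy to do when pasting.
    """
    m = re.search(r'<Data id="%s" value="(.*)"/>' % re.escape(LIST_ID), policy_value)
    if "<Enabled/>" not in policy_value or m is None:
        raise ValueError("not an enabled AllowSiteToZoneAssignmentList value")
    items = sx.unescape(m.group(1).replace(SEP_ESCAPED, SEP)).split(SEP)
    if len(items) % 2:
        raise ValueError("odd number of list elements: separator or zone number missing")
    return {site: int(zone) for site, zone in zip(items[::2], items[1::2])}


def permissive_sites(policy_value):
    """Sites the policy places in the Intranet or Trusted Sites zone, for review."""
    return sorted(s for s, z in parse_policy_value(policy_value).items() if z in (1, 2))
```

Running parse_policy_value over the value you intend to deploy is a cheap check that every site carries a zone number and that only the intended sites land in the Intranet or Trusted Sites zone.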
When this profile is applied on the user’s device you can see that the Group Policy object is applied on the client by viewing the Internet Explorer settings:
As you can see the settings are controlled by a GPO, but we’re not able to see the values. As an end user you can validate this by going to the site and showing the properties within Internet Explorer:
You can also see the values within the registry on the following locations:
Settings received by the Policy CSP:
Trusted Site setting within the Internet Explorer settings:
During the creation of this blogpost I identified a bug within Windows 10 1703. The settings deployed by MDM were not activated on the client. To activate the setting you need to configure the SiteToZoneAssignment through a local GPO. Then all settings (local and MDM) are applied to the workstation. Then you can disable your local GPO settings and only the MDM settings will be active. Microsoft has identified this as a bug. At this moment I don’t have much more information. If you want to have the latest information, please drop a message and I will provide the latest on this.