Site to zone assignment list

Complete guide to trusted sites with Intune

Posted by

Are you looking for a way to handle your Zone assignment list for Internet Explorer with Intune? I wouldn’t recommend to handle that with PowerShell script, Unless you need to keep the configuration option open to users. But if you looking direct replacement for the old fashion group policy settings – this is your way!

Old fashion group policy setting: Site to Zone Assignment list

Create device configuration profile

I will get right to it, so fire up your Intune portal.
Start by adding a new Device Configuration Profile, with the type of Windows 10 and Custom.

Custom Windows 10 device configuration profile

Press Settings, and Add a new OMA-URI row on the right and enter the following information


(Note! If you do copy and paste, double check with the picture below, WordPress doesn’t handle the &­#xF000 very good)

New OMA-URI row

Press OK, OK, and Create to add the profile and then assign it to a group that fits you.

Add another site to the list

This is a bit tricky, but just be careful, especially when it comes to very long lists. The list you just added contains two URLs in the intranet zone. Let’s break it down.
This is one row

This is the URLhttps://*
This is a divider for the next column or row&­#xF000;
Explains what zone1 = Intranet
2 = Trusted
3 = Internet
4 = Restricted

To if you want to add * to the trusted list, it will look like this

And the complete value, don’t forget to add &­#xF000; as the divider as well to add new row

Keep this in mind

I always keep two copies of this profile, one for test and one for production to make sure my changes always works, and nothing breaks.

It’s easy to forget or miss the dividers, sometimes I use notepad to make sure everything is correct. Note that the last row never ends with a divider

This configuration will add the configuration to the user profile, if you need to create the entries per-computer instead that possible, just change the URI to ./Device/Vendor/ instead of ./User/Vendor
In some rare cases you could omit Device or User, and just write ./Vendor. Generally I don’t recommend it, try to specify User or Device when possible.
See reference for more information


Policy CSP – Site to Zone assignment list

One comment

Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.