Deploy Trusted sites zone assignment using Intune

November 6, 2023

This profile deploys a fixed set of trusted sites and overrides the users' ability to add trusted sites themselves. To achieve this, an Intune configuration profile containing the Site to Zone Assignment List setting is deployed to device or user groups as required.

Log in to the Intune portal and navigate to Devices > Windows > Configuration profiles.

Click Create and select New policy.


In the Create a profile pane, select Windows 10 and later as the Platform and Templates as the Profile type. Select Administrative templates and click Create.


Give the profile the desired name and click Next.


In Configuration settings, select Computer Configuration and search for the keyword "Site to Zone"; the Site to Zone Assignment List setting will be listed in the search results. Click on it to select it.


Once selected, a Site to Zone Assignment List page appears on the right, explaining the different zones and the value required for each zone. Since this profile is for trusted sites, we use the value "2". Select Enabled and start entering the trusted sites as required, making sure to set each value to "2". See the example below:

[Screenshot: Site to Zone Assignment List with the trusted sites entered, each with value 2]

Once you have finished adding the list of sites, click OK to close it and click Next on the Configuration settings page.

Add Scope tags if needed.

Under Assignments, click Add groups to target the policy deployment to specific groups of devices or users. You can also select Add all users or Add all devices.

Click Next, then click Review + Save to save the profile.


guest

thanks! I was just looking for this exact solution!


Managing Internet Explorer Trusted Sites with Group Policy

Internet Explorer Maintenance is dead. We all have our regrets, missed chances, and memories. But we have to move on. Depending on your love for power, you have two options. You can take the totalitarian route (known as Administrative Templates) or the benevolent method (known as Group Policy Preferences). Here are the two ways that you can configure Internet Explorer Trusted Sites with Group Policy.

Configuring IE Trusted Sites with Administrative Templates

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

  • Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List
  • User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to:

  • 1 = Intranet/Local Zone
  • 2 = Trusted Sites
  • 3 = Internet/Public Zone
  • 4 = Restricted Sites

[Screenshot: Site to Zone Assignment List configured with one trusted site and one restricted site]

The screenshot above shows one trusted site and one restricted site. There is a potential downside to managing trusted sites with Administrative Templates: you will not be able to edit the trusted sites list within Internet Explorer. If you have more than four items listed, you won't be able to see the entire list in the IE Trusted Sites window. You can still check a specific site's zone by viewing the site properties (Alt – File – Properties). Remember this trick, as it will help you when troubleshooting! You can view the entire list in the Registry by navigating to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. If you are an administrator, you can edit/add/remove items in this list for testing. Just be sure to run a GPUpdate /force to undo your changes.

Bonus Points : Leave a comment below explaining why a GPUpdate /force is required to undo your changes. Super Bonus Points if you answer in a haiku.

Configuring IE Trusted Sites with Group Policy Preferences Registry

You would think that Group Policy Preferences Internet Settings could set trusted sites. Unfortunately, that setting is greyed out.

[Screenshot: Group Policy Preferences Internet Settings with the Trusted Sites option greyed out]

You can still configure IE site mappings with Group Policy Registry Preferences though.* The benefit of this is that your users can edit the zone lists and view all of the added sites. To set this up, create a new user side registry preference. This trick will not work under computer configuration. Enter in the following details:

  • Keypath: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\WEBSITENAME
  • Value Name: http
  • Value Type: REG_DWORD
  • Value Data: 2

Here is an example showing DeployHappiness being set as a trusted site with registry preferences:

[Screenshot: registry preference setting DeployHappiness as a trusted site]

If your site isn’t being placed in the Trusted Sites list, add it manually and then navigate to the registry location above. Ensure that the manual addition exactly matches your registry preference. You will also need to ensure that no Administrative Template Site to Zone settings are applied. If they are, they will wipe out your preference settings. Remember that Policies always win!
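To check which list is actually in force on a client, here is an added PowerShell audit (my own code, not part of the article or of any vendor tool) that walks the policy location named above and the HKCU locations that the IE dialog and a registry preference write to, reconstructs each entry as protocol://host, and flags sites mapped to different zones in more than one place. It assumes the ZoneMap\Domains layout the article describes (one key per domain, a subkey per host label, one DWORD per protocol); the function names and output layout are mine.

```powershell
# Added example, not code from the article: list site-to-zone entries from the
# registry locations discussed above and flag policy/preference conflicts.
# Function names and the output layout are my own choice.

function Get-SiteToZoneMapping {
    [CmdletBinding()]
    param()
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    $roots = @(
        # Administrative Template policy, computer side: locks the IE dialog and wins over preferences.
        @{ Source = 'Policy (HKLM)';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' },
        # Administrative Template policy, user side.
        @{ Source = 'Policy (HKCU)';     Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' },
        # User-editable list: what the IE dialog and a GPP registry preference write.
        @{ Source = 'Preference (HKCU)'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root.Path)) { continue }
        # Layout (assumed from the article): Domains\<domain>[\<host label>] holding one
        # DWORD value per protocol (http, https, * ...) whose data is the zone number.
        Get-ChildItem -Path $root.Path -Recurse | ForEach-Object {
            $key = $_
            $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $labels = $relative -split '\\'
            [array]::Reverse($labels)           # domain\www -> www.domain
            $hostName = $labels -join '.'
            foreach ($protocol in $key.Property) {
                $zone = [int]$key.GetValue($protocol)
                [pscustomobject]@{
                    Source   = $root.Source
                    Site     = "${protocol}://$hostName"
                    Zone     = $zone
                    ZoneName = $zoneNames[$zone]
                }
            }
        }
    }
}

function Find-SiteToZoneConflict {
    [CmdletBinding()]
    param()
    $entries = @(Get-SiteToZoneMapping)
    $policyCount = @($entries | Where-Object { $_.Source -like 'Policy*' }).Count
    if ($policyCount -gt 0) {
        # As the article says: once a policy list exists, preference entries do not
        # apply and users can no longer edit the Trusted Sites list in IE.
        Write-Warning "$policyCount policy-managed entries present: preference entries will not apply and the IE dialog is locked."
    }
    $entries | Group-Object -Property Site | ForEach-Object {
        $zones = @($_.Group.Zone | Sort-Object -Unique)
        [pscustomobject]@{
            Site     = $_.Name
            Sources  = ($_.Group.Source -join ', ')
            Zones    = ($zones -join ', ')
            Conflict = ($zones.Count -gt 1)     # same site, different zone in two locations
        }
    }
}

Find-SiteToZoneConflict | Sort-Object -Property Conflict -Descending | Format-Table -AutoSize
```

Run it in the context of the user whose list you are troubleshooting, since the HKCU locations are per user.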

You can search your domain for site to zone settings by using this Group Policy Search script. Alan Burchill taught me this trick.

To see additional ways to configure site to zone mappings, read this very in depth example guide.

24 thoughts on “Managing Internet Explorer Trusted Sites with Group Policy”

I hope to replace our Site to Zone list to allow our users to enter their own, but I am not sure how to enter our entries that don’t specify a specific protocol such as http or https. So can someone tell me how I would create an entry for this:

*://*.sharepoint.com

and what about something like this – how would this be entered?

https://192.192.192.192 .:9443 (example only)

As for your first question, this info should help: https://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites?page=1#entry-2849140

As for the second question, I don’t know of a way to handle ports. In reference to your example, a link like that would be entered like this: *://192.192.192.192

This is excellent – I have used the GP preferences to add trusted sites without locking users out of the setting if they need to add a site. But what about this – a program in the startup group – it is a shortcut to a file on a server – a member server of the local domain – domain.local. I want to prevent this program from prompting end-users to run it, and make sure it will run without prompting. Can this be accomplished with a GP preference as well? If so, do I need to add it to trusted sites, or to the local intranet zone or local machine zone? It would seem to be a local intranet or local machine zone I am working with here. I am not sure how to add it – whether I just need to add the local domain, or the computer name FQDN, or the path to the shared folder and the file. Thanks!

This sounds like two different problems: 1. How do I get an app to run without prompting? 2. How do I make it run on startup with group policy?

The latter is easy, create it as a scheduled task that runs on startup. The former depends on what type of script it is. If it’s a vbscript then run it with cscript /b "name.vbs".

With the old approach we had a file under trusted sites to allow the file to run. It has stopped working under 2012. Could I use this with a file? The old setting was:

file:\\Domain.com\netlogon\AsmallExe.exe

See this article on what you can configure with trusted sites: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

Just the ticket. Thanks a lot.

I have double-checked that the site to zone assignment policy is not configured, both under user and computer settings. We used group policy preferences because we do not want to lock down the trusted sites – only to push out the sites we want to be trusted. But for some absurd reason, the trusted sites are locked down and greyed out half the time – one day I will look and the sites are not dimmed out and will let me add or remove them. Then the next day they will be greyed out again. It is amazingly ridiculous. I am the only admin; no one else knows how to mess with the settings even if they had the admin credentials. So I have no clue why it keeps reverting back to the wrong settings. I think our active directory needs to have dcdiag run on it a few times. Any ideas will be sincerely appreciated.

If it is locked down, it is a GP policy that is doing it (the site to zone assignment one) or a registry key that is enabling that site to zone assignment.

When you see one that does it, run a GPResult /h report.htm /f and look through that report.htm. You will see any GP settings that would block it then.

A reply to my own post – the problem was corrupted group policy on the Windows 7 computers – some of the computers were working fine. The ones that were not working, we had to delete the corrupt policy (it was preventing the updated policy settings from being applied). It was in the path C:\ProgramData\Microsoft\Group Policy\History\{policy GUID}. After deleting the corrupt policy and rebooting, it fixed the problem!

Thanks for the update Sam!

You’re welcome! I am still having some issues with the trusted sites being greyed out in IE, even though I made certain not to use site to zone assignment in the policy, and only used GP preferences to add registry items for the sites in the trusted zone. Do you know what registry key I need to be looking for, that might be causing this issue?

Many thanks! Sam S.

Are you making sure that you’re applying it under HKCU, and not under HKLM? If you configure it under HKCU, users will still have the ability to add their own entries. But if you configure it under HKLM, the option to add entries will be greyed out.

Yes, I definitely deployed the preferences under the Users GP Preferences and not computer policy/preferences. However, there are some policy settings that I set in both computer and user settings in the GPO. None of these are site to zone assignments though. These settings are for all the security settings within the zones, like, download signed activeX controls – enable, download unsigned activeX controls, Prompt… etc.. – these settings are set in the computer policy and the user policy which is probably what is wrong. I should probably just disable the computer policies in the GPO. I will try that and see if it helps. Why are all these settings available in the computer side and the user side both? Is there a reason someone would set these settings in one policy over the other?

A computer side policy is available for every user that logs in already. These are generally faster to apply and are my preferred way to configure something. However, times like this are when a user side policy would be the best route for you. Remove the computer side settings and try John’s suggestions. Let us know what you find out.

Sam, another thing you can try is to access the GPO from a Windows 7 workstation running IE 9 (and make sure that there are no current Internet Explorer policies being applied to the workstation; put it in an OU that is blocking inheritance if you have to), then drill down to “User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings”. Double-click on “Security Zones and Content Ratings”, then choose “Import…” under “Security Zones and Privacy”, click “Continue” when prompted, then click “Modify Settings”, then “Trusted Sites”, then the “Sites” button. You can then make whatever changes you want (add a site, remove a site, remove the check from the https box, etc). This should give you the freedom you’re looking for :).

I’ve added multiple sites to the Site to Zone Assignment List (Trusted Sites). After a new logon, I checked my settings, started IE11, visited the sites I had added to the list, pressed Alt – File – Properties and checked the Zone. Some of the sites are correct, shown in the Trusted Sites zone; some of them are not, they are in an unknown zone (mixed). I want to check the registry path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, but this key is empty, for both HKLM and HKCU. What’s wrong?

Thanks and Regards Patrick

Are you deploying the trusted sites with Policies or registry preferences?

> comment below explaining why GPUpdate /force is required to undo your changes.

For Group Policy to apply efficiently, changes trigger it.

Exceptions apply. GPUpdate /force is one. Security too.

Less obtusely said: “Group Policy will normally only reprocess client side extensions that have at least one policy element that changed. The exceptions to this are Security Option settings which reapply every ~16 hours on most machines and every 5 minutes on Domain Controllers. The other exceptions are when you run a gpupdate /force, and any CSEs you configure to auto-reapply. You can view this decision tree by enabling UserEnv logging as described in http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx ” … But not as haiku.

Hi, is it possible to select the users to which this GPO applies? I need to add a web site to trusted sites, but only for two users. Any idea?

You would need to configure these settings under user configuration. Then change the scope of the GPO from authenticated users to a group containing those two users.

With regards to deploying trusted sites via GPO, while allowing users to add their own entries, see if this post helps: http://community.spiceworks.com/topic/post/2849140

I’m finding that when I deploy Trusted Sites using GPP and the registry, users aren’t able to add entries themselves (it allows them to add to the list, but the entries don’t stick and are gone as soon as you reopen the dialog). Any ideas?

You sir, have a good last name! 🙂

Do you have any delete preferences configured to that registry key? If you manually browse to that key, do you see what the user added?


Site to zone assignment list.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template) and Restricted Sites zone (High template). (The Local Machine zone and its locked-down equivalent have special security settings that protect your local computer.)

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

  • Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain, such as trailing slashes or a URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.
  • Value – A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

If you disable or do not configure this policy, users may choose their own site-to-zone assignments.


Use Intune Policy CSP manage Windows 10 settings – Internet Explorer Site to Zone Assignment List

Sandy Zeng

  • October 23, 2017 July 5, 2020
  • 12 Comments

To start, I was actually testing ConfigMgr cloud gateway management and client installation over the Internet; see this post: https://blogs.technet.microsoft.com/arnabm/2017/08/27/client-installation-over-internet/

I managed to install the ConfigMgr client on an AAD-joined Windows 10 (version 1709) device, but I also want to configure some Internet Explorer settings on my AAD-joined device.

Since Windows 10 (version 1703), we can use the Intune Policy CSP to configure more settings; these are called ADMX-backed policies.

Here is how I configured the Site to Zone Assignment List setting using an Intune OMA-URI.

Test result: this OMA-URI works only on Windows 10 version 1709:

./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList

This OMA-URI works on both Windows 10 version 1703 and 1709:

./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList

First, check the Policy CSP list: InternetExplorer/AllowSiteToZoneAssignmentList is the one we are looking for, and it tells us that the ADMX file name is inetres.admx.


Open gpedit.msc in Windows 10 (version 1709) and go to Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. There are two settings you will need: Enabled, and Zone assignment list.


I used ADMX Migrator to open inetres.admx: the zone list element is a ListBox whose ID is IZ_ZonemapPrompt. This is the ID I need in order to assign the zone list in Intune. You can also just open inetres.admx in Notepad and search for the ID you need.


Go to the Intune portal: Device configuration – Profiles – Create profile.


Click Add and enter the following information:

  • Name: AllowSiteToZoneAssignmentList (you can use anything you want)
  • OMA-URI: ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
  • Data type: String
  • Value (use straight ASCII double quotes):

<enabled/> <Data id="IZ_ZonemapPrompt" Value="https://login.microsoftonline.com&#xF000;2&#xF000;https://sandyzeng.com&#xF000;1&#xF000;&#xF000;"/>


So if you want to choose Enabled, the value starts with <enabled/>; if you want to choose Disabled, the value is <disabled/>.

Because we need to put the sites into the zone list, whose element ID is IZ_ZonemapPrompt, we use <Data id="IZ_ZonemapPrompt" ...>.

The Supported data types section of this article, https://docs.microsoft.com/en-us/windows/client-management/mdm/registry-csp, says:

Multiple strings are separated by &#xF000; and ended with two &#xF000; – A query of this parameter returns a multistring type.

You can find more information about &#xF000; on the Internet (search for: MDM &#xF000;).

In this case, I want https://login.microsoftonline.com in zone 2 (Trusted Sites) and https://sandyzeng.com in zone 1 (Local intranet), so I put &#xF000; between the strings and &#xF000;&#xF000; at the end.
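As an added example (my own code, not from this post), the following PowerShell builds the Value string for the IZ_ZonemapPrompt element from a site-to-zone table, using straight ASCII quotes and the &#xF000; separators with the double terminator described above, and decodes such a string back into site/zone pairs so you can check what a device received. It also rejects a host with a trailing path, the conflict the ADMX help text for this setting warns about; the function names are mine.

```powershell
# Added example (not from the original post): build and decode the ADMX-backed
# value for InternetExplorer/AllowSiteToZoneAssignmentList. The element id
# IZ_ZonemapPrompt and the &#xF000; separator come from the post; function names are mine.

function New-SiteToZonePolicyValue {
    [CmdletBinding()]
    param(
        # Ordered site -> zone table: 1 = Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites
        [Parameter(Mandatory)]
        [System.Collections.Specialized.OrderedDictionary]$SiteZones
    )
    $separator = '&#xF000;'
    $parts = foreach ($site in $SiteZones.Keys) {
        $zone = [int]$SiteZones[$site]
        if ($zone -lt 1 -or $zone -gt 4) {
            throw "Zone for '$site' must be 1-4, got $zone."
        }
        # The ADMX help text warns that a trailing slash or path makes entries conflict,
        # so accept only scheme://host (or a bare host, wildcard host or IP address).
        $hostPart = $site -replace '^[A-Za-z*]+://', ''
        if ($hostPart.Length -eq 0 -or $hostPart -match '[/?#]') {
            throw "'$site' must be a host without a path."
        }
        # Escape & < > " ' so the site is safe inside the XML attribute.
        [System.Security.SecurityElement]::Escape($site)
        $zone
    }
    # Every item is followed by the separator and the whole list ends with an extra one.
    $list = ($parts -join $separator) + $separator + $separator
    # Straight ASCII double quotes only: curly quotes pasted from a web page break the policy.
    return '<enabled/><Data id="IZ_ZonemapPrompt" Value="{0}"/>' -f $list
}

function ConvertFrom-SiteToZonePolicyValue {
    [CmdletBinding()]
    param(
        # The string as typed into Intune, or as stored on the device after it applied.
        [Parameter(Mandatory)][string]$PolicyValue
    )
    if ($PolicyValue -match '<disabled/>') { return @() }
    if ($PolicyValue -notmatch 'Value="([^"]*)"') {
        throw 'No Value="..." attribute found; check that the quotes are straight ASCII quotes.'
    }
    # Accept the literal entity (as typed) or the decoded U+F000 character (as stored).
    $raw = $Matches[1] -replace '&#xF000;', [string][char]0xF000
    $items = @($raw.Split([char]0xF000) | Where-Object { $_ -ne '' })
    if ($items.Count % 2 -ne 0) { throw 'The list is not a sequence of site/zone pairs.' }
    $zoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    for ($i = 0; $i -lt $items.Count; $i += 2) {
        $zone = [int]$items[$i + 1]
        [pscustomobject]@{
            Site     = [System.Net.WebUtility]::HtmlDecode($items[$i])
            Zone     = $zone
            ZoneName = $zoneNames[$zone]
        }
    }
}

# Constructed input matching the post's example: Trusted Sites = 2, Local intranet = 1.
$sites = [ordered]@{
    'https://login.microsoftonline.com' = 2
    'https://sandyzeng.com'             = 1
}
$value = New-SiteToZonePolicyValue -SiteZones $sites
$value                                   # paste this into the OMA-URI Value field
ConvertFrom-SiteToZonePolicyValue -PolicyValue $value | Format-Table -AutoSize
```

To verify what a device actually received, read the applied string from under the PolicyManager\current\device key named further down in the post (the exact subkey and value name there are my assumption, not stated in the post) and pass it to ConvertFrom-SiteToZonePolicyValue.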

After creating this profile, assign it to a user group.

On my Windows 10 machine, open Settings – Accounts – Access work or school and click Sync. Because I used ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList, these are device settings, so you can find them in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device.


Generate an Advanced Diagnostic Report.


You should be able to see the policy in your report.


Open Internet Explorer and check the site's zone.


If you can’t see your policy, check Event Viewer – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider for any errors about the policy you created, then start troubleshooting from there.


12 thoughts on “Use Intune Policy CSP manage Windows 10 settings – Internet Explorer Site to Zone Assignment List”


Thanks for this article. I notice that old (test) URLs remain in the registry, even if I change the string. Is this by design?


Hi, are the old (test) URLs and the new URLs assigned with the same policy, or did you create a new policy for the new URLs? I will test this and get back to you. Thanks.

Hi Sandy, I used the same policy. Thanks!

Hi Jan. I just tested it again, using Windows 10 version 1709 Enterprise. URLs updated without issues. I tested removing old URLs and adding new URLs; all worked, but it did take some time to update. I updated my post, because there were some typos and wrong screenshots. Event logs should show whether the policy applied successfully or failed.

Ok, thank you for testing. I did a check on my settings, and fixed a typo. Works as expected now.


Hi Sandy, thanks for this article. Unfortunately I’m not able to get it to work. I configured it just like your example. In the event log it says: EnrollmentID requesting set. In your screenshot it says merge. Do you have any idea? Thanks. Edward

Hello Edward, can you try it again? When you copy and paste those settings from my post, please check again that the double quotes are correct. It would be better to copy them to Notepad++ first, make sure the single or double quotes are correct and there are no extra spaces, then copy them back to Intune. Those settings are still working; I tested them a few days ago. Sandy.

The quotes were indeed the issue. Thank you very much!

I modified my blog function, hope this quotes problem won’t happen again. 🙂


Hi, I have gone through the post; could you please confirm whether this policy works for Windows 10 1803?

Regards, Arjun

The best way to find out is to test it yourself. 🙂 However, it still works on my Windows 10 1803 Enterprise version; not sure about Pro or others.


Intranet zone settings apply to Edge and Chrome, but not to Firefox

We have GPO settings active that place a certain website https://www.example.com into the trustworthy intranet zone. The setting (User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List) still has good old IE in its name, but apparently should apply generally. At least this used to work across all browsers in the past.

Accordingly, files that are downloaded from https://www.example.com are considered "harmless" (as in: right click-properties does not show a "This file came from another computer and might be blocked ..." warning, or in case of e.g. Word documents: a yellow warning bar is not shown when opening the file).

At least, this works as desired in Edge and Chrome. I also verified that it is not the case that Edge and Chrome never block files from the "wild"; e.g., sample documents from https://file-examples.com/index.php/sample-documents-download/sample-doc-download/ are correctly marked as "dangerous". This shows that the setting is indeed used to distinguish "good" from "evil" downloads, as desired.

However, it seems that the setting does not apply to Firefox. That is, downloading the very same file from https://www.example.com using Firefox produces a file that is considered "dangerous". I am very sure that this is a fairly recent problem and used to work as desired for Firefox as well until a few weeks ago. Unfortunately, I cannot pin down the moment of failure with enough certainty to decide whether the change happened in connection with (a) a Firefox version upgrade, (b) some Windows update, (c) changes to company GPO, or (d) perhaps anything else.

Q: How can I ensure that the desired zone settings also apply to Firefox downloads? That is, files from the configured site shall be considered harmless while general downloads from the wild are still considered dangerous by the operating system? Is there perhaps a FF-specific setting with the same semantics?

Asked by Hagen von Eitzen

Using Group Policy to Configure Supported Browsers for Integrated Windows Authentication

How to use Windows Group Policy to manage browser settings for IWA. May 10, 2023.

Browsers covered:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox

Within Group Policy (GP) there are two subsets of configuration available: policies and preferences. GP Policies are typically used for system-specific settings, including Windows, security, and software settings. GP Preferences differ from Policies in that when the GPO falls out of scope, the settings a Preference wrote remain in place (they "tattoo" the setting). Settings defined by GP Policies supersede the local system or user setting while the GPO applies, and when it falls out of scope the local settings revert to their previous values. Policy settings are typically applied through Administrative Templates, preconfigured collections of settings specific to Windows. The scope of this document is applying browser settings via GP Policy.

While Internet Explorer can be configured directly within a native GPO policy, additional browser settings for Firefox and Chrome must make use of ADM or ADMX templates specific to each browser.

Configuring Group Policy for Internet Explorer

Follow these steps to assign the PingFederate server base URL to the Trusted Sites zone, and to set the Trusted Sites zone logon option to Automatic logon with current username and password.

1. Create a new GPO, or use an existing GPO.
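The registry effect of those two GPO settings, as an added PowerShell example that is not part of the PingFederate article: it writes the same values under the machine policy hive so a test machine can be staged, or a deployed GPO checked against known-good values. The registry layout comes from my reading of the Internet Explorer ADMX, not from the article: the site list is stored as REG_SZ values under ...\Internet Settings\ZoneMapKey (name = site pattern, data = "2" for Trusted Sites), and the Trusted zone logon option is the DWORD "1A00" under Zones\2, where 0 means automatic logon with current username and password. The base URL is a placeholder, and the https-only guard is mine.

```powershell
# Added example (not from the PingFederate article). Run elevated on a test machine.
# Assumed registry layout (from the IE ADMX, not the article):
#   ...\Internet Settings\ZoneMapKey   REG_SZ  <site pattern> = "2"   (Trusted Sites)
#   ...\Internet Settings\ZoneMap      DWORD   ListBox_Support_ZoneMapKey = 1
#   ...\Internet Settings\Zones\2      DWORD   1A00 = 0  (automatic logon with current credentials)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$pingFederateBaseUrl = 'https://sso.example.com'   # hypothetical; substitute your server's base URL

function Set-TrustedSitePolicy {
    param([Parameter(Mandatory)][string]$Site)
    # With automatic logon, every host matching this pattern receives the user's Windows
    # credentials, so this guard (mine, not the article's) insists on a single https host.
    if ($Site -notmatch '^https://[^/*]+$') {
        throw "Refusing pattern '$Site': use a single https:// host"
    }
    New-Item -Path "$policyRoot\ZoneMapKey" -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\ZoneMapKey" -Name $Site -Value '2' `
        -PropertyType String -Force | Out-Null
    # Flag the ADMX sets when the policy is enabled, telling the client to read ZoneMapKey
    New-Item -Path "$policyRoot\ZoneMap" -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\ZoneMap" -Name 'ListBox_Support_ZoneMapKey' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Set-TrustedZoneLogon {
    param([ValidateSet('Automatic', 'Prompt', 'IntranetOnly', 'Anonymous')][string]$Mode = 'Automatic')
    # Codes for the 1A00 logon option of a security zone
    $codes = @{ Automatic = 0x00000; Prompt = 0x10000; IntranetOnly = 0x20000; Anonymous = 0x30000 }
    New-Item -Path "$policyRoot\Zones\2" -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\Zones\2" -Name '1A00' -Value $codes[$Mode] `
        -PropertyType DWord -Force | Out-Null
}

Set-TrustedSitePolicy -Site $pingFederateBaseUrl
Set-TrustedZoneLogon -Mode Automatic
```

Automatic logon means the browser answers a Negotiate or NTLM challenge from any host in the Trusted Sites zone with the user's own credentials, so keep the zone list to the exact PingFederate host rather than a broad wildcard, and prefer a GPO over these direct writes in production because Policy-hive values written by hand are not tracked or removed when a GPO goes out of scope.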

Configuring Group Policy for Chrome

Configuring Startup Script via Group Policy for Firefox

Policy CSP - ADMX_DnsClient

This CSP contains ADMX-backed policies, which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
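Building that SyncML by hand is where the encoding mistakes happen, so here is an added PowerShell example that is not from the Microsoft page. It assembles the ADMX payload (<enabled/> plus any <data id=".." value=".."/> elements), then either XML-escapes it or wraps it in CDATA before placing it in <Data> with Format chr. Assumptions not stated on the page: the OMA-URI shape ./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/<PolicyName>, the element id DNS_SearchList for the search-list text box (check it against the policy's ADMX mapping in DnsClient.admx), and that your MDM accepts CDATA when the switch is used.

```powershell
# Added example, not from the Microsoft page. Produces the SyncML <Replace> for an
# ADMX-backed ADMX_DnsClient policy. Assumed: OMA-URI pattern and the element id below.

function New-AdmxPolicyPayload {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State,
        [hashtable]$Data = @{}      # ADMX element id -> value; only used when Enabled
    )
    if ($State -eq 'Disabled') { return '<disabled/>' }
    $parts = [System.Collections.Generic.List[string]]::new()
    $parts.Add('<enabled/>')
    foreach ($id in $Data.Keys) {
        # escape the attribute value so a quote or ampersand in it cannot break the fragment
        $value = [System.Security.SecurityElement]::Escape([string]$Data[$id])
        $parts.Add(('<data id="{0}" value="{1}"/>' -f $id, $value))
    }
    return ($parts -join '')
}

function New-AdmxSyncML {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Payload,
        [int]$CmdId = 1,
        [switch]$UseCData           # only if the MDM accepts CDATA; otherwise the payload is escaped
    )
    # assumed OMA-URI shape for ADMX_DnsClient policies (device scope)
    $locUri = "./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/$PolicyName"
    # the payload is XML inside XML: escape it, or hand it over untouched inside CDATA
    $data = [System.Security.SecurityElement]::Escape($Payload)
    if ($UseCData) { $data = "<![CDATA[$Payload]]>" }
    $xml = @"
<Replace>
  <CmdID>$CmdId</CmdID>
  <Item>
    <Target><LocURI>$locUri</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
    <Data>$data</Data>
  </Item>
</Replace>
"@
    return $xml
}

# Turn_Off_Multicast has no data elements, so enabling it (LLMNR off) is just <enabled/>
New-AdmxSyncML -PolicyName 'Turn_Off_Multicast' -Payload (New-AdmxPolicyPayload -State Enabled)

# DNS_SearchList takes one comma-delimited string, as its description below says;
# the element id "DNS_SearchList" is assumed from DnsClient.admx
$search = New-AdmxPolicyPayload -State Enabled -Data @{ DNS_SearchList = 'corp.example.com,example.com' }
New-AdmxSyncML -PolicyName 'DNS_SearchList' -Payload $search -CmdId 2 -UseCData
```

Of the policies on this page, Turn_Off_Multicast is the one worth pushing first on managed endpoints: with LLMNR on, any host on the local link can answer a name query that DNS failed to resolve, which is the opening that LLMNR-poisoning tools rely on.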

DNS_AllowFQDNNetBiosQueries

Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.

If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names.

If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names.

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy .

DNS_AppendToMultiLabelName

Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.

A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.

For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.

If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com" second if the first query fails.

If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.

If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.

If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.

Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP.

To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.

If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.

If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.

DNS_DomainNameDevolutionLevel

Specifies the devolution level that DNS clients use if they perform primary DNS suffix devolution during the name resolution process.

With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.

The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.

Devolution isn't enabled if a global suffix search list is configured using Group Policy.

If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:

The primary DNS suffix, as specified on the Computer Name tab of the System control panel.

Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.

For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.

If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.

For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) and submits a query for example.aaa.microsoft.com. If that query fails and the configured devolution level permits, the suffix is devolved once more and the query example.microsoft.com is submitted; microsoft.com has two labels, which corresponds to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two, so devolution stops there. The devolution level can be configured using this policy setting. The default devolution level is two.

If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.

If this policy setting is disabled, or if this policy setting isn't configured, DNS clients use the default devolution level of two provided that DNS devolution is enabled.

DNS_IdnEncoding

Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.

If this policy setting is enabled, IDNs aren't converted to Punycode.

If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.

DNS_IdnMapping

Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.

If this policy setting is enabled, IDNs are converted to the Nameprep form.

If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form.

DNS_NameServer

Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.

To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.

If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.

If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.

DNS_PreferLocalResponsesOverLowerOrderDns

Specifies that responses from link local name resolution protocols received over a network interface that's higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).

If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.

If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.

This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.

DNS_PrimaryDnsSuffix

Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.

To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.

In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.

If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.

You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.

If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of the Active Directory domain to which it's joined.

DNS_RegisterAdapterName

Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.

By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.

If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.

For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection-specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.

This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.

If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.

DNS_RegisterReverseLookup

Specifies if DNS client computers will register PTR resource records.

By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.

If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.

To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

Don't register: Computers won't attempt to register PTR resource records.

Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.

Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.

If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.

DNS_RegistrationEnabled

Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.

If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.

If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.

DNS_RegistrationOverwritesInConflict

Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.

This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.

During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.

If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.

If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer.

DNS_RegistrationRefreshInterval

Specifies the interval used by DNS clients to refresh registration of A and PTR resource records. This policy setting only applies to computers performing dynamic DNS updates.

Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.

If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.

To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.

If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.

If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.

DNS_RegistrationTtl

Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.

To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).

If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.

If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).

DNS_SearchList

Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.

An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".

Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".

To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.

If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.

If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.

DNS_SmartMultiHomedNameResolution

Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.

If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.

If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.

DNS_SmartProtocolReorder

Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).

If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.

If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.

DNS_UpdateSecurityLevel

Specifies the security level for dynamic DNS updates.

To use this policy setting, click Enabled and then select one of the following values:

Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.

Only unsecure - computers send only nonsecure dynamic updates.

Only secure - computers send only secure dynamic updates.

If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.

If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.

DNS_UpdateTopLevelDomainZones

Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".

By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.

If you enable this policy setting, computers send dynamic updates to any zone that's authoritative for the resource records that the computer needs to update, except the root zone.

If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.

DNS_UseDomainNameDevolution

Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.

For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) and queries example.aaa.microsoft.com, and then, if the configured devolution level permits, example.microsoft.com, which corresponds to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.

If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.

If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
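The suffix rules spread across DNS_AppendToMultiLabelName, DNS_DomainNameDevolutionLevel, DNS_SearchList and DNS_UseDomainNameDevolution are easier to reason about as one candidate-name generator. The following PowerShell function is an added example, not from the Microsoft page: it computes the sequence of names the client would try for an unqualified name under those settings and sends no queries. The ordering (primary suffix, then connection-specific suffixes, then devolved suffixes; a global search list replacing all of that) follows the descriptions above; the parameter names are mine.

```powershell
# Added example, not from the Microsoft page. Pure logic, no network traffic.

function Get-DnsQueryCandidates {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$PrimarySuffix = '',
        [string[]]$ConnectionSuffixes = @(),
        [string[]]$SearchList = @(),        # DNS_SearchList; when set, devolution is off
        [bool]$UseDevolution = $true,       # DNS_UseDomainNameDevolution
        [int]$DevolutionLevel = 2,          # DNS_DomainNameDevolutionLevel; 2 is the floor
        [bool]$AppendToMultiLabel = $false  # DNS_AppendToMultiLabelName
    )
    $out = [System.Collections.Generic.List[string]]::new()

    if ($Name.EndsWith('.')) {              # dot-terminated = fully qualified, sent as-is
        $out.Add($Name.TrimEnd('.'))
        return $out
    }
    $multiLabel = $Name.Contains('.')
    if ($multiLabel) {
        $out.Add($Name)                     # "server.corp" is queried unmodified first
        if (-not $AppendToMultiLabel) { return $out }
    }
    if ($SearchList.Count -gt 0) {          # a global search list replaces everything else
        foreach ($s in $SearchList) { $out.Add("$Name.$s") }
        return $out
    }
    if ($PrimarySuffix) { $out.Add("$Name.$PrimarySuffix") }
    foreach ($s in $ConnectionSuffixes) { $out.Add("$Name.$s") }

    # devolution applies to single-label names only
    if ($UseDevolution -and $PrimarySuffix -and -not $multiLabel) {
        $labels = $PrimarySuffix.Split('.')
        $floor  = [Math]::Max($DevolutionLevel, 2)
        # drop the leftmost label of the primary suffix until only $floor labels remain
        for ($keep = $labels.Count - 1; $keep -ge $floor; $keep--) {
            $devolved = ($labels | Select-Object -Last $keep) -join '.'
            $out.Add("$Name.$devolved")
        }
    }
    return $out
}

# Single-label name with the page's own suffix ooo.aaa.microsoft.com, default level two
Get-DnsQueryCandidates -Name 'example' -PrimarySuffix 'ooo.aaa.microsoft.com'

# Same name with devolution capped at level three
Get-DnsQueryCandidates -Name 'example' -PrimarySuffix 'ooo.aaa.microsoft.com' -DevolutionLevel 3

# Unqualified multi-label name with DNS_AppendToMultiLabelName enabled
Get-DnsQueryCandidates -Name 'server.corp' -PrimarySuffix 'contoso.com' -AppendToMultiLabel $true
```

The first call returns the three names walked through in the text (example.ooo.aaa.microsoft.com, then example.aaa.microsoft.com, then example.microsoft.com); the second stops after example.aaa.microsoft.com. Every extra candidate is a query that leaves the host carrying an internal hostname, and the devolved ones are answered by whoever is authoritative for the parent domain, which may not be you. Setting DNS_SearchList is the policy-level way to pin the candidate set, since the page notes that a global search list turns devolution off.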

Turn_Off_Multicast

Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.

LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.

If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.

If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.


Environment Manager (EM) — mer (Community Member) asked a question.

I'm currently in the process of transforming our GPO into EM. It seems to work well but I have one problem.

The "apply ADMX policy" action seems not to be working properly when using it for the "Site to Zone Assignment List" for IE. For example, I added 6 entries to the list, and when I check the registry there are only 1 or 2 entries from my list configured in the EM policy.

I also checked with the client logging tool and this step is marked as "passed". I am also sure that no conflicting GPO is applied during logon.

Anyone else with this issue?


steven.woods.ivanti (Ivanti Employee)

I have had a similar case previously; however, we saw in Procmon that this was due to another GPO/script overwriting the keys the ADMX policy had set. I would advise having an endpoint completely blank, with no GPO/scripts being run on the endpoint, and running a blank configuration that just runs this ADMX policy. If you still see the issue I would raise a case for further troubleshooting to be carried out.

mer (Community Member)

Ok, I have to admit that it was my fault. I made a mistake while adding the list and switched the value and value name. :/

But thank you very much for giving a hint.


joeh (Ivanti Employee)

Are you adding a large number of entries? I think I've seen issues with very large numbers where it just fails to complete them all.

Hi Joeh, what do you define as a large number? I think it was around 40 entries per node. One node during computer "network available" trigger and one node under "Pre-Desktop" Trigger.

Hi. I may have been mistaken, I think I was remembering the issue described here: https://forums.ivanti.com/s/article/Slow-application-launch-when-Zone-Map-keys-contains-many-entries


IE trusted sites still not adding zones

Fellow Spiceheads,

Good morning.

I have tried all of the suggestions I found in Spiceworks. I admit I am learning how to script and use GPO Editor. That being said, this is how it is configured.

1st) I am in the Administrator and GPO creator and Owner Security Group. I put a shortcut of the script under corp.spiceymeat.com. In GPO Editor the script was created and enabled under User Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.

The contents within Site to Zone Assignment List are:

http://frame.spiceymeat.com, value is 2 (this one works)
*.spiceymeat.com
http://framesandsandbox.spiceymeat.com

What am I missing? Please help! My job is dependent upon this success.

Thanks in Advance Chris O.

User: Chris ordinachev


Author Aaron S

Should pull down the GPO after about 2 hours. May have to start another thread in reference to your machines not automatically pulling down their GPO. Possibly some helpful links below.

http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Pol...

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e4f37f3b-dce1-4cbc-adbe-dae90d86084c...

I believe GPO will only allow you to assign the zone assignment to the root domain. Example Spiceworks.com = Value of 2. Then you add spicerex.spiceworks.com = Value of 1. The root domain is going to be assigned the value of 2, so no other sub domains can be added. 

Technet discussion on this issue:

https://social.technet.microsoft.com/Forums/ie/en-US/9b49e65b-13ad-4914-8328-f386907b79de/wildcards-...

Author Chris ordinachev

I appreciate the quick response.

I am trying this process now. Will follow up shortly

TIA Chris O. aka Gringo Loco01

So I added the sites like you mentioned at the the Value of 1.

Still no change.  There is one site that DOES work which is in the trusted zones. framespicymeat.com works. freddymac and blitzdocs.net are in there as well

Do I need to put the script in a specific container other than just at the root of the domain?

I would not use a script like that. Just manually enter those server names under

Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.

Thank you Aaron.

I will kick it around a bit and let you know.

Until then have a GREAT day!!!

I tried the above again. Should I remove the existing zones and put them in again? I am at a loss

Is there something stupid I am missing like execute the script or something like that?

You should not have a script to execute. All you should have to do is place those domains into the site to zone assignment list, then perform a gpupdate or reboot the PC, to push the Group Policy Updates.
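To check whether the policy has actually landed on a client after the gpupdate or reboot, the following PowerShell is an added example (not code from this thread, from Microsoft or from Spiceworks). It assumes the layout the Group Policy client uses when it writes the Site to Zone Assignment List: per-site entries under `HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains` (or `HKLM:` for Computer Configuration), keyed by registrable domain with an optional host-prefix subkey, and a REG_DWORD value named after the scheme (`http`, `https`) or `*` for any scheme. The domain split is simplified to "last two labels" and IP addresses or ranges are not handled; the sample entries at the bottom are constructed to mirror the thread.

```powershell
# Added example: translate Site to Zone Assignment List entries into the
# ZoneMap registry layout and audit what a machine actually received.
# Registry path and layout are assumptions based on how Windows stores
# ZoneMap data; sample entries below are constructed, not from any GPO.

$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function ConvertTo-ZoneMapEntry {
    # Given one policy entry (site pattern, zone number) return the registry key
    # and value name expected under ...\Internet Settings\ZoneMap.
    # Simplified: the registrable domain is taken as the last two labels, and
    # IP addresses (stored under ZoneMap\Ranges) are rejected rather than mapped.
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][ValidateRange(1, 4)][int]$Zone
    )
    $scheme      = '*'                      # '*' = any protocol
    $hostPattern = $Site.Trim()
    if ($hostPattern -match '^(?<scheme>https?|ftp|file)://(?<host>[^/:]+)') {
        $scheme      = $Matches.scheme
        $hostPattern = $Matches.host
    }
    if ($hostPattern -match '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "IP address '$hostPattern' belongs under ZoneMap\Ranges; not handled here"
    }
    # '*.example.com' covers the whole domain, which is the bare domain key.
    $hostPattern = $hostPattern -replace '^\*\.', ''
    $labels = $hostPattern.Split('.')
    if ($labels.Count -lt 2) { throw "'$Site' is not a fully qualified host name" }
    $domain = ($labels[-2..-1]) -join '.'
    $prefix = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
    [pscustomobject]@{
        Site     = $Site
        Host     = $hostPattern
        Key      = if ($prefix) { "Domains\$domain\$prefix" } else { "Domains\$domain" }
        Value    = $scheme                  # REG_DWORD value name: http, https or *
        Zone     = $Zone
        ZoneName = $ZoneNames[$Zone]
    }
}

function Get-ZoneMapAssignment {
    # Read the per-site assignments Group Policy wrote. Policy-delivered entries
    # live under the Policies path; entries a user added by hand (which an
    # enabled policy locks out) would be under the non-Policies path instead.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $root = "${Hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -Path $root)) { return @() }
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        # $key.Name is e.g. HKEY_CURRENT_USER\...\Domains\spiceymeat.com\frame
        $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + '\Domains\'.Length)
        $parts    = $relative -split '\\'
        $hostName = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($valueName in $key.GetValueNames()) {
            if ($valueName -eq '') { continue }          # skip the (Default) value
            $zone = [int]$key.GetValue($valueName)
            [pscustomobject]@{ Hive = $Hive; Host = $hostName; Scheme = $valueName; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

function Test-ZoneAssignment {
    # Compare the entries you put in the GPO with what the registry shows.
    # 'Missing' means the policy has not applied yet (gpupdate /force, then
    # gpresult /r to confirm the GPO is listed as applied).
    param(
        [Parameter(Mandatory)][hashtable]$Expected,     # site pattern -> zone number
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'
    )
    $actual = @(Get-ZoneMapAssignment -Hive $Hive)
    foreach ($site in $Expected.Keys) {
        $want = ConvertTo-ZoneMapEntry -Site $site -Zone $Expected[$site]
        $hit  = $actual | Where-Object { $_.Host -eq $want.Host -and $_.Scheme -eq $want.Value } | Select-Object -First 1
        [pscustomobject]@{
            Site   = $site
            Wanted = $want.ZoneName
            Status = if (-not $hit) { 'Missing' } elseif ($hit.Zone -ne $want.Zone) { "Wrong zone ($($hit.Zone))" } else { 'OK' }
        }
    }
}

# Constructed sample list mirroring the thread; the real one comes from the GPO.
$policyList = @{
    'http://frame.spiceymeat.com'            = 2
    '*.spiceymeat.com'                       = 2
    'http://framesandsandbox.spiceymeat.com' = 2
}
$policyList.GetEnumerator() | ForEach-Object { ConvertTo-ZoneMapEntry -Site $_.Key -Zone $_.Value } | Format-Table Site, Key, Value, ZoneName
# On a domain-joined client, after gpupdate /force:
# Test-ZoneAssignment -Expected $policyList | Format-Table
```

Running only the first part (the translation) works anywhere and shows what registry keys to expect; `Test-ZoneAssignment` needs to run on the client in the context of a user the GPO applies to, since a User Configuration policy is written to that user's HKCU, not to the domain controller you edited the GPO on.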

That's what I needed to know. I still have my training wheels on and have no clue about all the nuances of pushing policies. When I do this I am on the domain controller, so after the update and the reboot it should enforce on all the computers that are turned on and logged into by a spiceymeat employee, correct?

Thanks a HUUUUUGE bunch. Saved my ass bro.

Any books, videos or references for Dummies you can suggest would be very much appreciated as well.

I will holler with status after I do gpupdate.

When you setup a group policy your machines will pull down the update after issuing the gpupdate command/reboot/or waiting for roughly two hours. Here is a beginners guide straight from Microsoft.

https://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx

Another good video from Professor Messer on GPO

http://www.professormesser.com/security-plus/sy0-401/group-policy/

Excellent.  Thank you very much for all of your time and assistance Aaron.  Have a GREAT day sir.

No problem, please remember to mark a best answer, if you are satisfied with the results.

So in order for me to successfully add the trust zones I had to go to the local machine and sync the gpo. I would have thought this would have happened without having to update or sync the gpo locally.

Any thoughts Aaron?

I don't know what changed in the DC but it appears to be working now.

This domain has ghosts. LOL

Thanks again Aaron. I will close this out.

Have a GREAT weekend sir.

Glad everything is working now. Have a wonderful weekend yourself.


by Mike Gruner

Dynamic Environment Manager (DEM) – IE trusted sites

Have you ever wanted to set default websites in Microsoft Internet Explorer across your whole environment? That is one of the use cases of VMware's Dynamic Environment Manager (DEM). But what if you use Internet Explorer Enhanced Security Configuration? In that case you have to define which sites belong to which security zone. There are four zones:

1 = Intranet zone

2 = Trusted Sites zone

3 = Internet zone

4 = Restricted Sites zone.

This leads to the obvious idea of doing that definition with DEM as well; it's a website setting, right? Open the DEM Management Console and go to the "User Environment" tab. On the left side choose "ADMX-based Settings" and click Create. Choose "Select Categories", then User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page, and click OK.

Now go to Edit.

Select on the left side "Windows Components – Internet Explorer – Internet Control Panel – Security Page". On the right side you will find the policy "Site to Zone Assignment List".

And then you see this (the setting is flagged as unsupported):

Now, unfortunately, the bad news: this is not possible with DEM ADMX-based settings. The reason is that this policy does not just write a few registry keys. It is more complex from the policy engine's perspective: it is applied through the Group Policy client-side extensions, and DEM cannot run or simulate that behaviour. For that reason VMware marks it as an unsupported setting.

If you want to configure settings like this in your environment, use a regular Active Directory GPO instead.

Dynamic Environment Manager (DEM) supports a lot of policies (GPOs), but unfortunately not this one.
