SOLVED

Intune Windows 10 Security Baseline IE Settings


We have deployed the Intune Windows 10 Security Baseline, which includes the default IE Settings. However, via GPO we have published intranet sites to the intranet security zone via... GPO setting \User Configuration\Preferences\Windows Settings\Registry\IE Settings, which creates registry entries at ...HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

 

and we also allow our users to add sites to the zones as they deem necessary. This works as expected and has for many years....

 

However, machines that are enrolled in the Intune Windows 10 Security Baseline have all Internet Explorer security settings blocked, including adding sites...

 

It appears the setting in the baseline "Internet Explorer users adding sites: Disabled" does not function. I have changed this to "Not Configured" and "Enabled" with no change.. the add sites box is greyed out along with all IE Security options...

 

Changing the setting "Internet Explorer security zones use only machine settings" to disabled does allow the sites published via GPO to show and be effective....

 

We are looking to publish specific intranet sites along with a few internet sites while retaining the ability of our users to add custom sites.... Any Thoughts/suggestions...

7 Replies

@MJ_Black Any update on this one? We are experiencing the same problem. The "Internet Explorer users adding sites" does not change the behavior. 

@MattMT, I have not received any suggestions... My plan going forward is to move away from the baseline configurations and move toward a more granular configuration policy. Which kinda sucks, as the baselines are easy to manage and translating all the settings from the baselines into individual policies is going to be difficult.

I'm having the same issue.  Did anyone figure out a solution?

 

 

Due to our time constraints we moved away from Intune altogether. My hope is to come back to it...

@MJ_Black I have the same issue

best response confirmed by Bruno_Marcelo (Microsoft)
Solution
I guess I found a solution for this issue, try this:


Internet Explorer security zones use only machine settings: Disabled
Internet Explorer users adding sites: Enabled
Internet Explorer users changing policies: Enabled

Nice job figuring it out. I was able to solve this by setting all three settings to "Not Configured".
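
To confirm on an enrolled machine which of the three settings discussed in this thread is actually in force, the following added example (not part of any post above) reads the Internet Explorer zone-lockdown policy values from the registry. It assumes the three baseline settings map to the ADMX policy values `Security_HKLM_only`, `Security_zones_map_edit` and `Security_options_edit` under the machine policy key, and that per-user sites live under `ZoneMap\Domains`.

```powershell
# Added example: report the IE zone-lockdown policy values and whether
# per-user ZoneMap entries (GPO Preferences or user-added sites) are honoured.
# Assumption: the Intune baseline settings write these ADMX-backed values.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Registry value name -> effect when the value is 1
$checks = [ordered]@{
    'Security_HKLM_only'      = 'Zones use only machine settings (HKCU zone data ignored)'
    'Security_zones_map_edit' = 'Users cannot add or remove sites in zones'
    'Security_options_edit'   = 'Users cannot change zone security settings'
}

$props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$report = foreach ($name in $checks.Keys) {
    # A missing value means the policy is not configured on this machine
    $value = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
    [pscustomobject]@{
        ValueName   = $name
        Data        = if ($null -eq $value) { '(not set)' } else { $value }
        Restricting = ($value -eq 1)
        EffectWhen1 = $checks[$name]
    }
}
$report | Format-Table -AutoSize

# Count the per-user site entries that would be ignored under machine-only mode
$userDomains = @(Get-ChildItem -Path $userZoneMap -ErrorAction SilentlyContinue)
$machineOnly = ($report | Where-Object ValueName -eq 'Security_HKLM_only').Restricting

if ($machineOnly -and $userDomains.Count -gt 0) {
    Write-Warning ("{0} per-user ZoneMap entries exist but are ignored while Security_HKLM_only = 1." -f $userDomains.Count)
} elseif ($userDomains.Count -gt 0) {
    Write-Output ("{0} per-user ZoneMap entries are in effect." -f $userDomains.Count)
} else {
    Write-Output 'No per-user ZoneMap entries found for this user.'
}
```

Run it as the affected user after a policy sync; a value that still reads 1 after the Intune setting was changed points to the policy not having been re-applied or to another policy source writing the same value.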