Enabling and configuring Web content filtering in Microsoft Defender for Endpoint (MDE)
Web content filtering is part of the Microsoft Defender for Endpoint solution and is fully integrated with its web protection capabilities. Customers can turn on web content filtering directly, without additional cost, hardware, or extra licensing.
One of the most common questions is: why use web content filtering? The answer is simple. In many environments there are websites that, while not malicious, are problematic because of compliance, bandwidth, or other concerns. With web content filtering you can deploy policies and target them at specific device groups.
You will need the following prerequisites to start web content filtering:
License
Multiple licenses are available for Defender for Endpoint. In general, the following licenses cover the product and this feature:
Device
More in-depth requirements for each component (Network Protection) are explained later in this blog.
Microsoft Edge is protected by Defender SmartScreen; other browsers do not use Defender SmartScreen. To use web content filtering on all browsers, make sure both Network Protection (NP) and Defender SmartScreen are enabled. Network Protection extends the scope of Defender SmartScreen beyond Edge: it inspects outbound HTTP(S) traffic from any process and blocks connections to low-reputation sources and to sites in blocked categories (it does not block all outbound traffic).
Web content filtering uses different techniques for Microsoft and non-Microsoft browsers, which gives different visual results. In Edge, SmartScreen shows a block page inside the browser; in third-party browsers, Network Protection drops the connection and Windows shows a toast notification.
For Network Protection the following requirements apply.
See all requirements: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
Network Protection can be enabled with the following methods:
This blog covers enablement with MEM/Intune and PowerShell. Don't forget to enable SmartScreen for Edge as well.
To configure Network Protection in MEM:
Expand the category Real-time protection and configure the setting Enable Network Protection. Use the value Enable for full (block) protection, or Audit mode to test the feature first.
Set-MpPreference is the Defender PowerShell cmdlet for putting Network Protection in audit or block mode.
Enable block mode
Set-MpPreference -EnableNetworkProtection Enabled
Enable audit mode
Set-MpPreference -EnableNetworkProtection AuditMode
Use the PowerShell cmdlet Get-MpPreference to validate the Network Protection state: the EnableNetworkProtection property returns 0 (Disabled), 1 (Enabled, block mode) or 2 (AuditMode).
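The following script is an added example (not part of the original post) that wraps the enablement and validation steps above. It sets the requested Network Protection mode, first checking the Defender Antivirus prerequisites Network Protection depends on (real-time protection, behavior monitoring, cloud-delivered protection), reads the applied value back, and checks whether the Edge SmartScreen policy is present. The function names and the registry location used for the Edge policy check are my assumptions; run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example (not from the original post): enable Network Protection in the
# requested mode and verify the prerequisites it depends on.
# Run in an elevated PowerShell session on the endpoint. Assumed/illustrative:
# the function names and the Edge policy registry path.

function Set-NetworkProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )

    $modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }

    # Network Protection rides on Defender Antivirus: it needs real-time
    # protection, behavior monitoring and cloud-delivered protection (MAPS).
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.RealTimeProtectionEnabled) { throw 'Real-time protection is off; Network Protection will not work.' }
    if (-not $status.BehaviorMonitorEnabled)    { throw 'Behavior monitoring is off; Network Protection will not work.' }
    if ($pref.MAPSReporting -eq 0)               { Write-Warning 'Cloud-delivered protection (MAPS) is disabled; reputation lookups will not work.' }

    Set-MpPreference -EnableNetworkProtection $Mode

    # Read back what the engine actually applied instead of trusting the call.
    $applied = (Get-MpPreference).EnableNetworkProtection
    [pscustomobject]@{
        Requested = $Mode
        Applied   = $modeNames[[int]$applied]
    }
}

function Test-EdgeSmartScreenPolicy {
    # Edge SmartScreen policy as written by Intune/GPO (assumed location; verify in your tenant).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $val = (Get-ItemProperty -Path $key -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
    [pscustomobject]@{ SmartScreenPolicyEnabled = ($val -eq 1) }
}

# Usage: pilot in audit mode, review the events, then switch to block.
Set-NetworkProtectionMode -Mode AuditMode
Test-EdgeSmartScreenPolicy
```

On Windows Server and on down-level Windows 10 builds, Network Protection additionally needs Set-MpPreference -AllowNetworkProtectionOnWinServer $true or -AllowNetworkProtectionDownLevel $true before the mode setting takes effect.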
Web content filtering is part of Web protection in Microsoft Defender for Endpoint. First, we need to make sure the Advanced feature is enabled for web content filtering.
Next, create the first web content filtering policy. Start by specifying the policy name.
Then select the web content categories to block. Sites in the selected categories are blocked; unselected categories are not blocked but are still audited, so they appear in the reports. For example, to block criminal activity, open the category Legal liability and select Criminal activity. Clicking the arrow next to a category expands its subcategories.
For the scope there are two options. To target all devices, select All devices in my scope; to target specific device groups, use Select from list. When device groups are selected, only those groups are prevented from accessing websites in the selected categories; all other devices stay in audit-only mode.
The policy below applies only to the device group “Windows 10 devices Kiosk”.
Before blocking websites for end users, it is important to understand their browsing behaviour. You can deploy a policy to a device group without selecting any category: this creates an audit-only policy that records access without blocking anything.
With Network Protection and web content filtering, multiple situations are possible. Below are both audit and block examples:
Multiple reports are available for viewing web content filtering activity. To open the Defender for Endpoint web protection report:
In the above example, for the audit-mode site worldofwarcraft, useful details are available in the web content filtering summary.
The Web categories view shows the request and block rate per category, with details on the request trend, devices, and total domains.
With KQL (advanced hunting) it is possible to summarize web protection events. Below are the events by ActionType: Edge reports SmartScreenUrlWarning events, third-party browsers report ExploitGuardNetworkProtectionBlocked events (ExploitGuardNetworkProtectionAudited when Network Protection runs in audit mode). In both cases the value CustomPolicy identifies a web content filtering hit rather than a reputation block.
Microsoft Edge – SmartScreenUrlWarning
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
| where Experience == "CustomPolicy"
Third-party browser – Network Protection
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, ResponseCategory=tostring(ParsedFields.ResponseCategory)
| where ResponseCategory == "CustomPolicy"
It is possible to override a web content filtering category block for a specific site with a custom indicator: custom indicators take priority over the category policy.
To create custom indicators:
Make sure the indicator action is set to Allow.
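As an added example (not from the original post), the same exception can be created programmatically through the Defender for Endpoint indicators API, which is useful when many category exceptions have to be managed consistently. It assumes $AccessToken holds a bearer token for the WindowsDefenderATP API obtained elsewhere (an app registration with the Ti.ReadWrite application permission); the function names, the domain and the titles are placeholders.

```powershell
# Added example (not from the original post): create an Allow domain indicator
# through the Defender for Endpoint API. An Allow indicator takes priority over a
# web content filtering category block. Assumptions: $AccessToken is a bearer token
# for the WindowsDefenderATP API (app registration with Ti.ReadWrite); the domain,
# titles and function names are placeholders.

function New-MdeAllowIndicator {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Domain,
        [string]$Title = "WCF exception: $Domain",
        [string]$Description = 'Allowed business site in a blocked web content category',
        [int]$ExpiresInDays = 90
    )

    $body = @{
        indicatorValue = $Domain
        indicatorType  = 'DomainName'          # use 'Url' to scope the exception to a path
        action         = 'Allowed'             # Allow overrides the category block
        title          = $Title
        description    = $Description
        severity       = 'Informational'
        # Time-box exceptions so they get reviewed instead of living forever.
        expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpiresInDays).ToString('o')
    } | ConvertTo-Json

    Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } `
        -Body $body
}

function Get-MdeIndicatorForDomain {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Domain
    )
    # OData filter on the indicator value to confirm the exception exists.
    $uri = "https://api.securitycenter.microsoft.com/api/indicators?`$filter=indicatorValue eq '$Domain'"
    (Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }).value
}

# Usage (placeholder domain):
New-MdeAllowIndicator -AccessToken $AccessToken -Domain 'example.com'
Get-MdeIndicatorForDomain -AccessToken $AccessToken -Domain 'example.com' |
    Select-Object indicatorValue, action, expirationTime
```

Setting an expiration on every exception is deliberate: an Allow indicator silently bypasses the category policy, so it should expire and be re-justified rather than accumulate.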
With the Defender for Endpoint search functionality it is possible to look up which web content filtering category a specific website belongs to. Select the search option URL.
Microsoft: Web content filtering
Microsoft: Defender Network Protection