Enabling and configuring Web content filtering in Microsoft Defender for Endpoint (MDE)


What is web content filtering? 

Web content filtering is part of the Microsoft Defender for Endpoint solution and is fully integrated with its web protection capabilities. Customers can activate web content filtering directly, without additional cost, hardware, or extra licensing.

One of the most common questions is: why use web content filtering? The answer is simple. In many environments there are websites that, while not malicious, are problematic because of compliance, bandwidth, or other concerns. With web content filtering it is possible to deploy category-based policies and target them at specific device groups.

Prerequisites

You will need the following prerequisites to start web content filtering:

License

Multiple licenses are available for Defender for Endpoint. In general, the following licenses cover the product and this feature:

  • Windows 10 Enterprise E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Security
  • Microsoft 365 E3 + Microsoft 365 E5 Security add-on
  • Microsoft Defender for Endpoint Standalone license

Device

  • Windows 10 version 1607 or later
  • SmartScreen / Network Protection enabled

Source: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide#prerequisites

The requirements for the Network Protection component are explained in more detail below.

Network Protection

Microsoft Edge is protected by Defender SmartScreen; other browsers do not use the Defender SmartScreen functionality. To use web content filtering on all browsers, make sure both Network Protection (NP) and Defender SmartScreen are enabled. Network Protection extends the scope of Microsoft Defender SmartScreen to all processes: it inspects outbound HTTP(S) traffic and blocks connections to low-reputation destinations and to destinations covered by your web content filtering and custom indicator policies.

Web content filtering uses a different enforcement component for Microsoft and non-Microsoft browsers, which also gives a different visual result to the user:

  • Microsoft browsers (Microsoft Edge): SmartScreen client, which shows a SmartScreen block page
  • Third-party browsers (e.g. Chrome, Firefox): Network Protection driver (NP), which resets the connection and shows a toast notification

Requirements

Network Protection has the following requirements:

  • Windows 10 version 1709 or later
  • Real-time protection enabled
  • Cloud-delivered protection enabled
  • Defender SmartScreen for Edge (Chromium) enabled
  • Connectivity configured following the requirements

See all requirements: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide

Network Protection can be enabled with several management methods. This blog covers enablement with MEM/Intune and PowerShell. Don’t forget to enable SmartScreen for Edge as well.

Configuration MEM

To configure Network Protection in MEM:

  1. Navigate to endpoint.microsoft.com
  2. Click on Endpoint Security -> Antivirus
  3. Click on Create Policy -> Windows Defender Antivirus

To enable Network Protection, expand the category Real-time protection and configure the setting Enable Network Protection. Use the value Enable for full (block) protection, or Audit mode to test the feature without blocking anything.

Configuration PowerShell

Set-MpPreference is the Defender PowerShell cmdlet for enabling Network Protection in audit or block mode. Run it from an elevated PowerShell session.

Enable block mode

Set-MpPreference -EnableNetworkProtection Enabled

Enable audit mode

Set-MpPreference -EnableNetworkProtection AuditMode

Validating network protection

Use the PowerShell cmdlet Get-MpPreference to validate the Network Protection state. The property EnableNetworkProtection returns a number: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
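As an added example (not part of the original post), the script below checks the Network Protection requirements listed earlier on the local device in one go: Windows build, real-time protection, cloud-delivered protection, the Network Protection mode and the Edge SmartScreen policy. It uses only the Defender cmdlets and CIM. Assumed and not stated on the page: the Edge SmartScreen policy is read from the registry value HKLM:\SOFTWARE\Policies\Microsoft\Edge\SmartScreenEnabled, which is where the Edge SmartScreenEnabled policy is stored when set via GPO/MDM; if you deploy SmartScreen differently, adjust that check.

```powershell
# Added example: validate the Network Protection prerequisites on this device.
# Run in an elevated PowerShell session on the Windows 10/11 endpoint.

function Test-NetworkProtectionPrereqs {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem

    # Windows 10 version 1709 is build 16299; anything newer (incl. Windows 11) qualifies.
    $build = [int]$os.BuildNumber

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    $npMode = switch ($pref.EnableNetworkProtection) {
        0       { 'Disabled' }
        1       { 'Enabled (block)' }
        2       { 'AuditMode' }
        default { "Unknown ($($pref.EnableNetworkProtection))" }
    }

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection)
    $cloudOn = $pref.MAPSReporting -ge 1

    # Assumption: Edge SmartScreen is enforced through the Edge policy registry key.
    $edge = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' `
                             -Name SmartScreenEnabled -ErrorAction SilentlyContinue

    [pscustomobject]@{ Check = 'Windows build >= 16299 (1709)';    Value = $build;                           Pass = ($build -ge 16299) }
    [pscustomobject]@{ Check = 'Real-time protection';             Value = $status.RealTimeProtectionEnabled; Pass = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Check = 'Cloud-delivered protection (MAPS)';Value = $pref.MAPSReporting;              Pass = $cloudOn }
    [pscustomobject]@{ Check = 'Network Protection (audit or block)'; Value = $npMode;                       Pass = ($pref.EnableNetworkProtection -in 1, 2) }
    [pscustomobject]@{ Check = 'Edge SmartScreen policy';          Value = $edge.SmartScreenEnabled;         Pass = ($edge.SmartScreenEnabled -eq 1) }
}

# Print the result as a pass/fail table; any row with Pass = False needs fixing
# before web content filtering can be expected to work in every browser.
Test-NetworkProtectionPrereqs | Format-Table -AutoSize
```

Keep in mind that a Pass on the Network Protection row with the value AuditMode means the NP driver only logs; third-party browsers will not be blocked until the mode is switched to Enabled.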

Configure web content filtering

Web content filtering is part of web protection in Microsoft Defender for Endpoint. First, make sure the advanced feature Web content filtering is enabled in the portal.

  1. Go to security.microsoft.com
  2. Navigate to Settings -> Endpoints -> Advanced Features 
  3. If it is not enabled, enable the feature Web content filtering

Next up is to create the first web content filtering policy. To add a new policy:

  1. Go to security.microsoft.com
  2. Navigate to Settings -> Endpoints -> Web content filtering
  3. Click on Add item

Next step is creating the first policy. Start with specifying the policy name.

Next, select the web content categories to block. Access to sites in the selected categories will be blocked; the unselected categories are not blocked but still show up in the reports. For example, to block criminal activity, open the parent category Legal liability and select Criminal activity. Clicking the arrow next to a parent category expands all of its subcategories.

For the scope, two options are available:

  1. All devices / All devices in my scope
  2. Select from list

To target all devices, select the option All devices in my scope; to target specific device groups, use the option Select from list. When device groups are selected, only devices in those groups are prevented from accessing websites in the selected categories. All other devices remain in audit only.

In the example policy below, the policy applies only to the device group “Windows 10 devices Kiosk”.

Audit only policy

Before blocking websites for end users, it is important to understand their browsing behavior. You can deploy a policy to a device group without selecting any category; this creates an audit-only policy that reports the activity without blocking it.

Testing policy

With Network Protection and web content filtering, several combinations are possible. Below are both an audit and a block example:

Audit mode

In the below example:

  • Network protection: Enabled
  • Web content filtering: Auditmode for category gaming
  • Website: Worldofwarcraft.com

Block mode

In the below example:

  • Network protection: Enabled
  • Web content filtering: block for category gambling
  • Website: playusa.com
  • Microsoft Edge: SmartScreen enabled, shows the SmartScreen block page
  • Chrome: Network Protection blocks the connection
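To confirm locally what happened during a test like the two above, the added example below (not part of the original post) reads the Network Protection events that Defender writes to the Microsoft-Windows-Windows Defender/Operational event log: event ID 1125 is logged when Network Protection fires in audit mode, 1126 when it blocks. The assumption, not stated on the page, is that web content filtering decisions for third-party browsers such as Chrome surface as these Network Protection events; the SmartScreen block page in Edge is not logged here.

```powershell
# Added example: list recent Network Protection audit/block events on this device.
# 1125 = network protection fired in audit mode, 1126 = connection blocked.

function Get-NetworkProtectionEvents {
    param([int]$Minutes = 30)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1126) { 'Block' } else { 'Audit' }
                # The message text names the destination and the process. Keep the
                # leading lines rather than relying on positional event properties.
                Message = (($_.Message -split "`r?`n") | Select-Object -First 4) -join ' | '
            }
        } |
        Sort-Object Time
}

# Usage: browse to the test site with Chrome, then run this within the hour.
Get-NetworkProtectionEvents -Minutes 60 | Format-Table -AutoSize -Wrap
```

If the site opens in Chrome and no 1125/1126 event appears, the request never reached the Network Protection driver (check the prerequisites first); if the site opens but a 1125 event is logged, the device is still in audit mode.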

Reporting

To view all the activity, several reports are available for the web protection feature. To open the Defender for Endpoint web protection report:

  • Go to security.microsoft.com
  • Click reports
  • Open the report web protection

The following cards are available for web threat detections and web content filtering:

  • Web threat detections over time: attempts to access malicious URLs over time
  • Web threat summary: summary of the detected web threats
  • Web activity by category: parent categories with the largest change in access attempts
  • Web activity summary: total number of requests for web content across all URLs
  • Web content filtering summary: attempts to access URLs in blocked categories

For the audit-mode example above (worldofwarcraft.com), useful details are available in the web content filtering summary.

The Web categories view shows the request and block rate per category, with details on the request trend, the number of devices, and the total number of domains.

Expanding the category Gaming gives the following view, including the domains, the device count, and the related policies.

Advanced Hunting

With KQL (advanced hunting) it is possible to query the web protection events in the DeviceEvents table by ActionType. Both queries below keep only the events caused by a web content filtering policy, i.e. where Experience (SmartScreen) or ResponseCategory (Network Protection) equals CustomPolicy:

Microsoft Edge – SmartScreen (SmartScreenUrlWarning)

KQL:

DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields = parse_json(AdditionalFields)
// Experience == "CustomPolicy" marks warnings raised by a web content filtering policy
| extend Experience = tostring(ParsedFields.Experience)
| where Experience == "CustomPolicy"
| project Timestamp, DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, Experience

Third-party browser – Network Protection (ExploitGuardNetworkProtectionAudited / ExploitGuardNetworkProtectionBlocked)

KQL:

DeviceEvents
// Audited = audit mode (1125 on the device), Blocked = block mode (1126 on the device)
| where ActionType in ("ExploitGuardNetworkProtectionAudited", "ExploitGuardNetworkProtectionBlocked")
| extend ParsedFields = parse_json(AdditionalFields)
// ResponseCategory == "CustomPolicy" marks hits on a web content filtering policy
| extend ResponseCategory = tostring(ParsedFields.ResponseCategory)
| where ResponseCategory == "CustomPolicy"
| project Timestamp, DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, ResponseCategory

Whitelist domains

It is possible to override a web content filtering category for a specific domain with a custom indicator. Custom indicators take precedence over the category policy.

For creating custom indicators:

  1. Go to Security.microsoft.com
  2. Navigate to Settings -> Endpoints -> Indicators -> URL/Domain
  3. Add new item

Make sure the indicator’s response action is set to Allow; an Allow indicator for a domain permits it even when its category is blocked by a web content filtering policy.
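The same Allow indicator can be created from a script through the Defender for Endpoint Indicators API, which is useful when allow-listing more than a handful of domains. The example below is added here and is not part of the original post. It assumes an Azure AD app registration with the WindowsDefenderATP application permission Ti.ReadWrite (admin consented) and uses placeholder values for the tenant ID, app ID and secret; the domain and title are also only illustrative.

```powershell
# Added example: create an Allow indicator for a domain via the MDE Indicators API.
# Placeholders below are assumptions; replace them with your own values.
$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder
$AppId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$AppSecret = 'app-secret-here'                         # placeholder; load from a secret store in practice

function Get-MdeToken {
    param([string]$TenantId, [string]$AppId, [string]$AppSecret)
    # OAuth2 client-credentials flow for the Defender for Endpoint API resource
    $body = @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body $body).access_token
}

function New-MdeAllowDomainIndicator {
    param(
        [string]$Domain,
        [string]$Title,
        [string]$Token,
        [int]$ExpireDays = 90   # review date; omit expirationTime for a permanent allow
    )
    # indicatorType DomainName + action Allowed overrides the web content
    # filtering category for that domain on all devices in scope.
    $indicator = @{
        indicatorValue = $Domain
        indicatorType  = 'DomainName'
        action         = 'Allowed'
        title          = $Title
        description    = 'Allow-listed over a web content filtering category'
        expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpireDays).ToString('o')
        severity       = 'Informational'
    }
    Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body ($indicator | ConvertTo-Json)
}

# Usage: domain and title are illustrative.
$token = Get-MdeToken -TenantId $TenantId -AppId $AppId -AppSecret $AppSecret
New-MdeAllowDomainIndicator -Domain 'worldofwarcraft.com' -Title 'Allow for kiosk testing' -Token $token |
    Select-Object id, indicatorValue, action, expirationTime
```

Setting an expiration date on allow indicators forces a periodic review; an indicator without expirationTime never expires and silently keeps the category override in place.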

Checking category/ sending feedback

With the search functionality of the Defender for Endpoint portal, it is possible to look up the web content filtering category of a specific website. In the search bar select the search type URL and enter the domain; the URL page shows the category assigned by web content filtering and offers the option to report an incorrect category.

Sources

Microsoft: Web content filtering

Microsoft: Defender Network Protection