Web content filtering is part of the Microsoft Defender for Endpoint solution. One of the previous blogs explained the feature during the preview release. This blog covers the current release, including the new features, troubleshooting, and reporting.
Blog last updated: October 25, 2021
What is web content filtering?
Web content filtering is part of the Microsoft Defender for Endpoint solution and is fully integrated with the web protection capabilities. Customers can directly activate web content filtering without any more cost, budget, hardware, or extra licensing.
One of the most common questions: why use web content filtering? The answer is simple. In many environments websites, while not malicious, might be problematic because of compliance, bandwidth, or other concerns. With web content filtering it is possible to deploy policies and target them for specific device groups.
Prerequisites
You will need the following prerequisites to start web content filtering:
License
Multiple licenses are available for Defender for Endpoint. In general, the following licenses cover the product and this feature:
- Windows 10 Enterprise E5
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E3 + Microsoft 365 E5 Security add-on
- Microsoft Defender for Endpoint Standalone license
Device
- Windows 10 version 1607 or later
- SmartScreen / Network Protection enabled
The requirements for each component (Network Protection) are explained in more depth later in this blog.
Network Protection
Microsoft Edge is protected by Defender SmartScreen; other browsers do not use the Defender SmartScreen functionality. To use web content filtering in all browsers, make sure both Network Protection (NP) and Defender SmartScreen are enabled. Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(S) traffic.
Web content filtering uses different techniques for Microsoft and non-Microsoft browsers, and the visual result differs between them:
- Microsoft browsers (Microsoft Edge): SmartScreen client
- Third-party browsers (Chrome, Firefox, etc.): Network Protection driver (NP)
Requirements
Network Protection has the following requirements:
- Windows 10 version 1709 or later
- Real-time protection enabled
- Cloud-delivered protection enabled
- Defender SmartScreen for Edge (Chromium) enabled
- Connectivity configured following the requirements
See all requirements: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
Network Protection enablement is possible with the following methods:
- PowerShell
- Mobile Device Management (MDM)
- Microsoft Endpoint Manager / Intune
- Group Policy
- Microsoft Endpoint Configuration Manager
This blog covers enablement with MEM/Intune and PowerShell. Don’t forget to enable SmartScreen for Edge.
Configuration MEM
To configure network protection in MEM:
- Navigate to endpoint.microsoft.com
- Click on Endpoint Security -> Antivirus
- Click on Create Policy -> Windows Defender Antivirus
To enable network protection, expand the category Real-time protection and configure the setting Enable Network Protection. Use the value Enable for full protection; use Audit mode to test the feature.
Configuration PowerShell
Set-MpPreference is the Defender PowerShell cmdlet for enabling Network Protection in audit or block mode.
Enable block mode
Set-MpPreference -EnableNetworkProtection Enabled
Enable audit mode
Set-MpPreference -EnableNetworkProtection AuditMode
Validating network protection
Use the PowerShell command Get-MpPreference to validate that Network Protection is enabled. The EnableNetworkProtection value is 1 for block mode and 2 for audit mode.
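The requirements and the Get-MpPreference validation above can be combined into one local check. This is an added example, not part of the original blog; the function name Test-NetworkProtectionReadiness is hypothetical, and the Defender Antivirus check and the mapping of version 1709 to build 16299 are additions beyond the page's requirement list.

```powershell
# Added example (not from the original post): local readiness check for
# Network Protection, based on the requirements listed in this blog.
function Test-NetworkProtectionReadiness {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference        # configured Defender settings
    $status = Get-MpComputerStatus    # current Defender runtime state
    $build  = [System.Environment]::OSVersion.Version.Build

    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit mode
    $npMode = switch ([int]$pref.EnableNetworkProtection) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }

    # Each entry maps a requirement to $true when the device meets it
    $checks = [ordered]@{
        'Windows 10 version 1709 (build 16299) or later' = ($build -ge 16299)
        # Assumption added here: Defender Antivirus must be the active AV
        'Defender Antivirus enabled'                     = [bool]$status.AntivirusEnabled
        'Real-time protection enabled'                   = [bool]$status.RealTimeProtectionEnabled
        # MAPSReporting 0 means cloud-delivered protection is disabled
        'Cloud-delivered protection enabled'             = ([int]$pref.MAPSReporting -ne 0)
        "Network Protection enabled (mode: $npMode)"     = ($npMode -ne 'Disabled')
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Requirement = $name
            Met         = $checks[$name]
        }
    }
}

# List every requirement, then highlight the ones that still need attention
$result = Test-NetworkProtectionReadiness
$result | Format-Table -AutoSize
$failed = @($result | Where-Object { -not $_.Met })
if ($failed.Count -gt 0) {
    Write-Warning ("Unmet requirements: " + ($failed.Requirement -join '; '))
}
```

SmartScreen for Edge and the connectivity requirements are not covered by this check and still need to be verified separately.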
Configure web content filtering
Web content filtering is part of Web protection in Microsoft Defender for Endpoint. First, we need to make sure the Advanced feature is enabled for web content filtering.
- Go to security.microsoft.com
- Navigate to Settings -> Endpoints -> Advanced Features
- If it is not enabled, enable the feature Web content filtering
Next, create the first web content filtering policy. To add a new policy:
- Go to security.microsoft.com
- Navigate to Settings -> Endpoints -> Web content filtering
- Click on Add item
Start by specifying the policy name.
Next, select the web content categories to block. All websites in the selected categories will be blocked; the unselected categories are only used for reporting. For example, to block criminal activity, open the category Legal liability and select Criminal activity. Clicking the arrow next to a category expands its subcategories.
For the scope, two options are available:
- All devices/ All devices in my scope
- Select from list
To target all devices, select the option All devices in my scope; for specific device tags, use the Select from list option. When using device tags, only the selected device groups are prevented from accessing websites in the selected categories. All others remain audit-only.
In this example, the policy applies only to the group “Windows 10 devices Kiosk”.
Audit only policy
Before blocking websites for end users, it is important to understand user behavior. You can deploy a policy to a device group without selecting any category. This creates an audit-only policy.
Testing policy
With Network Protection and web content filtering, multiple situations are possible. Below are examples of both audit and block mode:
Audit mode
In the example below:
- Network protection: Enabled
- Web content filtering: Audit mode for category gaming
- Website: Worldofwarcraft.com

Block mode
In the example below:
- Network protection: Enabled
- Web content filtering: block for category gambling
- Website: playusa.com


Reporting
Multiple reports are available to view the activity for the web content protection feature. To open the Defender for Endpoint web protection report:
- Go to security.microsoft.com
- Click Reports
- Open the Web protection report
The following cards are available for web threat detections and web content filtering.
- Web threat detections over time: Attempts to access malicious URLs
- Web threat summary: Summary with web threats
- Web activity by category: Change in traffic activity by category
- Web activity summary: Total number of requests for web content in all URLs
- Web content filtering summary: Attempts to access URLs in blocked categories
For the audit-mode example above (worldofwarcraft), useful details are available in the web content filtering summary.
Web categories shows the request/block rate per category, with details for the request trend, machines, and total domains.
Expanding the category gaming gives the following view, including domain information, machine count, and the related policies.
Advanced Hunting
With KQL it is possible to summarize web protection events. Below are the queries for the events, based on the ActionType:
SmartScreenURLWarnings
KQL:
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
| where Experience == "CustomPolicy"
Third party browser – Network protection
KQL:
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, ResponseCategory=tostring(ParsedFields.ResponseCategory)
| where ResponseCategory == "CustomPolicy"
Whitelist domains
It’s possible to override the web content filtering category with custom indicator policies. The custom indicator policy has a higher priority.
To create custom indicators:
- Go to Security.microsoft.com
- Navigate to Settings -> Endpoints -> Indicators -> URL/Domain
- Add new item
Make sure the policy action is configured with the Allow action
Checking category/ sending feedback
With the Defender for Endpoint search functionality, it is possible to look up the web content filtering category for a specific website. Select the search option URL.
The website's page shows the category and the option for sending feedback (Dispute category).
Hi Jeffrey, do you know if that feature works on Android devices, please?
Thanks
Hi Nicolas,
Custom indicators are working for Android / iOS. Not 100% sure about the web content filtering function for Android.
I will test it
I read in the Microsoft documentation that web content filtering is not yet supported with Defender on mobile devices; only web protection is supported. Is that correct?
Hi Jeffrey,
Do you have any post or content about blocking users from uploading to their personal storage, like Google Drive, GitHub …, while they can still access these sites? It means they can go to their personal storage to view the content but cannot upload. Thanks.
Hi Nick,
Interesting question with only viewing and not uploading any data. Yes – this seems possible using Defender for Cloud Apps and/or sensitivity labels/data classifications.
I will research the options and publish a new blog around this topic.
Defender for Endpoint indicators/web content filtering can only audit/block specific sites.
Hi Jeffrey,
Do you have any post for this content yet? Please attach the link here if any. Thanks
I have enabled Network Protection on my machine and verified in the registry entry that it is showing the Networkprotectionenabled value as 1, and also checked with the PowerShell command. But my issue is that web filtering is not working in the Chrome browser. Can you please help me or give me some tips?
Hi Amit,
yes, of course – what is the current OS you used for testing?
If server, do you use the new MDE unified agent?
I am using Windows 10 with the latest update. I found the issue. My issue was that Defender Antivirus was off and instead I was using another antivirus (third party). As soon as I disabled the third-party antivirus, it started working fine. Thanks.
Hi Jeffrey,
Does Microsoft provide a detailed URL list for each category?
Thank you
Hi, there is no list available for each category including all websites.
The only option is to search for the URL in Defender to show the category.
Have you had any success overriding the categories to allow specific URLs?
I added a URL in indicators; however, it continues to be blocked.
Hi John,
Yes – override using indicators works and overrides the blocked URLs by web content filtering.
Make sure the indicator is configured based on “Allow” and no other custom-created block indicator is previously added.
Hi
I’m testing this in 365 developer program and can’t see Endpoints tab in “security.microsoft.com
Navigate to Settings -> Endpoints -> Advanced Feature”
Would you know if this is a limitation of the program (MS says it’s E5 licenses) or something may have changed since you posted? Thanks
I don’t see it either. I believe it is limited only to some functions.
Hello,
I have set everything up as described. Network protection is on. Real-time/cloud protection is on. Web filtering is turned on. The web filter is configured, and a group containing one device is attached to it as a test. Unfortunately, it does not work. I have blocked everything, but when I go to Netflix or Facebook, for example, I can still reach them. I am using Windows 11. Do you have any tips?
Which browser was it tested on?
Network protection targets Google Chrome, whereas additional SmartScreen configuration is required for Microsoft Edge.
The output of the Get-MpPreference command also shows the configuration.
When network protection is configured, the value of “EnableNetworkProtection” is 1.
It might be good to configure a custom indicator and validate whether the website gets blocked.
Hello,
Everything works fine, except that the ‘Microsoft Security Alert’ (third party browsers) does not appear for our end users. We would like to give our end users clarity with the error message. Any idea what the problem could be?
Third-party browsers give a different notification and do not display the “friendly” message.
If all is well, only a notification from Defender will appear. If no notifications appear, could it be that the notifications are only configured for critical alerts?
Hello Jeff. We have applied a web content filtering policy, and it works smoothly with third-party browsers with network protection enabled. It also works fine with Edge; however, we see that the block appears after 3-4 seconds. There is a delay in blocking on Edge.
Do you have the delay also on custom indicators? For example, add a website in the custom indicator and check if there is a delay there.