Web content filtering is part of the Microsoft Defender for Endpoint solution. One of the previous blogs explained the feature during the preview release. In this blog all the information related to the current release with the new features, troubleshooting, and reporting. 

What is web content filtering? 

Web content filtering is part of the Microsoft Defender for Endpoint solution and is fully integrated with the web protection capabilities. Customers can directly activate web content filtering without any more cost, budget, hardware, or extra licensing.

One of the most common questions: why use web content filtering? The answer is simple. In many environments websites, while not malicious, might be problematic because of compliance, bandwidth, or other concerns.  With web content filtering it is possible to deploy policies and target them for specific device groups.


Prerequisites

You will need the following prerequisites to start web content filtering:

License

Multiple licenses are available for Defender for Endpoint. In general, the following license will fit the product and feature:

  • Windows 10 Enterprise E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Security
  • Microsoft 365 E3 + Microsoft 365 E5 Security add-on
  • Microsoft Defender for Endpoint Standalone license

Device

  • Minimal Windows 10 1607 or later
  • SmartScreen / Network Protection enabled

Source: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide#prerequisites

More in-depth requirements for each component (Network Protection) will be explained more in this blog.


Network Protection

Microsoft Edge is protected by Defender SmartScreen, other browsers will not use the Defender SmartScreen functionality. To successfully use web content filtering on all browsers make sure Network protection(NP) is enabled and Defender SmartScreen. Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic.

Web Content filtering uses multiple techniques for Microsoft and non-Microsoft browsers and gives different visual results. Let’s explain:

  • Microsoft browsers: ( Microsoft Edge): Smart Screen Client
  • Third-Party browsers: (Chrome, Firefox e.d): Network Protection driver (NP)

Requirements

For Network Protection the following requirements are needed.

  • Windows 10 version 1709 or later
  • Real-time protection enabled
  • Cloud-delivered protection enabled
  • Defender SmartScreen for Edge (Chromium) enabled
  • Connectivity configured following the requirements

See all requirements: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide

Network Protection enablement is possible with the following  methods:

In this blog the enablement with MEM/ Intune and PowerShell. Don’t forget to enable SmartScreen for Edge.

Configuration MEM

For configuring network protection in MEM.

  1. Navigate to endpoint.microsoft.com
  2. Click on Endpoint Security -> Antivirus
  3. Click on Create Policy -> Windows Defender Antivirus

For enabling network protection expand the category: Real-time protection and enable the setting: Enable Network Protection. For enabling the full protection use the Enable value. Enable Audit mode for testing the feature.

Configuration PowerShell

Set-MpPreference is the PowerShell Defender cmdlet for enabling Network Protection in audit or block.

Enable block mode

Set-MpPreference -EnableNetworkProtection Enabled

Enable audit mode

Set-MpPreference -EnableNetworkProtection AuditMode

Validating network protection

Use the PowerShell command Get-MpPreference for validating the Network Protection enablement. (1) block, (2) AuditMode.


Configure web content filtering

Web content filtering is part of Web protection in Microsoft Defender for Endpoint. First, we need to make sure the Advanced feature is enabled for web content filtering.

  1. Go to security.microsoft.com
  2. Navigate to Settings -> Endpoints -> Advanced Features 
  3. If not enabled – enable the future Web content filtering

Next up is to create the first web content filtering policy. To add a new policy:

  1. Go to security.microsoft.com
  2. Navigate to Settings -> Endpoints -> Web content filtering
  3. Click on Add item

Next step is creating the first policy. Start with specifying the policy name.

Next, select the web content categories to block. All selected websites will block – the unselected categories will be used for reporting in the reports. For example; when blocking criminal activity – open the category Legal liability and select criminal activity. Clicking on the arrow next to the categories will dropdown all the subcategories for each individual category. 

For the scope two options are possible. You have two options to select:

  1. All devices/ All devices in my scope
  2. Select from list

For targeting all devices select the option Al devices in my scope for specific device-tags use the select from list option. When using device tags, only selected device groups will be prevented from accessing the selected websites in the categories. All others will remain with audit only.

In the policy below, the policy applies only for the group “Windows 10 devices Kiosk”

Audit only policy

Important for web protection is the understanding of the user behavior before blocking websites for end-users. You can deploy a policy without selecting any category on a device group. This action will create an audit-only policy.


Testing policy

With Network Protection and web content filtering, multiple situations are possible. Below both audit and block examples:

Audit mode

In the below example:

  • Network protection: Enabled
  • Web content filtering: Auditmode for category gaming
  • Website: Worldofwarcraft.com
Audit mode ( no block)

Block mode

In the below example:

  • Network protection: Enabled
  • Web content filtering: block for category gambling
  • Website: playusa.com
MS Edge: Smartscreen Enabled
Chrome: Network Protection

Reporting

To view all the activity multiple reports are available for the web content protection feature. For opening the Defender for Endpoint web protection report:

  • Go to security.microsoft.com
  • Click reports
  • Open the report web protection

The following cards are available for web threat detections and web content filtering.

  • Web threat detections over time: Attempts to access malicious URLs
  • Web threat summary: Summary with web threats
  • Web activity by category: Activity change traffic view by category
  • Web activity summary: Total number of requests for web content in all URLs
  • Web content filtering summary: Attempts to access URLs in blocked categories

In the above example for the audit mode site worldofwarcraft, useful details are available in the web content filtering summary.

Web categories show the request/block rate based on the category. Details for the request trend, machines, and total domains.

Expending the category gaming gives the following view. Including domain information, machine count, and the related policies.


Advanced Hunting

With KQL it is possible to summarize web protection events. Below all the events based on the ActionType:

SmartScreenURLWarnings

KQL:

DeviceEvents 
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
| where Experience == "CustomPolicy"

Third party browser – Network protection

KQL:

DeviceEvents 
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, ResponseCategory=tostring(ParsedFields.ResponseCategory)
| where ResponseCategory == "CustomPolicy"

Whitelist domains

It’s possible to override the web content filtering category with custom indicator policies. The custom indicator policy gives a higher priority.

For creating custom indicators:

  1. Go to Security.microsoft.com
  2. Navigate to Settings -> Endpoints -> Indicators -> URL/Domain
  3. Add new item

Make sure the policy action is configured with the Allow action


Checking category/ sending feedback

With the Defender for Endpoint search functionality, it is possible to search the Web Content filtering category for specific websites. Select the Search option URL

The specific website page contains the category and the option for sending feedback (Dispute category)


Sources

Microsoft: Web content filtering

Microsoft: Defender Network Protection