Microsoft Defender For Endpoint Article Series: Enabling Web Content Filtering with MEM + MDE
Web content filtering is part of Microsoft Defender for Endpoint and is fully integrated to protect the devices attached to it. Users can easily activate web content filtering via security.microsoft.com.
In this article, we configure web content filtering using Microsoft Intune (endpoint.microsoft.com) and Microsoft 365 Defender (security.microsoft.com).
Prerequisites
The licenses used to configure web content filtering are:
- Windows 10/11 Enterprise E5
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E3
- Microsoft Defender for Endpoint Plan 1 or Plan 2
- Microsoft Defender for Business
- Microsoft 365 Business Premium
Your organization’s devices must be running one of the following operating systems with the latest antivirus/antimalware updates:
- Windows 11
- Windows 10 Anniversary Update (version 1607) or later, with SmartScreen / Network Protection enabled
Steps to configure:
Set up Microsoft Endpoint Manager (MEM):
- First, navigate to endpoint.microsoft.com
- Click on Endpoint Security → Antivirus
- Click on Create Policy → choose Windows 10/11/Windows Server and Microsoft Defender Antivirus
- In Configuration settings, enable network protection and choose Audit mode to test the feature.
Next, we use PowerShell to enable Network Protection in audit or block mode with the following commands:
Enable block mode
Set-MpPreference -EnableNetworkProtection Enabled
Enable audit mode
Set-MpPreference -EnableNetworkProtection AuditMode
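To confirm which mode a device ended up in after the commands above, and to see whether Network Protection has fired locally, the following check can be run on the endpoint. It is an added example, not part of the original article. Assumptions: a 24-hour look-back window, the function names, and event IDs 1125 (audit) and 1126 (block) in the Defender operational log.

```powershell
# Added example: verify the Network Protection mode set with Set-MpPreference
# and summarise recent local Network Protection events.
# Assumptions: 24-hour look-back; event IDs 1125 (audit) and 1126 (block).

function Get-NetworkProtectionMode {
    # EnableNetworkProtection is reported as 0 (off), 1 (block) or 2 (audit)
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }
    $value = [int](Get-MpPreference).EnableNetworkProtection
    if ($modes.ContainsKey($value)) { $modes[$value] } else { "Unknown ($value)" }
}

function Get-NetworkProtectionEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1126) { 'Block' } else { 'Audit' } } },
            Message
}

$mode     = Get-NetworkProtectionMode
$npEvents = @(Get-NetworkProtectionEvents -Hours 24)

Write-Output "Network Protection mode: $mode"
Write-Output "Network Protection events in the last 24 hours: $($npEvents.Count)"

# Count per mode, then show the five most recent events in full
$npEvents | Group-Object Mode | Select-Object Name, Count | Format-Table -AutoSize
$npEvents | Sort-Object TimeCreated -Descending | Select-Object -First 5 |
    Format-List TimeCreated, Mode, Message

if ($mode -eq 'Disabled') {
    Write-Warning 'Network Protection is off; third-party browser traffic is not filtered.'
}
```

In audit mode only 1125 events are expected; after switching to block mode, new events should appear as 1126.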
Configure web content filtering
First, make sure web content filtering is enabled under Advanced features so that it is part of the web protection capabilities:
- Navigate to security.microsoft.com
- Click on Settings → Endpoints → Advanced Features
- Switch on Web content filtering
Next, we create a web content filtering policy:
- Click on Settings → Endpoints → Web content filtering
- Click on Add item
- Name the policy Blocked-suspicious-website
- Under Blocked categories, check Adult content, Legal liability and Leisure to block content in these categories
- Under Scope, choose All device groups and click Save
- The web content filtering policy is now ready to block content.
Testing Web Content Filtering policy
In this example, the policy blocks store.steampowered.com and roundcube.net:
- Network protection: Enabled
- Web content filtering: block for the categories games and web-based mail
This policy can block store.steampowered.com and roundcube.net in a third-party browser. For this example, we use Google Chrome. On endpoint devices, Windows Defender can detect the URL.
Reporting
We can view a report of the websites blocked by the policy under Reports → Web protection.
On the Reports page, we can see which machines were affected by the website-blocking policy.
Advanced Hunting results: Web Content Filtering
- SmartScreenURLWarnings
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, Experience=tostring(ParsedFields.Experience)
| where Experience == "CustomPolicy"
- Third party browser — Network protection
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, ResponseCategory=tostring(ParsedFields.ResponseCategory)
| where ResponseCategory == "CustomPolicy"