Web Content Filtering with Microsoft Defender for Endpoint Advanced Features

I recently realised I haven’t done much writing on the Microsoft Endpoint Manager (MDE) side of things for a while. Web Content Filtering via MDE is a straightforward implementation, and it will work on the devices that are currently onboarded.

MDE has a lot of good features that make it a next-level XDR and more than an antivirus product. When it is combined with the power of Endpoint Manager, it acts as its own powerhouse of security features.

Chances are you are using a web content filtering product already. Web content filtering in MDE is an added bonus to its feature set. So let’s dive in.


Filtering Categories

The categories you can block are all listed here, and you can drill down further into subcategories.



Make sure you have the Security Administrator or Global Administrator role assigned.

Operating Systems

Your organization’s devices must be running one of the following operating systems with the latest antivirus/antimalware updates:

  • Windows 11
  • Windows 10 Anniversary Update (version 1607) or later

MDE Licensing

You can apply the policies to users who have one of the licenses below, or a license that covers the plans below:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint Plan 1
  • Microsoft Defender for Endpoint Plan 2
  • Microsoft Defender for Business

Microsoft Defender Prerequisites

  1. Microsoft Defender A/V Network Protection to be turned ON – Check here to configure Defender Network Protection
  2. Microsoft Defender SmartScreen to be ON – Check here to configure Defender SmartScreen
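
The operating system, update and Defender prerequisites above can be confirmed on a single device with a short script. This is an added example, not from the original post: the function name, the three-day signature threshold and the choice to read the Edge SmartScreen policy value from the registry are assumptions.

```powershell
# Added example: local prerequisite check for MDE web content filtering.
function Test-WcfPrerequisite {
    [CmdletBinding()]
    param(
        # Assumption: signatures older than this many days count as stale.
        [int]$MaxSignatureAgeDays = 3
    )

    function Row($Check, $Value, $Result) {
        [pscustomobject]@{ Check = $Check; Value = $Value; Result = $Result }
    }
    function PassFail([bool]$Ok) { if ($Ok) { 'Pass' } else { 'Fail' } }

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $build  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # EnableNetworkProtection: 0 = disabled, 1 = enabled (block), 2 = audit mode.
    # Audit mode only logs, so it does not satisfy the "turned ON" prerequisite.
    $np     = [int]$pref.EnableNetworkProtection
    $npText = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }[$np]

    # Edge SmartScreen policy value. If it is absent, no policy enforces the
    # setting and the browser's own setting decides, so flag it for review.
    $edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $ss = (Get-ItemProperty -Path $edgeKey -Name SmartScreenEnabled `
            -ErrorAction SilentlyContinue).SmartScreenEnabled
    $ssResult = if ($null -eq $ss) { 'Review' }
                elseif ($ss -eq 1) { 'Pass' }
                else { 'Fail' }

    $sigAge = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days

    # Windows 10 version 1607 is build 14393; Windows 11 builds are higher.
    Row 'OS build (1607 = 14393)'    $build                   (PassFail ($build -ge 14393))
    Row 'Defender Antivirus enabled' $status.AntivirusEnabled (PassFail $status.AntivirusEnabled)
    Row 'Signature age (days)'       $sigAge                  (PassFail ($sigAge -le $MaxSignatureAgeDays))
    Row 'Network Protection'         $npText                  (PassFail ($np -eq 1))
    Row 'Edge SmartScreen policy'    $ss                      $ssResult
}

Test-WcfPrerequisite | Format-Table -AutoSize
```

A `Review` result for SmartScreen means no policy value was found, so confirm the setting in the browser or in your management tool before relying on it.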

Switch ON Web Content Filtering From Advanced Features

Web content filtering must be switched ON in MDE before you start using the feature. To do this, follow the steps below.

Login to security.microsoft.com > Settings > Endpoints > Advanced Features > Web content filtering > ON

Create Device Groups

Once the feature is ON, you can create the device groups. Chances are you may already have device groups created. If not, please check this article on how to create device groups. Alternatively, you can enforce restrictions on all devices regardless of device group membership.


This step involves creating the filtering policy so the selected devices will get the Defender SmartScreen when a user tries to browse a restricted web site.

For this, go to Settings > Endpoints > Web content filtering > Add Item

Provide the policy name

Select the categories you need to block

Select the scope. This will show the device groups we created. Alternatively, select All devices in my scope to apply it to all devices that have been onboarded to MDE.

Check the summary and create the policy

[Optional] – Specify Indicators of Compromise (IoC) – URLs and Domains

While Microsoft intelligently identifies URLs that are malicious, you can also provide your own Indicators of Compromise with a custom threat level and what the user should do in an event like this.

There are a few IoCs that can be set up, but I will be using the URLs/Domains IoC for Web Content Filtering.

Before setting this up, the Advanced Feature Custom network indicators must be turned ON.

Once that’s done, press Save Preferences.

To create an IoC, go to Security Portal > Settings > Endpoints > Indicators > URLs/Domains > Add Item

Provide the URL. Here you can leave this IoC to run forever or make it expire after a certain date.

Under Actions, specify what should happen if this URL is browsed. The example below is set to block the site and then generate an alert.

Under Scope, select the device groups this should apply to.

Summary is shown below once the rule has been setup.

Your URLs/Domains Indicators will be listed as below

Test the Filtering Policy

It’s testing time! Log in to a device that is in the device group scope and try to browse to a website under one of the categories you selected previously. If all is good, you will see the Defender SmartScreen in the web browser.

Below is an example of blocking a URL via IoC

Check MDE Reports

Once you enable the service, MDE does the reporting for you. With this you can identify the behavior of the user computers.

Final Words

Typically, this is a very easy setup. If you have the correct MDE license, the feature is ready to be configured, and it can eliminate another web filtering license that you already have in place.

