How to enable and configure Web Content Filtering within Microsoft Defender for Endpoint

-

So here is the situation. You access Microsoft Defender 365 Portal to enable Web Content Filtering, only to find out it is missing. What do you do?


Well this is because at the time of writing this blog post, Web Content Filtering is still in Preview and in order to enable it, you first need to enable the Preview features in Defender.

To turn on the preview experience setting, 

1. Navigate to Microsoft 365 Defender Portal > Settings > Endpoints > Advanced features > Preview features.

2. Toggle the setting between On and Off and select Save preferences.


Once you have enabled the Preview features, you should see Web Content Filtering listing shortly. In my experience, it can take 15-20 minutes to show up. When it does, just go under Endpoint > Advanced features again and turn it on.


Refresh the page and you should see Web Content Filtering listing under Endpoint > Rules.


Now that we have got the feature enabled, let's see what this feature is all about and how one can configure it.

Web content filtering is part of Web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. 

You can configure policies across your device groups to block certain categories. Blocking a category prevents users from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited and your users can access the URLs without disruption. The users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.

There are some Pre-requisites that you need to consider before using this feature.

1. Windows 10 Enterprise E5, Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 E3 + Microsoft 365 E5 Security add-on, or the Microsoft Defender for Endpoint standalone license. 
2. Access to Microsoft 365 Defender portal (https://security.microsoft.com).
3. Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
4. Windows Defender SmartScreen and Network Protection enabled.

I will be covering some of the pre-requisites in another post so for now I will dive right into configuring Web Content Filtering rule.

1. Sign into https://security.microsoft.com
2. Click on Settings and Endpoints
3. Navigate to Web Content Filtering and Add item by the name Web content Baseline Policy (or whatever you wish to call it.)
4. Select the following categories.

Categories

Recommended to be blocked

Adult content

 

Cults

Gambling

Nudity

Pornography/Sexually explicit

Sex education

Tasteless

Violence

High bandwidth

 

Download sites

Image sharing

 

Peer-to-peer

Streaming media & downloads

Legal liability

 

Child abuse images

Criminal activity

Hacking

Hate & intolerance

Illegal drug

Illegal software

School cheating

Self-harm

Weapons

Leisure

 

Chat

Games

Instant messaging

Professional networking

 

Social networking

Web-based email

Uncategorized

 

Newly registered domains

 

Parked domains

 

5. Assign a Device group. I already created a group containing all Windows 10 Devices and you can do the same. It is important to scope the rule as devices in the selected groups will be prevented from accessing websites in the selected categories. Once done, the rule will show up and you can access it to verify for the settings.


You also have the option to create network indicators to create your own custom list of URLs, IPs that you wish to allow or block, but that is for another post for a later time.

Once your Web Content filtering rules are in place, you can head over to Reports in Defender 365 Portal and access the Web Protection Card to see the rules in action.



Conclusion

Web Content Filtering is still in public preview so there are some known issues and limitations. However, if you have invested in an M365 E5 license or equivalent that contains the Defender for Endpoint service, then you can use the feature right out of the box without feeling the need to invest any further in implementing similar Web Content Filtering capabilities.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more