Within the organizational network, traffic is usually monitored by an internal firewall. However, if the device is outside the "four walls" and no VPN, proxy or third-party tool is used to monitor Internet traffic, the end user can move freely on the Internet. This is not always desired. You can use the web filter in the Defender for Endpoint and also in Defender for Business configure.

Table of Contents


One of these licenses:

  • Windows 10/11 Enterprise E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Security
  • Microsoft 365 E3
  • Microsoft Defender for Endpoint Plan 1 or Plan 2
  • Microsoft Defender for Business
  • Microsoft 365 Business Premium

Operating system:

  • Windows 11
  • Windows 10 (version 1607 or newer)


  • Smart Screen - active
  • Network Protection - active

Activate feature

The feature is becoming more active very quickly Security Center under:
Settings endpoints Advanced features > Web content filtering

Enable smart screen and network protection with Intune

You can activate the two policies in different places. I'll show you how to activate both in a "Setting catalog" profile. Other options are via "Security Baseline", antivirus profile or with a classic GPO.

To do this, create a new profile:
Intune > Devices > Windows > Configuration profiles > + Create profile
(Windows 10 and later / Settings catalogue)

Now add an option and then search for "Configure Microsoft Defender SmartScreen":

Intune Settings picker, Smart Screen

Then add the "Network protection" added:

Intune Settings picker, Network protection

Once both settings have been added, activate them as follows:

Intune enable Network protection and Smart Screen

Finally, you only assign the policy to a desired device group.

Create & assign policy

You can now also create a policy in the endpoint settings of the Security Center:
Settings endpoints Web content filtering

Defender Webfilter

If you have just activated the option and the menu item is not visible, it is best to log in again.

During creation, you can choose which categories to block. Any categories you don't select will be monitored. If you don't define a blocking category, the policy will run in audit mode.
Here is an overview of all categories including subcategories:

Defender Webfilter categories
As of February 2023

In the Defender for Business these are already all the settings that you have to make or can make. They are applied directly to all devices.

In the Defender for Endpoint you also have the option of applying web filter guidelines only to certain scopes.

Defender Webfilter assignmentt

I have put together how the scopes work and where you can create them here:
Defender for Endpoint scope tag via Intune | scloud

Monitor Behavior

In the Security Center almost at the bottom you will find them reports and in this the point "Web protection".

Defender Web protection report

Here you have a nice visualized overview of accesses, blocks and what was affected:

Defender Web filter report

If you click on the details, you will also see more precisely from which subcategory, domain or group the access was blocked or only monitored:

Add Exceptions

You add exceptions in the "Indicators":
Settings > endpoints > indicators > URLs/Domains > + Add items

Defender Webfilter, exceptions

You can unblock entire domains or specific URLs. In addition, you can define whether these are completely ignored, monitored, warned or always blocked.

User Experience

Blocked content is displayed differently depending on the browser. There are two main differences, Edge with Smart Screen and all other browsers protected by "Network Protection".

Microsoft Edge - Web Filter

Defender Web filter, Microsoft Edge

3rd party Browser - Web Filter

Such as Google Chrome, Mozilla Firefox or Opera.

Defender Web filter, Google Chrome