Within the organizational network, traffic is usually monitored by an internal firewall. However, if the device is outside the "four walls" and no VPN, proxy or third-party tool is used to monitor Internet traffic, the end user can move freely on the Internet. This is not always desired. You can configure the web filter in Defender for Endpoint and also in Defender for Business.
Table of Contents
- Requirements
- Activate feature
- Enable SmartScreen and Network Protection with Intune
- Create & assign policy
- Monitor behavior
- Define exceptions
- User experience
Requirements
One of these licenses:
- Windows 10/11 Enterprise E5
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E3
- Microsoft Defender for Endpoint Plan 1 or Plan 2
- Microsoft Defender for Business
- Microsoft 365 Business Premium
Operating system:
- Windows 11
- Windows 10 (version 1607 or newer)
Configuration:
- SmartScreen - active
- Network Protection - active
Activate feature
The feature is activated very quickly in the Security Center under:
Settings > Endpoints > Advanced features > Web content filtering

Enable SmartScreen and Network Protection with Intune
You can activate the two policies in different places. I'll show you how to activate both in a "Settings catalog" profile. Other options are a "Security Baseline", an antivirus profile or a classic GPO.
To do this, create a new profile:
Intune > Devices > Windows > Configuration profiles > + Create profile
(Windows 10 and later / Settings catalog)
Now add an option and then search for "Configure Microsoft Defender SmartScreen":

Then add "Network protection":

Once both settings have been added, activate them as follows:

Finally, assign the policy to the desired device group.
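Once the profile has synced, the two settings can be checked locally on a device. The following is an added example, not part of the original article: it reads the OS build, the Network Protection mode and the SmartScreen policy value. The function name is hypothetical, and it is an assumption that the SmartScreen setting is written as the Edge policy value `SmartScreenEnabled` under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`.

```powershell
# Added example: checks this article's "Requirements" on the local device.
# Run in an elevated PowerShell session on the managed Windows client.
function Test-WebFilterPrerequisite {
    [CmdletBinding()]
    param()

    # Windows 10 version 1607 is build 14393; Windows 11 builds are higher.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # EnableNetworkProtection: 0 = disabled, 1 = enabled (block), 2 = audit only.
    $npValue = [int](Get-MpPreference).EnableNetworkProtection
    $npState = switch ($npValue) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }

    # Assumption: the SmartScreen setting arrives as the Edge policy value
    # SmartScreenEnabled (1 = on, 0 = off). No value means "not set by policy";
    # SmartScreen may then still be on through the browser's own default.
    $edgePolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' `
        -Name 'SmartScreenEnabled' -ErrorAction SilentlyContinue
    $ssState = if ($null -eq $edgePolicy) {
        'NotSetByPolicy'
    } elseif ($edgePolicy.SmartScreenEnabled -eq 1) {
        'Enabled'
    } else {
        'Disabled'
    }

    # Audit mode only logs, so it does not count as enforced here.
    $enforced = ($build -ge 14393) -and ($npState -eq 'Block') -and ($ssState -eq 'Enabled')

    [pscustomobject]@{
        OsBuild           = $build
        OsSupported       = $build -ge 14393
        NetworkProtection = $npState
        SmartScreenPolicy = $ssState
        EnforcedByPolicy  = $enforced
    }
}

Test-WebFilterPrerequisite | Format-List
```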
Create & assign policy
You can now create a policy in the endpoint settings of the Security Center:
Settings > Endpoints > Web content filtering

If you have just activated the option and the menu item is not visible, it is best to log in again.
During creation, you can choose which categories to block. Any categories you don't select will be monitored. If you don't define a blocking category, the policy will run in audit mode.
Here is an overview of all categories including subcategories:

In Defender for Business, these are already all the settings that you have to or can make. They are applied directly to all devices.
In Defender for Endpoint, you also have the option of applying web filter policies only to certain scopes.

I have put together how the scopes work and where you can create them here:
Defender for Endpoint scope tag via Intune | scloud
Monitor behavior
Almost at the bottom of the Security Center you will find the reports, and within them the item "Web protection".

Here you have a nice visualized overview of accesses, blocks and what was affected:

If you click on the details, you will also see more precisely from which subcategory, domain or group the access was blocked or only monitored:
Define exceptions
You add exceptions under "Indicators":
Settings > Endpoints > Indicators > URLs/Domains > + Add items

You can unblock entire domains or specific URLs. In addition, you can define whether they are completely ignored, monitored, shown with a warning or always blocked.
User experience
Blocked content is displayed differently depending on the browser. There are two main cases: Edge with SmartScreen, and all other browsers, which are protected by "Network Protection".
Microsoft Edge - Web Filter

3rd party browser - web filter
Such as Google Chrome, Mozilla Firefox or Opera.

Hi,
I use the education licenses "MS 365 A3 for faculty" for one of my customers.
Aren't these equivalent to "MS 365 E3", and shouldn't they therefore be sufficient for using Defender for Business?
I can get into the Defender portal as normal, but the "Endpoint" item is not available to me there under Settings.
Even after I adjusted the configuration profile in Intune and activated SmartScreen and Network Protection, the menu item does not appear.
Could it be that the menu items have changed in the last 2.5 weeks, or that Defender for Business is not licensed in the education licenses?
All the other menu items shown in your screenshots above are available to me as well.
Regards, Sebastian
In Defender, the following items are available to me under Settings:
Security center
Microsoft 365 Defender
Email & collaboration
Cloud apps
None of these menu items contains the settings shown in your image 6 above.
Do you have a Defender for Business or Premium license in your tenant?
Sometimes it also helps to assign it to the admin temporarily.
Hello Sebastian, it actually shouldn't.
Defender may not be initialized yet. Do you have the item "Devices" or "Inventory" in the side navigation?
The first time you go to it, the initial setup begins (it can take up to 30 minutes).