Defender for Endpoint – Web Content Filtering

What is Web Content Filtering?

Web Content Filtering provides the ability to manage which web content users have access to and if applicable, block access to specific or pre-categorised content. There are also softer options such as auditing content which is accessed, warning users when potentially inappropriate content is accessed and options to limit the scope of the filtering policies.

Web Content Filtering is part of the Web Protection offering in Defender for Endpoint which includes 3 key areas; ‘Web Threat Protection’, ‘Web Content Filtering’ and ‘Custom Indicators’. This post focuses on Web Content Filtering and does include a few Custom Indicators in the example, but I’ll be covering Web Threat Protection in a separate post.

The settings for Web Content Filtering are not presented in the main Defender portal window or from the immediate left hand pane but it is definitely a feature worth taking a look at to determine whether it would be of benefit. Web Content filtering enables controls for browsing the internet with 5 key categorised areas –

  • Adult content
  • High Bandwidth
  • Legal Liability
  • Leisure
  • Uncategorised

The intended use for Web Content Filtering is not just around inappropriate content, but also content which could consume large quantities of bandwidth or breach regulations specific to the organisations industry type.

There is no restriction on the browser being used, Web Content Filtering will work with any browser, but the Network Protection service must be enabled in Windows for the protection to extend beyond the Edge browser.

URLs and Domains can be manually included or excluded from content filtering restrictions as necessary, either 1 by 1, or with an imported CSV file containing the appropriate data.

License requirements

Web Protection features are included with Microsoft Defender for Endpoint P1 and P2.


  • Network Protection must be enabled on the device
  • Windows Defender SmartScreen must be enabled on the device
  • Device onboarded to Defender for Endpoint
  • Windows 10 v1607+


In the following example a policy is created that blocks access to content categorised as ‘Gambling’ and ‘Social Networking’ with an exclusion (indicator) for Twitter and a warning indicator for Facebook.

A policy is created as follows –

  • Navigate to ‘Settings’ within the portal
  • Open the ‘Endpoints’ settings and select ‘Web Content Filtering’ under the ‘Rules’ in the left hand pane

3. Select ‘Add Item’ to create a new policy and provide a relevant policy name value in the ‘Policy’ field. Select ‘Next’ to continue

4. Check the boxes to determine which content to filter. In this example I’ll be specifically filtering ‘Gambling’ and ‘Social Networking’. Select ‘Next’ to continue

5. Select a Device Group to scope the policy to (can be done afterwards), or leave to scope to ‘all devices’

6. Continue and select ‘Save’ to create the policy

To test the policy, allow some time for the onboarded and in scope device to obtain the settings and browse to a web site that falls under 1 of the categories. In my example I’ll go to a gambling site and social media site.

The expected result is the following splash screen –

Via Chrome –

Via Firefox –

As is common with M365 services now, there are a lot of reports, visual charts, exportable data and graphics available to analyse the result of the configuration and determine any necessary steps to take. For example, the Web Protection reports section includes several reports related to Web Content Filtering actions and there is the option of configuring alerts for matched criteria if necessary –

As mentioned above, Network Protection and Defender SmartScreen must be enabled for Web Content Filtering features to work as expected. If you use Endpoint Manager and the available baselines, these are enabled by default in the ‘Microsoft Defender for Endpoint’ baseline. If not these can be enabled with an Endpoint Protection Configuration Profile, a GPO or manually with a PowerShell script (Network Protection) or registry key amendment.

Where a website falls under 1 of the filtered categories, but needs to be excluded, this can be achieved by creating a URL/Domain Indicator within the Defender portal.

  • Navigate to ‘Settings’ and ‘Endpoints’
  • Select ‘Indicators’ in the left hand pane under the ‘Rules’ section
  • Select ‘ URLs/Domains’ from the ribbon and select ‘Add Item’ to add URLs and/or IP address values
  • Provide the URL or Domain value in the field and select an expiry date if applicable. For my example, I’ll be excluding Twitter which is filtered by the Social Networking sub category in ‘Leisure’.

For completeness, the following is a screenshot prior to implementing this exclusion (Indicator)–

  • Select ‘Next’ to proceed and select 1 of the available actions; ‘Allow’, ‘Audit’, ‘Warn’ or ‘Block Execution’. Provide a relevant ‘Title’ and ‘Description’ for the indicator. Optionally enable the alert generation setting.
  • Select ‘Next’ to proceed and specify the scope by selecting relevant Device groups, or apply to all onboarded devices
  • Select ‘Next’ to proceed and review the summary details. Select ‘Save’ to complete.
  • Revisiting results in success (it can take up to 2 hours for changes to indicators and policies to be seen)
  • Create another indicator with specified as the domain value and the Warn value in the actions. Optionally specify a bypass duration period value. This determines for how long the site can be accessed before the warning is shown again.

  • This configuration results in the following warning screen which the user can then ‘Allow’ to visit the site

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: