Enabling web filtering with Microsoft Defender for Endpoint

One of the ‘bonuses’ of Microsoft Defender for Endpoint is the inclusion of web filtering. This means that you can block a range of pre-configured site categories, as well as custom sites if needed. This article covers how to set up this capability for the pre-configured categories.

To get web filtering working you’ll basically need:

– Windows 10/11 devices onboarded to Defender for Endpoint

– Windows Defender SmartScreen and Network Protection enabled. SmartScreen handles the blocking in Microsoft Edge, while Network Protection handles it for non-Microsoft browsers, so both are needed for full coverage.
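Before creating the policy it is worth confirming the two prerequisites on a test device. The following PowerShell is an added example, not code from the original article or from Microsoft; it uses the documented Defender cmdlets and registry locations (Get-MpPreference / Set-MpPreference, the Sense service and the Windows Advanced Threat Protection Status key). The Edge SmartScreen policy key is only populated when Edge is managed by GPO or Intune, so a missing value is reported as not configured rather than treated as a failure. Run it from an elevated session.

```powershell
# Added example (not from the original article): check the prerequisites for
# Defender for Endpoint web content filtering on a Windows 10/11 device.
# Assumptions (not stated in the article): registry paths and cmdlets are the
# documented Defender ones; the Edge policy key may legitimately be absent.

function Test-MdeOnboarding {
    # The Sense service is the Defender for Endpoint sensor; OnboardingState = 1
    # means the device has completed onboarding to the tenant.
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState    = $status.OnboardingState
        Onboarded          = ($sense.Status -eq 'Running') -and ($status.OnboardingState -eq 1)
    }
}

function Test-NetworkProtection {
    # Get-MpPreference reports EnableNetworkProtection as 0 = Disabled,
    # 1 = Enabled (block), 2 = Audit mode. Blocks in non-Microsoft browsers
    # need block mode; audit mode only logs what would have been blocked.
    $mode  = (Get-MpPreference).EnableNetworkProtection
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    [pscustomobject]@{
        NetworkProtection = $names[[int]$mode]
        BlockModeActive   = ([int]$mode -eq 1)
    }
}

function Test-SmartScreen {
    # Edge honours SmartScreenEnabled under the Edge policy key when managed;
    # the Windows (Explorer) SmartScreen setting lives under CurrentVersion\Explorer.
    $edge     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $explorer = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EdgeSmartScreenPolicy = if ($null -ne $edge) { $edge.SmartScreenEnabled } else { 'NotConfigured' }
        ExplorerSmartScreen   = if ($null -ne $explorer) { $explorer.SmartScreenEnabled } else { 'NotConfigured' }
    }
}

function Enable-NetworkProtectionBlockMode {
    # Switch Network Protection to block mode if it is off or only auditing.
    # Intune or GPO policy will re-apply its own value on the next refresh, so in
    # production manage the setting centrally; this is for a quick lab check.
    $current = (Get-MpPreference).EnableNetworkProtection
    if ([int]$current -ne 1) {
        Set-MpPreference -EnableNetworkProtection Enabled
    }
    return (Get-MpPreference).EnableNetworkProtection
}

Test-MdeOnboarding   | Format-List
Test-NetworkProtection | Format-List
Test-SmartScreen     | Format-List
```

If Test-NetworkProtection reports AuditMode, categories you block in the portal will still be reachable from browsers such as Brave or Firefox and only a log entry is produced; call Enable-NetworkProtectionBlockMode (or fix the policy that sets audit mode) before testing.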

Web filtering for other platforms, like iOS and Android, is on the roadmap.

Please note that the options that appear may differ based on which version of Defender for Endpoint you are using (P2, P1 or Business).

image

Navigate to https://security.microsoft.com and scroll down the menu options on the left and select Settings. From the options that appear on the right select Endpoints.

image

Locate the Web content filtering option from the menu that now appears, and select + Add item on the right as shown above.

image

From the dialog that appears from the right, give the policy a name (here, Default) and select the Next button.

image

image

Select the Block categories required. You can expand the headings and select individual items inside these. Also note that you can block both Newly registered domains and Parked domains.

Press the Next button when you have made your choices.

image

You can target this policy at specific Defender for Endpoint device groups if you wish, depending on the version of Defender for Endpoint you use. In this case, no groups have been created, so All devices will be targeted. Note that Device Groups do not currently appear in Defender for Business, so all policies there are scoped to all devices by default.

Press the Next button to continue.

image

image

Review the policy summary and select the Save button to complete the creation process.

In my experience it takes around 40 – 45 minutes for this policy to be applied to Windows 10/11 device endpoints, so be patient.

image

When a restricted site is visited using a Microsoft browser like Edge, you’ll very briefly see the restricted website flash up and then almost immediately be replaced with the content blocked message shown above.

image

If you use a non-Microsoft browser, Brave in this case, then you will see a message saying that access is denied and you’ll also receive a Windows Security message as shown in the bottom right above.

If you wish to remove or edit a web filtering policy, simply navigate back to the web filtering option in the security console. Changes, including policy deletions, again take about 40 or so minutes to become evident on endpoint devices.
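Because policy changes take around 40 minutes to reach devices, it helps to have a way of confirming on the endpoint itself that filtering is active rather than repeatedly reloading a browser. The following PowerShell is an added example, not from the original article or from Microsoft. It reads the Defender operational log, where Network Protection records Event ID 1126 for a block and 1125 for an audit-mode hit. The URL is pulled from the message text with a regular expression rather than from a fixed field position, which is an assumption about the message layout; the raw message is kept so nothing is lost if the layout differs. Since Edge is handled by SmartScreen, generate the test hit from a non-Microsoft browser, as the article does with Brave.

```powershell
# Added example (not from the original article): confirm on the endpoint that the
# web content filtering policy has arrived and Network Protection is blocking.
# Event ID 1126 = Network Protection block, 1125 = Network Protection audit hit.
# Assumption: the URL appears somewhere in the event message text. Run elevated.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

function Get-NetworkProtectionBlocks {
    param(
        [int]$Hours = 1
    )
    $filter = @{
        LogName   = $LogName
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $url = if ($_.Message -match 'https?://\S+') { $Matches[0] } else { '(not in message)' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1126) { 'Block' } else { 'Audit' }
            Url     = $url
            Message = $_.Message
        }
    }
}

function Wait-ForFirstBlock {
    # Poll until the first block event appears or the timeout passes. Useful for
    # waiting out the propagation delay described in the article: browse to a
    # site in a blocked category from a non-Microsoft browser every few minutes
    # and this returns as soon as Network Protection logs a block.
    param(
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $blocks = Get-NetworkProtectionBlocks -Hours 1 | Where-Object Mode -eq 'Block'
        if ($blocks) { return $blocks | Select-Object -First 1 }
        Start-Sleep -Seconds $PollSeconds
    }
    return $null
}

# Show what Network Protection has blocked or audited in the last 24 hours.
Get-NetworkProtectionBlocks -Hours 24 | Format-Table Time, Mode, Url -AutoSize
```

Audit entries (1125) with no corresponding 1126 entries are the tell-tale sign that Network Protection is in audit mode rather than block mode, which is the most common reason a category policy appears not to work in non-Microsoft browsers while Edge blocks as expected.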

What’s covered here is just the basics. Look out for a future article where I cover how to filter custom sites and locations. You’ll also find lots more detail in the Microsoft documentation here:

Web content filtering

At this stage (January 2022), as I said earlier, web filtering is only available on Windows 10/11 devices but more options are coming in the very near future.

8 thoughts on “Enabling web filtering with Microsoft Defender for Endpoint”

  1. It seems that the web filtering on the business scope is limited to just one policy per tenant, or in your tenant you have the ability to create device groups. The screenshots I have seen are from the P2 tenant and not the business SKU, or am I missing something?


    1. You are correct that my screenshots are not from Defender for Business. See – https://blog.ciaops.com/2022/01/27/all-the-microsoft-defender-for-endpoint-options/ and I have renamed this post to exclude the focus on Defender for Business.

      You can have multiple policies from what I see in defender for Business but no Device Groups, which means these policies apply to all devices.

      Apologies for the confusion around what options are available but it seems even when a Defender feature is available in another plan it is different.


  2. Hello,

    I need help and I don’t find the answer clearly on the MS website. With M365 Defender web filtering based on categories, can I block personal web mails like Google, Yahoo, iCloud?
    I see the option for: Web-based email: Sites offering web-based mail services, but I can’t find any definition for it. Thank you!


    1. MS only shows categories and no specifics, because if they did show specifics, bad actors would work around that. The policies are by design ‘generic’ to prevent compromise and workarounds.

