Microsoft Defender for Endpoint – Web Content Filtering for Windows 365 Cloud PC and Azure Virtual Desktop

22 Feb

In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t seen my previous blog post, Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop, check that first.

Use case

Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:

  1. Business Security: By blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
  2. Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
  3. Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
  4. Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
  5. Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.

Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.

Pre-requisites

To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:

  • Portal Access to Microsoft 365 Defender Portal
  • Windows Defender SmartScreen Enabled on all Browsers (Edge, Chrome etc.)
  • Network Protection must be enabled on the endpoint devices
  • Microsoft Defender for Endpoint (MDE) Plan 1 or 2
  • MDE for Business
  • Windows 10/11 or Multi-session Operating System

Enable Web Content Filtering

To enable Web Content Filtering in Microsoft Defender for Endpoint (MDE), you need to follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Click on Advanced Features and enable Web Content Filtering

Create Device Group for Windows 365 & AVD in Microsoft 365 Defender Portal

To assign the policy to particular devices, such as Windows 365 Cloud PCs and Azure Virtual Desktop session hosts, we will create Device Groups:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Permissions, click on Device Groups
  • Select Add device group and give it a name – Win365Devices
  • The Cloud PC names start with CPC; I will use that as the matching rule along with OS type – Windows 11
  • For Azure Virtual Desktop, my session host names start with AVD-; I will use that as the matching rule for the device group along with OS type – Windows 11

Enable Network Protection under Microsoft Endpoint Portal (Intune)

Under the Endpoint Security – Antivirus policy, we will enable the configuration:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Antivirus > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
  • Enable Network Protection – Enable (Block Mode)

In my previous blog post on getting started, I enabled Network Protection and other configurations. Here I am giving you quick configuration guidance.

Enable Smart Screen under Microsoft Edge Browser via Intune

I want to use the security baseline around Microsoft Edge for enabling global configuration across all the endpoints:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Security Baseline > Microsoft Edge Baseline.
  • Click on Create a profile and give it a name – MSEdge-Sbaseline-01
  • Enable the SmartScreen config
  • I am applying this security baseline to All Devices

Note: you can enable them via configuration profiles too. In this scenario, I prefer using the security baselines.

Enable Smart Screen for Google Chrome Browser via Intune

To enable Smart Screen on Google Chrome, follow these steps:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Devices > Configuration profiles > Create profile
  • Under Platform – Windows 10 & Later
  • Profile Type – Templates and Select Administrative Templates
  • Give the policy a name – GoogleChrome-SmartScreen-CP01
  • Under Computer – Select Configure the list of force-installed apps and extensions
  • Click on Enable and enter the below extension ID and update URL:
    bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx
  • Further assign the policy to the target devices
  • Click on Review and Save

Create policy for Web Content Filtering

To create a web content filtering policy in Microsoft Defender for Endpoint, follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Rules > Web Content Filtering > Add Item
    • Policy Name – Stop Social Media
    • Block Categories > Leisure > Social Networking & Instant Messaging & Professional Networking
    • Scope – Select the Windows 365 Device Group & AVD Device Group (Session Host VMs), as it’s a targeted policy
  • Wait approx. 40 mins for the policy to take effect on your endpoints

Validate the URLs within Windows 365 Cloud PC

Before going ahead and checking the URLs within the browser, verify the following on the virtual desktop or endpoints:

SmartScreen

Open the browser, type edge://policy and make sure SmartScreen is enabled

Network Protection

Open PowerShell and check that Network Protection is enabled in block mode (value 1)
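
The SmartScreen and Network Protection checks above can be scripted. The following PowerShell is an added example, not part of the original post; the registry paths for the Edge and Chrome policies are assumptions about where the Intune settings land on the device, and the extension ID is the one from the Chrome section of this post.

```powershell
# Added example: endpoint-side pre-checks before testing blocked URLs.
$extId = 'bkbeeeffjjeopflfhgeknacdieedcoml'   # extension ID from this post

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties.Name -contains $Name) {
        return $item.$Name
    }
    return $null
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Network Protection: 0 = disabled, 1 = enabled (block mode), 2 = audit mode.
# Audit mode only logs, so only 1 counts as a pass for web content filtering.
$np = (Get-MpPreference).EnableNetworkProtection
$npMode = switch ([int]$np) {
    0 { 'Disabled' }
    1 { 'Enabled (block mode)' }
    2 { 'Audit mode' }
    default { "Unknown ($np)" }
}
Add-Check 'Network Protection' ($np -eq 1) $npMode

# Edge SmartScreen policy (assumed path: machine-wide Edge policy key)
$edge = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'SmartScreenEnabled'
$edgeDetail = if ($null -eq $edge) { 'SmartScreenEnabled not set' } else { "SmartScreenEnabled = $edge" }
Add-Check 'Edge SmartScreen policy' ($edge -eq 1) $edgeDetail

# Chrome force-installed extensions (assumed path: machine-wide Chrome policy key).
# Each registry value holds one "<extension id>;<update url>" string.
$forceKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$forced = @()
if (Test-Path $forceKey) {
    $key = Get-Item $forceKey
    $forced = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}
$hit = @($forced | Where-Object { $_ -like "$extId;*" })
Add-Check 'Chrome forced extension' ($hit.Count -gt 0) "$($forced.Count) forced entries found"

$results | Format-Table -AutoSize
```

Any row with Pass = False points at the policy that has not reached the device yet, which is worth ruling out before waiting on the web content filtering policy itself.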

Microsoft Edge

Open Microsoft Edge and open https://www.facebook.com or https://www.snapchat.com

Google Chrome

Check reports in Defender Portal

Under the Microsoft Defender Portal go to Reports > Web Protection > Web content filtering categories details

Useful Links and Credits

  • Web content filtering – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide (Credit: Microsoft)
  • How to configure Microsoft Defender SmartScreen via Microsoft Intune? – Endpoint Cave (Credit: Rene Laas)
  • Enabling web filtering with Microsoft Defender for Endpoint – CIAOPS (Credit: Robert Crane)

I hope you find this information helpful on your web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari
