Well free as in you need an MDATP licence first, but as this used to be an add on feature on top of MDATP with an additional cost, this is now effectively free once you are licensed for MDATP. The feature enables your organisation to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
So how do you set it up from scratch.
Visit the MDATP admin portal at https://securitycenter.microsoft.com/ and click the cog icon to change to the settings view.
Under General, Advanced Features enable Preview Features (whilst this feature is in preview, once it stops being a preview feature this step is no longer required).
On the same list of Advanced Features toggle the option for Web Content Filtering to enable the feature and click Save Preferences.
In the option where you enable Web Content Filtering click the link to create a web content filtering policy to take you to the settings for this feature.
This opens a second tab but all it does it takes you to the Web Content Filtering node of the Settings page! Click + Add Item to start adding content filtering categories.
First, give the policy a name and click Next. Then choose a category or parent category. For example you could select the parent category Adult Content which will turn on seven categories, or you could select just a category such as Nudity. The parent categories are, in addition to Adult Content, High Bandwidth (with peer to peer, and streaming media sites included), Legal Liability (with categories such as child abuse, hacking, and criminal activity included), Leisure (including chat, games, and social networking as categories) and the blanket Uncategorized.
Click Next and then enable for all devices in your admin scope (so if you are Global Admin, that’s all devices!) or pick one or more device groups.
You need to have made the device groups in advance of setting up the policy, and this is available from the Settings page as well. In the above screenshot I have selected the UK device group which is a MDATP Tag set by the registry on all our UK machines. Create a pilot group tag and roll out this feature to a limited number of devices to test.
Click Next to get to the Summary page and then finish the policy creation.
The policy you created and others if you have more than one are then shown.
There are no client agents to install for this feature to work – the MDATP sensor built into Windows 10 (1609 and later) does all the work. The website categories that are blocked are blocked in the browser with a warning. Blocks are performed by SmartScreen (Edge) and Network Protection (Chrome and Firefox). Network Protection is not a message in the browser though – it is a popup at the Operating System level. The Web Content Filter interrupts network traffic to the blocked sites, so Chrome and Firefox will show a network level error, and the OS popup will give the reason. Edge Browser integrates with the OS to show a proper error message (unless SmartScreen is disabled, in which case Network Protection will be the experience here in Edge as well).
In addition to the browser “requirement” for a nice error message, you also need to have the latest updates for Windows Defender signatures and platform, known as MoCAMP. An Advanced Hunting query on GitHub allows you to check the versions across your MDATP estate.
All viewed categories, blocked or not blocked, are reported back to MDATP via the telemetry – so you can create reports on the visited site categories even without blocking users. These reports are available from the MDATP portal and Reports > Web Protection:
The above screenshot shows the only activity at the moment was Custom Indicators (see Blocking Apps With A Low Reputation) but as categories of web content and browsed they will appear on this report.
You can access the Report details for each card by selecting a table row or coloured bar from the chart in the card. The report details page for each card contains data about web content categories, website domains, and device groups.
If you create a Web Content Filtering Policy that has no blocked items in it, but apply this to all devices, you will get a report within a few days of the scope of all your users across all your devices (in MDATP that is) and the categories of URL they are visiting. Therefore, if you need to know what to block before you block it – create a policy that does not include any categories to block.
Leave a Reply