There are multiple ways to block specific domains. The easiest is to use Indicators in Microsoft Defender for Endpoint. However, Indicators do not let you block an entire top-level domain (TLD). But what if you want to block a whole top-level domain, for example everything under .ru?

In that case, you can use firewall rules in Microsoft Intune.

How to block top-level domains in Microsoft Intune

To block top-level domains in Microsoft Intune, we use the so-called Reusable settings for Windows Firewall.

In the Intune admin center, open Endpoint security – Firewall and in the top menu open Reusable settings and create a new reusable setting.

The name of the setting can be any name you want. For example, I want to block dumb top-level domains registered by Google, so I named the setting Dumb Domains.

Under Configuration Settings, click Edit Instance. Switch Auto Resolve to True and add the top-level domain you want to block to Keyword, in the form *.tld. For example, I am adding *.zip because I want to block the top-level domain .zip, which could easily be exploited for some phishing attacks.

You can add other domains in the same way within a single setup. For example, I want to block all of the dumb domains, so I added .mov, .foo, .meme and .ing domains as well.

Create a Windows Firewall Rule

The final step is to create a firewall rule that applies the setting to the endpoint devices. Go back to Endpoint security – Firewall, create a new policy for the Windows 10, Windows 11, and Windows Server platform, and select Windows Firewall Rules as the profile.

On the Configuration settings page, add a new rule where Action is Block. Click Set reusable setting and select the previously created Reusable settings for the top-level domains you want to block.

The last thing to do is to click Edit instance and set the following: Enabled to Enabled, Interface type to All (we want the rule to apply to all network interfaces), Network types to FW_PROFILE_TYPE_ALL (the rule applies to all firewall profiles), and Direction to This rule applies to outbound traffic.
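The same configuration can be staged and checked locally on a test device before the Intune policy is assigned, which is useful for confirming that the Auto Resolve keyword behaves as expected. The following script is an added example and is not part of the original post or of Intune itself; it uses the NetSecurity module cmdlets for Windows Firewall dynamic keyword addresses as I know them (New-NetFirewallDynamicKeywordAddress, Get-NetFirewallDynamicKeywordAddress and the -RemoteDynamicKeywordAddresses parameter of New-NetFirewallRule, available on Windows 11 and Windows Server 2022 or later). The rule name, the generated GUIDs and the property name used in the final check are assumptions chosen for this example.

```powershell
# Added example (not from the original post): create the same outbound TLD block
# locally with the NetSecurity module, then verify it. Run from an elevated
# PowerShell session on Windows 11 / Windows Server 2022 or later.

$RuleName = 'Block Dumb TLDs (local test)'                   # assumed name for this example
$Tlds     = '*.zip', '*.mov', '*.foo', '*.meme', '*.ing'     # the TLDs named in the post

# One dynamic keyword address object per TLD. AutoResolve = $true corresponds to the
# "Auto Resolve: True" switch in the reusable setting: Windows fills in the Addresses
# list from names matching the keyword as the local DNS client resolves them.
$keywordIds = foreach ($tld in $Tlds) {
    $id = '{' + [guid]::NewGuid().ToString() + '}'           # assumed: any unique GUID in braces
    New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $tld -AutoResolve $true | Out-Null
    $id
}

# Outbound block rule on all interfaces and all firewall profiles (the post's
# Interface type = All / Network types = FW_PROFILE_TYPE_ALL / outbound choices),
# bound to the keyword objects instead of a static address list.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Block -Enabled True `
    -Profile Any -InterfaceType Any `
    -RemoteDynamicKeywordAddresses $keywordIds | Out-Null

# Check 1: the keyword objects exist; Addresses stays empty until a matching
# name has actually been resolved on this device.
Get-NetFirewallDynamicKeywordAddress |
    Where-Object { $_.Keyword -in $Tlds } |
    Format-Table Id, Keyword, AutoResolve, Addresses -AutoSize

# Check 2: the rule is enabled, outbound, blocking, and references the keyword ids
# (RemoteDynamicKeywordAddresses as a rule property is an assumption; if it is not
# shown, inspect the rule with Get-NetFirewallRule | Format-List *).
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile, RemoteDynamicKeywordAddresses
```

When testing, resolve a name under one of the listed TLDs on the device, then re-run the first check: the resolved IP should now appear under Addresses for that keyword, and outbound connections to it should be dropped. Because the block is driven by what the Windows DNS client resolves, it is worth verifying during the test that applications using their own name resolution (for example a browser with its own encrypted DNS setting) are covered in your environment rather than assuming they are.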

That is all 🙂 You can assign the newly created policy to your devices.