Recently, I faced a scenario where I needed to restrict access to all URLs while allowing only a few specific ones for certain machines. The environment in question was an Azure Virtual Desktop setup, with these virtual machines residing within a designated VNet and subnet. Initially, I considered leveraging NSGs or Azure Firewall’s Application Rule Collections to implement this requirement until a colleague introduced me to the URLBlocklist and URLAllowlist settings in Microsoft Edge or Google Chrome. I’ll admit, I wasn’t familiar with these options before, but they turned out to be the perfect solution for our needs!
Microsoft Edge’s and Google Chrome’s URLBlocklist and URLAllowlist policies provide a powerful way to manage this. By blocking all URLs and selectively allowing access to allowlisted sites, administrators can create a highly controlled browsing environment tailored to organizational needs.
In this blog, we’ll explore how to configure these policies to block all web traffic while granting access to specific trusted sites. Whether you’re safeguarding sensitive systems or focusing user activity on approved resources, this setup offers an efficient solution for managing web access.
Block all URLs
To start, we need to block all URLs by configuring a specific setting in Intune. This is achieved by adding * as the value in the URLBlocklist entry, which blocks all web traffic. Unlike the usual precedence rules, in this case the Allow setting takes priority over Block.
Allow specific URLs
As noted earlier, the Allow setting overrides the Block rule. This allows us to specify certain URLs that should be accessible even with the block policy in place.
Create Intune policy
Note: The URLBlocklist and URLAllowlist settings can be combined in a single policy.
- Navigate to https://intune.microsoft.com -> Devices -> Configuration
- Click Policies -> New Policy -> Platform: Windows 10 and later -> Profile type: Settings catalog -> Create
- Give the policy a descriptive name (e.g. AVD Host – Allow specific Edge URL)
- Click Add Settings and search for URLBlocklist -> Microsoft Edge -> Select Block access to a list of URLs (Device)
- Enable the policy and configure * as the one and only value
Note: If there’s no need to allow specific URLs and you simply want to block all access, you can save and deploy the policy as-is. While this may not be the most refined approach, it effectively gets the job done. If you need to allow specific URLs, follow the next steps; this can be done within the same policy.
- Click Add Settings and search for URLAllowlist -> Microsoft Edge -> Select Allow access to a list of URLs (Device)
- Enable the policy and add your allowed URLs
- Click Next -> Configure scope tags (optional) -> Click Next -> Assign specific (device) groups -> Click Create
Note: In an Azure Virtual Desktop environment, device-based settings require assigning the policy to a device group. For user-based settings, you’ll need to assign the policy to a user group.
Wildcards
The URLAllowlist setting supports wildcards, but they don’t behave quite as expected. For instance, I assumed that using *.domain.local would allow all URLs ending with domain.local, but that wasn’t the case. After experimenting with various formats and modifying the registry at HKLM\SOFTWARE\Policies\Microsoft\Edge\URLAllowlist, I discovered the following:
- domain.local: Permits access to all resources containing domain.local in their name
- *.domain.local: Does not allow all URLs ending with domain.local
- www.domain.com: Permits access to only this specific URL. Subdomains not included! Removing www from the address bar results in a “blocked” page
- domain.com: Permits access to all resources containing domain.com in their name. Subdomains allowed.
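To check what actually landed on a session host after the Intune policy above has applied, and to reproduce the registry experiments from this section in a lab, the following PowerShell script is an added example and not part of the original post. It assumes Edge stores these list policies as numbered REG_SZ values (1, 2, 3, ...) under HKLM\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist and URLAllowlist, that it runs elevated, and the function names are my own. The audit flags the two allowlist patterns this post found to behave unexpectedly: a leading *. (which does not cover subdomains) and a www. prefix (which allows only that exact host).

```powershell
# Added example: audit and lab-test the Edge URLBlocklist / URLAllowlist policy
# on a Windows host (e.g. an AVD session host). Not from the original post.
# Assumptions: run as administrator; list policies are numbered REG_SZ values
# under the keys below; function names are hypothetical.

$EdgePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeUrlListPolicy {
    param([ValidateSet('URLBlocklist', 'URLAllowlist')][string]$Name)
    $key = Join-Path $EdgePolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    # Entries are values named 1, 2, 3 ...; sort numerically so the report
    # matches the order shown on edge://policy.
    $item = Get-Item $key
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { $item.GetValue($_) }
}

function Test-EdgeUrlPolicy {
    $block = @(Get-EdgeUrlListPolicy -Name URLBlocklist)
    $allow = @(Get-EdgeUrlListPolicy -Name URLAllowlist)
    $findings = @()

    if ($block -notcontains '*') {
        $findings += 'URLBlocklist does not contain "*": traffic is not blocked by default.'
    }
    if ($block.Count -gt 1) {
        $findings += 'URLBlocklist has entries besides "*": they are redundant once "*" is present.'
    }
    foreach ($entry in $allow) {
        # The post found that "*.domain.local" does NOT allow everything under
        # domain.local, while "domain.local" (no prefix) does, subdomains included.
        if ($entry.StartsWith('*.')) {
            $bare = $entry.Substring(2)
            $findings += "URLAllowlist entry '$entry' uses a leading '*.' which does not match subdomains; use '$bare' instead."
        }
        # "www.domain.com" allows only that host; the bare domain stays blocked.
        if ($entry -match '^www\.') {
            $bare = $entry -replace '^www\.', ''
            $findings += "URLAllowlist entry '$entry' is host-specific: '$bare' will still be blocked."
        }
    }
    [pscustomobject]@{
        Blocklist = $block
        Allowlist = $allow
        Findings  = $findings
        Compliant = ($findings.Count -eq 0 -and $block -contains '*')
    }
}

# Lab use only: write the lists directly to the registry, as the post describes
# for testing. In production Intune manages these keys and will overwrite them.
function Set-EdgeUrlListPolicy {
    param(
        [ValidateSet('URLBlocklist', 'URLAllowlist')][string]$Name,
        [string[]]$Entries
    )
    $key = Join-Path $EdgePolicyRoot $Name
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }
    New-Item $key -Force | Out-Null
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        New-ItemProperty -Path $key -Name ($i + 1) -Value $Entries[$i] -PropertyType String | Out-Null
    }
    # Edge only re-reads these keys on restart (see Bonus 3 below).
}

# Usage in a lab, then audit:
# Set-EdgeUrlListPolicy -Name URLBlocklist -Entries '*'
# Set-EdgeUrlListPolicy -Name URLAllowlist -Entries 'domain.local', 'welcome-new-device'
# Test-EdgeUrlPolicy | Format-List
```

Run Test-EdgeUrlPolicy after the Intune policy shows as applied (or after a local registry change and an Edge restart); a non-empty Findings list means the allowlist contains a pattern that, per the observations above, will not behave the way the name suggests. Cross-check the same entries on edge://policy, which shows the values Edge has actually loaded.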
Bonus
1: Upon first launching Edge, the browser may present the first-run experience, which could result in a blocked page. To resolve this, simply add welcome-new-device to the URLAllowlist.
2: If websites redirect to other URLs or inject external payment/cookie walls, the URL may still be blocked.
3: After modifying the registry, you’ll need to restart Edge for the changes to take effect.