Organizations must maintain strict control over the applications and services accessed within their networks. DeepSeek, AI-powered tools, can present potential security or compliance risks. If your organization wants to block these services, Microsoft Intune offers a robust solution for managing and restricting access to such applications across corporate devices. This guide will walk you through the steps to effectively block DeepSeek using Microsoft Intune.

Why Block DeepSeek?

Before proceeding with the blocking process, it’s essential to understand why an organization might want to restrict access to DeepSeek. Potential reasons include:

  • Data Security: Prevents unauthorized AI-powered tools from processing sensitive company information and ensures proprietary data remains within organizational control.
  • Compliance Requirements: Ensures adherence to industry regulations and corporate policies by preventing interactions with unapproved AI-driven services.
  • Productivity Management: Reduces distractions and unauthorized software usage within the corporate environment, ensuring employees focus on business-related applications.

Steps to Block DeepSeek Using Microsoft Intune

1. Identify DeepSeek Domains and Application Signatures

Before implementing restrictions, identify the URLs and application signatures associated with DeepSeek. Common methods to do this include:

  • Reviewing web traffic logs for DeepSeek-related domains.
  • Checking software inventory reports for DeepSeek application presence.
  • Monitoring DNS queries for potential access attempts.

Common DeepSeek-related URLs might include:

  • ai.com
  • deepseek.com
  • deepseek.ai
  • Any associated subdomains or dynamically generated links used by DeepSeek services.

2. Block DeepSeek in Edge Using Indicators in Microsoft Defender for Endpoint

Since Web Content Filtering does not support custom URL blocking, use Microsoft Defender for Endpoint Indicators instead:

  1. Access Microsoft Defender Security Center
  2. Create a URL Indicator to Block DeepSeek
    • Navigate to Settings > Endpoints > Rules > Indicators.
    • Click URL/Domain under Indicators.
    • Click + Add Item.
    • Enter deepseek.com, and do this later also for deepseek.ai and ai.com
    • Click Next
      Block DeepSeek
    • Set Action to Block execution.
    • Click Next
    • If necessary, you can enable Generate Alert
      Set the Severity to Informational, and the Category to Unwanted Software
    • Click Next
    • Apply to all devices or specific device groups
    • Click Next
    • Click Submit.

3. Block DeepSeek in other Browsers Using Microsoft Defender for Endpoint and Intune

  1. Access Microsoft Intune Admin Center
    • Go to Microsoft Intune Admin Center.
    • Navigate to Devices > Manage > Configuration
    • Under Policies, click + Create
      Block DeepSeek
    • At the Basics tab enter a Name and Description
    • Click Next
    • At the Configuration Settings tab, click on + Add Settings
    • Search for Enable Network Protection
    • Choose the category Defender
    • Check the box Enable Network Protection and do not forget to set Enable Network Protection to Enabled (block mode) in the left part of the screen.
    • Click Next
      Block DeepSeek
    • Leave the Scope Tag and click Next
    • Assign the appropriate groups and click Next
    • Review the profile and click Create

4. Restrict DeepSeek App via App Protection Policies

If DeepSeek is available as a standalone application, use Intune’s app protection policies to restrict it:

  1. Navigate to Apps > Manage apps > Protection.
  2. Click + Create and select the platform (iOS, Android, Windows, macOS).
  3. Define the policy name and target users.
  4. Under Protected apps, add DeepSeek if listed.
  5. Set restrictions to prevent data sharing, copy-pasting, or opening files in unauthorized applications.
  6. Configure additional policies, such as preventing saved credentials for unapproved applications.
  7. Save and assign the policy to relevant groups.

5. Uninstall the DeepSeek App on Android

  1. Navigate to Apps > Platforms > Android.
  2. Click on + Create
  3. Select Managed Google Play app as App type
  4. Click Select
  5. Click on Search
  6. Search for DeepSeek
  7. Select DeepSeek – AI assistant
  8. Click Select
  9. Click Next on the App information screen
  10. Under Uninstall, assign it to the appropriate group
  11. Click Next
  12. On the Review + Create tab, review the setting and click on Create

6. Uninstall the DeepSeek App on iOS/iPadOS

  1. Navigate to Apps > Platforms > iOS/iPadOS.
  2. Click on + Create
  3. Select iOS store app as App type
  4. Click Select
    Block DeepSeek
  5. Click on Search the App Store
  6. Search for DeepSeek
  7. Select DeepSeek – AI assistant
  8. Click Select
    Block DeepSeek
  9. Click Next on the App information screen
  10. Under Uninstall, assign it to the appropriate group
  11. Click Next
    Block DeepSeek
  12. On the Review + Create tab, review the setting and click on Create

7. Enforce Network-Based Restrictions

For organizations using corporate networks, implement additional restrictions through:

  • DNS Filtering: Configure network-wide DNS filtering to block DeepSeek-related domains.
  • Proxy Server Rules: If using a corporate proxy, create rules to restrict AI-related traffic.
  • Next-Generation Firewall (NGFW): Define Deep Packet Inspection (DPI) policies to detect and block AI-generated traffic.

Monitoring and Maintenance

After implementing these restrictions, continuously monitor compliance through Intune’s reporting tools:

  • Reports > Web Content Filtering: Track web traffic and access attempts to blocked DeepSeek services.
  • Endpoint Security > Firewall logs: Monitor blocked network requests.
  • Apps > Protection logs: Track unauthorized application usage and data-sharing attempts.
  • Audit and Review Policies Regularly: Ensure policies are up-to-date with new AI-powered services.

Troubleshooting Issues

If users report that DeepSeek is still accessible:

  1. Check Intune Policy Deployment: Verify that policies are assigned to the correct device groups.
  2. Confirm Defender Indicators Configuration: Ensure Microsoft Defender for Endpoint is active and enforcing the blocking rules.
  3. Validate Firewall Rules: Use local device logs to check if DeepSeek-related traffic is being blocked.
  4. Use Endpoint Detection and Response (EDR) Tools: Deploy threat analytics to detect and respond to unauthorized AI usage.

Final Thoughts

Blocking DeepSeek with Microsoft Intune ensures your organization maintains control over this AI tool usage, protects sensitive data, and complies with security policies. By leveraging Microsoft Defender for Endpoint indicators, app protection, conditional access, and network-based restrictions, you can effectively manage and restrict DeepSeek across all managed devices. Regular monitoring, policy updates, and proactive security measures will help maintain a secure and compliant workplace.

Paul Cobben