Recently I was working on a request to check how we can block users from connecting their Intune-managed corporate Windows endpoint to some specific WLAN SSIDs, for example, the common Guest Wi-Fi SSID that is available within the office premises, to ensure that corporate devices within corporate premises are only using the corporate network.
Natively with a device restriction policy, we have the below settings that can be configured.
This GUI configuration item resolves to the AllowManualWiFiConfiguration node of the Policy CSP. When configured and applied, it only allows the user to connect the device to Wi-Fi profiles that were pushed to the device via the MDM channel.
However, this is not our requirement here.
And to be honest, I am not aware of any other configuration item that is available natively within the Intune Admin portal GUI that can help us with the requirement.
Thus, this blog post of today will be a very brief post about how you can block end-users from connecting their Intune-managed corporate Windows devices to some specific WLAN SSIDs only.
How to block managed-device from connecting to specific WLAN SSIDs with Intune
The requirement to prevent users from connecting their Intune-managed corporate Windows devices to a specific SSID can be met with a single line of PowerShell, as below.
netsh wlan add filter permission=block ssid="<SSID_name_here>" networktype=infrastructure
So if you want to block more than one SSID, you need one line per SSID name. For example, if I want to block devices from connecting to 2 SSIDs, my PS code would look like the below.
netsh wlan add filter permission=block ssid="<SSID-1_name_here>" networktype=infrastructure
netsh wlan add filter permission=block ssid="<SSID-2_name_here>" networktype=infrastructure
Now I can either deploy it as a plain PS script deployment from Intune or take the effort to package the script as a Win32 app and deploy it and have the requirement met.
But the above will only work on devices that have not previously connected to the SSIDs being blocked. Hence, if you deploy the above PS script to a device that has previously connected to one of those SSIDs, or is presently connected to one of them, you will see no effect.
Thus we also need to ensure that if there are existing Wi-Fi profiles on a device for the SSIDs in concern, those need to be deleted as part of the script execution.
Again, this can be easily achieved with the below line of PS code.
netsh wlan delete profile name="<SSID_name_here>" i=*
So if we are working on blocking 2 SSIDs here, there will be one line corresponding to each SSID.
netsh wlan delete profile name="<SSID-1_name_here>" i=*
netsh wlan delete profile name="<SSID-2_name_here>" i=*
So the final PS script will look something like this:
$PackageName = "Block-Wi-Fi-SSID"
$Path_local = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"
# The transcript log written here is later used as the Win32 app detection artifact.
Start-Transcript -Path "$Path_local\$PackageName-install.log" -Force
# Remove any saved profile for the SSIDs on every interface (i=*) so an existing connection is dropped.
netsh wlan delete profile name="Guest01" i=*
netsh wlan delete profile name="GUEST02" i=*
# Add a block filter so the SSIDs no longer appear as available networks.
netsh wlan add filter permission=block ssid="Guest01" networktype=infrastructure
netsh wlan add filter permission=block ssid="GUEST02" networktype=infrastructure
Stop-Transcript
Here Guest01 and GUEST02 are the SSIDs I am trying to block.
Now I always prefer to package my PS scripts as a Win32 app for deployment, and, for simplicity, the transcript log written by the above script doubles as the detection artifact.
You can save the script as “install.ps1”, keep it in a folder and then use the IntuneWinAppUtil to prepare the Win32 package. Then create the Win32 app in Intune.
Setting | Value
--- | ---
Install Command | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\install.ps1
Uninstall Command | cmd /c
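The script above hard-codes two SSIDs and the Win32 app has no real uninstall command (cmd /c is a no-op). The following is an added example, not the post's own script: it keeps the same netsh approach but takes the SSID list from an array and adds an -Uninstall switch that removes the block filters again, so the package can be cleanly retired. The SSID names and the package name are placeholders and are my assumptions, not values from any real environment.

```powershell
# Added example (not the post's script): same netsh approach, generalised to a list of SSIDs,
# with an -Uninstall switch so the Win32 app has a working uninstall command.
# Assumptions: runs as SYSTEM via the Intune Management Extension; SSID names are placeholders.
param(
    [switch]$Uninstall
)

$PackageName = "Block-Wi-Fi-SSID"
$Path_local  = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"

# Placeholder SSIDs (constructed for this example); replace with the guest networks to block.
$BlockedSsids = @("Guest01", "GUEST02")

$Suffix = if ($Uninstall) { "uninstall" } else { "install" }
Start-Transcript -Path "$Path_local\$PackageName-$Suffix.log" -Force

foreach ($ssid in $BlockedSsids) {
    if ($Uninstall) {
        # Remove the block filter again; the SSID becomes visible and connectable as before.
        netsh wlan delete filter permission=block ssid="$ssid" networktype=infrastructure
    }
    else {
        # Drop any saved profile for this SSID on every interface (i=*) so a live
        # connection is torn down, then block the SSID from the available-networks list.
        netsh wlan delete profile name="$ssid" i=*
        netsh wlan add filter permission=block ssid="$ssid" networktype=infrastructure
    }
}

Stop-Transcript

if ($Uninstall) {
    # Remove the install log so a file-based detection rule reports the app as not installed.
    Remove-Item -Path "$Path_local\$PackageName-install.log" -Force -ErrorAction SilentlyContinue
}
```

With this version the Uninstall Command in the Win32 app becomes the same powershell.exe call as the Install Command, with -Uninstall appended to the script invocation; a device that is retired from the policy then regains access to the guest SSIDs instead of keeping the block filters indefinitely.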
Make the necessary selection for OS architecture and Minimum OS version.
For detection, as I told you earlier, I have gone with the simple "file or folder exists" rule, pointing at the install log that gets generated as part of the script execution.
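A file-exists rule only proves that the script ran once; it does not prove that the block filters are still in place (a local administrator can remove them with netsh). As an added alternative, not part of the post, the following custom detection script for the Win32 app checks the actual filter list. Intune treats the app as detected when the script exits 0 and writes something to STDOUT. The SSID list mirrors the placeholder names used above, and the regular expression assumes the line format that netsh wlan show filters prints on Windows 10/11 (SSID: "name", Type: Infrastructure); adjust it if your build formats the output differently.

```powershell
# Added example (not from the post): Intune Win32 custom detection script that verifies the
# netsh block filters rather than the presence of a log file.
# Assumption: the SSID list matches the install script; names below are placeholders.
$BlockedSsids = @("Guest01", "GUEST02")

# Query only the block filters. Expected output format (assumed, as observed on Windows 10/11):
#   Block list on the system (user)
#   ---------------------------------------
#       SSID: "Guest01", Type: Infrastructure
$output = netsh wlan show filters permission=block 2>&1

# Collect the quoted SSID from every infrastructure block entry.
$present = foreach ($line in $output) {
    if ($line -match 'SSID:\s*"(.*)",\s*Type:\s*Infrastructure') { $Matches[1] }
}

# Any SSID from our list that is not currently filtered means the policy has drifted.
$missing = @($BlockedSsids | Where-Object { $present -notcontains $_ })

if ($missing.Count -eq 0) {
    # Exit 0 plus STDOUT output = "installed" in Intune's detection logic.
    Write-Output "All $($BlockedSsids.Count) SSID block filters present"
    exit 0
}
else {
    # No STDOUT and a non-zero exit = "not installed"; Intune will run the install again,
    # which re-applies the filters. The missing names go to the IME log via STDERR.
    Write-Error "Missing block filters: $($missing -join ', ')"
    exit 1
}
```

Because Intune re-evaluates detection periodically, this turns the Win32 app into a self-healing control: if the filters are removed on the device, the next detection cycle reports the app as missing and the install script re-adds them.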
There’s no need for setting Dependency or Supersedence so you can skip and go to the Assignments section to make the necessary assignments.
Once done with the assignment, complete the app creation workflow. The app will be ready within a few minutes.
End-User Experience
Once the application install is triggered on a device that
- (a) already has a WLAN profile saved for the blocked SSID from a previous connection, or
- (b) is presently connected to the WLAN SSID that is being blocked,
the saved Wi-Fi profile is deleted from known networks (case a) and the device is automatically disconnected from the WLAN network (case b). Further, the blocked SSIDs won’t appear under the Available networks.
The script transcript generated upon execution is shared below.
**********************
Windows PowerShell transcript start
Start time: 20230318174513
Username: WORKGROUP\SYSTEM
RunAs User: WORKGROUP\SYSTEM
Configuration Name:
Machine: DESKTOP-SVFV6OI (Microsoft Windows NT 10.0.22621.0)
Host Application: C:\WINDOWS\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\install.ps1
Process ID: 19580
PSVersion: 5.1.22621.963
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22621.963
BuildVersion: 10.0.22621.963
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\Block-Guest-WiFi-install.log
Profile "Guest01" is deleted from interface "Wi-Fi".
Profile "GUEST01" is not found on any interface.
The filter is added on the system successfully.
The filter is added on the system successfully.
**********************
Windows PowerShell transcript end
End time: 20230318174513
**********************
Well, that was all for today’s short post. Thanks for reading.