Forcing Wireless Networks on clients

by | May 8, 2018

Do your employees complain they can’t connect to your network resources, only to find they are on a different Wireless network?

In Windows, you can restrict what networks your users connect to – for example, restricting a Guest-style network from being joined, which would prevent Domain-based logins for the next user. You can restrict users from connecting to Ad-Hoc style Access Points, as well as other Infrastructure-style networks.

We are going to use the netsh command within the Command Prompt to achieve these goals. We will assume you are either running these locally, or deploying the commands with a tool such as “PsExec” or “PDQ Deploy“.

Allowing / Denying certain wireless networks

To force certain Wireless Networks to always show when in range, you first need to add them to the “filter list”. The Filter List is a list of filters that Windows will use to determine what networks show up, or can be connected to.

Your first step is to use netsh wlan add filter permission=allow ssid=WIRELESS-NAME-HERE networktype=infrastructure (replace WIRELESS-NAME-HERE with your actual SSID). Repeat as necessary for any additional SSIDs you wish to always have available.

Likewise, if you want to restrict certain SSIDs from being connected to, you can use netsh wlan add filter permission=block ssid=WIRELESS-NAME-HERE networktype=infrastructure. Both of these commands assume you are blocking SSIDs that act as a one-to-many relationship – infrastructure mode, such as with a wireless router on your home network.

Blocking remaining networks

After you setup the filters to allow networks you require access to, you will then block all other networks from being joined. Because this also prevents them from appearing in the Wireless Connections window, your users won’t be tempted to click on them.

Be warned, if the computer has a legitimate reason to travel to other networks, this next command should likely not be enforced!

To block the rest of the networks, run these next two commands:
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

Once these commands are run, only networks previously added with the filters beforehand will appear.

Removing the blocks

If you made a mistake, and need to undo what you’ve done, you can run the exact same commands as above, but replace add with delete. For example: netsh wlan delete filter permission=block ssid=WIRELESS-NAME-HERE networktype=infrastructure, or netsh wlan delete filter permission=denyall networktype=infrastructure.

Full Help

Obtained from running netsh wlan add filter:

Usage: add filter [permission=]allow|block|denyall [[ssid=]]
[networktype=]infrastructure|adhoc

Parameters:

Tag Value
permission – Permission type of the filter.
ssid – SSID of the wireless network.
networktype – Network type of the wireless network.

Remarks:

Adds a wireless network into the allowed and blocked network list
configured on the system.

Parameter ssid is required if permission is allow or block. If permission
is denyall then parameter ssid should not be given.

Examples:

add filter permission=allow ssid=ssid1 networktype=infrastructure
add filter permission=block ssid=ssid2 networktype=adhoc
add filter permission=denyall networktype=adhoc