Do your employees complain they can’t connect to your network resources, only to find they are on a different Wireless network?
In Windows, you can restrict what networks your users connect to – for example, restricting a Guest-style network from being joined, which would prevent Domain-based logins for the next user. You can restrict users from connecting to Ad-Hoc style Access Points, as well as other Infrastructure-style networks.
We are going to use the
netsh command within the Command Prompt to achieve these goals. We will assume you are either running these locally, or deploying the commands with a tool such as “PsExec” or “PDQ Deploy“.
Allowing / Denying certain wireless networks
To force certain Wireless Networks to always show when in range, you first need to add them to the “filter list”. The Filter List is a list of filters that Windows will use to determine what networks show up, or can be connected to.
Your first step is to use
netsh wlan add filter permission=allow ssid=WIRELESS-NAME-HERE networktype=infrastructure (replace
WIRELESS-NAME-HERE with your actual SSID). Repeat as necessary for any additional SSIDs you wish to always have available.
Likewise, if you want to restrict certain SSIDs from being connected to, you can use
netsh wlan add filter permission=block ssid=WIRELESS-NAME-HERE networktype=infrastructure. Both of these commands assume you are blocking SSIDs that act as a one-to-many relationship – infrastructure mode, such as with a wireless router on your home network.
Blocking remaining networks
After you setup the filters to allow networks you require access to, you will then block all other networks from being joined. Because this also prevents them from appearing in the Wireless Connections window, your users won’t be tempted to click on them.
Be warned, if the computer has a legitimate reason to travel to other networks, this next command should likely not be enforced!
To block the rest of the networks, run these next two commands:
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc
Once these commands are run, only networks previously added with the filters beforehand will appear.
Removing the blocks
If you made a mistake, and need to undo what you’ve done, you can run the exact same commands as above, but replace
delete. For example:
netsh wlan delete filter permission=block ssid=WIRELESS-NAME-HERE networktype=infrastructure, or
netsh wlan delete filter permission=denyall networktype=infrastructure.
Obtained from running
netsh wlan add filter:
Usage: add filter [permission=]allow|block|denyall [[ssid=]]
permission – Permission type of the filter.
ssid – SSID of the wireless network.
networktype – Network type of the wireless network.
Adds a wireless network into the allowed and blocked network list
configured on the system.
Parameter ssid is required if permission is allow or block. If permission
is denyall then parameter ssid should not be given.
add filter permission=allow ssid=ssid1 networktype=infrastructure
add filter permission=block ssid=ssid2 networktype=adhoc
add filter permission=denyall networktype=adhoc