Windows 10 WiFi and Corporate network

  • Question

  • Hi all,

    I have a group policy on Windows 2012R2 in place on our corporate network that prevents access to the WiFi while connected to the corporate network. This has been working fine on Windows 10 1709; however, on Windows 10 1803 it appears that Windows is not adhering to the policy. I have no policy errors, and I can see the policy has been deployed successfully with no errors. I have tested this on another laptop and the same issue is happening. I have a Microsoft Surface Pro 4 with a docking station; the other device is an HP Pro Laptop.

    I want to deploy the latest version of Windows 10 out to the organisation but I am unable to due to this issue.

    The policy is located:

    Computer Config -> Policies -> Administrative Templates -> Network/Windows Connection Manager -> Prohibit connection to non-domain networks when connected to domain authenticated network

    "If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:

    Automatic connection attempts
    - When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
    - When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked.

    Manual connection attempts
    - When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
    - When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.

    If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks."

    Supported on: At least Windows Server 2012, Windows 8 or Windows RT

    Anybody else having this issue?

    Friday, June 22, 2018 1:21 AM

All replies

  • I just verified that we have this problem as well once updated to v1803.  Previously, wireless connections would get blocked while on the wired LAN.  Now the connections are being allowed again.  Frustrating.
    Thursday, September 6, 2018 11:44 PM
  • Microsoft is aware of this issue and is currently investigating.

    Workaround

    Enable "Configure registry policy processing" under Computer Configuration -> Policies -> Administrative templates -> System -> Group policy

    Do not enable "Process even if GP objects not changed" (leave unchecked).

    Restart client

    • Proposed as answer by B.Banner_Hulk Thursday, September 27, 2018 4:01 PM
    • Unproposed as answer by B.Banner_Hulk Thursday, September 27, 2018 7:53 PM
    Thursday, September 27, 2018 1:35 PM
  • This appears to work but by "Enabling" the policy with nothing checked, the result is that it's actually "Disabled".  However, wireless is once again blocked.

    After a few reboots, this stopped working again.  This workaround does not work.


    Thursday, September 27, 2018 3:50 PM
  • I’ve found another workaround that works consistently in my environment.

      1. Remove the “Prohibit connection to non-domain networks when connected to domain authenticated network” policy.
      2. Set the registry key directly via GPO:
        SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy
        fBlockNonDomain = 1

    Wireless networks are now blocked again and stay blocked because the key is not constantly being deleted and re-added.  The registry processing policy is not required for this to work.




    • Edited by B.Banner_Hulk Thursday, September 27, 2018 10:44 PM
    • Proposed as answer by B.Banner_Hulk Thursday, September 27, 2018 10:45 PM
    Thursday, September 27, 2018 10:40 PM
  • Hi,

    None of the workarounds work in my environment.

    If it is a known issue, can Microsoft explain why this happens, and will a fix be released?

    Thank You

    Friday, September 28, 2018 1:46 PM
  • The root cause is under investigation.

    Update 10/10:

    This has been root caused.   A fix is being investigated.

    If a fix is approved it will likely not be released until January or later.

    Please use the mentioned workarounds in this forum in the meantime.

    Update 11/8:

    The bug has been fixed in future releases.

    Currently looking at a backport to 1803 and 1809.

    If backport approved will be targeted for January release timeframe.


    Update 12/12:

    The fix was released early in yesterday’s KB 4471324, although it is not explicitly listed there.

    https://support.microsoft.com/en-us/help/4471324/windows-10-update-kb4471324


    • Proposed as answer by tfair - MSFT Friday, October 26, 2018 7:08 PM
    • Edited by tfair - MSFT Wednesday, December 12, 2018 3:52 PM
    Friday, September 28, 2018 2:19 PM
  • Hi tfair,

    Thank You.

    This situation has a serious security impact, so I will be glad and relieved if you share some official solution soon.

    DG

    Friday, September 28, 2018 2:36 PM
  • Leinad84,

    Make sure that the original "Prohibit connection to non-domain networks when connected to domain authenticated network" policy is no longer applied (set to Not Configured; verify it's gone via RSOP).  Then set HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain = DWORD 1 via registry in the GPO (Computer Config -> Preferences -> Registry).

    At least in my environment, I found that if the original policy was still being applied, then the registry workaround would not work for me.

    Hope this helps.

    Friday, September 28, 2018 3:19 PM
  • The fix was released in yesterday’s KB 4471324, although it is not explicitly listed there.

    https://support.microsoft.com/en-us/help/4471324/windows-10-update-kb4471324



    • Proposed as answer by tfair - MSFT Wednesday, December 12, 2018 3:54 PM
    • Edited by tfair - MSFT Wednesday, December 12, 2018 3:54 PM
    Wednesday, December 12, 2018 3:53 PM
  • I see that the KB4471324 was released but only references build 1803.  Does that apply to 1809 too or was that already fixed in 1809?  I just tested this policy setting and while it did disconnect me from a wireless non-domain network after re-docking the computer to a wired domain network, it did not prohibit me from re-connecting to the wifi non-domain network.
    Tuesday, February 12, 2019 6:16 PM
  • The 1809 fix will be released on Tues Feb 26th via KB 4482887.

    The policy prevents "automatic" connections to the nondomain network.  Manual connections are still allowed.  The user intention trumps the system assumption that they should not be automatically connected.

    Tuesday, February 12, 2019 8:08 PM
  • Actually, that's not how it should be according to the description on the GPO, and both auto and manual connections have always been blocked in the past.  Is this changing or another bug that needs to be corrected again in 1809?  Please review the GPO description.

    "- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked."

    Friday, February 15, 2019 11:38 PM
  • I see what you're saying.

    Can you verify that, with the 1803 KB uninstalled (or, even better, on an 1803 machine that has never had that KB installed), the blocking behavior works for this scenario, and that reinstalling the KB reproduces the issue again?  If so, please open a support case with Microsoft and we can look further into the issue.



    • Edited by tfair - MSFT Saturday, February 16, 2019 12:06 AM
    Saturday, February 16, 2019 12:03 AM
  • FYI we just upgraded to 1809 and everything is functioning as expected.  I'm unable to connect to a wireless network while docked in the LAN.  This is the same as 1803 post patch (which I worked with Microsoft to get released).

    However, we're still implementing this directly via registry instead of policy, as I didn't trust that this would not break again:

    SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy
    fBlockNonDomain = 1

    I'll update after the 26th.

    Wednesday, February 20, 2019 4:51 PM
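The following client-side audit script is an added example and is not code from the thread or from Microsoft. It checks the three things the posts above turn on: whether the fBlockNonDomain value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy actually landed on the client (the Sept 27/28 registry workaround), whether the build carries the cumulative update that fixed the bug (KB4471324 for 1803, KB4482887 for 1809, as named in the thread), and whether a wired domain-authenticated connection and a non-domain Wi-Fi connection currently coexist, which is the condition the policy exists to prevent. It assumes an elevated Windows PowerShell 5.1 session on the client; the KB-to-UBR mapping (17134.471 and 17763.348) is taken from the KB articles and should be treated as an assumption to verify against the article for your build.

```powershell
# Added example (not from the thread): audit a Windows 10 client for the
# WcmSvc "block non-domain networks" policy. Run elevated on the client.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
$valueName = 'fBlockNonDomain'

function Get-WcmPolicyState {
    # 1. Registry: is fBlockNonDomain present and set to 1? Absent or 0 means the
    #    "Prohibit connection to non-domain networks..." policy is not in effect,
    #    whichever way (ADMX policy or GPP registry item) it was delivered.
    $value = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # 2. Build: compare CurrentBuild.UBR against the first fixed cumulative update.
    #    Get-HotFix is unreliable here because later LCUs supersede the original KB.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    # ASSUMPTION: UBR of KB4471324 (1803) and KB4482887 (1809); verify against the KB articles.
    $fixedUbr = @{ 17134 = 471; 17763 = 348 }[$build]
    $patched  = if ($null -eq $fixedUbr) { $null } else { $ubr -ge $fixedUbr }

    # 3. Live state: a DomainAuthenticated profile on a wired adapter coexisting
    #    with a Public/Private profile on a Wi-Fi adapter is what the policy is
    #    supposed to block.
    $profiles = Get-NetConnectionProfile | ForEach-Object {
        $adapter = Get-NetAdapter -InterfaceIndex $_.InterfaceIndex
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Media     = $adapter.PhysicalMediaType   # '802.3' = wired, 'Native 802.11' = Wi-Fi
            Category  = $_.NetworkCategory           # Public / Private / DomainAuthenticated
            Network   = $_.Name
        }
    }
    $domainWired   = $profiles | Where-Object { $_.Category -eq 'DomainAuthenticated' -and $_.Media -eq '802.3' }
    $nonDomainWifi = $profiles | Where-Object { $_.Category -ne 'DomainAuthenticated' -and $_.Media -eq 'Native 802.11' }

    [pscustomobject]@{
        Build           = "$build.$ubr"
        HasWcmFix       = $patched            # $null = build not in the table above
        fBlockNonDomain = $value
        PolicyEffective = ($value -eq 1)
        PolicyViolated  = [bool]($domainWired -and $nonDomainWifi)
        Profiles        = $profiles
    }
}

$state = Get-WcmPolicyState
$state | Select-Object Build, HasWcmFix, fBlockNonDomain, PolicyEffective, PolicyViolated | Format-List
$state.Profiles | Format-Table -AutoSize

if ($state.PolicyViolated) {
    Write-Warning 'Wired domain network and non-domain Wi-Fi are connected simultaneously; the policy is not being enforced on this client.'
}
if (-not $state.PolicyEffective) {
    Write-Warning "$valueName is not 1; run gpupdate /force, reboot, and check RSOP for a conflicting ADMX setting."
}
```

To reproduce the thread's test, dock the machine on the wired domain network, attempt to join a non-domain Wi-Fi network, and run the script again: on a fixed build with the value set, PolicyViolated should stay False. Because the value the GPP item writes is the same one the ADMX policy writes, the script cannot tell the two delivery methods apart; use RSOP or gpresult for that, as the Sept 28 reply suggests.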
  • Does anyone know if the fix for 1803 originally in KB4471324 would now be included in the security updates that have superseded it since, January and February?
    • Edited by naimco Thursday, February 21, 2019 5:14 PM typo
    Thursday, February 21, 2019 2:25 PM
  • All updates are cumulative, meaning yes, as new monthly updates are published the binaries in them contain previous fixes.
    Thursday, February 21, 2019 3:47 PM