Thursday 5 December 2019

Extending the corporate network to untrusted devices using Windows 10, and how to prevent it

At a customer site I discovered patterns of unexpected network traffic to various Google and Apple sites. The policy does not allow unmanaged devices (BYOD mobile phones etc.) to access the WiFi network, and this traffic pattern looked like mobile devices, but there weren't any mobile devices associated with the WiFi.

What actually happened is that dual-radio Windows 10 devices can run a Mobile Hotspot to which mobile phones connect on 5 GHz while the device itself keeps its WiFi connection on 2.4 GHz. This allows unmanaged devices to reach the corporate network through the managed Windows device.

To prevent this "feature", we decided to disable Mobile Hotspot sharing on the Windows 10 devices. Using an Intune device configuration profile, we applied the following setting:

Setting the OMA-URI ./Vendor/MSFT/Policy/Config/WiFi/AllowInternetSharing to 0 disables the Mobile Hotspot button on Windows 10 devices.
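As an added example (not from the original post), the following Windows PowerShell 5.1 function verifies on a device that the policy above actually landed and that no hotspot is currently broadcasting. It assumes the Policy CSP value is mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\WiFi and that the equivalent Group Policy value is NC_ShowSharedAccessUI under the Network Connections policy key; both paths are assumptions to confirm against your tenant.

```powershell
# Added example, not code from the original post. Checks whether Mobile Hotspot
# sharing is prohibited by policy and whether a hotspot is running right now.
# Assumed registry paths (verify in your environment):
#   - Policy CSP mirror: HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\WiFi
#   - Group Policy equivalent: HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections
# Requires Windows PowerShell 5.1 for the WinRT type projection.

function Test-HotspotProhibited {
    # 1. Value written by the MDM Policy CSP (WiFi/AllowInternetSharing = 0)
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WiFi' `
                            -Name AllowInternetSharing -ErrorAction SilentlyContinue
    $mdmBlocked = ($null -ne $mdm) -and ($mdm.AllowInternetSharing -eq 0)

    # 2. Group Policy "Prohibit use of Internet Connection Sharing on your DNS
    #    domain network" (the ADMX-backed equivalent of the CSP setting)
    $gp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections' `
                           -Name NC_ShowSharedAccessUI -ErrorAction SilentlyContinue
    $gpBlocked = ($null -ne $gp) -and ($gp.NC_ShowSharedAccessUI -eq 0)

    # 3. Live state: query the tethering manager for the active internet profile
    $state   = 'Unknown'
    $clients = $null
    try {
        $null = [Windows.Networking.Connectivity.NetworkInformation, Windows.Networking.Connectivity, ContentType = WindowsRuntime]
        $null = [Windows.Networking.NetworkOperators.NetworkOperatorTetheringManager, Windows.Networking.NetworkOperators, ContentType = WindowsRuntime]
        $profile = [Windows.Networking.Connectivity.NetworkInformation]::GetInternetConnectionProfile()
        if ($profile) {
            $mgr     = [Windows.Networking.NetworkOperators.NetworkOperatorTetheringManager]::CreateFromConnectionProfile($profile)
            $state   = $mgr.TetheringOperationalState.ToString()   # On / Off / InTransition
            $clients = $mgr.ClientCount                            # devices currently tethered
        }
    } catch {
        # Profile not tetherable (e.g. wired-only) or API unavailable; keep 'Unknown'
    }

    [pscustomobject]@{
        MdmPolicyBlocks  = $mdmBlocked
        GpoBlocks        = $gpBlocked
        HotspotState     = $state
        ConnectedClients = $clients
        Compliant        = ($mdmBlocked -or $gpBlocked) -and ($state -ne 'On')
    }
}

Test-HotspotProhibited | Format-List
```

Run it as a local administrator during rollout; a device reporting HotspotState = On with ConnectedClients greater than zero is exactly the bridge described above and is worth investigating before the policy is enforced.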