18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'

Information

This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time.

The recommended state for this setting is: Enabled.

Rationale:

The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network.

Impact:

The computer responds to automatic and manual network connection attempts based on the following circumstances:

Automatic connection attempts - When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. - When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked.

Manual connection attempts - When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. - When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Enabled:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Administrative Templates)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Computer Configuration/Network/Windows Connection Manager
Setting Name: Prohibit connection to non-domain networks when connected to domain authenticated network
Setting: Enabled

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Default Value:

Disabled. (Connections to both domain and non-domain networks are simultaneously allowed.)

Item Details

Audit Name: CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1

References: CSCv7|12.4

Plugin: Windows

Control ID: fde71d0c34e8a31d3881baac1f62b12d4a058d28bb19905e6487d5450eb78cb6

Detections

Analytics

18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'

Information

Solution

See Also

Item Details