How to prevent domain PCs from joining the guest Wi-Fi?

In this topic, you will learn how to prevent domain Windows machines from automatically connecting to a guest Wi-Fi network, while still allowing users to access home or other personal Wi-Fi networks.

Domain-joined Windows computers can sometimes switch from the internal wired network or internal Wi-Fi to a guest Wi-Fi network. This can create security risks and disrupt network policies. Administrators need a way to prevent this behavior without blocking users from connecting to their home or other non-corporate networks.

The recommended solution is to use the Windows netsh command to add a filter that blocks specific SSIDs. Because the filter targets only the guest or other unwanted networks, domain machines stay compliant with network policies while users keep normal Wi-Fi access to personal networks.

  1. Open a Command Prompt with administrative privileges on the domain Windows machine.

    For example: Right-click Start > Terminal (Admin).

  2. Run the netsh command to block the guest Wi-Fi SSID.
    For example:
    netsh wlan add filter permission=block ssid="Guest_WiFi" networktype=infrastructure
    Note:
    Replace Guest_WiFi with the actual SSID of the guest network or any other network you want to block. This prevents domain machines from connecting to that network but allows other Wi-Fi networks.
  3. Deploy this command via your UEM/MDM solution or a script to all managed domain Windows machines.

    For example, include the netsh command in a startup script deployed via Intune, SCCM, or another management tool.
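
The steps above combined into one deployable script, as an added example that is not part of the original topic: it adds the netsh block filter only when it is missing, then confirms the result with `netsh wlan show filters`. The `$GuestSsid` value is a placeholder, and the check assumes the filter list prints each SSID in double quotes.

```powershell
# Added example: idempotent deployment of the SSID block filter.
# Run elevated (startup scripts and most UEM/MDM agents run as SYSTEM).
$GuestSsid = 'Guest_WiFi'   # placeholder: set to the guest network's real SSID

# netsh wlan depends on the WLAN AutoConfig service. Machines without a
# wireless adapter usually do not run it, so there is nothing to filter.
$svc = Get-Service -Name 'WlanSvc' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Output 'WlanSvc is not running; skipping wireless filter.'
    exit 0
}

function Test-SsidBlocked {
    param([string]$Ssid)
    # Assumption: each block-list entry shows the SSID in double quotes.
    # SSIDs are case-sensitive, so the match is case-sensitive as well.
    $out = & netsh wlan show filters permission=block
    return [bool]($out | Select-String -SimpleMatch -CaseSensitive ('"{0}"' -f $Ssid))
}

if (Test-SsidBlocked -Ssid $GuestSsid) {
    Write-Output "Block filter for '$GuestSsid' is already present."
    exit 0
}

# Pass one pre-built argument string so the quotes around the SSID reach
# netsh unchanged, including for SSIDs that contain spaces.
$netshArgs = 'wlan add filter permission=block ssid="{0}" networktype=infrastructure' -f $GuestSsid
$proc = Start-Process -FilePath 'netsh.exe' -ArgumentList $netshArgs `
        -Wait -NoNewWindow -PassThru

# Verify by re-reading the block list and use the exit code only for logging.
if (Test-SsidBlocked -Ssid $GuestSsid) {
    Write-Output "Block filter for '$GuestSsid' added."
    exit 0
}

Write-Error "Block filter for '$GuestSsid' was not applied (netsh exit code $($proc.ExitCode))."
exit 1
```

The non-zero exit code on failure lets the management tool report machines where the filter did not apply.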