How to Strengthen Public Wi-Fi Security on Managed Endpoints

Open internet networks are convenient, but they can expose your endpoints to serious public Wi-Fi security risks. Open networks can expose users to data interception, credential theft, and session hijacking. These are the most common threats to computers operating outside controlled environments, with devices used by remote workers being the most vulnerable.

For managed service providers (MSPs) and IT admins, it is essential to secure Windows endpoints on public networks. This guide covers the steps to achieve this, including SSID control, profile management, firewall tweaks, transport security, user awareness, and continuous monitoring.

Steps to improve public Wi-Fi security on managed devices

Public networks can expose managed endpoints to security risks. These steps will outline ways to enforce practical controls that will keep you protected from public Wi-Fi security risks.

📌 Prerequisites:

• The Windows 10 and 11 endpoints have to be joined to a management domain or an MDM.
• You need administrative rights to deploy WLAN profiles, Group Policy (GPO) settings, and scripts.
• This requires central logging in place for network category changes and firewall events.
• You must have a defined ticketing workflow for exceptions and user notifications.

Step 1: Block or allow specific SSIDs to strengthen public Wi-Fi security

Limiting the network endpoints that can connect to it is an excellent way to protect yourself from Wi-Fi security risks. Start by setting SSID allowlists and denylists. This blocks devices from joining unsafe or spoofed Wi-Fi networks and ensures they connect only to approved, trusted access points.

📌 Use Cases:

• This step enforces consistent connection rules and avoids accidental exposure on public networks.
• It reduces the risk of users connecting to unsafe hotspots.

📌 Prerequisites:

• You need to have administrative rights to deploy WLAN filters or GPO settings on managed endpoints.
• You’ll need an updated list of approved SSIDs to include in scripts or policy definitions.

Denylist and allowlist with netsh

Use the following commands in PowerShell or Command Prompt to control which Wi-Fi networks devices can join:

netsh wlan add filter permission=block ssid=”Free Public WiFi” networktype=infrastructure

This command blocks connections to a specific SSID. Replace “Free Public WiFi” with the network you want to block.

netsh wlan add filter permission=allow ssid=”CorpWiFi” networktype=infrastructure

This command allows connections only to a trusted SSID. Replace “CorpWiFi” with your organization’s secure network.

netsh wlan show filters

This displays the current list of allowed and blocked networks to confirm filters were applied correctly.

How to remove risky saved networks

netsh wlan delete profile name=”Airport Free WiFi”

This command deletes an existing saved network profile. Replace the placeholder name with the SSID of the work you want to remove.

Applying these restrictions across domain-joined machines via Group Policy

Instead of manually applying these commands, you can use Wireless Network (IEEE 802.11) Policies in Group Policy.

1. Open the Group Policy Management Console (GPMC) on a domain controller.
2. Create or edit a GPO linked to the Organizational Unit (OU) containing your managed devices.
3. Navigate to:
   Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies
4. Right-click Wireless Network (IEEE 802.11) Policies and select Create A New Wireless Network Policy for Windows Vista and Later Releases.
5. Under the Network Permissions tab, configure one of the following options:
   1. Allow only networks you explicitly define (SSID allowlist).
   2. Block networks by name or type (SSID denylist).
6. Add your approved corporate and home SSIDs under Allowed Networks, and block risky or public networks under Denied Networks.
7. Click OK, then Apply the policy.
8. Run gpupdate /force on client devices, or wait for the next Group Policy refresh to enforce the settings.

Step 2: Preload and prioritize trusted profiles to enhance public Wi-Fi security

You can preload and prioritize known network profiles to prevent endpoints from automatically connecting to random or unsafe hotspots. Note that security for public Wi-Fi is almost nonexistent, so defining which network devices should trust will reduce the risk of rogue or spoofed access points.

📌 Use Cases:

• This step will ensure endpoints automatically connect to trusted networks before any public Wi-Fi connections/
• It reduces the risk of accidental connections with unsecured networks.

📌 Prerequisites:

• You need to have administrative rights to configure or deploy Wi-Fi profiles on managed endpoints.
• This requires an exported or preconfigured XML file for your approved SSIDs.

How to preload Wi-Fi profile

netsh wlan add profile filename=”CorpWiFi.xml” interface=”Wi-Fi” user=all

This adds a Wi-Fi profile to all users on the device. Replace “CorpWiFi.xml” with the path to your exported XML file that contains the approved SSID configuration.

How to set connection priority

netsh wlan set profileorder name=”CorpWiFi” interface=”Wi-Fi” priority=1

This sets the connection priority so the endpoint automatically connects to the trusted SSID first. Priority value “1” gives it top preference.

How to purge stale profiles

You can remove outdated or unsafe profiles that point to open SSIDs or networks. To review and remove outdated profiles, use the following command:

netsh wlan show profiles

netsh wlan delete profile name=”OldPublicWiFi”

Replace “OldPublicWiFi” with the name of the network you want to remove.

💡Tips: 

• Always use enterprise-grade authentication such as WPA2-Enterprise or WPA-3 Enterprise. These enforce stronger encryption, which reduces exposure on public networks.
• You can also add Wi-Fi network profiles in advance without needing to connect.

Step 3: Strengthen device settings on untrusted Wi-Fi networks

MSPs should always treat unfamiliar networks as untrusted. Hardening the Windows Public network profile limits exposure, blocks inbound traffic, and disables unnecessary discovery services.

📌 Use Cases:

• This step reduces exposure when devices connect to open or shared networks outside the corporate perimeter.
• It enforces a restrictive firewall and network posture automatically when a new or unrecognized Wi-Fi network is detected.

📌 Prerequisites:

• You need to have administrative rights on managed endpoints.
• Devices must be running Windows 10 or 11 with PowerShell 5.0 or later.

Force the Public network category when unknown

This PowerShell command forces the network type to Public, applying stricter security settings automatically.

Set-NetConnectionProfile -InterfaceAlias “Wi-Fi” -NetworkCategory Public

Tighten the firewall for the Public profile

This command blocks all unsolicited inbound connections while allowing outbound traffic, reducing the chance of external intrusion.

netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound

Meanwhile, this disables pop-up notifications asking whether to allow new apps through the firewall, ensuring consistent protection even when users have local admin rights.

netsh advfirewall set publicprofile settings inboundusernotification disable

How to turn off discovery and sharing features

You can turn off features that broadcast the device’s presence on public networks, such as Network Discovery and File and Printer Sharing. You can do this through:

Control Panel > Network and Sharing Center > Advanced sharing settings.

In addition, you can use Group Policy under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

Step 4: Enforce encrypted connections to protect data on public Wi-Fi

Traffic on open networks can still be intercepted even with network restrictions and firewall hardening. Requiring secure transport ensures that all data leaving the device remains encrypted, strengthening overall protection on public Wi-Fi.

📌 Use Cases:

• This step protects corporate data by encrypting connections even when users access resources over public or untrusted networks.
• It ensures users cannot bypass VPN or encrypted channels when connecting from non-corporate environments.

📌 Prerequisites:

• You must have administrative rights to configure VPN or network policies on managed endpoints.
• You need an established VPN solution and browser policy management capability.

Require VPN on Public networks

Configure VPN policies so endpoints automatically connect to a corporate VPN whenever the Windows network category is set to Public. This ensures that all traffic from public Wi-Fi passes through encrypted corporate tunnels.

Enforce browser encryption

Enable HTTPS-only mode and HSTS preload lists in supported browsers. These settings block users from visiting non-secure HTTP sites and help prevent credential theft through downgrade attacks.

Enable encrypted DNS

If your environment supports it, configure DNS over HTTPS (DoH) through Group Policy or device configuration. On Windows 11, this can be set using:

Computer Configuration > Administrative Templates > Network > DNS Client > Enable DNS over HTTPS

This ensures DNS queries are encrypted, preventing interception and tampering on public Wi-Fi networks.

Step 5: Inform users about safe public Wi-Fi practices

Although technical controls are already an excellent safeguard, user behavior is often the deciding factor in public Wi-Fi security. It’s important to teach users how to spot unsafe networks and apply basic precautions to ensure protection when they connect to outside managed environments.

📌 Use Cases:

• This step gives users awareness to spot and avoid risky connections while traveling or working remotely.
• This reinforces technical controls with clear habits that prevent accidental data exposure.

📌 Prerequisites:

• This method requires a way for you to deliver user guidance, like internal documentation or a quick-reference guide.
• You should maintain a simple checklist or visual reminder summarizing Wi-Fi safety practices.

Here are the key topics to cover:

• Verify the network name before connecting. Avoid look-alike or “evil twin” SSIDs that mimic trusted access points.
• Use the corporate VPN whenever possible. Never access sensitive data or internal tools on open networks without it.
• Check for HTTPS encryption. Stop immediately if a browser shows certificate or connection warnings.
• Report suspicious behavior. Notify IT if the network repeatedly disconnects, requires multiple logins, or redirects unexpectedly.

In turn, training users on safe public Wi-Fi behavior closes the final security gap that technical policies alone cannot protect against.

Step 6: Monitor and review public wi-fi security posture

Even structured policies can drift over time as users travel, networks change, and new exceptions are added. Consistent monitoring will ensure your public Wi-Fi security controls will remain effective and consistent across managed endpoints.

📌 Use Cases:

• This step helps identify configuration drift, unauthorized network connections, or devices that bypass established Wi-Fi policies.
• It gives clearer visibility into real-world usage patterns, enabling admins to fine-tune filters, VPN rules, or firewall settings.

📌 Prerequisites:

• You need to have a centralized logging or RMM platform capable of tracking Wi-Fi profiles, firewall events, and VPN status.
• This requires reporting templates or dashboards that highlight changes in network behavior over time.

Key signals you need to monitor:

• New saved Wi-Fi profiles that appear on endpoints that are not part of the approved SSID list.
• Frequent transitions to public networks or recurring firewall alerts that indicate risky connections.
• Applications that open listeners or open ports when the profile is set to public.

Recommended review schedule:

• Monthly: You can review all new SSIDs, connection exceptions, and firewall activity across endpoints.
• Quarterly: Perform spot checks to verify VPN behavior, firewall compliance, and enforcement of public network settings.

⚠️ Things to look out for

NinjaOne integration ideas for managing public Wi-Fi security

NinjaOne’s automation, scripting, and reporting tools can simplify how MSPs enforce and monitor public Wi-Fi security policies across endpoints.

Policy deployment

You can use NinjaOne to push SSID filters, preload approved Wi-Fi profiles, and apply Public profile firewall settings using scripts or policies. This keeps endpoint configurations consistent across all managed devices.

Detection and alerting

NinjaOne can surface endpoints that save new open networks or suddenly change their network category. These alerts help you spot unsafe connections or signs of policy drift before they turn into bigger issues.

Exception handling

NinjaOne can handle temporary access requests through automated tickets. Each ticket expires automatically, preventing exceptions from becoming permanent.

Reporting

NinjaOne dashboards show SSID enforcement, VPN-on-Public compliance, and firewall posture by client. These reports give visibility into endpoint coverage and overall Wi-Fi security status.

Strengthening public Wi-Fi security across managed endpoints

Users will keep relying on public wi-fi when they’re traveling or working remotely. The key is understanding the risks so you can put the right safeguards in place, reducing exposure without slowing anyone down.

A layered approach offers the strongest security. This includes enforcing SSID allowlists, prioritizing trusted profiles, hardening network settings, and requiring VPN or HTTPS connections. When you pair these controls with user education and routine monitoring, you can keep your endpoints secure even when they’re operating on networks you don’t control.

Related topics:

• IT Security Checklist to Protect Your Business
• How to Create a Modern Cybersecurity Strategy for IT Departments
• How to Deploy Wi-Fi Profiles to All Users Using PowerShell
• How to See a List of Wireless Network Profiles in Windows 11
• How to Enable or Disable Wi-Fi in Windows 11