How to Turn Off Windows Connect Now (WCN) Wizards Using Intune Settings Catalog
Enable or Disable Windows Connect Now (WCN) in Microsoft Intune (Wireless Settings)
Windows Connect Now (WCN) is a Windows feature that helps devices discover and configure wireless networks using guided setup experiences and, in some cases, removable media-based configuration. In modern enterprise environments, WCN is typically managed as a security control to reduce the risk of unmanaged wireless onboarding and to keep connectivity aligned with approved IT provisioning methods.
Why WCN matters in an enterprise environment
Reduce security exposure
Some WCN workflows are commonly associated with consumer-style wireless onboarding methods (including WPS-style scenarios). Many organizations reduce attack surface by disabling these setup experiences to prevent devices from being configured through less controlled pathways.
Improve standardization and governance
If your organization provisions Wi-Fi using managed profiles, certificate-based authentication, and compliance controls, disabling WCN helps ensure onboarding stays within those approved processes rather than user-driven configuration methods.
What this policy does
This setting controls whether users can access WCN wizard experiences, such as tasks related to setting up wireless devices or configuring wireless connectivity using guided setup.
- When the policy is enabled (wizards turned off): Users cannot run WCN wizard tasks.
- When the policy is disabled or not configured: WCN wizard experiences remain available.
In most managed environments, turning off the wizard experiences is the preferred approach unless there is a specific operational need to keep them available.
Prerequisites and planning checklist
Before deployment:
- Confirm you already have an approved Wi-Fi onboarding method (such as Intune Wi-Fi profiles using PSK or enterprise authentication).
- Decide scope and targeting:
- Corporate devices only
- Pilot and test rings first
- Special handling for kiosks or shared devices if applicable
- Plan validation steps using Intune reporting and endpoint logs.
Configure WCN using Intune (Settings Catalog)
1) Create the profile
- Sign in to the Intune admin center.
- Go to Devices > Configuration > Create > New policy.
- Set:
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Select Create.
2) Basics
- Name the policy clearly (example:
WIN - Security - Disable Windows Connect Now (WCN)). - Add a short description that explains the purpose and intended scope.
3) Add the setting
- In Configuration settings, select Add settings.
- Browse or search for:
- Administrative Templates > Network > Windows Connect Now
- Select the WCN control setting(s) and configure the desired values.
4) Recommended enforcement stance
Recommended: Turn off WCN wizards to reduce unmanaged onboarding.
Optional defense-in-depth: If your environment exposes additional WCN configuration channels in the catalog, you can disable those as well (for example, USB-based or network-discovery-based configuration mechanisms) to further reduce alternate onboarding paths.
Scope tags, assignments, and rollout
Scope tags (optional)
If you use delegated administration, apply appropriate scope tags so only the right admin group can manage and view the policy.
Assignments (required)
- Assign to a device group that contains corporate Windows endpoints.
- Use a phased deployment:
- IT pilot group
- Early adopters
- Broad rollout
Review and create
Review settings and assignments, then create the profile.
Monitoring and verification
1) Intune reporting
Open the profile and review Device status and User status to confirm the policy applied successfully.
2) Client-side verification (Event Viewer)
On a targeted device:
- Open Event Viewer.
- Navigate to:
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin - Review recent events that indicate the configuration profile was processed and applied.
Rollback options
Remove assignment (preferred rollback)
If you need to stop enforcing the policy without deleting it:
- Remove the assignment group from the policy.
Delete the profile (full removal)
If the policy is no longer needed:
- Delete the configuration profile from Intune.
Applicability notes
This approach is designed for managed Windows devices where wireless onboarding should be controlled through corporate provisioning methods. Always validate in a pilot ring first to ensure the setting behaves as expected across your Windows versions and device types.
