Question: How to disable "Cast"/"Connect" in Windows 10 in a mass deployment environment

addixkmac

Reputable
Jan 12, 2019
40
1
4,535
Hi there,

I would like to configure a GPO that would disable a computer from seeing a Microsoft Wireless Display Adapter. I am in a school environment and our staff project to a wireless display adapter with Miracast. I would like our student computers to not be able to see the wireless display adapter when they go to the "Connect" menu (Windows key + K) or click on "Connect to a wireless display". I've searched everywhere for an answer, but the closest I have seen is using a CSP, "WirelessDisplay/AllowProjectionFromPC". How can I find a group policy that can accomplish this?

Thanks!
 

Ralston18

Titan
Moderator
Is the end objective to be able to prevent students from being able to make some wireless connection versus just seeing that a wireless display adapter exists?

The following link may prove helpful:

https://bondy.tech/?p=1481

I started with the search criteria being " GPO to disable wireless network devices".

Quite a number of hits.

These links came up after I added "miracast" to the search criteria.

https://customersupport.screenbeam....ttings-for-Windows-Miracast-over-Wi-Fi-Direct

https://support.airserver.com/suppo...network-or-in-a-policy-controlled-environment

Actually the second link seems to be a fix to the situation you wish to create....

Just some ideas to help.
 

addixkmac

There are predefined 'cast to device' policies in windows firewall settings. I haven't tested it, personally, but you should be able to push a policy out that changes these to 'deny'.
Hi Alceryes,
Thanks for the suggestion. I tried changing the firewall rule "Cast to Device functionality" to deny any Domain, Private, or Public and rebooted the computer. I then checked that the firewall rule was still unchecked on all network types, then pressed the hotkey "Windows key + K" and the adapter name showed up. I then clicked on the adapter name and pressed "Connect"; it asked for the PIN that showed up on the board with the wireless display adapter, then it allowed the connection, showing the screen on the casted device. Is this the firewall rule you were pointing to?
 
Hmmm, this may require a bit more tuning then. Like disabling the Miracast ports (TCP and UDP) in Advanced Firewall, or removing the built-in 'Connect' app and not allowing it to be installed.
 

addixkmac

Hi Ralston18,

The end result would be to not allow students to see or connect to the wireless display adapter at all. I'm trying to prevent students from trying to connect to the board the teacher is casting to while they are teaching or when the teacher is disconnected from the wireless display adapter. Any way to stop this would work :)

I have also seen both of those bottom links you added in, but they still allow the user to see the Wireless Display Adapter in Windows.

I did also try disabling the firewall rule "Wireless Display" and it did block the final connection with the display adapter, but it also still showed the adapter and allowed me to try to connect to it by showing a code on the projected display; then, when it tried to do the final handshake, it blocked it from connecting. In a perfect world, I would like the computer to not even see the adapter or allow it to make an initial connection with the wireless display adapter in the first place.

Thanks for your help!
 

addixkmac

Yeah, I thought about that too. I can't find the name of the exe or service that the Cast/Connect app belongs to. I thought it was "CastSrv.exe" in the system32 folder, but I'm not 100% sure.
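
A check for the firewall tests described in the posts above, as an added example that is not part of the thread: it lists the rules in the two groups named there together with the program each rule is bound to, and marks whether a rule blocks, allows, or is disabled and so leaves the profile default in force. The function name Get-CastRuleState is made up for this example.

```powershell
# Added example (not from the thread). The group names are the two rules named in the posts above.
$groups = 'Cast to Device functionality', 'Wireless Display'

function Get-CastRuleState {
    param([string[]]$DisplayGroup)

    # ActiveStore is the merged view of local and Group Policy rules, i.e. what is enforced.
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            # The application filter shows which executable the rule applies to.
            $app = $rule | Get-NetFirewallApplicationFilter
            if ($rule.Enabled -ne 'True') {
                $effect = 'No effect: profile default applies'
            } elseif ($rule.Action -eq 'Block') {
                $effect = 'Blocks matching traffic'
            } else {
                $effect = 'Allows matching traffic'
            }
            [pscustomobject]@{
                Group     = $rule.DisplayGroup
                Rule      = $rule.DisplayName
                Direction = $rule.Direction
                Profile   = $rule.Profile
                Enabled   = $rule.Enabled
                Action    = $rule.Action
                Program   = $app.Program
                Effect    = $effect
            }
        }
}

Get-CastRuleState -DisplayGroup $groups |
    Sort-Object Group, Direction, Rule |
    Format-Table -AutoSize -Wrap

# Defaults used when no enabled rule matches (Windows ships with outbound = Allow).
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```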
 

Ralston18

With you having GPO rights etc. then that likely means you have a lot of control over the individual student computers.

FYI:

https://www.tenforums.com/tutorials...ct-wireless-display-feature-windows-10-a.html

(And do note the Related Tutorials at the bottom. You may find a viable idea or solution there.)

Option 2 is via the Command Prompt. Uses DISM. Remove-Capability.

Remove the capability to start with.

= = = =

Are you familiar with PowerShell?

If you run Get-PnpDevice via PowerShell (as admin), do you see the adapter listed?

https://learn.microsoft.com/en-us/p...rce=recommendations&view=windowsserver2022-ps

https://learn.microsoft.com/en-us/p...e/disable-pnpdevice?view=windowsserver2022-ps

You might be able to accomplish that removal and a bit more via PowerShell. Some script that is launched at start up.

Then maybe rename something or otherwise hide the adapter's presence.

First objective being to ensure that it can be disabled or removed. Then second objective, if and as necessary, hide, mask, rename, or otherwise disguise the adapter.
 

addixkmac

Hi Ralston18,

I like your idea. The only issue I have is that I have about 40 wireless display adapters on site, and hopefully I can find an easier way than finding each PNP Devices ID and blocking them. Very smart way of handling the issue, though. I would like to be able to install a new adapter without having to update a PowerShell script each time, if possible. I was messing around earlier today while connected to a wireless display adapter and came across "WUDFHost.exe" in Task Manager. There were 3 instances of it running; I clicked "End Task" on the largest one using memory and it disconnected the adapter. From what I researched, it's a child process of the driver manager service, so it must have been handing off a DLL in conjunction with the "Connect" feature in Windows 10. How would I find the exe or msc of the Connect setting menu?

EDIT: Also wanted to add, these computers are running 21H2, so they do not have the "Wireless Display" in optional features; it's now deprecated in newer versions of Windows, so when I ran the DISM tool, it gives the error 87 "The Remove-Capability option is unknown."
 

Ralston18

"hopefully I can find an easier way than finding each PNP Devices ID and blocking them".

Certainly agree.

Powershell can pull in data from lists so a script could be used that searched the list, referenced a MAC, etc. Probably any number of ways to address the problem.

Script does get longer with each additional factor that appears and even more so if you remote into each student computer to make changes.

Noted your sentence "I clicked "End Task" on the largest one using memory and it disconnected the adapter. " That is good.

The key is to discover something common to all of the wireless adapters that could be used as a wild card to identify the adapter(s) and then execute the "End Task".

Do you use any remote access tools to update and manage all of the 40 computers hosting the wireless adapters? Once the wireless adapter is disabled and "invisible" that would be permanent - correct?

As for finding a specific exe or msc, another tool to help could be Process Explorer (Microsoft, free). Maybe PIDs.

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Another possibility is simply Get-Process

Look for the process (Process Name) that you want to end.

From my computer:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
    290      11     2060       7968       0.05   2316   0 WUDFHost


Which leads to .....

https://www.comparitech.com/net-admin/powershell-kill-process-command-tutorial/

You could set up the "Kill" via Task Scheduler on each computer and trigger it at boot or some other action. Student opens a browser maybe....

Set up one representative workstation as a test environment. First figure out how to manually end the process as required via a Command Prompt e.g., PS> while sitting at the workstation. Then work on doing the same remotely.

https://learn.microsoft.com/en-us/p...g/running-remote-commands?view=powershell-7.2

Powershell can be scarily simple sometimes..... However, it can be quite frustrating especially when first starting out.

Use Get's to learn things about the hardware and software. Start simple, get each step to work then build a script. Could be a one-liner.

I can envision a PS script on an admin computer that goes out remotely to each student computer via some list, and looks for and kills, if necessary, the applicable process.

Just in case some student figured out how to restart the wireless process.

As students can often do with such things as I am sure you know. :)
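
The fleet script sketched in the last post, as an added example that is not from the thread: it reads a host list, looks on each student PC for PnP devices whose name matches a wildcard, and disables them only when -Disable is given. It acts on the device instead of ending WUDFHost.exe, since that process hosts user-mode drivers in general. The file name, the wildcard and the parameter names are assumptions.

```powershell
# Added example (not from the thread). Assumed: computers.txt with one host name per line,
# PowerShell remoting enabled on the student PCs, and a FriendlyName wildcard for the adapters.
param(
    [string]$ComputerList = '.\computers.txt',            # hypothetical file
    [string]$NamePattern  = '*Wireless Display Adapter*',  # assumed; confirm with Get-PnpDevice on one PC
    [switch]$Disable                                       # report only unless this is given
)

$computers = Get-Content -Path $ComputerList | Where-Object { $_.Trim() }

$found = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable failed `
    -ArgumentList $NamePattern, $Disable.IsPresent -ScriptBlock {
        param($pattern, $disable)
        Get-PnpDevice -ErrorAction SilentlyContinue |
            Where-Object { $_.FriendlyName -like $pattern } |
            ForEach-Object {
                $dev = $_
                $action = 'Reported'
                if ($disable -and $dev.Status -eq 'OK') {
                    try {
                        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Stop
                        $action = 'Disabled'
                    } catch {
                        $action = "Failed: $($_.Exception.Message)"
                    }
                }
                [pscustomobject]@{
                    Device     = $dev.FriendlyName
                    Class      = $dev.Class
                    Status     = $dev.Status
                    InstanceId = $dev.InstanceId
                    Action     = $action
                }
            }
    }

# PSComputerName is added by remoting and identifies the student PC.
$found | Sort-Object PSComputerName, Device |
    Format-Table PSComputerName, Device, Class, Status, Action -AutoSize

# Hosts that could not be reached are listed so they are not mistaken for clean ones.
$failed | ForEach-Object { "Unreachable: $($_.TargetObject)" }
```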