How to Disable Network Bridge Configuration via Group Policy

Last updated: June 2026

Network bridges let a user connect two separate network segments through a single Windows device — effectively bypassing firewalls, VLANs, and network access controls. Disabling the ability to create or modify network bridges is a straightforward Group Policy setting that removes this risk and picks up a Secure Score improvement.

What you'll achieve

  • Network segmentation preserved: Users cannot bridge a corporate LAN adapter to a personal Wi-Fi or mobile hotspot, keeping your network boundaries intact.
  • Firewall bypass eliminated: Network bridges can route traffic around perimeter firewalls and NAP enforcement. Blocking bridge creation closes this path entirely.
  • Secure Score improvement: Microsoft marks this recommendation as Completed once the policy is enforced, directly lifting your Secure Score.

Why this setting matters

A network bridge joins two network interfaces on the same device at Layer 2, effectively making that device a switch between two networks. In a corporate environment, this is almost never intentional — and when it happens, the consequences can be serious.

  • A bridge between corporate Ethernet and a personal Wi-Fi hotspot exposes internal resources to an uncontrolled network.
  • Traffic flowing through a bridge bypasses firewall rules, NAC policies, and VLAN segmentation that your security architecture relies on.
  • Attackers who gain access to a bridged device can pivot between networks without triggering network-level detection.

Disabling network bridge configuration is a zero-disruption control — no legitimate business workflow requires users to create network bridges on managed devices.

Before you start

  • Windows devices joined to an Active Directory domain with Group Policy applied.
  • Domain Administrator or Group Policy Administrator permissions.
  • Access to the Group Policy Management Console (GPMC) on a domain controller or management workstation.
  • Confirm no legitimate use of network bridges exists in your environment before enforcing.

Step-by-step

Use these five steps to create, configure, link, test, and confirm the Group Policy setting that disables network bridge configuration.

1. Open Group Policy Management Console

On your domain controller or management workstation, open the Group Policy Management Console (GPMC). Navigate to the Organisational Unit (OU) containing the computer accounts you want to target. Right-click the OU and select Create a GPO in this domain, and Link it here.

2. Name the Group Policy Object

Name the new GPO something descriptive, for example: SEC - Disable Network Bridge Configuration. Click OK to create the GPO, then right-click it and select Edit to open the Group Policy Editor.

3. Navigate to the Network Bridge setting

In the Group Policy Editor, navigate to: Computer Configuration → Administrative Templates → Network → Network Connections. Find the setting called Prohibit installation and configuration of Network Bridge on your DNS domain network.

4. Enable the policy

Double-click the setting to open it. Select Enabled, then click Apply and OK. This prevents all users on targeted devices from creating, modifying, or enabling a network bridge — regardless of their local permissions.

5. Force policy update and verify

On a target device, run gpupdate /force from an elevated command prompt to pull the new policy immediately. Then open Network Connections — the option to create a network bridge should no longer appear. Return to Microsoft Secure Score after 24–48 hours to confirm the recommendation shows as Completed.
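The same five steps can be scripted with the GroupPolicy PowerShell module. The script below is an added example, not part of the original procedure. It assumes RSAT is installed, that the OU distinguished name (a placeholder here) is replaced with your own, and it writes NC_AllowNetBridge_NLA = 0, the registry value the Administrative Template stores when this policy is set to Enabled.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted equivalent of steps 1-4. Run as a Group Policy administrator.

$GpoName  = 'SEC - Disable Network Bridge Configuration'
$TargetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder DN, replace with your OU

# Registry value written by "Prohibit installation and configuration of
# Network Bridge on your DNS domain network" (0 = policy Enabled).
$PolicyKey   = 'HKLM\Software\Policies\Microsoft\Windows\Network Connections'
$PolicyValue = 'NC_AllowNetBridge_NLA'

# Steps 1-2: create the GPO only if it does not exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks creation and configuration of network bridges'
}

# Steps 3-4: set the policy to Enabled in the computer half of the GPO.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue `
    -Type DWord -Value 0 | Out-Null

# The GPO carries no user settings, so skip user-side processing.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Step 1 (link): link to the target OU unless a link is already present.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the value back from the GPO and show where it is linked.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName |
    Select-Object DisplayName, Target, Enabled, Enforced
```

Step 5 still applies afterwards: run gpupdate /force on a target device, or wait for the normal refresh cycle.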


How to confirm it worked

  • On a target device, open Network Connections — the Bridge Connections option is no longer available when selecting multiple adapters.
  • Running gpresult /r on the target device shows the GPO is applied under Computer Settings.
  • Microsoft Secure Score shows the network bridge recommendation as Completed.

FAQ

What is a network bridge and why is it a security risk?

A network bridge connects two network interfaces on the same device at Layer 2, making them behave as a single network. In a corporate setting, this can allow traffic from an untrusted network (like a personal hotspot) to flow directly into the corporate LAN, bypassing firewalls, VLANs, and network access controls.

Will this policy affect VPN or Wi-Fi connectivity?

No. This policy only prevents the creation of network bridges between adapters. Standard network connections — including VPN, Wi-Fi, Ethernet, and mobile broadband — continue to work exactly as before. Users can still connect to any network; they just cannot bridge two networks together through their device.

Can I deploy this via Intune instead of Group Policy?

Yes. In Intune, create a Settings Catalog profile and search for Prohibit installation and configuration of Network Bridge. Set it to Enabled and assign to your device groups. The effect is identical to the Group Policy method — choose whichever management tool your environment uses.

What if a network bridge already exists on a device?

The policy prevents new bridges from being created and stops users from modifying existing ones. However, it does not automatically remove bridges that were created before the policy was applied. You should manually check for and remove any existing bridges on managed devices after deploying the policy.
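A per-device check that covers both the confirmation steps above and the search for bridges created before the policy applied. This is an added example, not part of the original page. The function names are hypothetical, and matching adapters on the word "Bridge" is a heuristic based on the default adapter name "Network Bridge", so a renamed bridge will not be caught.

```powershell
# Added example: run in an elevated PowerShell session on a target device.

$GpoName     = 'SEC - Disable Network Bridge Configuration'
$PolicyPath  = 'HKLM:\Software\Policies\Microsoft\Windows\Network Connections'
$PolicyValue = 'NC_AllowNetBridge_NLA'   # 0 = policy Enabled

function Test-BridgePolicyEnforced {
    # True only when the policy value exists locally and equals 0.
    $prop = Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ($prop.$PolicyValue -eq 0)
}

function Test-GpoApplied {
    # gpresult lists applied computer GPOs only when run elevated.
    $report = gpresult /r /scope computer 2>$null
    return [bool]($report | Select-String -SimpleMatch $GpoName)
}

function Get-SuspectedBridge {
    # Heuristic (assumption): default bridge adapters are named "Network Bridge".
    Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*Bridge*' -or $_.InterfaceDescription -like '*Bridge*' } |
        Select-Object Name, InterfaceDescription, Status, MacAddress
}

$bridges = @(Get-SuspectedBridge)

# One object per device, suitable for collecting with Invoke-Command or Export-Csv.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    PolicyEnforced  = Test-BridgePolicyEnforced
    GpoApplied      = Test-GpoApplied
    BridgeCount     = $bridges.Count
    BridgeAdapters  = ($bridges.Name -join '; ')
}
```

A device that reports PolicyEnforced as True with a non-zero BridgeCount has a bridge that predates the policy and needs manual removal.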

How long until my Secure Score updates?

Secure Score typically updates within 24–48 hours after the policy is applied and confirmed on enrolled devices. If the score has not updated, verify the GPO is linked to the correct OU and that target devices have received the policy via gpresult.
