Quick tip: Only turn off notifications network usage when there is a direct requirement

This week is a relatively short post, mainly focused on providing a warning around turning off notifications network usage on Windows devices. Turning off notifications network usage can be used to prevent applications from using the notifications network to send notifications, no matter if that notification is a tile update, tile badge, toast, or raw update. It basically turns off the connection between Windows and the Windows Push Notification Services (WNS). WNS enables third-party developers to send those notifications. It provides a mechanism to deliver updates to users and devices in a power-efficient and dependable way. The important thing, however, is to keep in mind that WNS is not only used by third-party developers. It’s also used by many different Microsoft products, including Microsoft Intune. This post will provide a quick overview of the specific setting to manage the notifications network usage, followed by the impact of using that setting.

Warning: Turning off notifications network usage can break a lot of functionalities, including Microsoft Intune functionalities. It will no longer be possible to use real-time processes, such as a remote wipe, or a device query.

Configuring turning off notifications network usage

For Microsoft Intune managed devices, the configuration of turning off notifications network usage is available via the Policy CSP, and more specifically via the Notifications node of the Policy CSP. That node contains the DisallowCloudNotification setting that can be used for exactly that scenario. This setting is often only configured when an organization has to comply with the CIS benchmarks for Windows, and in particular with Level 2 of that benchmark. So, this configuration is only required when an even greater level of security is required. It is important, though, to keep in mind that this also breaks a lot of functionalities, including for Microsoft Intune. The configuration of this specific setting is available via the Settings catalog. The following eight steps walk through the configuration of turning off notifications network usage.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New Policy
  3. On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
  4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
     • Click Add settings and perform the following in Settings picker
       • Select Notifications as category
       • Select Disallow Cloud Notification as setting
     • Switch the slider to the right to enable (Allow) the setting
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment for the specific devices and click Next
  8. On the Review + create page, verify the configuration and click Create


Experiencing turning off notification network usage

When the configuration is applied, the device will need a reboot for the configuration to be effective. After that reboot, it’s pretty straightforward to verify the applied configuration. The easiest method to know for sure is by checking the device locally. That could be by verifying the applied configuration settings, as shown below in Figure 2 on the left, or by having a look at the Event Viewer, as shown below in Figure 2 on the right, especially at the logs of the PushNotifications-Platform source. Those logs contain information about the cloud notifications and the usage of the network. After applying the mentioned configuration, the log will show that the MDMPolicyValue is false. That means that the notifications network is no longer available. After that, remote actions performed via Microsoft Intune will no longer arrive on the device. That includes remote queries via Device query.
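The local check described above can also be scripted. The following is an added example, not part of the original post: it assumes that the applied Policy CSP value is readable under the PolicyManager registry key shown in the script, and it discovers the push notification event logs by wildcard instead of relying on an exact log name. Run it in an elevated PowerShell session on the device.

```powershell
# Added example: verify locally whether DisallowCloudNotification is applied
# and whether the push notification logs mention MDMPolicyValue.
# Assumption: applied Policy CSP values are stored under this PolicyManager key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Notifications'
$valueName = 'DisallowCloudNotification'

# 1. Read the applied policy value, if any.
$applied = $null
if (Test-Path -Path $policyKey) {
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $applied = $item.$valueName }
}

if ($null -eq $applied) {
    Write-Output "$valueName is not configured via MDM on this device."
}
elseif ($applied -eq 1) {
    Write-Output "$valueName = 1: notifications network usage is turned off."
    Write-Output "Expect Intune remote actions and Device query to stop arriving."
}
else {
    Write-Output "$valueName = $applied: notifications network usage is not turned off."
}

# 2. Find the push notification logs by wildcard (exact log name is not assumed).
$logs = Get-WinEvent -ListLog '*PushNotification*' -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

# 3. Show the most recent events that report the MDM policy value.
foreach ($log in $logs) {
    Get-WinEvent -LogName $log.LogName -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MDMPolicyValue' } |
        Select-Object -First 5 -Property TimeCreated, Id,
            @{ Name = 'Log'; Expression = { $log.LogName } }, Message |
        Format-List
}
```

Because the setting only takes effect after a reboot, compare the event timestamps with the last boot time before concluding that the policy is not in effect.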

More information

For more information about turning off notification network usage, refer to the following docs.

3 thoughts on “Quick tip: Only turn off notifications network usage when there is a direct requirement”

  1. Thank you Peter. I guess I’m having a problem getting my head around doing this if it breaks Intune core functions. Not having device query and remote wipe is not possible with any of my clients. Perhaps they will modify things to have core Intune services separated from 3rd party WNS capabilities one day? Love your posts and always learn a ton!! Thank you.

    • Thank you for that, David. I don’t think that will change. Just one channel handling it all. Also, not sure if it really matters for a high secure environment which app is actually pushing the notification over the channel. Think the main idea is to not have anything like that at all.
      Regards, Peter
