Microsoft's WiFi Sense Poses Manageable Security Risks
There are also risks associated with owning the access point that's being used. Microsoft assures everyone that the only thing people connecting through WiFi Sense will be able to do is reach the Internet. But, even if that's true, it's your company's bandwidth that's being use and it's your company's IP address that shows up on the other end of the connection. Do you really want the DEA or the local vice squad showing up at your door because of the illegal activities carried out by an interloper who got your log-in data from Facebook? Fortunately, there are some steps beyond just making sure your wireless access points use WPA2 security. Enterprise-grade WiFi access points and controllers will support 802.1X wireless authentication protocol. Using 802.1X for authentication means that only those who are authorized to access your WiFi network can actually get in. In addition, WiFi Sense will not share log-in information for networks with 802.1X authentication. Unfortunately, the infrastructure for using 802.1X is beyond the capabilities of many smaller enterprises. However, other means of secure authentication exist that are less expensive and easier to manage than 802.1X, such as the pre-shared encryption used by Ruckus Wireless and available through their WiFi controllers. Here's a video explaining that.When the time comes to start upgrading your current computers to Windows 10, and when you buy new machines with Windows 10 already installed, you can set up your standard version so that WiFi Sense isn't enabled. This may not help with BYOD devices, unfortunately, but you can make it a condition of use that employees allow you to turn that feature off before they can use personally owned devices on the company network. Fortunately, very few mobile devices will be using Windows 10, except for perhaps Surface tablets. You can place the same conditions of use on those that you place on laptops and phones. It's not a perfect solution, but by making use of 802.1X authentication or some other similar means of access control mandatory, you'll be making your network far more secure anyway. The days of the single share key in WiFi should already be over, but they're not. For your enterprise, real security is necessary, and now Microsoft has provided the impetus.
You can also rename your access points with the suffix "_optout" at the end of your network name or SSID, and that will tell WiFi Sense that you don't want to be included. In addition, many enterprise-class WiFi products may allow you to assign each user a unique password, which will also defeat the abilities of WiFi Sense.