diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-no-auth-no-internet.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-no-auth-no-internet.mdx
new file mode 100644
index 000000000000000..d70ff201fb44f67
--- /dev/null
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-no-auth-no-internet.mdx
@@ -0,0 +1,94 @@
+---
+pcx_content_type: how-to
+description: Block internet access on a Windows device until the user authenticates with the Cloudflare One Client.
+products:
+ - cloudflare-one
+title: Block internet access until user authenticates
+sidebar:
+ order: 3
+ label: No-auth-no-internet
+tags:
+ - Windows
+---
+
+import { Details } from "~/components";
+
+
+
+| [Client modes](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| All modes | All plans |
+
+| System | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows | ✅ | TBD |
+| macOS | ❌ | |
+| Linux | ❌ | |
+| iOS | ❌ | |
+| Android | ❌ | |
+| ChromeOS | ❌ | |
+
+
+
+When **no-auth-no-internet** is enabled, the Cloudflare One Client locks down general internet traffic on the device whenever the device is in an unauthenticated state (i.e. without a valid device registration). During this lockdown, the client allows only the traffic required for the device to remain on the network and for the user to complete IdP authentication. Once the user signs in, normal connectivity resumes and your configured Gateway, Access, RBI, and DLP policies take effect.
+
+When this feature is enabled, the authentication is done via in-app WebView2 browser instead of the default browser on the system.
+
+The lockdown re-engages automatically any time the device transitions back to an unauthenticated state — for example, if the registration expires, another OS user that has never authenticated with the Cloudflare One Client logs in while in multi-user mode, or the user switches into a new organization.
+
+## Prerequisites
+
+- The Cloudflare One Client must be [deployed via MDM](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/#windows).
+- The device must have [WebView2](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/#authenticate-in-embedded-browser) available. By default, the WebView2 runtime should be present on all Windows versions that Cloudflare One Client supports.
+
+## Enable no-auth-no-internet
+
+To enable the feature, [deploy an MDM file](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/#windows) with the `no_auth_no_internet` top-level key set to `true`:
+
+```xml
+
+ no_auth_no_internet
+
+ configs
+
+
+ organization
+ your-team-name
+ display_name
+ Default
+
+
+
+```
+
+When the Cloudflare One Client reads this configuration and detects that no user is authenticated, it applies the firewall lockdown and prompts the user to authenticate. After successful authentication, the lockdown is completely lifted.
+
+## Block access to RFC 1918 ranges in lockdown state
+
+By default, the Cloudflare One Client permits traffic to [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) private address ranges (`10.0.0.0/8`, `172.16.0.0/12`, and `192.168.0.0/16`) while the device is locked down. This allows the device to reach on-premise resources such as a domain controller, an MDM server, or a local printer before the user authenticates.
+
+To block RFC 1918 traffic during lockdown, set `no_auth_no_internet_block_rfc_1918` to `true`:
+
+```xml
+
+ no_auth_no_internet
+
+ no_auth_no_internet_block_rfc_1918
+
+ configs
+
+
+ organization
+ your-team-name
+ display_name
+ Default
+
+
+
+```
+
+## Limitations
+
+- The lockdown is enforced only when there is an active interactive user session (for example, a user is logged in and the machine is not locked).
+- Since authentication now occurs in an embedded WebView2 window, IdP flows that depend on the user's default browser (for example, browser-specific extensions or password managers) may not work.
+- Some Windows applications, including Copilot and Teams (personal), may retain internet access while the Cloudflare One Client authentication window is open.
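Review bot: Both `xml` examples (under "Enable no-auth-no-internet" and "Block access to RFC 1918 ranges in lockdown state") contain only bare key names such as `no_auth_no_internet` and `configs`, with no XML elements and no `true` value. As written they do not show the setting the preceding sentences describe and cannot be copied into an MDM file. Restore the full markup, including the values for `no_auth_no_internet` and `no_auth_no_internet_block_rfc_1918`. The availability table still gives the minimum version for Windows as `TBD`, which should be filled in before merge. Its column header says "WARP" while the rest of the page says "Cloudflare One Client". `Details` is imported, but no `<Details>` element appears in the added lines, so either wrap the two tables in it or drop the import. The first Limitations bullet says the lockdown is enforced only during an active interactive user session. Because this is a security control, add a sentence stating what traffic is permitted when no user is logged in or the machine is locked, so administrators do not assume the device is locked down in those states.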