How to change the WiFi password on Windows stations via GPO

Last updated: Nov 8, 2023

Nowadays it's quite often that companies are using WiFi to connect their users to network. The recent protocols like WPA2 and now WPA3 offer today a rather good security but what if the password has been compromised or if we just want to renew it periodically? This can quickly become a headache especially when you manage several hundred machines.

To my knowledge there is no native tool in group policies to manage this. So we have to be cunning. We will see here how to change the WiFi password of specific SSID using a batch script. This script will be executed at user login (and managed via GPO).

What we will do :
- Preparation :
  - Create a new SSID with a new password
  - Connect to new SSID with a Windows and extract WiFi configuration to a xml file
- Create a GPO script that will run at login to :
  - Connect computers to the new SSID with the new password
  - Remove old SSID with the old password
- Once all users are migrated to the new SSID and with the new password, the old SSID can be deleted.

Commands to manage WiFi in CLI

In order to correctly understand the script it may be useful to know the main commands of WiFi management in Windows.

List WiFi commands :

C:\WINDOWS\system32>netsh wlan
The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a table.
connect        - Connects to a wireless network.
delete         - Deletes a configuration entry from a table.
disconnect     - Disconnects from a wireless network.
dump           - Displays a configuration script.
export         - Saves WLAN profiles to XML files.
help           - Displays a list of commands.
IHV            - Commands for IHV logging.
refresh        - Refresh hosted network settings.
reportissues   - Generate WLAN smart trace report.
set            - Sets configuration information.
show           - Displays information.
start          - Start hosted network.
stop           - Stop hosted network.

To view help for a command, type the command, followed by a space, and then type ?.

Show complete wireless device and networks information :

C:\WINDOWS\system32>netsh wlan show all

Show Wi-Fi profiles :

C:\WINDOWS\system32>netsh wlan show profiles

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : FFBOXE
    All User Profile     : STD_ROCKS

Show STD_ROCKS profile :

C:\WINDOWS\system32>netsh wlan show profiles "STD_ROCKS"

Profile STD_ROCKS on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : STD_ROCKS
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks
        MAC Randomization  : Disabled

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "STD_ROCKS"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]
    Vendor extension          : Not present

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Authentication         : WPA2-Personal
    Cipher                 : GCMP
    Security key           : Present

Cost settings
-------------
    Cost                   : Unrestricted
    Congested              : No
    Approaching Data Limit : No
    Over Data Limit        : No
    Roaming                : No
    Cost Source            : Default

Export WiFi profile to «c:\Users\user\Desktop\Wi-Fi-STD_ROCKS.xml» file :

C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS" key=clear folder=c:\Users\user\Desktop\

Import WiFi profile for all users from «c:\Users\user\Desktop\STD_ROCKS.xml» file :

C:\WINDOWS\system32>netsh add profile filename="c:\Users\user\Desktop\STD_ROCKS.xml" user=all

Set the preference order of the STD_ROCKS wireless network to the highest priority :

C:\WINDOWS\system32>netsh wlan set profileorder name="STD_ROCKS" interface="Wi-Fi" priority=1

Remove the STD_ROCKS wireless network :

C:\WINDOWS\system32>netsh wlan delete profile name="STD_ROCKS" interface="Wi-Fi"

Creating a new SSID

To avoid that users suffer a network loss we need to make two Wi-Fi networks cohabit. The old one («STD_ROCKS_OLD» in the diagram below) whose password we want to replace and the new one («STD_ROCKS_NEW» in the diagram below) on which the new password will be associated. Once all users have migrated to the new network, the old one can be deleted.

Export Wi-Fi profile to a xml file

From a Windows computer, connect manually to the new wireless network («STD_ROCKS_NEW» in the diagram above).

Once connected, export Wi-Fi profile to a xml file :

C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS_NEW" key=clear folder=c:\Users\user\Desktop\

You should have the xml file on your Desktop :

Open the xml file and check the following informations :
- Wireless Network : STD_ROCKS_NEW (here)
- Password : P@WD2000 (here)

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
	<name>STD_ROCKS_NEW</name>
	<SSIDConfig>
		<SSID>
			<hex>535444524F434B5342414259</hex>
			<name>STD_ROCKS_NEW</name>
		</SSID>
	</SSIDConfig>
	<connectionType>ESS</connectionType>
	<connectionMode>auto</connectionMode>
	<MSM>
		<security>
			<authEncryption>
				<authentication>WPA2PSK</authentication>
				<encryption>AES</encryption>
				<useOneX>false</useOneX>
			</authEncryption>
			<sharedKey>
				<keyType>passPhrase</keyType>
				<protected>false</protected>
				<keyMaterial>P@WD2000</keyMaterial>
			</sharedKey>
		</security>
	</MSM>
	<MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
		<enableRandomization>false</enableRandomization>
		<randomizationSeed>1592637002</randomizationSeed>
	</MacRandomization>
</WLANProfile>

Batch script

What the script do :
- Create the file C:\WirelessSet.txt on first run, deleting the old SSID profile if the file has already been created (meaning the script has already been run once)
- Add a new wireless profile
- Set the new wireless profile as default

Create a wifi.bat file :

REM Remove REM if you want to reset GPO :
REM DEL C:\WirelessSet.txt

REM If the file C:\WirelessSet.txt exists, it means the script has already been executed once, so jump to _END switch
IF EXIST C:\WirelessSet.txt GOTO _END
REM Otherwise add wireless profile from STD_ROCKS_NEW.xml file
netsh wlan add profile filename="\\std.local\netlogon\Wi-Fi-STD_ROCKS_NEW.xml" user=all >> C:\WirelessSet.txt
REM Set new profile (STD_ROCKS_NEW) with best priority
netsh wlan set profileorder name="STD_ROCKS_NEW" interface="Wi-Fi" priority=1

REM exit script
GOTO:eof

REM _END SWITCH
:_END
REM Delete old (STD_ROCKS_OLD) wireless profile
netsh wlan delete profile name="STD_ROCKS_OLD" interface="Wi-Fi"

Then from a Active Directory server, copy the xml and wifi.bat files to C:\Windows\SYSVOL\sysvol\YOUR_DOMAIN\scripts :

Create Group Policy Object

We can now create a GPO that will execute the above script when our computers start.

Open Group Policy Manager console :

Create a new GPO and link it to OU where you have your computers objects :

Give a name to the new GPO :

Edit the GPO :

Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown). Do a Right click Startup > Properties

Click Add… and Browse to the script :

Once the computers has been rebooted they will be automaticaly migrated to new wireless network, the old one can now be deleted :

Computing

Music

Misc