Nowadays it is quite common for companies to use WiFi to connect their users to the network. Recent protocols such as WPA2 and now WPA3 offer rather good security, but what if the password has been compromised, or if we simply want to renew it periodically? This can quickly become a headache, especially when you manage several hundred machines.
To my knowledge there is no native group policy setting to manage this, so we have to be cunning. We will see here how to change the WiFi password of a specific SSID using a batch script. This script will be executed at user login and deployed via GPO.
In order to understand the script correctly, it helps to know the main WiFi management commands in Windows.
C:\WINDOWS\system32>netsh wlan
The following commands are available:
Commands in this context:
? - Displays a list of commands.
add - Adds a configuration entry to a table.
connect - Connects to a wireless network.
delete - Deletes a configuration entry from a table.
disconnect - Disconnects from a wireless network.
dump - Displays a configuration script.
export - Saves WLAN profiles to XML files.
help - Displays a list of commands.
IHV - Commands for IHV logging.
refresh - Refresh hosted network settings.
reportissues - Generate WLAN smart trace report.
set - Sets configuration information.
show - Displays information.
start - Start hosted network.
stop - Stop hosted network.
To view help for a command, type the command, followed by a space, and then type ?.
C:\WINDOWS\system32>netsh wlan show all
C:\WINDOWS\system32>netsh wlan show profiles
Profiles on interface Wi-Fi:
Group policy profiles (read only)
---------------------------------
<None>
User profiles
-------------
All User Profile : FFBOXE
All User Profile : STD_ROCKS
C:\WINDOWS\system32>netsh wlan show profiles "STD_ROCKS"
Profile STD_ROCKS on interface Wi-Fi:
=======================================================================
Applied: All User Profile
Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : STD_ROCKS
Control options :
Connection mode : Connect automatically
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled
Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "STD_ROCKS"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present
Security settings
-----------------
Authentication : WPA2-Personal
Cipher : CCMP
Authentication : WPA2-Personal
Cipher : GCMP
Security key : Present
Cost settings
-------------
Cost : Unrestricted
Congested : No
Approaching Data Limit : No
Over Data Limit : No
Roaming : No
Cost Source : Default
C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS" key=clear folder=c:\Users\user\Desktop\
C:\WINDOWS\system32>netsh wlan add profile filename="c:\Users\user\Desktop\STD_ROCKS.xml" user=all
C:\WINDOWS\system32>netsh wlan set profileorder name="STD_ROCKS" interface="Wi-Fi" priority=1
C:\WINDOWS\system32>netsh wlan delete profile name="STD_ROCKS" interface="Wi-Fi"
To avoid users losing network connectivity, we need to make two Wi-Fi networks coexist: the old one («STD_ROCKS_OLD» in the diagram below), whose password we want to replace, and the new one («STD_ROCKS_NEW» in the diagram below), which will carry the new password. Once all users have migrated to the new network, the old one can be deleted.
C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS_NEW" key=clear folder=c:\Users\user\Desktop\
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>STD_ROCKS_NEW</name>
  <SSIDConfig>
    <SSID>
      <!-- the SSID bytes in hex; Windows matches on this element, so it must encode the same SSID as <name> -->
      <hex>5354445F524F434B535F4E4557</hex>
      <name>STD_ROCKS_NEW</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <!-- key=clear export: the passphrase is stored unencrypted in this file -->
        <protected>false</protected>
        <keyMaterial>P@WD2000</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
  <MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
    <enableRandomization>false</enableRandomization>
    <randomizationSeed>1592637002</randomizationSeed>
  </MacRandomization>
</WLANProfile>
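The exported file above can also be generated directly, which avoids exporting the key from a reference machine. This is an added PowerShell example, not code from the original post: it builds a profile with the same layout as STD_ROCKS_NEW.xml, derives `<hex>` from the SSID bytes so it always matches `<name>`, and imports it; the output path is a placeholder and the optional MacRandomization element is left out.

```powershell
# Added example (not from the original post): build and import a WPA2-PSK profile XML.
function New-WlanProfileXml {
    param(
        [Parameter(Mandatory)][string]$Ssid,
        [Parameter(Mandatory)][string]$Passphrase
    )
    # A WPA2 passphrase is 8 to 63 ASCII characters; netsh rejects anything else at import
    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        throw 'Passphrase must be between 8 and 63 characters'
    }
    # <hex> is the SSID as raw bytes (UTF-8) in uppercase hex, e.g. STD_ROCKS_NEW -> 5354445F...
    $hex = ([Text.Encoding]::UTF8.GetBytes($Ssid) | ForEach-Object { $_.ToString('X2') }) -join ''
    # Escape &, <, > etc. so an unusual SSID or passphrase cannot break the XML
    $xmlSsid = [Security.SecurityElement]::Escape($Ssid)
    $xmlKey  = [Security.SecurityElement]::Escape($Passphrase)
    @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$xmlSsid</name>
  <SSIDConfig><SSID><hex>$hex</hex><name>$xmlSsid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>$xmlKey</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
"@
}

# Placeholder path (assumption). Importing with user=all needs administrator rights, and the
# file holds the key in clear text (<protected>false</protected>), so it is removed after import.
$xmlPath = 'C:\Windows\Temp\STD_ROCKS_NEW.xml'
New-WlanProfileXml -Ssid 'STD_ROCKS_NEW' -Passphrase 'P@WD2000' | Set-Content -Path $xmlPath -Encoding UTF8
netsh wlan add profile filename="$xmlPath" user=all
Remove-Item -Path $xmlPath -Force
```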
REM Remove REM if you want to reset GPO :
REM DEL C:\WirelessSet.txt
REM This script needs administrator rights ("add profile ... user=all" and writing to C:\); as a computer startup script it runs as SYSTEM
REM If the file C:\WirelessSet.txt exists, the script has already been executed once, so jump to the _END label
IF EXIST C:\WirelessSet.txt GOTO _END
REM Otherwise add the wireless profile from the STD_ROCKS_NEW.xml file (netsh output is kept in the marker file)
netsh wlan add profile filename="\\std.local\netlogon\Wi-Fi-STD_ROCKS_NEW.xml" user=all >> C:\WirelessSet.txt
REM If the import failed, remove the marker so that the old profile is not deleted on the next run
IF ERRORLEVEL 1 (DEL C:\WirelessSet.txt & GOTO :eof)
REM Give the new profile (STD_ROCKS_NEW) the highest priority
netsh wlan set profileorder name="STD_ROCKS_NEW" interface="Wi-Fi" priority=1
REM exit script
GOTO :eof
REM _END label
:_END
REM Delete the old (STD_ROCKS_OLD) wireless profile
netsh wlan delete profile name="STD_ROCKS_OLD" interface="Wi-Fi"
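The marker file only records that the script ran once, not that the client can actually use the new key. As an added PowerShell example (not the post's own script), the following migration step reads the profile list and the current association from netsh and retires STD_ROCKS_OLD only once the machine is connected through STD_ROCKS_NEW; it keeps the post's profile path on the netlogon share and its interface name, assumes English netsh output, and must run elevated.

```powershell
# Added example (not from the original post): state-checked replacement for the marker file.
$Old        = 'STD_ROCKS_OLD'
$New        = 'STD_ROCKS_NEW'
$Interface  = 'Wi-Fi'
$ProfileXml = '\\std.local\netlogon\Wi-Fi-STD_ROCKS_NEW.xml'

function Get-WlanProfileNames {
    # Names from the "All User Profile : NAME" lines of netsh (English output assumed)
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Get-ConnectedSsid {
    # The "SSID : NAME" line of the interface listing; nothing is returned when not associated.
    # "^\s*SSID" does not match the "BSSID" line that follows it.
    netsh wlan show interfaces | ForEach-Object {
        if ($_ -match '^\s*SSID\s*:\s*(.+?)\s*$') { $Matches[1] }
    } | Select-Object -First 1
}

$profiles = @(Get-WlanProfileNames)

if ($profiles -notcontains $New) {
    # First pass: import the new profile and make it preferred; the old one stays as fallback
    netsh wlan add profile filename="$ProfileXml" user=all
    if ($LASTEXITCODE -ne 0) { throw "Import of $New failed, keeping $Old" }
    netsh wlan set profileorder name="$New" interface="$Interface" priority=1
    return
}

# Later passes: delete the old profile only when the client is connected through the new one,
# which proves the new key works on this machine before the fallback disappears
if ($profiles -contains $Old -and (Get-ConnectedSsid) -eq $New) {
    netsh wlan delete profile name="$Old" interface="$Interface"
}
```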
We can now create a GPO that runs the above script when our computers start.