rss logo

How to change the WiFi password on Windows stations via GPO

WiFi Logo

Nowadays, companies frequently use WiFi to connect their users to the network. Recent protocols such as WPA2 and now WPA3 offer fairly good security, but what happens if the password has been compromised, or if you simply want to renew it periodically? This can quickly become a headache, especially when you're managing several hundred machines.

As far as I know, there is no native tool in group policies to manage this. So we have to be cunning. Here's how to change the WiFi password for a specific SSID using a batch script. This script will be executed when the user logs on (and managed via GPO).

The WiFi management commands:

To understand the script properly, it may be useful to be familiar with the main Windows WiFi management commands.

  • List of WiFi commands:
C:\WINDOWS\system32>netsh wlan The following commands are available: Commands in this context: ? - Displays a list of commands. add - Adds a configuration entry to a table. connect - Connects to a wireless network. delete - Deletes a configuration entry from a table. disconnect - Disconnects from a wireless network. dump - Displays a configuration script. export - Saves WLAN profiles to XML files. help - Displays a list of commands. IHV - Commands for IHV logging. refresh - Refresh hosted network settings. reportissues - Generate WLAN smart trace report. set - Sets configuration information. show - Displays information. start - Start hosted network. stop - Stop hosted network. To view help for a command, type the command, followed by a space, and then type ?.
  • Displays complete information on wireless networks and devices:
C:\WINDOWS\system32>netsh wlan show all
  • Display Wi-Fi profiles:
C:\WINDOWS\system32>netsh wlan show profiles Profiles on interface Wi-Fi: Group policy profiles (read only) --------------------------------- <None> User profiles ------------- All User Profile : FFBOXE All User Profile : STD_ROCKS
  • Display STD_ROCKS profile:
C:\WINDOWS\system32>netsh wlan show profiles "STD_ROCKS" Profile STD_ROCKS on interface Wi-Fi: ======================================================================= Applied: All User Profile Profile information ------------------- Version : 1 Type : Wireless LAN Name : STD_ROCKS Control options : Connection mode : Connect automatically Network broadcast : Connect only if this network is broadcasting AutoSwitch : Do not switch to other networks MAC Randomization : Disabled Connectivity settings --------------------- Number of SSIDs : 1 SSID name : "STD_ROCKS" Network type : Infrastructure Radio type : [ Any Radio Type ] Vendor extension : Not present Security settings ----------------- Authentication : WPA2-Personal Cipher : CCMP Authentication : WPA2-Personal Cipher : GCMP Security key : Present Cost settings ------------- Cost : Unrestricted Congested : No Approaching Data Limit : No Over Data Limit : No Roaming : No Cost Source : Default
  • Export WiFi profile to «c:\Users\user\Desktop\Wi-Fi-STD_ROCKS.xml» file:
C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS" key=clear folder=c:\Users\user\Desktop\
  • Import WiFi profile for all users from «c:\Users\user\Desktop\STD_ROCKS.xml» file:
C:\WINDOWS\system32>netsh add profile filename="c:\Users\user\Desktop\STD_ROCKS.xml" user=all
  • Set the preference order of the STD_ROCKS wireless network to the highest priority:
C:\WINDOWS\system32>netsh wlan set profileorder name="STD_ROCKS" interface="Wi-Fi" priority=1
  • Remove the STD_ROCKS wireless network:
C:\WINDOWS\system32>netsh wlan delete profile name="STD_ROCKS" interface="Wi-Fi"

Creating a new SSID

To prevent users from being cut off the network, we need to make two Wi-Fi networks coexist. The old one: «STD_ROCKS_OLD»; in the diagram below; whose password we want to replace, and the new one: «STD_ROCKS_NEW»; in the diagram below; on which the new password will be associated. Once all users have been migrated to the new network, the old one can be deleted.

Illustration showing the transition from an old Wi-Fi network (SSID: STD_ROCKS_OLD, Password: OLD2000@) to a new Wi-Fi network (SSID: STD_ROCKS_NEW, Password: P@WD2000) in an Active Directory environment.

Export Wi-Fi profile to xml file

  • From a Windows computer, manually connect to the new wireless network: «STD_ROCKS_NEW»:
Screenshot of the Windows Wi-Fi menu showing the new Wi-Fi network 'STD_ROCKS_NEW' highlighted, ready to connect.
  • Once connected, export the Wi-Fi profile to an xml file:
C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS_NEW" key=clear folder=c:\Users\user\Desktop\
  • You should have the xml file on your Desktop:
Icon of the Wi-Fi configuration file named 'Wi-Fi-STD_ROCKS_NEW.xmlr' on a Windows desktop.
  • Open the xml file and check the following informations:
    • Wireless Network: STD_ROCKS_NEW (here)
    • Password: P@WD2000 (here)
<?xml version="1.0"?> <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"> <name>STD_ROCKS_NEW</name> <SSIDConfig> <SSID> <hex>535444524F434B5342414259</hex> <name>STD_ROCKS_NEW</name> </SSID> </SSIDConfig> <connectionType>ESS</connectionType> <connectionMode>auto</connectionMode> <MSM> <security> <authEncryption> <authentication>WPA2PSK</authentication> <encryption>AES</encryption> <useOneX>false</useOneX> </authEncryption> <sharedKey> <keyType>passPhrase</keyType> <protected>false</protected> <keyMaterial>P@WD2000</keyMaterial> </sharedKey> </security> </MSM> <MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3"> <enableRandomization>false</enableRandomization> <randomizationSeed>1592637002</randomizationSeed> </MacRandomization> </WLANProfile>

Batch script

  • What the script does:
    • Create the file C:\WirelessSet.txt on first run, deleting the old SSID profile if the file has already been created (meaning the script has already been run once).
    • Add a new wireless profile.
    • Set the new wireless profile as the default profile.
  • Create a wifi.bat file:
REM Remove REM if you want to reset GPO : REM DEL C:\WirelessSet.txt REM If the file C:\WirelessSet.txt exists, it means the script has already been executed once, so jump to _END switch IF EXIST C:\WirelessSet.txt GOTO _END REM Otherwise add wireless profile from STD_ROCKS_NEW.xml file netsh wlan add profile filename="\\std.local\netlogon\Wi-Fi-STD_ROCKS_NEW.xml" user=all >> C:\WirelessSet.txt REM Set new profile (STD_ROCKS_NEW) with best priority netsh wlan set profileorder name="STD_ROCKS_NEW" interface="Wi-Fi" priority=1 REM exit script GOTO :EOF REM _END SWITCH :_END REM Delete old (STD_ROCKS_OLD) wireless profile netsh wlan delete profile name="STD_ROCKS_OLD" interface="Wi-Fi"
  • Then, from an Active Directory server, copy the xml and wifi.bat files into C:\Windows\SYSVOL\sysvol\YOUR_DOMAIN\scripts:
View of the Windows File Explorer showing the path to the sysvol scripts folder containing a batch file and an XML file

Create a Group Policy Object

We can now create a GPO that will execute the above script when our computers start up.

  • Open the Group Policy Manager console:
Windows Run dialog box with the command gpmc.msc entered to open the Group Policy Management Console
  • Create a new GPO and link it to the OU where your computers objects are located:
Group Policy Management Console showing the option to create a GPO in the domain and link it to a specific organizational unit
  • Give a name to the new GPO:
New GPO creation dialog box in Group Policy Management Console with the name field set to WiFi and source starter GPO set to none
  • Edit the GPO:
Group Policy Management Console showing the context menu for the WiFi GPO with the Edit option highlighted
  • Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown). Do a Right click on Startup then click to Properties
Group Policy Management Editor showing the Startup Scripts section with the Properties option highlighted for configuring startup scripts
  • Click on Add… and on Browse button, then select the wifi.bat file:
Startup Properties dialog showing the process of adding a startup script by browsing to select the wifi batch file from the sysvol scripts folder
  • Once the computers have been rebooted, they will be automatically migrated to the new wireless network, the old one can now be deleted:
Diagram showing the transition from the old Wi-Fi network SSID and password to the new Wi-Fi network SSID and password, applied to multiple laptops
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address