rss logo

How to change the WiFi password on Windows stations via GPO

WiFi Logo

Nowadays it's quite often that companies are using WiFi to connect their users to network. The recent protocols like WPA2 and now WPA3 offer today a rather good security but what if the password has been compromised or if we just want to renew it periodically? This can quickly become a headache especially when you manage several hundred machines.

To my knowledge there is no native tool in group policies to manage this. So we have to be cunning. We will see here how to change the WiFi password of specific SSID using a batch script. This script will be executed at user login (and managed via GPO).

Commands to manage WiFi in CLI

In order to correctly understand the script it may be useful to know the main commands of WiFi management in Windows.

  • List WiFi commands :
C:\WINDOWS\system32>netsh wlan The following commands are available: Commands in this context: ? - Displays a list of commands. add - Adds a configuration entry to a table. connect - Connects to a wireless network. delete - Deletes a configuration entry from a table. disconnect - Disconnects from a wireless network. dump - Displays a configuration script. export - Saves WLAN profiles to XML files. help - Displays a list of commands. IHV - Commands for IHV logging. refresh - Refresh hosted network settings. reportissues - Generate WLAN smart trace report. set - Sets configuration information. show - Displays information. start - Start hosted network. stop - Stop hosted network. To view help for a command, type the command, followed by a space, and then type ?.
  • Show complete wireless device and networks information :
C:\WINDOWS\system32>netsh wlan show all
  • Show Wi-Fi profiles :
C:\WINDOWS\system32>netsh wlan show profiles Profiles on interface Wi-Fi: Group policy profiles (read only) --------------------------------- <None> User profiles ------------- All User Profile : FFBOXE All User Profile : STD_ROCKS
  • Show STD_ROCKS profile :
C:\WINDOWS\system32>netsh wlan show profiles "STD_ROCKS" Profile STD_ROCKS on interface Wi-Fi: ======================================================================= Applied: All User Profile Profile information ------------------- Version : 1 Type : Wireless LAN Name : STD_ROCKS Control options : Connection mode : Connect automatically Network broadcast : Connect only if this network is broadcasting AutoSwitch : Do not switch to other networks MAC Randomization : Disabled Connectivity settings --------------------- Number of SSIDs : 1 SSID name : "STD_ROCKS" Network type : Infrastructure Radio type : [ Any Radio Type ] Vendor extension : Not present Security settings ----------------- Authentication : WPA2-Personal Cipher : CCMP Authentication : WPA2-Personal Cipher : GCMP Security key : Present Cost settings ------------- Cost : Unrestricted Congested : No Approaching Data Limit : No Over Data Limit : No Roaming : No Cost Source : Default
  • Export WiFi profile to «c:\Users\user\Desktop\Wi-Fi-STD_ROCKS.xml» file :
C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS" key=clear folder=c:\Users\user\Desktop\
  • Import WiFi profile for all users from «c:\Users\user\Desktop\STD_ROCKS.xml» file :
C:\WINDOWS\system32>netsh add profile filename="c:\Users\user\Desktop\STD_ROCKS.xml" user=all
  • Set the preference order of the STD_ROCKS wireless network to the highest priority :
C:\WINDOWS\system32>netsh wlan set profileorder name="STD_ROCKS" interface="Wi-Fi" priority=1
  • Remove the STD_ROCKS wireless network :
C:\WINDOWS\system32>netsh wlan delete profile name="STD_ROCKS" interface="Wi-Fi"

Creating a new SSID

To avoid that users suffer a network loss we need to make two Wi-Fi networks cohabit. The old one («STD_ROCKS_OLD» in the diagram below) whose password we want to replace and the new one («STD_ROCKS_NEW» in the diagram below) on which the new password will be associated. Once all users have migrated to the new network, the old one can be deleted.

group of computers with two wifi

Export Wi-Fi profile to a xml file

  • From a Windows computer, connect manually to the new wireless network («STD_ROCKS_NEW» in the diagram above).
Available Wi-Fi on a windows machine
  • Once connected, export Wi-Fi profile to a xml file :
C:\WINDOWS\system32>netsh wlan Export Profile Name="STD_ROCKS_NEW" key=clear folder=c:\Users\user\Desktop\
  • You should have the xml file on your Desktop :
Xml file on a Windows Desktop
  • Open the xml file and check the following informations :
    • Wireless Network : STD_ROCKS_NEW (here)
    • Password : P@WD2000 (here)
<?xml version="1.0"?> <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"> <name>STD_ROCKS_NEW</name> <SSIDConfig> <SSID> <hex>535444524F434B5342414259</hex> <name>STD_ROCKS_NEW</name> </SSID> </SSIDConfig> <connectionType>ESS</connectionType> <connectionMode>auto</connectionMode> <MSM> <security> <authEncryption> <authentication>WPA2PSK</authentication> <encryption>AES</encryption> <useOneX>false</useOneX> </authEncryption> <sharedKey> <keyType>passPhrase</keyType> <protected>false</protected> <keyMaterial>P@WD2000</keyMaterial> </sharedKey> </security> </MSM> <MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3"> <enableRandomization>false</enableRandomization> <randomizationSeed>1592637002</randomizationSeed> </MacRandomization> </WLANProfile>

Batch script

  • What the script do :
    • Create the file C:\WirelessSet.txt on first run, deleting the old SSID profile if the file has already been created (meaning the script has already been run once)
    • Add a new wireless profile
    • Set the new wireless profile as default
  • Create a wifi.bat file :
REM Remove REM if you want to reset GPO : REM DEL C:\WirelessSet.txt REM If the file C:\WirelessSet.txt exists, it means the script has already been executed once, so jump to _END switch IF EXIST C:\WirelessSet.txt GOTO _END REM Otherwise add wireless profile from STD_ROCKS_NEW.xml file netsh wlan add profile filename="\\std.local\netlogon\Wi-Fi-STD_ROCKS_NEW.xml" user=all >> C:\WirelessSet.txt REM Set new profile (STD_ROCKS_NEW) with best priority netsh wlan set profileorder name="STD_ROCKS_NEW" interface="Wi-Fi" priority=1 REM exit script GOTO:eof REM _END SWITCH :_END REM Delete old (STD_ROCKS_OLD) wireless profile netsh wlan delete profile name="STD_ROCKS_OLD" interface="Wi-Fi"
  • Then from a Active Directory server, copy the xml and wifi.bat files to C:\Windows\SYSVOL\sysvol\YOUR_DOMAIN\scripts :

Create Group Policy Object

We can now create a GPO that will execute the above script when our computers start.

  • Open Group Policy Manager console :
Run Group Policy Management Console
  • Create a new GPO and link it to OU where you have your computers objects :
Create a GPO
  • Give a name to the new GPO :
New GPO name
  • Edit the GPO :
Edit a GPO
  • Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown). Do a Right click Startup > Properties
GPO edit scripts properties
  • Click Add… and Browse to the script :
GPO New MSI Package
  • Once the computers has been rebooted they will be automaticaly migrated to new wireless network, the old one can now be deleted :
group of computers with two wifi
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address