Friday 3 February 2012

Sending out Wireless Settings via GPO with Key

Microsoft are an interesting bunch. When it comes to deploying wireless settings, they tend to forget that wireless networks need a passphrase in order to connect. They provide you with tools to set up wireless profiles on machines, yet don't allow you to deploy the wireless key via Group Policy.
You can sort of understand it from a security point of view: it is probably against some form of policy to dish out wireless keys to your users. But it does mean it's us poor buggers who need to manually type the key into each machine before allocating them to members of staff or putting them in trolleys for the pupils. (That is, if you don't use imaging, such as Ghost/MDT/Ping.)
Now, after a hell of a lot of Group Policy searches via Google, there doesn't seem to be anyone who has bothered to write a step-by-step guide on how to send out a wireless setting with the key pre-installed. So here I go, finally solving this damn issue that has tormented god knows how many people. The beauty of this method is that it is Microsoft approved, as you don't need any third-party tools to do this. :)
Here we go.

1. First you need a machine, ideally freshly built, no crap on it. Windows 7 of course.

2. Connect this machine to the wireless network you want to deploy. In this example, the SSID of the school is: ITMagic_WPA.

So join your network and type in the wireless key. In this example, the wireless key is: NoWires12345

3. Once connected to the wireless, if you want to play around with certain settings like Infrastructure only etc., do it now. The method taught here will also export these customisations too :)

4. So now we have a fresh Windows 7 machine, connected to our wireless network ITMagic_WPA with the network key NoWires12345 correctly implemented.

5. Now we export it using Microsoft's own NetSh command line.

(You might be turning away now, thinking "I've tried this route and didn't succeed", but if you are like me, you probably didn't have time to play with it enough to understand it. Well, I found time, and with a little scripting experience behind me, I figured it out. I still haven't found a website that tells you this part.)

Go to Start, type Cmd and open that black window of power. - (just open command line)

6. Type in
Netsh Wlan Show Profiles
You will be presented with a list of all the "Wireless Profiles" stored on your machine, if you have only connected to one network, you will have a massive list of.. one.

Nine times out of ten, this profile name is identical to your wireless SSID. So let's say I did it with my example profile; the command line would come back with the result:

User Profiles
===========

all user profiles : ITMagic_WPA

Well, now I know the name of my profile, I can export it. Of course I don't just export the name, I export everything: the name, the key and any extra settings I might have set.

7. To export type in:
Netsh Wlan Export Profile Name="ITMagic_WPA" key=clear

Remember to obviously replace my example with your profile name.

8. By default, this command saves the file as ".\WirelessConnectionName", i.e. in the folder the command prompt is currently in, which is normally your C:\Users\YourLoggedInUser\ folder.

9. You will find an XML file named something like Wireless Network Connection - SSID.xml, so mine would be Wireless Network Connection-ITMagic_WPA.xml, or something like that; it depends on whether your machine is untouched and fresh.

Save the XML file to a shared area that people have access to. Let's say the netlogon folder, just to keep things simple. If you have a designated Scripts share on your server, by all means stick it in there, but remember to change the script below to suit your network.

14. Right, so I've saved my XML file under a shorter name, "WirelessConnect.xml", in the \\dc-01\netlogon folder.

15. In the netlogon folder, create a txt document and type in the following script:


IF EXIST C:\WirelessSet.txt GOTO _END
Netsh wlan add profile filename="\\dc-01\netlogon\WirelessConnect.xml" user=all >>C:\WirelessSet.txt
:_END

Just make sure your UNC path points at the XML file in your share.

16. Save this file as Win7Wireless.bat or something like that.

17. Go to Group Policy and set this wireless script to run at startup for all the wireless Windows 7 machines on your network. Once it has run, it won't rerun, provided there is a file called WirelessSet.txt on the C:\ of that computer.

Your wireless is now deployed, with a key.

Hope this helps a few people!!
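
Since the exported XML sits on a share that every domain machine can read, it is worth checking how each profile file there stores its key: in clear text (what key=clear is meant to produce) or as a protected blob. The PowerShell below is an added example, not part of the original post; the function name Get-WlanProfileKeyStorage and the two sample profiles are constructed for illustration, using the post's example SSID and key.

```powershell
# Added example: classify how exported WLAN profile XML stores its key.
# The key value itself is never written to the output.
function Get-WlanProfileKeyStorage {
    param([Parameter(Mandatory = $true)][string[]]$ProfileXml)

    foreach ($text in $ProfileXml) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.LoadXml($text)
        # Exported profiles use a default namespace, so XPath needs a prefix.
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

        $name = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns)
        $auth = $doc.SelectSingleNode('//w:authEncryption/w:authentication', $ns)
        $key  = $doc.SelectSingleNode('//w:security/w:sharedKey', $ns)

        if ($null -eq $key) {
            $storage = 'none (no sharedKey element)'
        } else {
            $flag = $key.SelectSingleNode('w:protected', $ns)
            if ($null -ne $flag -and $flag.InnerText.Trim() -eq 'true') {
                $storage = 'protected (encrypted, tied to the exporting machine)'
            } else {
                $storage = 'CLEARTEXT (readable by anyone who can open the file)'
            }
        }

        $profileName = if ($null -ne $name) { $name.InnerText } else { '(unnamed)' }
        $authType    = if ($null -ne $auth) { $auth.InnerText } else { '(unknown)' }
        New-Object PSObject -Property @{
            Profile = $profileName; Authentication = $authType; KeyStorage = $storage
        } | Select-Object Profile, Authentication, KeyStorage
    }
}

# Constructed sample profiles; SSID and passphrase are the post's example values.
$template = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ITMagic_WPA</name>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>{0}</protected><keyMaterial>{1}</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
'@
$samples = ($template -f 'false', 'NoWires12345'), ($template -f 'true', 'CONSTRUCTED-BLOB')
Get-WlanProfileKeyStorage -ProfileXml $samples | Format-Table -AutoSize
```

To check real files, pass the text of each XML file in the share to the function, for example the result of [IO.File]::ReadAllText for each path.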

18 comments:

  1. Microsoft has no way to do this as you should be using a RADIUS server and WPA2 Enterprise to authenticate domain objects.

    Replies
    1. Completely agree with this. This is how it "should" be done. Though of course being a blog for primary schools, many primary techs will know that Radius and WPA2 enterprise is overkill for less than 100 wireless devices, some schools have as little as 15 wireless computers. It's not cost effective for primary schools and half the time the local authority (local council) will be the ones to decide what goes in their schools.

      RADIUS is for enterprise level, a primary school is no more than a small business with few servers (sometimes just the one). Different requirements require different solutions.

    2. Thank you so much for the detailed instructions on how to do this. I have been searching and talking to people for two days before I found this post. Your instructions are spot on, worked perfect. Again thanks.

  2. Does the script need that end/if option? At least I tested this without it and it only adds it once even if network already exists.

    Replies
    1. The IF is there to avoid running the command line if the .txt file exists (the script has already run at least once)

      The END is there as an anchor point for the IF statement

      If the text file exists then the script will quickly end, this is not so important in a short script like this but in longer scripts or those where you do not want to run certain sections more than once it can be very useful.

  3. It didn't work for me in the beginning but I figured out why.
    The reason is this part in the xml file:

    <sharedKey>
    <keyType>passPhrase</keyType>
    <protected>true</protected>
    <keyMaterial>01000....9B3DE16</keyMaterial>
    </sharedKey>

    Each time I export the profile (from different computers) the keymaterial is different. I thought it is a hash value of the wifi_key, but it seems it is calculated in a way I don't know. The result is that a profile exported on one computer is not working on another one.

    So I changed the key to "unprotected":

    <sharedKey>
    <keyType>passPhrase</keyType>
    <protected>false</protected>
    <keyMaterial>wifi_password_in_cleartext</keyMaterial>
    </sharedKey>

    Now the file works on each win7 computer.
    If you have doubts about security writing the password in cleartext don't worry because the password can be unhidden in the wifi_settings on the client anyway.

  4. I have this GPO linked to my laptop's OU, for the Windows 7 laptops is working fine, but for Windows 8 Laptops, the text file is there, but the key has not been distributed. Any idea?

    Thanks,

    Replies
    1. The only thing I can think of off the top of my head is something along the lines of UAC or other GPO based restrictions.

      Does the script work if you run it manually when logged on as an admin?

  5. When I try to import the profile in the GPO, I get "The network key has been removed". When I try using the script, the profile is created but it still asks for a key. Any suggestions?

  6. An alternative command which can be used to dump all wireless profiles on a machine is as follows, this will create an xml file for any wireless profile encountered and save it to the folder that the command line is run in

    netsh wlan export profile folder=. key=clear

    The command will ensure that the wireless key is saved in the file in cleartext which should allow the import to be fully successful and prevent any messages along the lines of "The Network Key has been removed"

  7. Thank you so much for this. You made a huge headache so simple.

  8. Thanks for this, I found this very useful.

    I've embraced and extended it and thought I should share

    What I did

    1) export the wlan XML file as above
    2) add the plaintext key in as gerd explains
    3) Use a Group Policy preference to run the script below. I do this by adding HCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and set to run once and do not reapply. This means it runs once when the user first logs into that PC






    ' WifI Loader
    ' Loads WiFi profile
    ' Used to import a WiFi profile with an embedded password
    ' Colin@Chaplin.me.uk
    ' V0.2 Add multiple XMLs

    option explicit

    on error resume next

    dim XMLFilenames

    ' Profile XML files to import (UNC paths)
    XMLFilenames = array("\\fileserver\share\wifiprofile.xml","\\fileserver\share\wifi2.xml")
    Const HKEY_CURRENT_USER = &H80000001
    Const SW_NORMAL = 1

    dim strComputer,strXMLWifI

    strComputer = "."

    ' Import each profile in turn
    for each strXMLWiFi in XMLFilenames
        addWiFi(strXMLWiFi)
    next

    ' Runs "netsh wlan add profile" for one XML file via WMI Win32_Process.Create
    function addWifi(XMLFilename)
        dim objStartup,objConfig,objProcess
        dim objWMIService
        dim intProcessID,intReturn
        dim strCommand

        logit "Adding Wifi Profile " & XMLFilename,4

        strCommand = "cmd /c ""netsh wlan add profile filename=""" & XMLFilename & """ user=all"""

        Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
        Set objConfig = objStartup.SpawnInstance_

        objConfig.ShowWindow = 12

        Set objProcess = objWMIService.Get("Win32_Process")
        intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)

        'wscript.echo "done"
    end function

    ' Sets the RunOnce value InjectBBIWifI2 to an empty string
    ' (defined here but not called anywhere in this script)
    function nukeReg
        dim objRegistry, strKeyPath, strValueName,strValue

        Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

        strKeyPath = "Software\Microsoft\Windows\CurrentVersion\RunOnce"
        strValueName = "InjectBBIWifI2"
        strValue = ""

        objRegistry.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
    end function

    Function logit(text,level)
        ' Writes a simple message to the windows event log
        dim Wshshell
        set WshShell = CreateObject("WScript.Shell")
        WshShell.LogEvent level, text
        logit=1
    end Function

  9. I've used this a couple of times now so thought it would be only fair to share a couple of flourishes I've made


    Below is a Vbscript that will import multiple WifI profiles prepared as described above.

    I would then call it by setting a group policy preference to drop a registry key into

    Software\Microsoft\Windows\CurrentVersion\RunOnce

    of Reg SZ, calling the script, i.e.

    wscript "\\yourdomain\netlogon\LoadWiFi.vbs"

    This will mean the user will get the Wifi settings on first login, silently.






    ' WifI Loader
    ' Loads WiFi profile
    ' Used to import a WiFi profile with an embedded password

    ' Colin@Chaplin.me.uk
    ' V0.2 Add multiple XMLs

    option explicit

    on error resume next

    dim XMLFilenames

    ' Profile XML files to import (UNC paths)
    XMLFilenames = array("\\yourdomain\netlogon\profile1.xml","\\yourdomain\netlogon\profile2.xml")
    Const HKEY_CURRENT_USER = &H80000001
    Const SW_NORMAL = 1

    dim strComputer,strXMLWifI

    strComputer = "."

    ' Import each profile in turn
    for each strXMLWiFi in XMLFilenames
        addWiFi(strXMLWiFi)
    next

    ' Runs "netsh wlan add profile" for one XML file via WMI Win32_Process.Create
    function addWifi(XMLFilename)
        dim objStartup,objConfig,objProcess
        dim objWMIService
        dim intProcessID,intReturn
        dim strCommand

        logit "Adding Wifi Profile " & XMLFilename,4

        strCommand = "cmd /c ""netsh wlan add profile filename=""" & XMLFilename & """ user=all"""

        Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
        Set objConfig = objStartup.SpawnInstance_

        objConfig.ShowWindow = 12

        Set objProcess = objWMIService.Get("Win32_Process")
        intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)

        'wscript.echo "done"
    end function

    Function logit(text,level)
        ' Writes a simple message to the windows event log
        dim Wshshell
        set WshShell = CreateObject("WScript.Shell")
        WshShell.LogEvent level, text
        logit=1
    end Function

  10. I have followed your instructions and it works great for the first user logging in, any subsequent logons it doesn't run. I ran the batch file manually for the second user and it has worked.

    Is anyone aware of a modification to the script so that it checks each user profile rather than just if it is in C:?

    Thanks

    Replies
    1. You probably just need to set the login script to the computer, not user.

  11. I have been working with this for a couple months and it would not work. I finally resolved my two biggest issues:

    1) As mentioned in comments above, I had to edit the XML file to store the clear passphrase unencrypted. (Even though I used the key=clear option in the netsh export command).

    2) This is one I haven't seen anyone else mention...I had to remove the quotes from my UNC path to the xml file. I don't know why this is, and thankfully I don't have any spaces in my path.
    I am using GPO to run a bat file as a logon script, and it wasn't working at all. I decided to run the batch file locally from command prompt and it said the path wasn't found. When it replied with the filename, the quotes were replaced by ö. So I removed the quotes from my bat file and it works perfectly!

  12. Thank you for the wonderful information/steps/details. Much appreciated.

    I took your process a step further and created a package that contains an automated way to push out the changing of a SSID across the network, called: lccWirelessSettingsScripts. I hope this helps others.

    link: http://lcc.ctc.edu/demo/projectlid/LCCWirelessSettingsScripts

    - David Mielcarek

  13. Spectacular, my friend!!!!!... 10 beers please for this Lord
