You can sort of understand it from a security point of view: it is probably against some form of policy to dish out wireless keys to your users, but it does mean it's us poor buggers who need to manually type the key into each machine before allocating them out to members of staff or putting them in trolleys for the pupils. (That is, if you don't use imaging, such as Ghost/MDT/Ping.)
Now, after a hell of a lot of Group Policy searches via Google, there doesn't seem to be anyone who has bothered to write out a step-by-step guide on how to send out a wireless setting with the key pre-installed. So here I go, finally solving this damn issue that has tormented god knows how many people. The beauty of this method is that it is Microsoft approved, as you don't need any third-party tools to do this. :)
Here we go.
1. First you need a machine, ideally freshly built, no crap on it. Windows 7 of course.
2. You need to set this machine up connected to the desired wireless connection you want, in this example we are going to say the SSID of the school is: ITMagic_WPA.
So join your network and type in the wireless key, in this example we shall say the wireless key is: NoWires12345
3. Once connected to the wireless, if you want to play around with certain settings like Infrastructure only etc., do it now. The method being taught here will also carry these customisations across in the export :)
4. So now we have a fresh Windows 7 machine, connected to our wireless network ITMagic_WPA with the network key NoWires12345 correctly implemented.
5. Now we export it using Microsoft's own netsh command line.
(You might be turning away now, thinking "I've tried this route and didn't succeed", but if you are like me, you probably didn't have time to play with it enough to understand it. Well, I found time and, with a little scripting experience behind me, I figured it out. I still haven't found a website that tells you this part.)
Go to Start, type cmd and open that black window of power (just open the command line).
6. Type in
You will be presented with a list of all the "Wireless Profiles" stored on your machine; if you have only connected to one network, you will have a massive list of... one.
Nine times out of ten, this profile name is identical to your wireless SSID. So let's say I did it with my example profile; the command line would come back with the result:
Well, now I know the name of my profile, I can export it. Of course I don't just export the name, I export everything: the name, the key and any extra settings I might have set.
7. To export type in:
Remember to obviously replace my example with your profile name.
8. By default, this command saves the file to ".\", i.e. the current directory, which for a freshly opened command prompt is your C:\Users\YourLoggedInUser\ folder.
9. You will find an xml file named something like Wireless Network Connection - SSID.xml, so mine would be Wireless Network Connection-ITMagic_WPA.xml. Or something like that, depends if your machine is untouched and fresh.
Save the XML file to a shared area that everyone has access to, let's say the netlogon folder just to keep things simple. If you have a designated scripts share on your server, by all means stick it in there, but remember to change the script below to suit your network.
14. Right, so I've saved my XML file under a shorter name, "WirelessConnect.xml", and saved it to the
15. In the netlogon folder, create a txt document and type in the following script:
IF EXIST C:\WirelessSet.txt GOTO _END
netsh wlan add profile filename="\\dc-01\netlogon\WirelessConnect.xml" user=all >>C:\WirelessSet.txt
:_END
Just make sure your UNC path points at the XML file in your share.
16. Save this file as Win7Wireless.bat or something like that
17. Go to Group Policy and set this wireless script to run at startup for all the Windows 7 machines on your network. Once run, it won't rerun, provided there is a file called WirelessSet.txt on the C:\ of that computer.
Your wireless is now deployed, with a key.
Hope this helps a few people!!
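As an added example (not the post's own script), here is the startup script redone in PowerShell so that it is idempotent: it checks whether the profile is already stored instead of relying on a marker file, and refuses to import an XML whose key was not exported with key=clear, which is what produces the "The network key has been removed" message mentioned in the comments. The profile name, share path and log file name are the walkthrough's example values and are assumptions.

```powershell
# Added example, not from the original post: idempotent startup script that
# imports the exported WLAN profile for all users only when it is missing.
# Assumed values: profile ITMagic_WPA, share \\dc-01\netlogon, log C:\WirelessSet.log.
$ProfileName = 'ITMagic_WPA'
$ProfileXml  = '\\dc-01\netlogon\WirelessConnect.xml'   # from: netsh wlan export profile name="ITMagic_WPA" folder=. key=clear
$LogFile     = 'C:\WirelessSet.log'

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

function Test-WlanProfileExists([string]$Name) {
    # "netsh wlan show profiles" prints one "All User Profile : <name>" line per
    # stored profile (the label is localised on non-English Windows; adjust if needed).
    $lines = & netsh wlan show profiles 2>&1
    $pattern = '^\s*All User Profile\s*:\s*' + [regex]::Escape($Name) + '\s*$'
    return [bool]($lines | Where-Object { $_ -match $pattern })
}

function Test-ProfileKeyIsClear([string]$Path) {
    # An export made without key=clear has <protected>true</protected> and a
    # keyMaterial that only the exporting machine can decrypt, so every other
    # machine imports the profile without its key.
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $protected = $doc.SelectSingleNode('//w:sharedKey/w:protected', $ns)
    return ($null -ne $protected -and $protected.InnerText -eq 'false')
}

if (Test-WlanProfileExists $ProfileName) {
    Write-Log "Profile $ProfileName already present, nothing to do."
    exit 0
}
if (-not (Test-Path -Path $ProfileXml)) {
    Write-Log "Profile XML not reachable at $ProfileXml; check the share and its ACL."
    exit 1
}
if (-not (Test-ProfileKeyIsClear $ProfileXml)) {
    Write-Log "Refusing $ProfileXml: key is not stored in clear (re-export with key=clear)."
    exit 1
}
$output = & netsh wlan add profile filename="$ProfileXml" user=all 2>&1
Write-Log ("netsh exit code {0}: {1}" -f $LASTEXITCODE, ($output -join ' '))
exit $LASTEXITCODE
```

Run it as a computer startup script (not a user logon script) so it executes as SYSTEM once per boot regardless of who logs in.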
Microsoft has no way to do this as you should be using a RADIUS server and WPA2 Enterprise to authenticate domain objects.
Completely agree with this. This is how it "should" be done. Though of course, this being a blog for primary schools, many primary techs will know that RADIUS and WPA2 Enterprise are overkill for fewer than 100 wireless devices; some schools have as few as 15 wireless computers. It's not cost effective for primary schools, and half the time the local authority (local council) will be the ones to decide what goes in their schools.
RADIUS is for enterprise level; a primary school is no more than a small business with few servers (sometimes just the one). Different requirements require different solutions.
Thank you so much for the detailed instructions on how to do this. I have been searching and talking to people for two days before I found this post. Your instructions are spot on, worked perfectly. Again, thanks.
Does the script need that END/IF option? At least I tested this without it and it only adds it once even if the network already exists.
The IF is there to avoid running the command line if the .txt file exists (the script has already run at least once).
The END is there as an anchor point for the IF statement.
If the text file exists then the script will quickly end. This is not so important in a short script like this, but in longer scripts, or those where you do not want to run certain sections more than once, it can be very useful.
It didn't work for me in the beginning, but I figured out why.
The reason is this part in the XML file:
<keyType>passPhrase</keyType>
<protected>true</protected>
<keyMaterial>01000....9B3DE16</keyMaterial>
Each time I export the profile (from different computers) the keyMaterial is different. I thought it was a hash value of the Wi-Fi key, but it seems it is calculated in a way I don't know. The result is that a profile exported on one computer is not working on another one.
So I changed the key to "unprotected":
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>wifi_password_in_cleartext</keyMaterial>
Now the file works on each win7 computer.
If you have doubts about writing the password in cleartext for security reasons, don't worry, because the password can be unhidden in the Wi-Fi settings on the client anyway.
I have this GPO linked to my laptops' OU. For the Windows 7 laptops it is working fine, but for the Windows 8 laptops the text file is there but the key has not been distributed. Any idea?
Thanks,
The only thing I can think of off the top of my head is something along the lines of UAC or other GPO based restrictions.
Does the script work if you run it manually when logged on as an admin?
When I try to import the profile in the GPO, I get "The network key has been removed". When I try using the script, the profile is created but it still asks for a key. Any suggestions?
An alternative command which can be used to dump all wireless profiles on a machine is as follows; this will create an XML file for every wireless profile encountered and save it to the folder that the command line is run in:
netsh wlan export profile folder=. key=clear
The command will ensure that the wireless key is saved in the file in cleartext, which should allow the import to be fully successful and prevent any messages along the lines of "The Network Key has been removed".
Thank you so much for this. You made a huge headache so simple.
Thanks for this, I found this very useful.
I've embraced and extended it and thought I should share.
What I did:
1) export the WLAN XML file as above
2) add the plaintext key in as gerd explains
3) Use a Group Policy preference to run the script below. I do this by adding a value under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and setting it to run once and not reapply. This means it runs once when the user first logs into that PC.
' WiFi Loader
' Loads WiFi profile
' Used to import a WiFi profile with an embedded password
' Colin@Chaplin.me.uk
' V0.2 Add multiple XMLs
Option Explicit
On Error Resume Next   ' errors are suppressed; check the event log entries when troubleshooting
Dim XMLFilenames
' UNC paths of the exported profiles (the key must be stored in clear, as described above)
XMLFilenames = Array("\\fileserver\share\wifiprofile.xml", "\\fileserver\share\wifi2.xml")
Const HKEY_CURRENT_USER = &H80000001
Const SW_HIDE = 0       ' Win32_ProcessStartup.ShowWindow value that keeps the netsh console hidden
Dim strComputer, strXMLWiFi
strComputer = "."
For Each strXMLWiFi In XMLFilenames
    addWiFi strXMLWiFi
Next

' Runs "netsh wlan add profile" for one XML file through WMI so no console window is shown
Function addWiFi(XMLFilename)
    Dim objStartup, objConfig, objProcess
    Dim objWMIService
    Dim intProcessID, intReturn
    Dim strCommand
    logit "Adding WiFi Profile " & XMLFilename, 4
    strCommand = "cmd /c ""netsh wlan add profile filename=""" & XMLFilename & """ user=all"""
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = SW_HIDE
    Set objProcess = objWMIService.Get("Win32_Process")
    ' Create returns 0 when the process was started; any other value is a failure code
    intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)
    If intReturn <> 0 Then logit "Failed to start netsh for " & XMLFilename & " (code " & intReturn & ")", 1
    addWiFi = intReturn
End Function

' Blanks the RunOnce value that launched this script (not called in this version)
Function nukeReg
    Dim objRegistry, strKeyPath, strValueName, strValue
    Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
    strKeyPath = "Software\Microsoft\Windows\CurrentVersion\RunOnce"
    strValueName = "InjectBBIWifI2"
    strValue = ""
    objRegistry.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
End Function

' Writes a simple message to the Windows event log (level 4 = information, 1 = error)
Function logit(text, level)
    Dim WshShell
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.LogEvent level, text
    logit = 1
End Function
I've used this a couple of times now, so thought it would be only fair to share a couple of flourishes I've made.
Below is a VBScript that will import multiple WiFi profiles prepared as described above.
I would then call it by setting a Group Policy preference to drop a registry value into
Software\Microsoft\Windows\CurrentVersion\RunOnce
of type REG_SZ, calling the script, i.e.
wscript "\\yourdomain\netlogon\LoadWiFi.vbs"
This means the user will get the WiFi settings on first login, silently.
' WiFi Loader
' Loads WiFi profile
' Used to import a WiFi profile with an embedded password
' Colin@Chaplin.me.uk
' V0.2 Add multiple XMLs
Option Explicit
On Error Resume Next   ' errors are suppressed; check the event log entries when troubleshooting
Dim XMLFilenames
' UNC paths of the exported profiles (the key must be stored in clear, as described above)
XMLFilenames = Array("\\yourdomain\netlogon\profile1.xml", "\\yourdomain\netlogon\profile2.xml")
Const HKEY_CURRENT_USER = &H80000001
Const SW_HIDE = 0       ' Win32_ProcessStartup.ShowWindow value that keeps the netsh console hidden
Dim strComputer, strXMLWiFi
strComputer = "."
For Each strXMLWiFi In XMLFilenames
    addWiFi strXMLWiFi
Next

' Runs "netsh wlan add profile" for one XML file through WMI so no console window is shown
Function addWiFi(XMLFilename)
    Dim objStartup, objConfig, objProcess
    Dim objWMIService
    Dim intProcessID, intReturn
    Dim strCommand
    logit "Adding WiFi Profile " & XMLFilename, 4
    strCommand = "cmd /c ""netsh wlan add profile filename=""" & XMLFilename & """ user=all"""
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = SW_HIDE
    Set objProcess = objWMIService.Get("Win32_Process")
    ' Create returns 0 when the process was started; any other value is a failure code
    intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)
    If intReturn <> 0 Then logit "Failed to start netsh for " & XMLFilename & " (code " & intReturn & ")", 1
    addWiFi = intReturn
End Function

' Writes a simple message to the Windows event log (level 4 = information, 1 = error)
Function logit(text, level)
    Dim WshShell
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.LogEvent level, text
    logit = 1
End Function
I have followed your instructions and it works great for the first user logging in; on any subsequent logons it doesn't run. I ran the batch file manually for the second user and it has worked.
Is anyone aware of a modification to the script so that it checks each user profile rather than just whether the file is in C:?
Thanks
You probably just need to set the login script to the computer, not user.
I have been working with this for a couple months and it would not work. I finally resolved my two biggest issues:
1) As mentioned in comments above, I had to edit the XML file to store the clear passphrase unencrypted. (Even though I used the key=clear option in the netsh export command).
2) This is one I haven't seen anyone else mention...I had to remove the quotes from my UNC path to the xml file. I don't know why this is, and thankfully I don't have any spaces in my path.
I am using GPO to run a bat file as a logon script, and it wasn't working at all. I decided to run the batch file locally from command prompt and it said the path wasn't found. When it replied with the filename, the quotes were replaced by รถ. So I removed the quotes from my bat file and it works perfectly!
Thank you for the wonderful information/steps/details. Much appreciated.
I took your process a step further and created a package that contains an automated way to push out the changing of a SSID across the network, called: lccWirelessSettingsScripts. I hope this helps others.
link: http://lcc.ctc.edu/demo/projectlid/LCCWirelessSettingsScripts
- David Mielcarek
Spectacular, my friend!!!!!... 10 beers please for this Lord