Deploying Wireless LAN settings with a Pre-Shared Key (PSK) from the command line

Issue

It is possible to deploy Wireless LAN settings in a Group Policy Object (GPO), but a pre-shared key for WPA-PSK cannot be specified.

Resolution

An existing configuration can be exported, altered and then deployed using netsh.

To export an existing Wireless LAN configuration to the current folder:
netsh wlan export profile name="TheEther" folder=.

This will create an XML file Wireless Network Connection-TheEther.xml:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
	<name>TheEther</name>
	<SSIDConfig>
		<SSID>
			<hex>5468654574686572</hex>
			<name>TheEther</name>
		</SSID>
		<nonBroadcast>false</nonBroadcast>
	</SSIDConfig>
	<connectionType>ESS</connectionType>
	<connectionMode>auto</connectionMode>
	<MSM>
		<security>
			<authEncryption>
				<authentication>WPA2PSK</authentication>
				<encryption>AES</encryption>
				<useOneX>false</useOneX>
			</authEncryption>
			<sharedKey>
				<keyType>passPhrase</keyType>
				<protected>true</protected>
				<keyMaterial>01000000D08C9DDF0115D1118C7...</keyMaterial>
			</sharedKey>
		</security>
	</MSM>
</WLANProfile>


Now the protected element needs to be set to false and the keyMaterial element needs to be set to the actual key:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
	<name>TheEther</name>
	<SSIDConfig>
		<SSID>
			<hex>5468654574686572</hex>
			<name>TheEther</name>
		</SSID>
		<nonBroadcast>false</nonBroadcast>
	</SSIDConfig>
	<connectionType>ESS</connectionType>
	<connectionMode>auto</connectionMode>
	<MSM>
		<security>
			<authEncryption>
				<authentication>WPA2PSK</authentication>
				<encryption>AES</encryption>
				<useOneX>false</useOneX>
			</authEncryption>
			<sharedKey>
				<keyType>passPhrase</keyType>
				<protected>false</protected>
				<keyMaterial>myS3cr3t</keyMaterial>
			</sharedKey>
		</security>
	</MSM>
</WLANProfile>


It may be possible in later versions to export an existing Wireless LAN configuration with a cleartext password using the key=clear parameter:
netsh wlan export profile name="TheEther" key=clear folder=.


This XML file can then be imported to any PC:
netsh wlan add profile filename="Wireless Network Connection-TheEther.xml" user=all
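
The edit and import steps above combined into one PowerShell script, as an added example that is not part of the original article. It prompts for the passphrase, writes the cleartext profile to a temporary file restricted to Administrators and SYSTEM, imports it and deletes the file; the parameter name, temporary file name and prompt are assumptions, and the script must be run elevated.

```powershell
# Added example. $ExportedProfile is the file produced by "netsh wlan export profile";
# the temp file name and the interactive prompt are assumptions of this script.
param([Parameter(Mandatory=$true)][string]$ExportedProfile)

$workDir = $env:TEMP
$tmpName = 'wlan-deploy.xml'          # no spaces, so netsh needs no quoting
$tmpPath = Join-Path $workDir $tmpName

# Prompt for the key so it never appears on a command line or in script source.
$secure = Read-Host -AsSecureString 'WPA2 passphrase'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
# keyType passPhrase means a WPA passphrase, which is 8 to 63 characters long.
if ($plain.Length -lt 8 -or $plain.Length -gt 63) { throw 'Passphrase must be 8-63 characters.' }

$xml = New-Object System.Xml.XmlDocument
$xml.Load((Resolve-Path $ExportedProfile).Path)
$nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$nsm.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

$base      = '/w:WLANProfile/w:MSM/w:security/w:sharedKey'
$protected = $xml.SelectSingleNode("$base/w:protected", $nsm)
$material  = $xml.SelectSingleNode("$base/w:keyMaterial", $nsm)
if ($null -eq $protected -or $null -eq $material) {
    throw 'Profile has no sharedKey/protected/keyMaterial elements; is it a PSK profile?'
}
$protected.InnerText = 'false'
$material.InnerText  = $plain         # InnerText XML-escapes &, < and >

Push-Location $workDir
try {
    # Create the file empty, lock its ACL to Administrators and SYSTEM, then write the key.
    Set-Content -Path $tmpPath -Value ''
    icacls $tmpPath /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
    $xml.Save($tmpPath)
    netsh wlan add profile filename=$tmpName user=all
    if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
    # The cleartext key must not outlive the import.
    Remove-Item $tmpPath -Force -ErrorAction SilentlyContinue
}
```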

Products

Microsoft Windows 7 x64 RTM
Microsoft Windows 7 RTM

Created: 2nd September 2010
Updated: 13th December 2017


© 2005-2018 Jamie Morrison