Summary: In the K12 education world, laptops are becoming more and more prevalent, and so is Wi-Fi. Unfortunately, limited users are allowed to forget Wi-Fi networks, turn on Airplane Mode, and disable Wi-Fi altogether, ruining the experience for the next user.

Technical Details and Assumptions

  • We are assuming there is no MDM solution in place (e.g. Jamf, Intune, etc.)
  • We assume you’re running on-prem Active Directory (for the Group Policy portions)
  • We assume you are not using certificate-based authentication (and therefore, not simply deploying Wi-Fi Profiles with GPO)
  • We assume the profile has been loaded somehow already

Requirements

  • You have a method of deploying the Wi-Fi key (i.e. with netsh wlan add profile filename=Private-Wi-Fi.xml user=all)
  • A method to do this offline (which is what I’m doing)
  • Tested on Windows 11 and 10

Method

  1. Create (or edit) a Group Policy Object targeting the computers.
  2. Edit the GPO above with the following:
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (802.11) Policies -> Create new policy
      • This policy is to filter out any networks that are not your network. Ensure you type in your private Wi-Fi name correctly - this will block all other networks from being visible or connectable until removed.
      • Click the Network Permissions tab.
      • Add -> Network Name - Private-WiFi, Network type - Infrastructure, Permission - Allow
      • Prevent connections to ad-hoc networks
      • Prevent connections to infrastructure networks
    2. Computer Configuration -> Preferences -> Windows Settings -> Files (NOTE: Replace anything in ALL CAPS with the correct values - GUID is the GPO’s GUID and changes for each object you create)
      • Source File - \\DOMAIN\SysVol\DOMAIN\Policies\{GUID}\Machine\Scripts\Startup\Set-NetAdapterRadioPowerState.ps1
      • Destination File - C:\TECH-SUPPORT\Set-NetAdapterRadioPowerState.ps1
      • Suppress errors on individual file actions
    3. Computer Configuration -> Preferences -> Windows Settings -> Files (NOTE: Replace anything in ALL CAPS with the correct values - GUID is the GPO’s GUID and changes for each object you create)
      • Source File - \\DOMAIN\SysVol\DOMAIN\Policies\{GUID}\Machine\Scripts\Startup\Force Wireless On.cmd
      • Destination File - C:\TECH-SUPPORT\Force Wireless On.cmd
      • Suppress errors on individual file actions
    4. Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks -> New Windows 7 and higher
      • Security Options -> Run as NT AUTHORITY\SYSTEM, (o) Run whether user is logged on or not, Run with highest privileges
      • Triggers -> New… -> Begin the task - At startup
      • Actions -> New… -> Start a program -> C:\TECH-SUPPORT\Force Wireless On.cmd
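
Step 4 runs whatever sits in C:\TECH-SUPPORT as NT AUTHORITY\SYSTEM at every startup, and a folder created at the root of C: normally inherits a Modify grant for Authenticated Users, so the folder's ACL decides who controls what SYSTEM executes. The following PowerShell is an added example, not part of the original post: it lists write-capable permissions held by anyone other than SYSTEM or Administrators on that folder and, if it finds any, replaces the ACL with those two principals only. The function names are hypothetical; the path is the one used in the steps above.

```powershell
# Added example, not from the original post. Run elevated.
# Function names are hypothetical; the path comes from the GPO steps above.
$ScriptDir = 'C:\TECH-SUPPORT'

# Well-known SIDs, so the check does not depend on the display language.
$SidType = [System.Security.Principal.SecurityIdentifier]
$System  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$Admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

# Rights that allow replacing or altering the scripts SYSTEM will run.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-RiskyAce {
    param([string]$Path)
    # Return Allow ACEs (explicit and inherited) that carry write-type rights
    # for any principal other than SYSTEM or Administrators.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $WriteMask) -ne 0 -and
        $_.IdentityReference.Value -notin @($System.Value, $Admins.Value)
    }
}

function Set-LockedDownAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from C:\ and drop inherited ACEs
    # Remove any explicit ACEs already on the folder.
    foreach ($rule in @($acl.GetAccessRules($true, $false, $SidType))) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
    }
    # The startup task runs as SYSTEM, so standard users need no access at all.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($sid in @($System, $Admins)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $none,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (Test-Path -LiteralPath $ScriptDir) {
    $risky = @(Get-RiskyAce -Path $ScriptDir)
    $risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    if ($risky.Count -gt 0) { Set-LockedDownAcl -Path $ScriptDir }
}
```

The Group Policy Files items in steps 2 and 3 keep working after the lockdown, because computer-side preferences copy the files as SYSTEM.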

Scripts used

Set-NetAdapterRadioPowerState.ps1

# Set-NetAdapterRadioPowerState.ps1
# credit to ben-n on superuser; adapted from https://superuser.com/a/1293303

[CmdletBinding()] Param (
    [Parameter(Mandatory=$true)][ValidateSet('Off', 'On')][string]$WifiStatus
)

# Load the WinRT interop helpers and find the generic AsTask(IAsyncOperation<T>) overload.
Add-Type -AssemblyName System.Runtime.WindowsRuntime
$asTaskGeneric = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object { $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]

# Block until a WinRT async operation completes and return its result.
Function Await($WinRtTask, $ResultType) {
    $asTask = $asTaskGeneric.MakeGenericMethod($ResultType)
    $netTask = $asTask.Invoke($null, @($WinRtTask))
    $netTask.Wait(-1) | Out-Null
    $netTask.Result
}

# Load the WinRT radio types used below.
[Windows.Devices.Radios.Radio,Windows.System.Devices,ContentType=WindowsRuntime] | Out-Null
[Windows.Devices.Radios.RadioAccessStatus,Windows.System.Devices,ContentType=WindowsRuntime] | Out-Null
[Windows.Devices.Radios.RadioState,Windows.System.Devices,ContentType=WindowsRuntime] | Out-Null

# Request access to the radios, then enumerate them.
Await ([Windows.Devices.Radios.Radio]::RequestAccessAsync()) ([Windows.Devices.Radios.RadioAccessStatus]) | Out-Null
$radios = Await ([Windows.Devices.Radios.Radio]::GetRadiosAsync()) ([System.Collections.Generic.IReadOnlyList[Windows.Devices.Radios.Radio]])

# Set every Wi-Fi radio to the requested state; do nothing if the machine has none.
foreach ($wifi in @($radios | Where-Object { $_.Kind -eq 'WiFi' })) {
    Await ($wifi.SetStateAsync($WifiStatus)) ([Windows.Devices.Radios.RadioAccessStatus]) | Out-Null
}

Force Wireless On.cmd

@echo off
echo Checking for Wi-Fi interface...
netsh interface show interface | find "Wi-Fi"
IF %ERRORLEVEL% EQU 1 goto EndOfScript

echo Disabling Airplane mode...
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RadioManagement\SystemRadioState /ve /t REG_DWORD /d 0 /f
%__APPDIR__%wbem\wmic.exe path win32_networkadapter where NetConnectionID="Wi-Fi" call enable
netsh interface set interface "Wi-Fi" admin=enabled
echo Enabling software radio...
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe -Noninteractive -ExecutionPolicy Bypass -Noprofile -File C:\TECH-SUPPORT\Set-NetAdapterRadioPowerState.ps1 -WifiStatus On

ping -n 3 127.0.0.1

REM *******
REM *** Wi-Fi should be on now
REM *******
netsh wlan show interfaces | find "Private-WiFi"
IF %ERRORLEVEL%==1 (
    netsh wlan connect name=Private-WiFi
)

:EndOfScript

Testing

As a standard user:

  • Go to the Quick Access area and turn off the Wi-Fi. After a reboot, Wi-Fi should come back on.
  • Go to the Quick Access area and turn on Airplane mode. After a reboot, Airplane mode should be off and Wi-Fi back on.
  • Go to the Quick Access area, tell Wi-Fi to forget your network, and disconnect. After a reboot, the network should come back.