Some time ago, I was asked whether the additional SSID that is to be broadcast in a certain place will not affect people working and connected to the corporate network. This new SSID was intended to be similar and equally important as the corporate one, adhering to the same security policies, but dedicated for different purposes.
I immediately asked about the profile configuration that is to be sent to corporate computers. I got a response and after some time of thinking, I concluded that the answer is not obvious. I conducted tests, which I will describe below. But before I do that, I would like to focus on two things that can be configured in the Wi-Fi profile on a Windows machine, which can have a significant impact on the final result. These are the two following elements that are important in the profile configuration and the final effect we will achieve as a result of implementation:
- ConnectionMode – The ConnectionMode setting in Wi-Fi wireless profiles on a Windows machine is an option that determines how the computer connects to wireless networks. We have two options:
- Manual – When ConnectionMode is set to ‘Manual’, the computer will not automatically connect to the wireless network. Instead, the user must manually select the network and initiate the connection process. This mode is useful for networks that are used infrequently or for networks that require a higher level of security.
- Auto – In ‘Auto’ ConnectionMode, the computer automatically connects to the wireless network whenever it is in range. This is convenient for networks that are used regularly, such as your home or work Wi-Fi. The computer remembers the network and automatically establishes a connection when possible.
- autoSwitch – this parameter in wireless profiles on Windows systems serves to control the automatic switching behavior of the wireless network adapter.
- true/false – when enabled, this feature allows the wireless adapter to automatically switch to a more preferable wireless network if it becomes available. This ensures that the device always maintains the best possible connection without requiring manual intervention. It’s important to note, however, that this feature might lead to frequent network switches in areas with many overlapping wireless networks, which can sometimes cause interruptions or instability in the network connection.
Returning to the analysis, when I analyzed the configuration of the profiles that were to be pushed to the computers, I noticed that the Connection Mode was set to Auto and autoSwitch to true. I assumed what we could expect but nevertheless, I proceeded to the tests.
I created a baseline scenario where one SSID is broadcasted and that SSID has a profile configured and available on the test computer which is POC-SSID-1:
- ConnectionMode: Auto
- autoSwitch: true
The test computer is connected to the test SSID (POC-SSID-1).
The current SSID and the one I will start broadcasting later will be available only for one frequency, in my case 5 GHz.
Profiles available on the computer:
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
Networks visible to the computer, broadcast by the Wi-Fi network:
D:\>netsh wlan show networks | findstr POC-SSID
SSID 1 : POC-SSID-1
Currently connected to the wi-fi network:
D:\>netsh wlan show interface | findstr POC-SSID
SSID : POC-SSID-1
Profile : POC-SSID-1
Then I added a new profile (POC-SSID-2) on the computer with ConnectionMode setup as Auto and autoSwitch as true. At this point, it’s important to note one thing. POC-SSID-2 is not yet broadcasted by the wireless network, only POC-SSID-1 is. Furthermore, when we add a new profile (manually or, for example, through Intune), it will appear at the top of the list, which means it will be preferred more than other profiles below. This depends on the availability of individual SSIDs are being broadcasted.
The situation before adding a new profile:
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
The situation after adding an additional profile:
D:\>netsh wlan add profile filename="Wi-Fi-POC-SSID-2.xml" interface="Wi-Fi"
Profile POC-SSID-2 is added on interface Wi-Fi.
Order of profiles on the computer after adding a new profile:
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-2
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
The next step I checked was whether the current SSID to which the computer is connected will become more preferred than the SSID I just added. First, I checked if after turning off the Wi-Fi interface and then turning it back on and automatically connecting to POC-SSID-1, this profile will become the preferred one. Here are the results
Disabling the interface:
C:\Windows\System32>netsh interface set interface "Wi-Fi" admin=DISABLED
Status before turning on the interface:
C:\Windows\System32>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-2
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
Turning o the interface back.
C:\Windows\System32>netsh interface set interface "Wi-Fi" admin=ENABLED
Connecting to POC-SSID-1
C:\Windows\System32>netsh wlan show interface | findstr POC-SSID
SSID : POC-SSID-1
Profile : POC-SSID-1
The order of profiles after connecting to the network
C:\Windows\System32>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-2
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
Unfortunately, POC-SSID-1 is still second on the list, after reconnecting to this SSID where I still don’t broadcast the second SSID, POC-SSID-2. The next step I took was to restart the computer and check if after this action and connecting to POC-SSID-1, this profile would jump to the first place on the list.
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-2
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
Unfortunately, after re-adding the already present SSID POC-SSID-1, nothing changed. POC-SSID-2 is still in the first place.
At this stage, I started broadcasting the new SSID to confirm that as the new SSID appears, the computer will see it and automatically switch to it according to the profile list.
The SSID to which the computer is connected
D:\>netsh wlan show interface | findstr POC-SSID
SSID : POC-SSID-2
Profile : POC-SSID-2
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-2
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
As soon as I started broadcasting the SSID, the computer automatically connected to the profile that is first on the list, which is the last added profile POC-SSID-2.
At this stage, we already know a lot, so what I did next was to change the autoSwitch setting in the profiles to false.
After the test, I can confirm that after starting the broadcast of POC-SSID-2, the computer did not automatically switch to this SSID, which is the first on the list.
Unfortunately, even if we change the autoSwitch option to false, after disconnecting from the current network to which we were connected, with the ConnectionMode set to auto and the fact that SSID POC-SSID-2 is at the top of the list, we will automatically connect to this SSID without even knowing it. This creates a problem because for end-users it may be an issue, especially when the two SSIDs serve different purposes.
Finally, I should mention that the extra SSID I was instructed to broadcast is intended to facilitate automatic user connections within its range, based on the last SSID they connected to. In essence, if a user opts to connect to this new SSID, they must do so manually. Once connected, the connection should remain stable regardless of circumstances, unless the user chooses to switch back to a different SSID.
In order to achieve this, firstly, we must ensure that ‘autoSwitch’ is not set to ‘true’ for. Secondly, to ensure a seamless migration for users, we need to adjust the priority of the currently used SSID (to the highest) after deploying the new profile to corporate computers. This will place the current SSID back at the top of the list. If someone wishes to connect to the new SSID, they will do so manually and remain connected until they manually switch back to the original SSID.
In an Enterprise environment, this can be accomplished, for example, using Intune. In my test environment, I did this manually, of course before I started broadcasting the new SSID. Here’s the outcome:
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-2
All User Profile : POC-SSID-1
All User Profile : POC_GUEST
D:\>netsh wlan set profileorder name=POC-SSID-1 interface="Wi-Fi" priority=1
Priority order of profile "POC-SSID-1" is updated successfully.
D:\>netsh wlan show profile
User profiles
-------------
All User Profile : POC-SSID-1
All User Profile : POC-SSID-2
All User Profile : POC_GUEST
Summary
If we want to manage two SSIDs that will be broadcast in a given location and have their ConnectionMode set to Auto, I recommend considering the following elements:
- Broadcasting two SSIDs on the same frequency. Otherwise, we might encounter an effect of uncontrolled switching, which is determined by the end device.
- The ‘autoSwitch’ option in the profile should always be set to ‘false’.
- Before we begin broadcasting the new SSID, we should change the priority of the current SSID to the highest after deploying the profiles to corporate computers.