Any way to mask or hide WiFi keys?


  1. Posts : 2
    XP, Win7, 2k3, 2k8, Ubuntu, Mac OS X
       #1

    Any way to mask or hide WiFi keys?


    Hi,

    I'm starting to deploy Windows 7 in a corporate environment. The problem I've encountered so far is that there's no way to hide the SSID keys. For example, if I configure a laptop for a user, I want to configure the WiFi settings without the person being able to snoop around in the settings and see the WiFi key. This was easy in XP.

    I've also looked at Dell ControlPoint utility which is bundled with our new machines. It's doable with the Dell utility, but that thing is pure bloatware and is a pain to use, even for seasoned IT pros.

    Thanks for any insight,
    danzero


  2. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #2

    Welcome to Seven Forums!

    Are you referring to the SSID itself? Unless the radio utility supports hiding the SSID in the config there's no way to mask it.

    As long as you use a good, strong security mechanism like WPA2-PSK or WPA2-Enterprise (802.1x), hiding the SSID won't cause any problems. Even if someone gets the SSID (it's actually pretty easy with wireless sniffing software) it won't really matter. Without the right security they can't connect.

    If you're talking about PSK Keys, they should be stored encrypted anyway.


  3. Posts : 2,651
    W7 RTM Ultimate x64
       #3

    I don't think there is a way.

    Windows 7 Wireless Networking (show characters) to secured wireless network. - Is there a way to keep the wireless key-paraphrase hidden in Windows 7?

    Discussion started here, still hasn't been answered, but you might like to keep an eye on it, just in case there is a solution. :)


  4. Posts : 289
    Windows 7 Home Premium x64
       #4

    If this is on the Pro version you may be able to leverage something in Group Policy to disable the option box for hiding the key. I don't have access to a version that would have that ability so I can't point you in that direction.


  5. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #5

    I looked around the GPE and didn't see anything.

    But there's got to be a registry setting somewhere...


  6. Posts : 2
    Win7 Pro, AD, ...
       #6

    I found a solution not so simple but it works!


    Hi!

    I have found a solution, which is not very elegant but it works.

    The way is to find the key in the registry where you can unlock the viewing of the WIFI Key.

    For that, you have to find a Key where the value is "CElevateWlanUi"

    In my case, it was in HKEY_CLASSES_ROOT\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}.
    Under this key you have 3 values :
    • The first one (default) with the value "CElevateWlanUi"
    • The second one AccessPermission of type Reg_Binary with a binary value (doesn't matter to understand what it means)
    • The third one is called DllSurrogate with a null value.

    The way I solved the problem is to set up the authorizations of the main key {86F80216-5DD6-4F43-953B-35EF40A35AEE} by a right-click, then "authorizations".
    After that, you have to take possession of this key.
    I set up the owner as our domain administrator.
    For that, click on the button "Advanced", then on the tab "owner", and replace TrustedInstaller by the administrator of my domain.
    Then, I came back to the main panel of authorizations of the main key.
    I deleted the entry LAP505\administrators and the entry LAP505\domain users, and added the entry for my domain administrator with all rights. (LAP505 is the computer name)
    I applied all the modifications.
    I repeated the operation for the second occurrence of the key:
    HKEY_LOCAL_MACHINE\Software\classid\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}

    And when I logged on with a user with local admin privileges, I could connect to the WIFI network, I could access the network center, but I couldn't unmark the "Hide characters". It works!

    Second point: As my users also want to connect their laptop at home on their box, I checked the possibility to add a WIFI connection and it also worked! The only restriction is that they can't see the key once it is entered (for modification, they have to delete the connection and re-create it).
    I hope it will help you!

    Best regards.
    Bernard (from a country where we are more proud of our national rugby team than our national football team (if you see what I mean ...))


  7. Posts : 1
    Windows 7 Premium 64bit
       #7

    Hi,

    Thanks for the great solution. It works.
    Do you know the registry key for the button to export the WLAN profile (see the attached picture)?
    Because the user is able to export the WLAN profile to a USB stick and can import the profile to another PC.
    The biggest problem with the export to USB stick is that a file is created on the stick with the name "wsettings.txt". In this file the user can read the WLAN security key in unencrypted characters. This is really a security leak.

    I hope someone has a solution for this problem.

    Thanks
    [Attached image: greenshot_2010-09-01_07-37-01.jpg]


  8. Posts : 1
    W7 Pro 64
       #8

    local sec policy / GPO


    You can disable the WCN (the button to export the WLAN profile) with local security policy or a GPO. There are two settings (translated from German: computer configuration - policies - administrative templates - network - windows connect now): you can deny the access to WCN and you can say what can be configured with WCN; I blocked Flash memory.

    For the checkbox, it can also be done with a GPO. Create a new GPO, add a value under computer - policies - windows - security - policies - registry and name it CLASSES_ROOT\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}. Configure this key, say replace settings for all sub keys, and change the security of the value to enable admin access (set admin or local admins as owner, check CHANGE). This is needed so that the GPO can change the values.
    Under computer - settings - windows settings - registry, add a reg binary with the name AccessPermission: select HKEY_CLASSES_ROOT as structure, AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE} as Path, AccessPermission as Name, REG_BINARY as ValueType and a hex value like 010004804400 (...).

    How to get the hex value (or how to do this all without a GPO; for instance, if you use images to deploy Windows you can use this):

    Use one Windows 7 PC, open the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}, and change the permissions of the key to have admin as owner and give him full access (incl. sub keys).
    Start dcomcnfg (or use Control Panel), navigate to component services computer - workplace - dcom config, find the object CElevateWlanUi and change the Access permissions to what you like (defaults to system, interactive and self; remove interactive and self, and/or add domain admins or users who should be able to see the WLAN key) and test.

    After this, you will find this access list in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE} in the reg_binary AccessPermission.
    Export the key; it will look like:
    "AccessPermission"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,14,00,\
    00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,\

    Remove the line breaks (\) and remove the commas, so that you have a single number like 010004804400005400... ; this is the value that you need for the GPO.

    You could also only change the access rights to the key as mentioned above to prevent TrustedInstaller from accessing it, but since the AccessPermission is exactly what the name says, I find this better and it can be easily reversed.
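Added example, not part of any post in this thread: a Python sketch that turns an exported `AccessPermission` line into the continuous hex string described in post #8 and decodes the DACL inside it, so the allowed SIDs can be checked before the value goes into a GPO. `SAMPLE_REG` is a constructed descriptor (not the truncated value shown above) and the function names are hypothetical.

```python
import re
import struct

# Constructed sample .reg export (not the value from the thread): a self-relative
# security descriptor whose DACL allows SYSTEM and BUILTIN\Administrators only.
SAMPLE_REG = r'''"AccessPermission"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,14,00,\
  00,00,02,00,34,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00'''

ALLOW, DENY = 0, 1  # ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE

def reg_hex_to_bytes(reg_text):
    """Strip commas, backslashes and line breaks from a .reg 'hex:' value."""
    value = reg_text.split("hex:", 1)[1]
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", value))

def parse_sid(buf, off):
    """Decode the binary SID at offset off into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def dacl_entries(sd):
    """Return [(ace_type, access_mask, sid)] from a self-relative descriptor."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & 0x8000 and control & 0x0004 and dacl):
        raise ValueError("expected a self-relative descriptor with a DACL")
    ace_count = struct.unpack_from("<H", sd, dacl + 4)[0]
    entries, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type not in (ALLOW, DENY):
            raise ValueError("unsupported ACE type %d" % ace_type)
        entries.append((ace_type, mask, parse_sid(sd, off + 8)))
        off += ace_size
    return entries

def allowed_sids(reg_text):
    """SIDs that the exported AccessPermission value grants access to."""
    return [sid for t, _m, sid in dacl_entries(reg_hex_to_bytes(reg_text)) if t == ALLOW]

if __name__ == "__main__":
    print(reg_hex_to_bytes(SAMPLE_REG).hex())  # continuous hex string for the GPO
    for entry in dacl_entries(reg_hex_to_bytes(SAMPLE_REG)):
        print(entry)
```

If `S-1-5-4` (INTERACTIVE) or `S-1-5-10` (SELF) still appears in `allowed_sids`, the default entries that post #8 removes are still in the value.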


  9. Posts : 2
    Win7 Pro, AD, ...
       #9

    steffen0815 said:
    Hi,

    Thanks for the great solution. It works.
    Do you know the registry key for the button to export the WLAN profile (see the attached picture)?
    Because the user is able to export the WLAN profile to a USB stick and can import the profile to another PC.
    The biggest problem with the export to USB stick is that a file is created on the stick with the name "wsettings.txt". In this file the user can read the WLAN security key in unencrypted characters. This is really a security leak.

    I hope someone has a solution for this problem.

    Thanks

    I have found the registry key which prevents the user from exporting to USB flash;
    it is HKEY_CLASSES_ROOT\AppID\{C100BEBB-D33A-4a4b-BF23-BBEF4663D017}

    If you do the same operation as above (modifying authorizations), it works. And the user can always add a new WIFI profile (for example at home).
    It took me a lot of time but I found it!

    And overall, Happy New Year!


  10. Posts : 1
    windows 7 32 bit
       #10

    I cannot find where to do the following. I am in the GPO but don't see the path listed. (policies - windows - security - policies - registry) Thanks!

    For the checkbox, it can also be done with a GPO. Create a new GPO, add a value under computer - policies - windows - security - policies - registry and name it CLASSES_ROOT\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}. Configure this key, say replace settings for all sub keys, and change the security of the value to enable admin access (set admin or local admins as owner, check CHANGE). This is needed so that the GPO can change the values.
    Under computer - settings - windows settings - registry, add a reg binary with the name AccessPermission: select HKEY_CLASSES_ROOT as structure, AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE} as Path, AccessPermission as Name, REG_BINARY as ValueType and a hex value like 010004804400 (...).


 