Skip to main content

Windows Wifi Policy

Easily push secure, pre-configured wireless profiles to Windows devices

Updated over 3 weeks ago

What the policy does

The Windows Wi-Fi Policy lets you create one or more wireless profiles and deliver them to any Windows 10/11 edition that supports MDM (Pro, Enterprise, Education, SE, IoT Enterprise / LTSC). As soon as the profile arrives, Swif writes the settings to the native Windows WLAN service, so users connect to the right network the next time Wi-Fi is in range—without having to see or type a password.

If you are looking for RADIUS Wi-Fi policy, you can refer to Configuring a Policy for RADIUS Wi-Fi on Windows.


Typical use-cases

Scenario

Why the Wi-Fi policy helps

First-day provisioning of company laptops

Devices boot, pick up the corporate SSID, and finish onboarding without manual steps.

Rotating PSKs after a security event

Update the Pre-Shared Key / Passphrase field and redeploy—old keys are overwritten automatically.

Moving to WPA2-Enterprise or WPA3-Enterprise

Supply EAP settings and certificates once; every targeted device switches to certificate-based auth.

Guest network with proxy

Push a separate guest SSID, mark it Metered and attach proxy details so browsers route traffic correctly.


Supported OS versions

  • Windows 10+: Pro, Enterprise, Education

  • Windows SE 10+

  • IoT Enterprise / LTSC 10+


Key settings you’ll see in the Swif console

Field

What it controls

Notes / Minimum OS

SSID (Network name)

The broadcast name of the WLAN the device should join.

Required

Hidden network

True = connect even if SSID isn’t advertised.

Win 10+

Connect automatically

Join as soon as the network is in range.

Win 10+

Authentication

Open, WPA-Personal/WPA2-Personal, WPA2-Enterprise, WPA3, etc.

Choose Personal for PSK, Enterprise for EAP.

Encryption

TKIP, AES, GCMP (varies by auth type).

Auto-selected for most modes.

Pre-Shared Key / Passphrase

The PSK used in WPA-Personal modes.

Stored encrypted in the policy payload.

EAP Method

TLS, PEAP-MSCHAPv2, TTLS, FAST.

Enterprise modes only.

Root CA certificate

Thumbprint or upload of the CA that issued the AP cert.

Ensures validation on connect.

Client certificate

User or device certificate for EAP-TLS.

Optional unless EAP-TLS is selected.

Proxy settings

None / Manual / PAC file.

Use for guest or inspection networks.

Metered connection

True marks the network as metered to reduce background data usage.

Win 10+

Priority

If a device has multiple Wi-Fi profiles, lower numbers are tried first.


Creating the policy

  1. Device Management → Policies → Add Policy → Windows tabWindows Wi-Fi Policy.

  2. Fill the Policy name and (optionally) a description.

  3. Complete the Settings section using the table above.

    • For enterprise auth, upload or reference certificates before saving.

  4. Click Continue, choose the devices or device groups that should receive the profile, and Publish.

Swif queues the profile immediately. Most online devices apply it within a few minutes; offline devices receive it at their next check-in.


What the end-user sees

Nothing. The profile is added under Settings → Network & Internet → Wi-Fi → Manage known networks. If Connect automatically is set, Windows switches to the new network silently. If credentials are wrong or a certificate is missing, Windows shows its standard network-error toast and Swif records a Failed status on the device.


Monitoring & troubleshooting

  • Device details → Policies tab shows whether the Wi-Fi policy is Pending, Succeeded, or Failed.

  • Activity Log records every policy delivery and any Windows MDM error codes.

  • To rotate keys or change settings, edit the existing policy; Swif pushes a revision and overwrites the old profile.


Tips & best practices

Tip

Why it matters

Push enterprise Wi-Fi + root CA + client cert in one policy

Ensures the network is usable on first attempt—no partial connections.

Use Priority = 1 for corporate, 2 for guest

Devices always prefer the secure network when both are available.

Enable Metered on mobile-hotspot SSIDs

Prevents Windows Update or OneDrive sync from consuming cellular data.

Rotate PSKs every quarter

Just update the passphrase and save—the new key is distributed automatically.

With the Windows Wi-Fi Policy, network onboarding and key rotation are no longer ticket-generating events—one save and Swif handles the rest.

Swif Policy glossary – see All Windows policies article for context.

Did this answer your question?