I've got 300+ win7 clients I need to deploy WPA2 Personal PSK on. I can use a GPO to deploy the SSID information on the clients which is good but not the PSK. Is there a clean/easy way to script it so the PSK can be entered on the machines?
If possible I don't want to give the PSK to the end users.
If you preinstall a shared key on 300+ machines in the hands of users, don't expect it to remain a secret for long.
Even if you don't want to do per-user authentication, you'd be better off going with WPA2-Enterprise (WPA2 with 802.1X authentication) and using EAP-TLS and per-machine certificates. That way, even if someone does manage to export/extract the private key that goes with their machine's TLS cert, you can revoke and re-key that one machine without having to re-key your entire fleet.
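The per-machine revocation described in the answer above, as an added example that is not part of the original post. It assumes the `openssl` CLI, a throwaway demo CA, and two hypothetical machine names; `openssl verify` with a CRL stands in for the check an authentication server would perform.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, two hypothetical machines, one revoked and re-keyed.
revocation_demo() (
  set -e
  dir=$(mktemp -d) && cd "$dir"
  mkdir certs && : > index.txt && echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./certs
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  ca="openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key"
  # issue NAME FILE: new key pair and CA-signed client certificate for one machine
  issue() {
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$2.key" -out "$2.csr" 2>/dev/null
    $ca -notext -in "$2.csr" -out "$2.pem" 2>/dev/null
  }
  # check FILE: CRL-aware validation, as the authentication server would do it
  check() {
    if openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$1.pem" >/dev/null 2>&1
    then echo "$1 accepted"; else echo "$1 rejected"; fi
  }
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo WLAN CA" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout ca.key -out ca.pem 2>/dev/null
  issue laptop-001 laptop-001
  issue laptop-002 laptop-002
  $ca -revoke laptop-002.pem 2>/dev/null   # key extracted: revoke this one cert
  issue laptop-002 laptop-002-rekeyed      # re-key only the affected machine
  $ca -gencrl -out crl.pem 2>/dev/null     # publish the updated CRL
  check laptop-001; check laptop-002; check laptop-002-rekeyed
  cd / && rm -rf "$dir"
)
```

Calling `revocation_demo` prints one line per certificate: the untouched machine and the re-keyed one are accepted, and only the revoked certificate is rejected.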
(Apologies if this is me being dense)
If you did find a way to deploy the key, surely you would break wireless connectivity for your users since you find yourself in a catch-22 situation.
Example
Old WPA key is abc (which the laptops already have stored). Your script deploys the new key 123. Wireless is now broken because the laptop now thinks the key is 123 but your access points know it is still abc.
Conversely, you change your access points so the key is now 123, but your laptops still believe it to be abc, thus they cannot connect to get group policy settings, to be deployed this new key.
You also have the problem, which has already been pointed out that the key can very easily be obtained. I personally have used such programs before as a favour to one of our employees who got a new laptop, didn't know their home wireless password but had it on their old laptop.