How to create automatic profiles based on the WiFi network you use

  • Network profiles allow you to automate IP, DNS, firewall, VPN, and shared resources based on the WiFi network or location.
  • Tools like Easy Net Switch, NetSetMan, or TCP/IP Manager extend the native functions of Windows to switch environments with one click.
  • In corporate environments, Intune centrally distributes WiFi profiles (including PSK and EAP in XML) to multiple platforms.
  • Additional security profiles, such as connection profiles and IPsec profiles on routers, complete the protection and automation across sites.

If you're constantly switching between your home Wi-Fi, the office network, the university network, or your mobile hotspot, manually changing network settings is a real pain. Luckily, Windows and other operating systems offer ways to create automatic profiles based on the WiFi network you connect to, control which interface is activated at any given time and apply security policies or firewalls adapted to each environment.

In this article you will see, in detail, how network profiles work, what they allow you to do in Windows, how to integrate them with tools like Intune or with security solutions, which third-party programs let you go further, and how all this fits with concepts like locations, interface priority groups, or IPsec profiles in enterprise routers.

What is a network profile and why would you be interested in using it?

A network profile is basically a set of predefined parameters that are applied to a connection (or several) depending on certain conditions: the WiFi network you connect to, the active interface, the location, etc. These parameters can range from IP and DNS to firewall rules, VPN usage, printers, shared resources, or even custom scripts.

In Windows, the system already classifies networks as public or private. When you connect to a Wi-Fi or LAN network for the first time, the system asks if it's a trusted network. If you say yes, it's considered private; if no, public. Based on this decision, it adjusts the firewall and your device's visibility on the network, relaxing security on home networks or small offices, and strengthening it on networks in hotels, airports, or cafes.

In a private network, Windows assumes you control who connects and that the devices are known. This allows you, for example, to discover other computers on the network, access shared folders, send print jobs to network printers, or use features like HomeGroup or streaming to a Smart TV. The system reduces restrictions because it understands the environment is relatively secure.

In a public network, Windows assumes the network is untrusted. Therefore, it disables device discovery, file and printer sharing, and other services that could expose you to attacks from other connected devices. You can still browse the internet, but your device is isolated from the rest, which is crucial when you connect to the WiFi in a shopping mall, airport, or an open network.

The problem arises when the same laptop is moved around multiple networks with very different requirements. One might require a static IP address, another use DHCP; one might require you to go through a corporate proxy, another to activate a VPN, and yet another might not. Changing this manually each time is tedious and prone to errors. That's where advanced network profiles come in, both in Windows and through specialized programs.

Automate settings when switching WiFi networks in Windows

Windows allows you to define different parameters per network profile (public or private) and per specific connection, but the integrated management falls short if you want to change IP, DNS, proxy, VPN and firewall all at once every time a different SSID is detected. For this, the usual approach is to combine what the system offers with external tools that manage advanced profiles.

In the graphical network management interface of some environments (for example, distributions that use concepts similar to Solaris' NCPs), a distinction is made between reactive and fixed network profiles. The "Automatic" reactive profile first attempts to establish a wired connection and, if that fails, resorts to a wireless connection. The "DefaultFixed" fixed profile defines a static set of interfaces that remain unchanged until modified using command-line tools.

These profiles control which interfaces can be activated or deactivated at any time. On a typical laptop with Ethernet and Wi-Fi, you might want to use only Ethernet when a cable is available and turn off Wi-Fi for security, or vice versa. The Network Preferences GUI usually offers connection status, network profile, and connection properties views, where you can see the current status, which profile is active, and specific properties (IP address, IPv4/IPv6, favorite wireless networks, etc.).

In addition, you can define locations. These group together configurations such as name services, firewall, and IPsec, and are activated manually or conditionally according to rules (for example, an "Office" location if you obtain an IP address from a certain range, and a "Home" location with different policies). Only one location can be active at a time, and it can be changed from the network status icon or with commands like netadm on Solaris-like systems.

Programs to create automatic profiles per WiFi network

To go beyond what Windows offers by default, there are specific tools that allow you to create and apply complete network profiles depending on the network (SSID) you connect to or the active adapter. Many of them support Windows XP through Windows 11.

Easy Net Switch

Easy Net Switch is a paid program for Windows that stands out for the enormous number of network settings it can handle. Although its interface is reminiscent of the Windows XP era, it remains compatible with Windows XP, 7, 8, 10 and 11, and includes both GUI and command-line mode for advanced users.

With Easy Net Switch you can define profiles that control virtually everything: IP address, subnet mask, gateway, DNS, WINS, NetBIOS, MAC spoofing, WiFi, VPN, proxy, firewall, default printer, network drives, static routes, and even run scripts or modify the hosts file. Each parameter is optional; you can limit yourself to the IP and DNS or set up a very complex profile for a corporate environment.

Creating a profile is usually done by clicking the "New" button, using a basic wizard that you can then customize. In the "Network" section, you choose whether the IP address and DNS are obtained via DHCP or are static, and in "Advanced" you can modify WINS, NetBIOS, change the MAC address, clear the DNS cache, and much more. When applying a profile, the program displays a summary of the changes and of any errors, which makes it easier to diagnose if something is not working.

In the WiFi section, Easy Net Switch allows you to define wireless profiles linked to specific SSIDs. You can scan for available networks or enter the name manually, and adjust the authentication: from pre-shared keys (PSK) to strong authentication with RADIUS and various EAP protocols. This allows, for example, the profile with the correct key, appropriate EAP authentication, and, if necessary, the VPN to be automatically prepared every time you see the company's SSID.

The program also manages settings for corporate proxy (including authentication), Dial-Up, VPN, and even offers integrated tools like ping and traceroute, as well as a desktop widget to view the current IP address at all times. Its options include starting with Windows, minimizing to the system tray, disabling automatic Wi-Fi network detection, and password-protecting program access to prevent unauthorized changes.

TCP/IP Manager

TCP/IP Manager is a free and open-source project that, although it hasn't been updated in years, still works well on recent versions of Windows. It focuses on creating unlimited network profiles that quickly change the IP configuration, subnet mask, gateway, DNS, proxy, workgroup name, and MAC address.

One of its advantages is that it allows you to import the current configuration of the system, so you can create a profile from your existing settings without having to manually enter everything. It also offers the option to associate batch files with each profile, so that activating it automatically executes additional commands (for example, mounting network drives or launching a VPN).

Switching between profiles can be done from the interface itself or via hotkeys, ideal for users who need to move quickly between environments (corporate network, lab, client, etc.). Furthermore, the program updates automatically via the web when new versions are available, eliminating the need for manual downloads.

IP Shifter

IP Shifter is a lightweight and free option designed for those who need something simpler. It supports Windows XP and later versions, including Windows 10 and Windows 11, and works with different adapters, both Ethernet and WiFi.

Its main function is to let you change the IP configuration, subnet mask, gateway and DNS of the adapters without restarting. It also handles proxy configurations for browsers like Microsoft Edge or Firefox, integrates a quick ping command, and can detect the devices present on the LAN, as well as display the public IP address that the Internet sees.

It doesn't have the depth of Easy Net Switch or NetSetMan, but for switching between two or three basic environments (for example, a static IP address in an industrial network and DHCP at home) it is usually sufficient.

NetSetMan

NetSetMan is probably the most powerful free alternative to Easy Net Switch. It has a free version with up to eight profiles and a paid Pro version with unlimited profiles and more business-oriented options. Its philosophy is that with a single click you can activate a complete set of network settings.

Among the configurations it allows are the classic ones (IP, mask, gateway, DNS), the workgroup, default printer, network drives, routing table, SMTP server, PC name, MAC address, network card status, interface speed, MTU, VLAN and much more. You can also define VPN server parameters, launch batch, VBScript, or JavaScript scripts when switching profiles, run other programs, and even manage WiFi settings in detail.

The Pro version adds features such as advanced proxy configurations and network domains. These are very useful for integrating with corporate domain environments and centralized proxy servers. However, the free version cannot be used on Windows Server and limits the number of profiles to eight, something to keep in mind if you manage many locations.

WiFi profiles managed with Microsoft Intune

In corporate environments where you manage hundreds or thousands of devices, you can't rely on each user to configure their Wi-Fi network correctly. This is where Microsoft Intune comes in, allowing you to create WiFi profiles and distribute them to Windows, Android, iOS, macOS and other devices in a centralized manner.

An Intune WiFi profile is a set of connection parameters (SSID, security type, authentication method, password, certificates, etc.) assigned to groups of users or devices. Once a device receives the profile, the network appears in the list of known networks, and if it's within range, the device can connect automatically without the user having to change any settings.

To create a standard WiFi profile in Intune, you follow a similar process to other policies: you access the Microsoft Intune Admin Center, go to Devices, Settings, create a new policy, choose the platform (Android, iOS, macOS, Windows 10/11, etc.), and select "Wi-Fi" or the corresponding template as the profile type. Then define the profile name, a description, and configure the platform-specific options: SSID, authentication type (WPA2, WPA3, EAP-TLS, etc.), certificate usage, advanced parameters, and finally assign the profile to the appropriate groups.

The assignment can be filtered with scope tags. These are useful for separating responsibilities between different IT teams (for example, a local support team managing only one country). Once distributed, the profile appears in the Intune profile list and is automatically applied when devices sync.

WiFi profiles with PSK and XML configuration using Intune

In addition to standard WiFi profiles, Intune allows you to define WiFi profiles based on a pre-shared key (PSK) or EAP using custom policies and the WiFi CSP. This is done through XML files that describe the wireless profile and are sent to devices via OMA-URI.

Pre-shared keys are commonly used to authenticate users on home WiFi networks or small wireless LANs. With Intune, you can create a custom device configuration policy that contains the Wi-Fi profile in XML format and an OMA-URI configuration that delivers it to the operating system. This option is available for Android (including Enterprise and Work profile modes), Windows, and EAP-based networks.

For it to work, you need to prepare an XML file that describes the profile, including the profile name, SSID (in text and hexadecimal), authentication type, encryption type, key, connection mode, whether the network is hidden, etc. Optionally, you can extract this XML from a Windows computer that already has the network configured using netsh commands.

Creating a custom policy in Intune involves going back to Devices, Settings, creating a new policy, choosing the platform, and selecting "Custom" as the type. Within the configuration options, add a new OMA-URI entry indicating:

  • Name and configuration description.
  • The appropriate OMA-URI, for example:
    • On Android: ./Vendor/MSFT/WiFi/Profile/{SSID}/Settings
    • On Windows: ./Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml
  • Data type "String".
  • In "Value", the complete XML of the WiFi profile.

It is important that the value of {SSID} in the OMA-URI matches the descriptive network name in the XML profile. If the name contains spaces, they must be encoded as %20 in the OMA-URI. Additionally, in the XML, the field must remain false so that the key is sent in plaintext (encrypted by the management channel, but not obfuscated within the XML). If set to true, the device might expect an encrypted password and fail to connect.

A generic example of a WiFi profile with PSK would include a block with the name, the SSID in hex and text, the values ESS and auto, a block with the authentication type (e.g., WPA2PSK) and encryption (AES), and a block with passPhrase, false and password, where "password" is the plaintext key.

For EAP-based networks, the XML is much more complex because it includes configurations of EapHostConfig, certificates, server validation, CA hash lists, EKU, etc. Parameters such as the EAP type (e.g., 13 for EAP-TLS), the credential source (certificate store), whether or not server validation is allowed, and possible certificate filters using client authentication EKUs are defined.

Once the custom policy is created, it's assigned to the same groups you would use with a standard Wi-Fi profile. When registering or syncing, the device receives the XML file, imports it as a wireless profile, and is ready to automatically connect to that network.

Create the XML from an existing WiFi connection

In many cases, it's more convenient to let Windows generate the XML from an existing, working connection. To do this on a Windows computer, follow these basic steps to export the WiFi profile:

  1. Create a local folder, for example, c:\WiFi.
  2. Open a command prompt as administrator.
  3. Run netsh wlan show profiles to see the names of existing profiles.
  4. Export the desired profile with
    netsh wlan export profile name="ProfileName" folder=c:\WiFi

If the profile includes a pre-shared key and you want the XML to contain the password in plain text (necessary for Intune to use it correctly), add the parameter key=clear to the export command. The generated XML file (with a name similar to Wi-Fi-ProfileName.xml) can be opened with a text editor, reviewed, and copied directly into the OMA-URI configuration value in Intune.

Certain details need to be checked, such as that the element in the exported profile does not include spaces that could cause assignment errors when using Intune, or that the value matches the specified SSID. Additionally, special characters in XML (such as the ampersand &) must be properly escaped to avoid processing errors.
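The checks listed here and in the PSK profile description above can be run over the exported file before its contents are pasted into Intune. The following Python sketch is an added example, not code from Microsoft or from the original article; the element names (name, hex, protected and so on) are those of the Windows WLAN profile schema, and the SSID and key in the sample are constructed.

```python
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample laid out like a `netsh wlan export profile ... key=clear`
# file. The SSID "CorpNet" and the key are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpNet</name>
  <SSIDConfig><SSID><hex>436F72704E6574</hex><name>CorpNet</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>example&amp;key-123</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


def windows_oma_uri(profile_name):
    """Build the Windows OMA-URI; a space in the name becomes %20."""
    quoted = urllib.parse.quote(profile_name, safe="")
    return "./Vendor/MSFT/WiFi/Profile/%s/WlanXml" % quoted


def check_profile(xml_text, oma_uri):
    """Return a list of problems; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["XML is not well-formed (unescaped & or < in a value?): %s" % exc]

    def text(path):
        return root.findtext(path, default="", namespaces=NS) or ""

    problems = []
    name = text("w:name")
    ssid = text("w:SSIDConfig/w:SSID/w:name")
    ssid_hex = text("w:SSIDConfig/w:SSID/w:hex")
    if " " in name:
        problems.append("profile <name> contains a space")
    try:
        if bytes.fromhex(ssid_hex).decode("utf-8") != ssid:
            problems.append("<hex> does not encode the SSID text")
    except ValueError:
        problems.append("<hex> is not valid hexadecimal UTF-8")
    if text("w:MSM/w:security/w:sharedKey/w:protected").strip().lower() != "false":
        problems.append("<protected> is not false; the device would expect an encrypted key")
    if " " in oma_uri:
        problems.append("OMA-URI contains a literal space; encode it as %20")
    parts = oma_uri.split("/")
    uri_name = urllib.parse.unquote(parts[-2]) if len(parts) >= 2 else ""
    if uri_name != name:
        problems.append("{SSID} in the OMA-URI does not match the profile <name>")
    return problems
```

A file exported with key=clear holds the PSK in readable form, so remove it from c:\WiFi once the value has been copied into the policy.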

Best practices when using PSK and rotating keys

When managing WiFi networks with PSK in a corporate environment, it is essential to plan the password rotation. Changing the password abruptly without warning can disconnect many devices that rely on that network to communicate with Intune and receive the new settings.

It is advisable to first check that the devices can connect directly to the access point with the planned configuration, and then to design the key change so that there is an alternative internet connection: a guest network, a temporary parallel Wi-Fi network, or mobile data. This way, even if the corporate Wi-Fi changes its PSK, devices can use the secondary connection to receive the new profile.

It is also advisable to schedule the deployment of new profiles during off-peak hours and notify users that connectivity may be affected for a period of time. This reduces the impact on productivity and facilitates the monitoring of errors or anomalies during the process.

Network connection profiles and firewall rules

Some security solutions, such as endpoint protection suites (hexlock), allow defining custom network connection profiles. These profiles are applied to specific connections based on triggers or conditions. They add an extra layer to the Windows configuration, adjusting the firewall, device visibility, and other protections according to the network.

In the advanced configuration console, there is usually a "Network Connection Profiles" section with predefined profiles such as Private and Public. These profiles cannot be modified or deleted. The Private profile is intended for trusted networks (home or office), where access to shared files, printers, incoming RPC communication, and remote desktop is permitted. The Public profile, on the other hand, blocks file and resource sharing and is intended for untrusted networks.

In addition to these profiles, you can create custom profiles and adjust parameters such as name, description, additional trusted addresses, whether the connection is considered trusted (adding entire subnets to the secure area), and enable features such as "Weak WiFi Encryption Report", which alerts you when you connect to open or poorly protected networks.

Each profile can have activators, that is, conditions that must be met for a profile to be applied to a connection: gateway IP address, Wi-Fi SSID, network type, etc. Profiles are evaluated according to a priority order, and the first one that matches the conditions is applied. This allows, for example, having a specific profile for the company's Wi-Fi, a generic one for home networks, and a very restrictive one for any unknown public network.
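The first-match evaluation described above, as an added Python sketch (not the code of any security product or of the original article). The profile names, SSIDs, addresses and the dictionary layout are constructed for the example; it also covers an IP-range condition like the one used for conditional locations earlier in the article.

```python
import ipaddress

# Constructed profile list, highest priority first. Every name, SSID and
# address here is made up; the last entry has no conditions and acts as
# the restrictive catch-all for unknown networks.
PROFILES = [
    {"name": "Office", "trusted": True,
     "when": {"ssid": "CorpNet", "gateway": "10.20.0.1"}},
    {"name": "Home", "trusted": True,
     "when": {"ssid": "HomeNet", "ip_range": "192.168.1.0/24"}},
    {"name": "Unknown public", "trusted": False, "when": {}},
]


def matches(when, conn):
    """True when every condition listed in `when` holds for the connection."""
    for key, expected in when.items():
        if key == "ip_range":
            addr = conn.get("ip")
            if addr is None:
                return False
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(expected):
                return False
        elif conn.get(key) != expected:
            return False
    return True


def select_profile(conn, profiles=PROFILES):
    """Return the first profile, in priority order, whose conditions all match."""
    for profile in profiles:
        if matches(profile["when"], conn):
            return profile
    return None
```

Because the Office profile requires the gateway as well as the SSID, a network that only shares the name "CorpNet" falls through to the restrictive catch-all, and moving the catch-all to the top of the list would make it win for every connection.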

Profile and location management in advanced environments

In more advanced systems or in enterprise networks with Solaris or other platforms, the concept of network profile is combined with Network Configuration Units (NCUs), priority groups, and locations. Through a graphical interface of Network Preferences or commands such as ipadm, dladm, netcfg and netadm, you can create reactive and fixed profiles, group interfaces, and define activation rules.

The Network Profile view of the GUI displays a list of available profiles, with indicators showing which one is active. System-defined profiles, such as "Automatic" and "DefaultFixed," cannot be edited or deleted, but you can create multiple custom reactive profiles. Each profile includes a set of connections (NCUs) that are activated or deactivated when the profile takes effect.

To organize interfaces, priority groups are used, with three main types:

  • Exclusive: only one connection in the group can be active, and while one is active, lower priority groups are not touched.
  • Shared: all possible connections in the group are activated, and as long as at least one is active, lower groups are not used.
  • All: all must be active; if one fails, all are deactivated, without attempting lower priority groups.

The "Automatic" profile, for example, usually has the wired interfaces in its highest priority group. Wireless connections are in a lower priority group. Therefore, if a cable is available, Ethernet is always prioritized, and Wi-Fi is avoided unless absolutely necessary.

As for the network locations, these group configurations for name services (DNS, LDAP, etc.) and security (configuration files for IP and IPsec firewalls). System locations (Automatic, NoNet, DefaultFixed), manual locations, or conditional locations can be defined. Manual locations are activated manually through the Locations dialog box, while conditional locations are activated based on rules (e.g., network type, obtained IP address, etc.).

From the GUI you can change the activation mode of a location, set it to "manual only" or "triggered by rules", and edit those rules to define exactly in what situations each set of policies is used. Activating a new location always deactivates the previous one, ensuring that only one is active at any given time.

IPsec profiles on routers for secure connections

This whole profiling system isn't limited to end-user devices. It also applies to professional routers, such as the Cisco RV160 and RV260 series, which use IPsec profiles that define how traffic between sites is protected using a VPN.

An IPsec profile groups the algorithms and parameters used in key negotiation (phase I and IKE) and data encryption (phase II). This includes aspects such as the encryption algorithm (3DES, AES-128, AES-192, AES-256), the authentication method (MD5, SHA1, SHA2-256), the Diffie-Hellman group (e.g., Group 2 of 1024 bits or Group 5 of 1536 bits), the duration of security associations (SAs), and whether automatic keying mode (IKEv1 or IKEv2) or manual keying mode is used.

Phase I establishes a secure, authenticated communication between the two VPN endpoints, negotiating keys and authenticating the peers. In this phase, IKEv1 or IKEv2 is chosen, along with the DH group, the encryption algorithm, and the authentication hash, as well as the SA lifetime (for example, 28800 seconds). IKEv2 is usually preferred because it is more efficient, requires less packet exchange, and supports more authentication options.

Phase II handles encrypting the actual traffic. You define whether to use ESP (for encryption and, optionally, authentication) or AH (authentication only, without confidentiality), select the encryption and hashing algorithms again, check if Perfect Forward Secrecy (PFS) is desired, and adjust the IPsec SA lifetime (for example, 3600 seconds). The recommendation is usually that the lifetime of phase I be greater than that of phase II, so that data keys are renewed more frequently than channel keys.

In the configuration of an RV160/RV260, go to the VPN menu > IPSec VPN > IPSec Profiles, add a new profile, name it (for example, "HomeOffice"), choose the key creation mode (Automatic), the IKE version (ideally IKEv2 if both ends support it), the Phase I and Phase II parameters, enable PFS if possible, and select the DH group again for Phase II. Finally, apply and save the configuration so that it persists across reboots by copying the running configuration to the startup configuration.

It is crucial that both ends of a site-to-site tunnel have the same profile parameters (same algorithms, lifetimes, IKE version, PSK or certificates, etc.). Otherwise, the negotiation will fail and the tunnel will not be established.
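Comparing the two ends before bringing a tunnel up catches the mismatches described above. The following Python sketch is an added example, not Cisco's or the original article's code; the dictionary layout, key names and site values are constructed, and the set of options it flags as legacy is this example's own assumption.

```python
import copy

# Constructed settings for the two ends of one tunnel. The dictionary layout
# and key names are this example's own; the option values are ones the
# article lists for IPsec profiles.
SITE_A = {
    "ike_version": "IKEv2",
    "phase1": {"encryption": "AES-256", "auth": "SHA2-256", "dh_group": 5,
               "lifetime": 28800},
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "auth": "SHA2-256",
               "pfs": True, "dh_group": 5, "lifetime": 3600},
}
SITE_B = copy.deepcopy(SITE_A)
SITE_B["ike_version"] = "IKEv1"
SITE_B["phase1"]["dh_group"] = 2
SITE_B["phase2"]["lifetime"] = 28800

# Assumption of this example, not a statement from the article: of the listed
# options, 3DES, MD5 and the 1024-bit DH group 2 are treated as legacy.
LEGACY = {"encryption": {"3DES"}, "auth": {"MD5"}, "dh_group": {2}}


def flatten(profile, prefix=""):
    """Turn the nested profile into {"phase1.lifetime": 28800, ...}."""
    flat = {}
    for key, value in profile.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat


def mismatches(local, remote):
    """Map each differing parameter to its (local, remote) pair of values."""
    a, b = flatten(local), flatten(remote)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def review(profile):
    """Check one profile against the article's recommendations."""
    notes = []
    p1, p2 = profile["phase1"], profile["phase2"]
    if p1["lifetime"] <= p2["lifetime"]:
        notes.append("phase I lifetime (%d s) is not greater than phase II (%d s)"
                     % (p1["lifetime"], p2["lifetime"]))
    if not p2.get("pfs"):
        notes.append("PFS is disabled in phase II")
    for phase in ("phase1", "phase2"):
        for field, weak in LEGACY.items():
            if profile[phase].get(field) in weak:
                notes.append("%s %s=%s is a legacy option"
                             % (phase, field, profile[phase][field]))
    return notes
```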

Taken together, this combination of WiFi profiles, network profiles, locations, Intune configuration, and IPsec profiles on routers allows you to build environments where your computer, laptop, or mobile device almost automatically adapts to the network it's on: it chooses the right interface, applies the correct security, connects to WiFi without user intervention, activates the VPN when needed, and adjusts the firewall to the context. That is, in the end, the most practical and secure way to create automatic profiles based on the WiFi network you use.