How to Disconnect from a Wi-Fi Network in Batch Script
There are times when the most secure network is no network at all. If you are performing a sensitive local backup, running a system diagnostic, or preparing a laptop for secure transit, you may want to ensure the wireless card is not connected or searching for open hotspots. Rather than physically disabling the hardware or clicking through the system tray, a Batch script can force an immediate, clean disconnection from your current Wi-Fi network. This allows for air-gapped automation where your machine only stays online when it is absolutely necessary.
This guide will explain how to programmatically disconnect from Wi-Fi using netsh.
Method 1: Disconnecting from the Current Network
The netsh wlan disconnect command immediately breaks the current wireless association without disabling the Wi-Fi card itself. The card remains powered on and can scan for networks, but it will not be connected to any.
@echo off
setlocal enabledelayedexpansion
rem --- Verify the Wireless AutoConfig service is running ---
sc query WlanSvc 2>nul | findstr /i /c:"RUNNING" >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] The Wireless AutoConfig service is not running.
echo [INFO] This machine may not have a Wi-Fi adapter.
endlocal
pause
exit /b 1
)
rem --- Check if there is an active Wi-Fi connection to disconnect from ---
set "CurrentSSID="
for /f "tokens=1,* delims=:" %%a in (
'netsh wlan show interfaces 2^>nul ^| findstr /r /c:"^ *SSID"'
) do (
echo %%a | findstr /i /c:"BSSID" >nul
if !errorlevel! neq 0 (
if not defined CurrentSSID (
set "CurrentSSID=%%b"
if defined CurrentSSID set "CurrentSSID=!CurrentSSID:~1!"
)
)
)
if not defined CurrentSSID (
echo [INFO] No active Wi-Fi connection detected. Already disconnected.
endlocal
pause
exit /b 0
)
echo [SECURITY] Disconnecting from "!CurrentSSID!"...
rem --- Force the current wireless interface to drop the connection ---
netsh wlan disconnect
if %errorlevel% neq 0 (
echo [ERROR] Disconnect command failed.
endlocal
pause
exit /b 1
)
rem --- Wait briefly for the disconnection to take effect ---
timeout /t 3 /nobreak >nul
rem --- Verify the disconnection actually happened ---
set "VerifySSID="
for /f "tokens=1,* delims=:" %%a in (
'netsh wlan show interfaces 2^>nul ^| findstr /r /c:"^ *SSID"'
) do (
echo %%a | findstr /i /c:"BSSID" >nul
if !errorlevel! neq 0 (
if not defined VerifySSID (
set "VerifySSID=%%b"
if defined VerifySSID set "VerifySSID=!VerifySSID:~1!"
)
)
)
if not defined VerifySSID (
echo [SUCCESS] Wi-Fi disconnected.
echo [INFO] The Wi-Fi radio is still on but not associated with any network.
echo [INFO] If an Ethernet cable is connected, you may still have network access.
) else (
echo [WARN] Disconnect command was sent but "!VerifySSID!" is still connected.
echo [WARN] Windows may have auto-reconnected. See Method 3 to prevent this.
)
endlocal
pause
Key details:
- Pre-check: The script detects the current SSID before disconnecting, so it can report what it is disconnecting from and detect if there is nothing to disconnect.
- Post-verification:
netsh wlan disconnectreturnserrorlevel 0when the command is accepted, not when the disconnection is confirmed. The script waits 3 seconds and then checks whether an SSID is still active. - Ethernet awareness: The success message reminds the user that disconnecting Wi-Fi does not guarantee the machine is fully offline. An active Ethernet connection will continue to provide network access.
- BSSID exclusion: When reading the SSID from
show interfaces, the script filters outBSSIDlines to avoid matching the router's MAC address.
Disconnect ≠ Disable. When you disconnect from Wi-Fi, the radio is still on. The adapter continues listening for nearby networks and is visible to wireless scanners. If you need to completely silence the radio for security or battery savings, use netsh interface set interface "Wi-Fi" disable instead.
Method 2: Disconnecting a Specific Adapter
If your laptop has two Wi-Fi cards (e.g., an internal card and a USB dongle) and you only want to disconnect one of them, specify the interface name.
@echo off
setlocal enabledelayedexpansion
set "Adapter=Wi-Fi 2"
rem --- Verify the Wireless AutoConfig service is running ---
sc query WlanSvc 2>nul | findstr /i /c:"RUNNING" >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Wireless AutoConfig service is not running.
endlocal
pause
exit /b 1
)
rem --- Verify the specified adapter exists ---
netsh wlan show interfaces 2>nul | findstr /i /c:"%Adapter%" >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Adapter "%Adapter%" not found.
echo [INFO] Available wireless interfaces:
echo.
rem --- List adapter names (the "Name" label may be translated, ---
rem --- but adapter names themselves are language-independent) ---
netsh wlan show interfaces
endlocal
pause
exit /b 1
)
echo [ACTION] Disconnecting adapter "%Adapter%"...
netsh wlan disconnect interface="%Adapter%"
if %errorlevel% neq 0 (
echo [ERROR] Disconnect command failed for "%Adapter%".
endlocal
pause
exit /b 1
)
timeout /t 3 /nobreak >nul
echo [SUCCESS] Adapter "%Adapter%" disconnected.
endlocal
pause
Finding adapter names: Run netsh wlan show interfaces and look for the Name field. Common names include Wi-Fi, Wi-Fi 2, Wireless Network Connection, or custom names assigned by the user. The adapter name itself is not translated: it is either a Windows default or user-defined.
Method 3: Persistent Disconnection (Prevent Auto-Reconnect)
The biggest problem with simply disconnecting is that Windows has an aggressive auto-connect feature. Within seconds, it may detect the same network's signal and reconnect automatically. This script disconnects and sets all saved profiles to manual connection mode, ensuring the machine stays offline until you explicitly reconnect.
@echo off
setlocal enabledelayedexpansion
echo [HARDENING] Entering offline mode...
rem --- Verify the Wireless AutoConfig service is running ---
sc query WlanSvc 2>nul | findstr /i /c:"RUNNING" >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Wireless AutoConfig service is not running.
endlocal
pause
exit /b 1
)
rem --- Step 1: Disconnect from the current network ---
echo [STEP 1] Disconnecting from Wi-Fi...
netsh wlan disconnect >nul 2>&1
timeout /t 2 /nobreak >nul
rem --- Step 2: Set all saved profiles to manual connection mode ---
rem --- This prevents Windows from auto-reconnecting to any network ---
echo [STEP 2] Disabling auto-connect on all saved profiles...
set "ProfileCount=0"
for /f "tokens=1,* delims=:" %%a in (
'netsh wlan show profiles 2^>nul'
) do (
rem --- Only process lines that contain a profile name ---
rem --- Profile lines have a value after the colon ---
set "ProfileName=%%b"
if defined ProfileName (
rem --- Trim the leading space after the colon ---
set "ProfileName=!ProfileName:~1!"
rem --- Skip empty results and header lines ---
if defined ProfileName (
rem --- Verify this is actually a profile name by checking ---
rem --- if it contains typical non-profile characters ---
echo "!ProfileName!" | findstr /r /c:"^\"-" >nul
if !errorlevel! neq 0 (
netsh wlan set profileparameter name="!ProfileName!" connectionmode=manual >nul 2>&1
if !errorlevel! equ 0 (
echo [OK] "!ProfileName!" set to manual.
set /a ProfileCount+=1
)
)
)
)
)
if !ProfileCount! equ 0 (
echo [INFO] No saved Wi-Fi profiles found.
) else (
echo [INFO] !ProfileCount! profile^(s^) set to manual connection mode.
)
rem --- Step 3: Verify disconnection ---
timeout /t 2 /nobreak >nul
set "StillConnected="
for /f "tokens=1,* delims=:" %%a in (
'netsh wlan show interfaces 2^>nul ^| findstr /r /c:"^ *SSID"'
) do (
echo %%a | findstr /i /c:"BSSID" >nul
if !errorlevel! neq 0 (
if not defined StillConnected (
set "StillConnected=%%b"
if defined StillConnected set "StillConnected=!StillConnected:~1!"
)
)
)
if not defined StillConnected (
echo.
echo [SUCCESS] Wi-Fi is disconnected and auto-connect is disabled.
echo [INFO] To reconnect, run: netsh wlan connect name="YourNetwork"
echo [INFO] To re-enable auto-connect, run Method 4 (Restore^) below.
) else (
echo.
echo [WARN] Wi-Fi still shows "!StillConnected!" as connected.
echo [WARN] Try disconnecting manually or disabling the adapter.
)
endlocal
pause
Method 4: Restoring Auto-Connect
After using Method 3, you need a way to restore automatic connections when you want to go back online.
@echo off
setlocal enabledelayedexpansion
echo [RESTORE] Re-enabling auto-connect on all saved profiles...
set "ProfileCount=0"
for /f "tokens=1,* delims=:" %%a in (
'netsh wlan show profiles 2^>nul'
) do (
set "ProfileName=%%b"
if defined ProfileName (
set "ProfileName=!ProfileName:~1!"
if defined ProfileName (
echo "!ProfileName!" | findstr /r /c:"^\"-" >nul
if !errorlevel! neq 0 (
netsh wlan set profileparameter name="!ProfileName!" connectionmode=auto >nul 2>&1
if !errorlevel! equ 0 (
echo [OK] "!ProfileName!" set to automatic.
set /a ProfileCount+=1
)
)
)
)
)
if !ProfileCount! equ 0 (
echo [INFO] No saved Wi-Fi profiles found.
) else (
echo [INFO] !ProfileCount! profile^(s^) restored to automatic mode.
echo [INFO] Windows will now auto-connect to known networks.
)
endlocal
pause
How to Avoid Common Errors
Wrong Way: Assuming Disconnect Means Fully Offline
Disconnecting Wi-Fi drops the wireless association, but the machine may still have network access through Ethernet, a VPN adapter, or a mobile hotspot USB device.
rem *** BAD: assumes the machine is completely offline ***
netsh wlan disconnect
echo Machine is now air-gapped.
Correct Way: If you need a true air gap, verify all network interfaces are down, not just Wi-Fi.
rem --- Check if any adapter still has connectivity ---
ping -n 1 -w 1000 8.8.8.8 >nul 2>&1
if %errorlevel% equ 0 (
echo [WARN] Machine still has network access (likely Ethernet^).
) else (
echo [OK] No network connectivity detected.
)
Wrong Way: Not Handling Auto-Reconnect
Windows aggressively reconnects to saved networks. A simple disconnect may last only seconds before the connection is silently restored.
rem *** BAD: Windows reconnects within seconds ***
netsh wlan disconnect
echo Offline forever!
Correct Way: Use Method 3 to set profiles to manual mode, or disconnect and immediately disable the adapter if you need a guaranteed offline state.
Wrong Way: Parsing Profile Names Without Quotes
Profile names can contain spaces (e.g., "Office Guest WiFi"). Passing them to netsh without quotes breaks the command.
rem *** BAD: breaks on profile names with spaces ***
netsh wlan set profileparameter name=Office Guest WiFi connectionmode=manual
Correct Way: Always quote the profile name.
rem *** GOOD: handles spaces in profile names ***
netsh wlan set profileparameter name="Office Guest WiFi" connectionmode=manual
Best Practices and Rules
1. Check for Ethernet Fallback
Disconnecting from Wi-Fi does not guarantee offline status. If an Ethernet cable is plugged in, Windows automatically routes traffic through it. Always verify actual connectivity status if a true air gap is required.
2. Verify the Disconnection
After running netsh wlan disconnect, check netsh wlan show interfaces to confirm no SSID is active. The netsh command returns success when the command is sent, not when the disconnection is confirmed.
3. Log Security-Sensitive Disconnections
In high-security environments, log every manual disconnection with a timestamp and username. This provides an audit trail showing when and why the machine was taken offline.
echo %date% %time% - %USERNAME% - Manual Wi-Fi disconnect >> "%~dp0security_audit.log"
4. Remember to Restore Auto-Connect
If you use Method 3 to disable auto-connect on all profiles, remember to restore them when the offline period is over. Otherwise, users will find that their laptop no longer connects to Wi-Fi automatically after a reboot, leading to confusion and support tickets.
5. Use setlocal / endlocal
Always wrap scripts in setlocal and endlocal to prevent variables from leaking into the parent environment.
Conclusions
Disconnecting from a Wi-Fi network via Batch script provides a vital layer of security and control for mobile Windows environments. The key challenges are: Windows aggressively auto-reconnects to saved networks (solved by setting profiles to manual mode), netsh wlan disconnect confirms the command was sent but not that the disconnection succeeded (solved by post-verification), and disconnecting Wi-Fi does not guarantee the machine is fully offline (Ethernet may still be active). By combining immediate disconnection, auto-connect suppression, verification, and logging, you build a reliable automation tool for air-gapped operations, secure transit preparation, and controlled network isolation.