Mark Minasi's Windows Networking Tech Page
Issue #106 April 2013

Document copyright 2013 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Learn with My Seminars, Audio Recordings and More!
  • Tech Section
    • Solving the "How Do I Change My Firewall Profile in Windows 8?" Puzzle
  • Conferences
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

This issue is a short but, I hope, useful one.  Ever since Windows 8 appeared, I've seen people ask on various forums and sites, "how the heck do I switch a network connection's firewall profile from Public to Private and vice versa?  It was easy in Windows 7...," and you can probably guess the rest.  I have to make the switch regularly to make some useful PowerShell remote stuff work, so it seemed worth spending a little time documenting how to make the Public/Private split in both the GUI (it's not where you expect) and via PowerShell (which really is the easier way in many cases).  But first, a word from our sponsor...

Bring Mark's Windows 10 Support Class and Our PowerShell Classes to Your Site

Mark has delivered his new "Deploying, Managing and Securing "the Last Windows: Working with Windows 10" class to nearly a dozen clients, and the reviews are uniformly great.  Designed for the Windows 7 support pro, this course tells you everything you need to know to support, deploy, or manage Windows 10 systems.  Fast-paced, lecture-based and entertaining, this course gives you the shortest path to Windows 10 expertise. Learn about Windows 10's completely new licensing approach.  See how to enable the new "parallel universe" security tools.  Discover the cloud-y new tools in Windows 10 like joining a system not to an Active Directory but instead to a cloud.  Find out what you can learn at our course outline at http://www.minasi.com/w10class.htm. 

To bring this class to your site, just drop us a line at assistant@minasi.com.

And while you're at it, are your folks PowerShell adepts?  There really isn't a productivity-enhancer available for Windows support people like PowerShell.  Bring Mark's "Learning PowerShell: Hands-On with AD, Networking, and More" class to your site and he'll make your command-line-hating techies into PowerShell fans.  Outline at http://www.minasi.com/Posh2day/. 

Changing a NIC's Firewall Profile Between "Private" and "Public"

If you work with PowerShell remoting, event log collections, IIS 7/8 management or any number of other Windows remote management issues, you may have to enable the protocol "WinRM." Windows Remote Management first appeared in Vista and it's an important computer-to-computer protocol that is slowly replacing the old standard Remote Procedure Call (RPC) protocol that's been in Windows since the mid-80's.  (Start up Outlook and get your email from Exchange and you're talking over RPC.)  RPC's a nice protocol and has served us well, but Microsoft designed it in a time before we all decided that it'd be a great idea to connect our home and office networks to a single world-wide network that happens to be populated by millions of criminals.  (I speak in that context, of course, about the Internet.)  Microsoft designed WinRM from the ground up with security and cross-platform compatibility in mind, and as far as many of us are concerned, the more WinRM-based remoting -- which implies less RPC-based remoting -- the better.

By default, most Windows boxes from Vista onward can make requests over WinRM -- act as clients -- but cannot hear (and therefore cannot respond to) requests from other systems.  To allow a Windows system to respond to WinRM requests, you have to enable what Microsoft calls a WinRM "listener."  The easiest way to turn on a WinRM listener on a system is to open an elevated command prompt and type

winrm quickconfig -q

That normally works fine (or you can use a group policy setting in Computer Configuration / Administrative Templates / System / Windows Remote Management (WinRM) /WinRM Service called "Allow remote server management through WinRM"), but sometimes you get this fairly scary-looking error:

PS C:\windows> winrm quickconfig
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = WinRM firewall exception will not work
since one of the network connection types on this machine is set
to Public. Change the network connection type to either Domain or
Private and try again.

Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network c
onnection types on this machine is set to Public. Change the netw
ork connection type to either Domain or Private and try again.

So the first time I connected to a network on one or more of my NICs, Windows asked me whether the network it was connecting to was public or private.  Vista and Windows 7 pop up a Windows dialog to ask, but Windows 8 shows something like this:

[Screen shot: Metro UI for choosing firewall profile]

So, assuming that I want to mess with PowerShell remoting on my Windows boxes, I've got to figure out which NICs are set to public, and from there I need to know how to change it.

The Metro piece above doesn't tell you your current settings, but if you go to the Network and Sharing Center (doesn't that sound like a place that's got milk and cookies available 24/7?) then you see something like this:

[Screen shot: Control panel UI showing NICs and firewall profiles (but they don't let you change the profiles there)]

Now, in Vista and 7, you could change the network type between public and private right here in the Center, but Windows 8's got another way.  Go to the settings configuration page -- press the Windows key and "I" -- and then click the icon in the lower left-hand part of your screen that represents your network.  Right-click on any NIC's connection and you'll get the choice to enable or disable sharing, as you see in this screen shot:

[Screen shot: Metro UI to change profiles -- turning sharing on or off is the key]

As you've probably figured out, turning sharing on leads to your network being classified as "Private," and turning sharing off makes it "Public."  I have to admit that doing this stumped me when Windows 8 first came out, as I kept wanting to poke around the Network and Sharing Center -- the cookies there are great -- to locate what I imagined was a well-hidden icon that would let me do the Public/Private shift.  Finally, my colleague Doug Spindler posted it on a distribution list we're both on.  ("Duh!"  Can't win 'em all, I guess.)  That led me to do a bit more research, and so I can tell you that...

There is also a PowerShell way, via two commands:  Get-NetConnectionProfile and Set-NetConnectionProfile.  If you simply type "get-netconnectionprofile," then you get a list of your NICs and several pieces of information about each one, including

  • "Name," which would probably be better named "network name" or "SSID."  The network and access point names that you see in the above screen shot -- PleaseStayOff5G, JP4620L, PleaseStayOff, TWDB815 and the rest -- are what these two PowerShell commands call your NIC's "name."
  • "InterfaceAlias," which is just the name that your NIC shows in ipconfig.  Pre-Windows 8, most wired NICs got names like "Local Area Connection" or "Wireless Network Connection," but Windows 8 changes those to "Ethernet" or "Wi-Fi," which are nice -- no blanks in the names to make scripting harder.
  • NetworkCategory:  this is the firewall profile type value that we're looking for.  It'll either be DomainAuthenticated, Public, or Private.
  • IPv6 and IPv4:  what kind of connectivity you have on either or both flavors of IP.

For example, here's a run of Get-NetConnectionProfile for just my wireless card which, again, is named "Wi-Fi":

PS C:\> Get-NetConnectionProfile -InterfaceAlias wi-fi


Name : PleaseStayOff 
InterfaceAlias : Wi-Fi
InterfaceIndex : 13
NetworkCategory : Public
IPv4Connectivity : Internet
IPv6Connectivity : Internet

To change this from a Public NIC to a Private NIC, I just use Set-NetConnectionProfile and identify the NIC that I want to change either with its name ("PleaseStayOff" in this example) or its InterfaceAlias ("Wi-Fi" here).  Thus, I could run either of the following two commands to change this adapter to Private:

Set-NetConnectionProfile -Name "PleaseStayOff" -NetworkCategory Private

Set-NetConnectionProfile -InterfaceAlias "Wi-Fi" -NetworkCategory Private

So if you're playing with PowerShell remoting but can't get to first base, check to see if you can't make the silly thing happy by shifting your NIC's "NetworkCategory."
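The whole check-and-switch sequence above, as an added example that is not part of the original newsletter: it changes only the one interface you name, because Private is the profile with sharing turned on and should be reserved for networks you trust, then reports any connection that is still Public and would keep triggering the winrm quickconfig error. The function name Set-NicPrivateForWinRM and its parameters are hypothetical; the cmdlets and the winrm command are the ones discussed above.

```powershell
# Added example; Set-NicPrivateForWinRM and its parameters are hypothetical names.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
function Set-NicPrivateForWinRM {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # InterfaceAlias as listed by Get-NetConnectionProfile, e.g. "Wi-Fi"
        [Parameter(Mandatory = $true)]
        [string]$InterfaceAlias,

        # Run "winrm quickconfig -q" afterwards if no Public connection remains
        [switch]$EnableListener
    )

    # Only touch the interface the caller named; -ErrorAction Stop aborts on a bad alias
    $target = Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias -ErrorAction Stop

    foreach ($p in $target) {
        switch ("$($p.NetworkCategory)") {
            'Private'             { Write-Verbose "$($p.InterfaceAlias) is already Private." }
            'DomainAuthenticated' { Write-Verbose "$($p.InterfaceAlias) is on the domain profile; leaving it alone." }
            'Public' {
                $what = "$($p.InterfaceAlias) (network '$($p.Name)')"
                if ($PSCmdlet.ShouldProcess($what, 'Change NetworkCategory from Public to Private')) {
                    Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Private
                }
            }
        }
    }

    # The quickconfig error fires if ANY connection is Public, so report the rest
    $stillPublic = @(Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' })
    if ($stillPublic.Count -gt 0) {
        $names = ($stillPublic | ForEach-Object { $_.InterfaceAlias }) -join ', '
        Write-Warning "Still Public: $names. winrm quickconfig will keep reporting 0x80338169."
    }
    elseif ($EnableListener -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'winrm quickconfig -q')) {
        winrm quickconfig -q
    }

    # Emit the resulting state so the caller can see what changed
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

# Preview first, then apply:
# Set-NicPrivateForWinRM -InterfaceAlias 'Wi-Fi' -WhatIf
# Set-NicPrivateForWinRM -InterfaceAlias 'Wi-Fi' -EnableListener
```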

Upcoming Conferences


  • I will be keynoting the free Tampa IT Pro Camp 2016 on 20 August 2016. Great speakers, sign up now to learn great stuff from some terrific speakers.  https://www.eventbrite.com/e/tampa-it-pro-camp-2016-tickets-24569378673 and tell 'em Mark sent you.
  • I will be presenting at IT/Dev Connections in Vegas the week of 10 October. Http://www.itdevconnections.com/dc16/Public/Enter.aspx for more info.
  • I will also be speaking at the Intersection show also in Vegas the week of 24 October.  Visit https://next.devintersection.com for more info. 
  • December TechMentor is in Orlando this year and I'm keynoting about Server 2016. https://techmentorevents.com/Home.aspx for all the scoop!
I hope to see some of you at one of these shows!

To Subscribe, Read Old Newsletters, Send Me a Comment or Change Your Email Address

To subscribe: (which just means I'll send you about a three-tweet-sized message in plain text via email including a link to my latest newsletter), please visit http://www.minasi.com/nwsreg.htm.

To change e-mail or other info, drop me a line (haven't figured out a secure method yet).

To read old newsletters: visit http://www.minasi.com/nwstoc.htm and, if you like 'em, please consider subscribing.

To send me a comment:  I'm at help@minasi.com.

All contents copyright 2013 Mark Minasi.  I encourage you to quote this material, so long as you include this entire document. Thanks very much for reading, and see you next time.