Mark Minasi's Windows Networking Tech Page
Issue #106 April 2013

Document copyright 2013 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Learn with My Seminars, Audio Recordings and More!
  • Tech Section
    • Solving the "How Do I Change My Firewall Profile in Windows 8?" Puzzle
  • Conferences
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

This issue is a short but, I hope, useful one.  Ever since Windows 8 appeared, I've seen people ask on various forums and sites, "how the heck do I switch a network connection's firewall profile from Public to Private and vice versa?  It was easy in Windows 7...," and you can probably guess the rest.  I have to make the switch regularly to make some useful PowerShell remote stuff work, so it seemed worth spending a little time documenting how to make the Public/Private split in both the GUI (it's not where you expect) and via PowerShell (which really is the easier way in many cases).  But first, a word from our sponsor...

My Three-Day Server 2012/2012R2 Class is Running in California at a Great Price!

MISAC, a nonprofit group of IT pros who work in support roles for cities throughout California, have hired me to do my in-depth three-day Server 2012/2012R2 class in three cities in California. The class normally runs $1600 per student, but they're offering it to their members for $799/student. Now, I've unfortunately been too busy to put together a public seminar calendar for 2014 yet -- apologies -- so I asked them if they'd be interested in opening their enrollment to the public at large, and they kindly agreed. They're offering seats for non-MISAC members for $999, a $601 discount. The first class runs next Tuesday-Thursday (25-27 February 2014) in Petaluma, followed by a session in March at Diamond Bar (25-27 March 2014) and then in April in Encinitas (22-24 April 2014). Anyone's welcome, and you'd register with MISAC on their Web site, not me. Find out more here: http://www.misac.org/

Changing a NIC's Firewall Profile Between "Private" and "Public"

If you work with PowerShell remoting, event log collections, IIS 7/8 management or any number of other Windows remote management issues, you may have to enable the protocol "WinRM." Windows Remote Management first appeared in Vista and it's an important computer-to-computer protocol that is slowly replacing the old standard Remote Procedure Call (RPC) protocol that's been in Windows since the mid-80's.  (Start up Outlook and get your email from Exchange and you're talking over RPC.)  RPC's a nice protocol and has served us well, but Microsoft designed it in a time before we all decided that it'd be a great idea to connect our home and office networks to a single world-wide network that happens to be populated by millions of criminals.  (I speak in that context, of course, about the Internet.)  Microsoft designed WinRM from the ground up with security and cross-platform compatibility in mind, and as far as many of us are concerned, the more WinRM-based remoting -- which implies less RPC-based remoting -- the better.

By default, most Windows boxes from Vista onward can make requests over WinRM -- act as clients -- but cannot hear (and therefore cannot respond to) requests from other systems.  To allow a Windows system to respond to WinRM requests, you have to enable what Microsoft calls a WinRM "listener."  The easiest way to turn on a WinRM listener on a system is to open an elevated command prompt and type

winrm quickconfig -q

That normally works fine (or you can use a group policy setting in Computer Configuration / Administrative Templates / System / Windows Remote Management (WinRM) / WinRM Service called "Allow remote server management through WinRM"), but sometimes you get this fairly scary-looking error:

PS C:\windows> winrm quickconfig
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = WinRM firewall exception will not work
since one of the network connection types on this machine is set
to Public. Change the network connection type to either Domain or
Private and try again.

Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network c
onnection types on this machine is set to Public. Change the netw
ork connection type to either Domain or Private and try again.

The first time I connected to a network on one or more of my NICs, Windows asked me if the network it was connecting to was public or private.  Vista and Windows 7 pop up a Windows dialog to ask, but Windows 8 shows something like this:

[Screen shot: Metro UI for choosing firewall profile]

So, assuming that I want to mess with PowerShell remoting on my Windows boxes, I've got to figure out which NICs are set to public, and from there I need to know how to change it.

The Metro piece above doesn't tell you your current settings, but if you go to the Network and Sharing Center (doesn't that sound like a place that's got milk and cookies available 24/7?) then you see something like this:

[Screen shot: Control panel UI showing NICs and firewall profiles (but they don't let you change the profiles there)]

Now, in Vista and 7, you could change the network type between public and private right here in the Center, but Windows 8's got another way.  Go to the settings configuration page -- press the Windows key and "I" -- and then click the icon in the lower left-hand part of your screen that represents your network.  Right-click on any NIC's connection and you'll get the choice to enable or disable sharing, as you see in this screen shot:

[Screen shot: Metro UI to change profiles -- turning sharing on or off is the key]

As you've probably figured out, turning sharing on leads to your network being classified as "Private," and turning sharing off makes it "Public."  I have to admit that doing this stumped me when Windows 8 first came out, as I kept wanting to poke around the Network and Sharing Center -- the cookies there are great -- to locate what I imagined was a well-hidden icon that would let me do the Public/Private shift.  Finally, my colleague Doug Spindler posted it on a distribution list we're both on.  ("Duh!"  Can't win 'em all, I guess.)  That led me to do a bit more research, and so I can tell you that...

There is also a PowerShell way, via two commands:  Get-NetConnectionProfile and Set-NetConnectionProfile.  If you simply type "get-netconnectionprofile," then you get a list of your NICs and several pieces of information about each one, including

  • "Name," which would probably be better named "network name" or "SSID."  The network and access point names that you see in the above screen shot -- PleaseStayOff5G, JP4620L, PleaseStayOff, TWDB815 and the rest -- are what these two PowerShell commands call your NIC's "name."
  • "InterfaceAlias," which is just the name that your NIC shows in ipconfig.  Pre-Windows 8, most wired NICs got names like "Local Area Connection" or "Wireless Network Connection," but Windows 8 changes those to "Ethernet" or "Wi-Fi," which are nice -- no blanks in the names to make scripting harder.
  • NetworkCategory:  this is the firewall profile type value that we're looking for.  It'll either be DomainAuthenticated, Public, or Private.
  • IPv6 and IPv4:  what kind of connectivity you have on either or both flavors of IP.

For example, here's a run of Get-NetConnectionProfile for just my wireless card which, again, is named "Wi-Fi":

PS C:\> Get-NetConnectionProfile -InterfaceAlias wi-fi


Name : PleaseStayOff 
InterfaceAlias : Wi-Fi
InterfaceIndex : 13
NetworkCategory : Public
IPv4Connectivity : Internet
IPv6Connectivity : Internet

To change this from a Public NIC to a Private NIC, I just use Set-NetConnectionProfile and identify the NIC that I want to change either with its name ("PleaseStayOff" in this example) or its InterfaceAlias ("Wi-Fi" here).  Thus, I could run either of the following two commands to change this adapter to Private:

Set-NetConnectionProfile -Name "PleaseStayOff" -NetworkCategory Private

Set-NetConnectionProfile -InterfaceAlias Wi-Fi -NetworkCategory Private

So if you're playing with PowerShell remoting but can't get to first base, check to see if you can't make the silly thing happy by shifting your NIC's "NetworkCategory."
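The winrm error above fires if even one connection is Public, so it helps to audit every NIC and switch only the ones you have decided to trust. The following is an added example, not code from the newsletter; the function name Set-TrustedNicPrivate and its TrustedAlias parameter are hypothetical, and "Wi-Fi" is the alias from the sample output above. It must run from an elevated PowerShell prompt.

```powershell
#Requires -Version 3.0
# Added example: hypothetical helper, not part of the original article.
# Needs Windows 8 / Server 2012 or later and an elevated prompt.

function Set-TrustedNicPrivate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # InterfaceAlias values you have decided are on a trusted network.
        [Parameter(Mandatory = $true)]
        [string[]] $TrustedAlias
    )

    foreach ($conn in Get-NetConnectionProfile) {
        $nic = $conn.InterfaceAlias

        # Private and DomainAuthenticated connections do not block the
        # WinRM firewall exception, so leave them untouched.
        if ($conn.NetworkCategory -ne 'Public') {
            continue
        }

        # A Public connection that is not on the trusted list stays Public.
        if ($TrustedAlias -notcontains $nic) {
            Write-Warning "$nic ($($conn.Name)) is Public and not trusted; leaving it alone."
            continue
        }

        # -WhatIf previews the change; without it the switch is made.
        if ($PSCmdlet.ShouldProcess("$nic ($($conn.Name))", 'Set NetworkCategory to Private')) {
            Set-NetConnectionProfile -InterfaceIndex $conn.InterfaceIndex -NetworkCategory Private
        }
    }

    # Show the end state so any remaining Public connection is visible.
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

# Preview, apply, then retry the listener setup from the article.
Set-TrustedNicPrivate -TrustedAlias 'Wi-Fi' -WhatIf
Set-TrustedNicPrivate -TrustedAlias 'Wi-Fi'
winrm quickconfig -q
```

Any connection the function warns about is still Public, so winrm quickconfig will keep reporting the same error until that connection is disconnected or deliberately reclassified.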

Upcoming Conferences

TechEd Houston May 2014 is my only conference on the schedule at the moment. I'm doing an on-stage conversation with Mark Russinovich about his Azure cloud experiences. I'm also doing "Modern Apps for IT Pros," a look inside those tablet-y "Metro" apps. If you're coming to TechEd I hope you'll stop by.

TechMentor: by the way, I won't be there, as they didn't like my proposed talks on clusters, ADFS, modern apps, or PowerShell, explaining to me that none of them were "really enterprise topics." Ah well. Another year, perhaps.

To Subscribe, Read Old Newsletters, Send Me a Comment or Change Your Email Address

To subscribe (which just means I'll send you about a three-tweet-sized message in plain text via email including a link to my latest newsletter), please visit http://www.minasi.com/nwsreg.htm.

To change e-mail or other info, drop me a line (haven't figured out a secure method yet).

To read old newsletters: visit http://www.minasi.com/nwstoc.htm and, if you like 'em, please consider subscribing.

To send me a comment:  I'm at help@minasi.com.

All contents copyright 2013 Mark Minasi.  I encourage you to quote this material, so long as you include this entire document. Thanks very much for reading, and see you next time.