Windows has three types of network profiles: domain, private, and public. The former is automatically assigned to all computers that are members of an AD domain, and this cannot be changed. On the other hand, you can switch between private and public to activate the associated security settings.

When Windows detects a new network, it asks whether you want to allow your PC to be discoverable by other PCs and devices on this network.

If you choose Yes, it will mark the network in question as private; if No, it signs it as public.

The dialog box for marking new networks as private or public

The dialog box for marking new networks as private or public

If the PC is a member of an AD domain, and this dialog box appears in the corporate LAN, this is most likely a sign that it cannot find the domain controller.

Differences between private and public

Network discovery is switched off by default in the public network profile so that the computer is not displayed by the browser service of other PCs and it cannot see other devices in the network itself.

Default settings for public networks

Default settings for public networks

In addition, a public profile disables file and printer sharing. In the private network, on the other hand, it is enabled, as is network discovery. Hence, a public network is more secure than a private one and is therefore set as the default for WLANs outside the AD domain.

The distinction between public and private also causes the firewall to assign different rules to a network based on profiles.

Windows Firewall applies rules based on the networks profile type

Windows Firewall applies rules based on the networks profile type

Change the network profile from private to public

If you want to change a network profile between private and public, you can do so via the Settings app. The relevant option can be found under Network and Internet. There, you can open Ethernet, for example, and then switch between profile types.

Change the profile type of Ethernet via the Settings app

Change the profile type of Ethernet via the Settings app

If a computer is a member of a domain, then the Network profile type section is missing because there is no option to change the domain type.

For a Wi-Fi, navigate to Network and Internet > Wi-Fi and follow the Manage known networks link there.

Open the list of known WLANs to edit their properties

Open the list of known WLANs to edit their properties

In the overview of wireless networks, select the desired one and click Properties.

In the properties of a WLAN you can switch between the profile types of private and public

In the properties of a WLAN you can switch between the profile types of private and public

You can then switch between private and public.

Change the network profile to private or public using PowerShell

With the following command, you can easily get an overview of all network profiles and their types:

Get-NetConnectionProfile

You can change the profile type with the following command:

Set-NetConnectionProfile -InterfaceAlias Ethernet -NetworkCategory Public

To identify the network, the cmdlet accepts Name, InterfaceAlias, or InterfaceIndex. You can get all three values from the Get-NetConnectionProfile output.

Change the profile type for the Ethernet network from public to private using PowerShell

Change the profile type for the Ethernet network from public to private using PowerShell

If you want to change all networks in one command, you can do it as follows:

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

If you try to assign the DomainAuthenticated type, the command fails with the following error message:

"Unable to set NetworkCategory to 'DomainAuthenticated'. This NetworkCategory type will be set automatically when authenticated to a domain network."

The same applies to the reverse process from private or public to domain.

The DomainAuthenticated profile type cannot be changed or assigned

The DomainAuthenticated profile type cannot be changed or assigned

Control permissions for profile types via group policies

Group policies allow admins to block users from changing profile types. The setting for this is called All Networks and is found under Computer Configuration > Policies > Administrative Templates > Windows Settings > Security Settings > Network List Manager Policies.

Restrict the users permission to change the profile type

Restrict the users permission to change the profile type

The User cannot change location option means that users are not allowed to switch a network between public and private.

Summary

Windows assigns a profile to each network. In the case of domains, its type is set automatically. In all other cases you can choose between public and private, and for wired networks Windows will ask the user. WLANs outside the domain network are public by default.

Depending on the selected profile type, a network has its own security settings. This applies to network discovery, file and printer sharing, and firewall rules.

Subscribe to 4sysops newsletter!

You can switch between public and private afterward, using either the GUI of the Settings app or PowerShell.

avataravatar
1 Comment
  1. Thanks Wolfgang for this article, I find it really informative and particularly Powershell commands are useful for quickly change the network profile.

    avatar

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account