[ - or: How does Windows Firewall know which profile to load? ]
As I read this one in the Microsoft Newsgroups, I was a little astonished. I never asked myself this question.
Of course I knew that Windows Firewall has two profiles which can be configured: Domain profile (for times when the machine resides in the domain, a managed network) and the standard profile (when the machine is not within the domain, on the road, somewhere at a user’s home…). But I never asked myself how Windows Firewall - or Windows itself determines which profile to load.
So how does that work? Well, first, there is the Windows Network Location Awareness (NLA) service. It informs all applications and the operating system when connection parameters have changed. Whenever the NLA informs the operating system of a network change, the GP subsystem needs to check whether the profile needs to be switched.
First, the algorithm checks whether the computer is joined to a domain at all. If it is not, it simply loads the standard profile. If it is, it enumerates all connected network connections (skipping those carried over a PPP or SLIP link) and, for each one, compares the connection's DNS suffix with the DNS suffix of the connection over which Group Policy was last applied successfully (the GP engine stores that suffix in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName). If any one of those DNS suffixes matches the last-good suffix from the registry, the machine is considered to be on the domain network and the domain profile is used; otherwise it falls back to the standard profile.
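To make the rule above concrete, here is a PowerShell re-implementation of that selection logic; this is an added example, not code from the original post or from Microsoft. It assumes Windows 8 / PowerShell 3 or later (for Get-NetAdapter, Get-DnsClient and Get-CimInstance), that the NetworkName value still exists under the Group Policy History key, and the function and parameter names are this example's own. The decision is kept in a separate function so it can be exercised with constructed inputs before being run against the live machine.

```powershell
# Added example, not code from the original post: reproduces the profile-selection
# rule described above so it can be traced on a live machine.
# Assumptions: Windows 8 / PowerShell 3+ (Get-NetAdapter, Get-DnsClient, Get-CimInstance);
# the NetworkName value is still present under the Group Policy History key;
# all function and parameter names here are this example's own.

function Select-FirewallProfile {
    # Pure decision logic, separated from data collection so it can be fed
    # constructed input. Returns 'Domain' or 'Standard'.
    param(
        [bool]     $PartOfDomain,
        [string]   $LastGoodSuffix,
        [string[]] $ConnectionSuffixes = @()
    )

    # Step 1: a machine that is not domain-joined always gets the standard profile.
    if (-not $PartOfDomain) { return 'Standard' }

    # Step 2: with no recorded last-good suffix there is nothing to match against.
    if ([string]::IsNullOrEmpty($LastGoodSuffix)) { return 'Standard' }

    # Step 3: one connected (non-PPP/SLIP) connection whose connection-specific DNS
    # suffix equals the last-good suffix is enough. DNS names are case-insensitive,
    # and PowerShell's -eq on strings is too, so 'CORP.example.com' matches.
    foreach ($suffix in $ConnectionSuffixes) {
        if ($suffix -eq $LastGoodSuffix) { return 'Domain' }
    }
    return 'Standard'
}

function Get-ObservedFirewallProfile {
    # Collects the same three inputs from the running system and feeds them to
    # Select-FirewallProfile, emitting the evidence together with the verdict.
    $partOfDomain = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

    $gpHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $lastGood  = (Get-ItemProperty -Path $gpHistory -Name NetworkName -ErrorAction SilentlyContinue).NetworkName

    # IANA ifType 23 = PPP, 28 = SLIP: the link types the algorithm skips.
    $adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -notin 23, 28 }

    $suffixes = foreach ($a in $adapters) {
        (Get-DnsClient -InterfaceIndex $a.ifIndex).ConnectionSpecificSuffix
    }
    $suffixes = @($suffixes | Where-Object { -not [string]::IsNullOrEmpty($_) })

    [pscustomobject]@{
        PartOfDomain       = $partOfDomain
        LastGoodSuffix     = $lastGood
        ConnectionSuffixes = $suffixes
        Profile            = Select-FirewallProfile -PartOfDomain $partOfDomain `
                                 -LastGoodSuffix $lastGood -ConnectionSuffixes $suffixes
    }
}

# Constructed inputs (not taken from any real machine) covering the three branches.
Select-FirewallProfile -PartOfDomain $false -LastGoodSuffix 'corp.example.com' -ConnectionSuffixes @('corp.example.com')           # Standard: not domain-joined
Select-FirewallProfile -PartOfDomain $true  -LastGoodSuffix 'corp.example.com' -ConnectionSuffixes @('home.lan')                   # Standard: no suffix matches
Select-FirewallProfile -PartOfDomain $true  -LastGoodSuffix 'corp.example.com' -ConnectionSuffixes @('home.lan', 'CORP.example.com') # Domain: one match suffices

# Live check, printing the evidence it used alongside the verdict:
Get-ObservedFirewallProfile
```

Note what the rule does not check: it never verifies that the network really is the corporate one, only that a connection-specific DNS suffix equals the one recorded at the last successful Group Policy refresh. Any network whose DHCP server hands out that same suffix satisfies the test, so the (usually more permissive) domain profile can be selected on a network that merely looks like the domain. Later Windows versions tightened this by having NLA also confirm that a domain controller is reachable before applying the domain profile.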
This behavior is also described in “The Cable Guy - May 2004” article found here:
P.S.: The graphic is cool, huh? Made it with Visio.