Windows Firewall Network Determination

[ - or: How does Windows Firewall know which profile to load? ]

As I read this one in the Microsoft Newsgroups, I was a little astonished. I never asked myself this question.

Of course I knew that Windows Firewall has two profiles which can be configured: the domain profile (for times when the machine resides in the domain, a managed network) and the standard profile (when the machine is not within the domain, on the road, somewhere at a user’s home…). But I never asked myself how Windows Firewall - or rather Windows itself - determines which profile to load.

So how does that work? Well, first, there is the Windows Network Location Awareness (NLA) service. It informs all applications and the operating system when connection parameters have changed. Whenever the NLA informs the operating system of a network change, the Group Policy (GP) subsystem needs to check whether the profile needs to be switched.

First, the algorithm checks whether the computer is joined to a domain. If it is not, it simply loads the standard profile. If it is, it enumerates all connected network devices (excluding devices connected over a PPP or SLIP link). For each connected device, it checks whether the connection-specific DNS suffix matches the DNS suffix recorded at the last successful Group Policy application (which is stored in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName). If one of those DNS suffixes matches the last good DNS suffix from the registry, the machine is considered to be in the domain, and therefore the domain profile is used.
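The selection logic described above, written out as a read-only PowerShell check that prints what it would decide. This is an added example, not code from the post or from Microsoft's implementation; it assumes that NetworkName is a string value under the History key, that an empty value means "no last good suffix", and that loopback interfaces are skipped like PPP/SLIP ones.

```powershell
# Simulates Windows Firewall profile determination for diagnosis only.
# Nothing is changed on the machine; the decision is returned as a string.
function Get-ExpectedFirewallProfile {
    # Step 1: a machine that is not domain-joined always gets the standard profile
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Host "Computer is not domain-joined"
        return 'Standard'
    }

    # Step 2: the DNS suffix recorded at the last successful GP application
    $gpHistory = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $lastGood  = (Get-ItemProperty -Path $gpHistory -ErrorAction SilentlyContinue).NetworkName
    if ([string]::IsNullOrEmpty($lastGood)) {
        # Assumption: an empty/missing NetworkName cannot match anything
        Write-Host "NetworkName is empty - no successful GP application recorded"
        return 'Standard'
    }
    Write-Host "Last good DNS suffix from registry: $lastGood"

    # Step 3: compare the connection-specific suffix of every connected,
    # non-PPP/SLIP interface (loopback is skipped too; assumption)
    $skip = @('Ppp', 'Slip', 'Loopback')
    $nics = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    foreach ($nic in $nics) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        if ($skip -contains $nic.NetworkInterfaceType.ToString()) { continue }
        $suffix = $nic.GetIPProperties().DnsSuffix
        Write-Host ("  {0,-30} type={1,-10} suffix='{2}'" -f $nic.Name, $nic.NetworkInterfaceType, $suffix)
        if ($suffix -and ($suffix -ieq $lastGood)) {
            Write-Host "  -> suffix matches, machine is considered on the domain network"
            return 'Domain'
        }
    }
    Write-Host "No connected interface carries the last good suffix"
    return 'Standard'
}

Get-ExpectedFirewallProfile
```

When the result is 'Standard' on a domain-joined machine, the printed lines show which of the three steps failed (not joined, empty NetworkName, or no interface with a matching suffix), which is the first thing to compare against userenv.log.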

This behavior is also described in the “The Cable Guy - May 2004” article found here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

P.S.: The graphic is cool, huh? Made it with Visio.

9 Comments so far

  1. zWaR on June 18th, 2009

    Hi!

    In my userenv.log there is an error: ProcessGPOs: GetNetworkName failed with 10013. Every time I get this error the standard Windows Firewall profile is loaded and the mentioned registry key (NetworkName) is empty. What can cause this? How can I simulate Windows Firewall network determination (a script example or something like that)?

  2. zWaR on June 18th, 2009

    Oh, I forgot to mention the connection-specific DNS suffix is correctly used (and retrieved from DHCP server).

  3. florian on June 19th, 2009

    Howdie!

    Are you on Windows XP machines? If so, please check the infamous “Always wait for the network” Group Policy and enable it if you haven’t already.

    I think you sometimes have a status where the system is up but the network subsystem hasn’t fully loaded yet so that the network determination fails and puts the machine into the “standard” profile.

    Cheers,
    Florian

  4. zWaR on June 22nd, 2009

    Thank you so very much for this hint!! As it seems this could finally be IT! :) I have been struggling for so long with this issue now …

  5. florian on June 23rd, 2009

    Thanks for the feedback. I’m glad to hear that it seems that you finally solved it. Those are the little tidbits that get us mad some times :)

    Florian

  6. zWaR on July 1st, 2009

    Hello!

    After a week of fine situation on our computers, the error is back …. :( And it appeared as suddenly as it disappeared after I set the suggested option. Any ideas what else could be causing it?

  7. florian on July 2nd, 2009

    That’s strange.
    How’s DNS configured on the machines? Is there anything in the userenv.log files that points to an error?

    Florian

  8. zWaR on July 20th, 2009

    Yes it is strange … DNS parameters are set via DHCP server and I believe the settings are OK. Otherwise I would expect other trouble too and that on all machines. Right now the error occurs on around 40% of computers. And it is funny, because the error affects always the same group of machines, but not every day all of those machines. For example: today there were just 2 such machines in the whole network, a few days ago there were none, then on some other day, there were 10 such machines etc. (but the affected machines are always out of the same group). The behaviour would normally lead me to think it is a hardware failure, but those computers have different configurations … Then I also thought it could be a startup process they have in common, but besides the antivirus we use on all machines there was no startup process they would have had the same.

    I have also tried to use higher verbosity for userenv.log in the past. I must confess, I did not find anything correlated to this error that could point to an actual cause. But I must admit, I am not a specialist on this area, so I could have overlooked something …

    If you are willing to inspect it, I could paste here a piece of verbose userenv.log, surrounding the 10013 error message.

  9. florian on July 21st, 2009

    Howdie!

    Feel free to shoot me an email with the log attached. I’ll look into it.

    Cheers,
    Florian