Method 1
One way I've dealt with this issue on a critical Windows Server system in one environment I maintain was with a batch script that uses Set-NetConnectionProfile and netsh, and explicitly sets each trusted NIC/adapter on the machine to private at system startup with Task Scheduler, using the "Run whether user is logged on or not" and "Run with highest privileges" options.
Note: While the bounty note states "The solution must not cause loss of network connectivity to implement", I wanted to mention that when this issue occurs you have a network disruption anyway, so if the issue occurs randomly while the system has not been rebooted, simply running this same script then will still quickly resolve the issue and get the machine's network access back in the working and expected order.
Furthermore, you can use Get-NetConnectionProfile to get the NIC alias names and index numbers to put into the example batch script below for your needs and/or systems.
Batch Script
@ECHO ON
::: The below PowerShell will set all the network adapters to private rather than the public/unidentified state that occurs.
::: The .ps1 is rebuilt in %temp% on every run so the batch file is the single thing to maintain.
:DynamicPSScriptBuild
SET PSScript=%temp%\%~n0.ps1
IF EXIST "%PSScript%" DEL /Q /F "%PSScript%"
ECHO Set-NetConnectionProfile -InterfaceIndex 12 -NetworkCategory Private>>"%PSScript%"
ECHO Set-NetConnectionProfile -InterfaceIndex 20 -NetworkCategory Private>>"%PSScript%"
ECHO Set-NetConnectionProfile -InterfaceIndex 22 -NetworkCategory Private>>"%PSScript%"
ECHO Set-NetConnectionProfile -InterfaceIndex 24 -NetworkCategory Private>>"%PSScript%"
:PowerShell
SET PowerShellDir=C:\Windows\System32\WindowsPowerShell\v1.0
CD /D "%PowerShellDir%"
Powershell -ExecutionPolicy Bypass -Command "& '%PSScript%'"
::: The below will disable and then re-enable each NIC one-by-one so the "Unidentified" goes away after being set to "private" above.
::: The alias names must match the InterfaceAlias values shown by Get-NetConnectionProfile.
:ResetNICs
SET Array="Ethernet", "Ethernet 2", "Ethernet 3", "Ethernet 4"
FOR %%A IN (%Array%) DO (
    netsh int set int "%%~A" admin=disable
    netsh int set int "%%~A" admin=enable
)
EXIT
Below are a few other methods; one of the many is what you have already tried, but I left it in there for others who come across this post in case it helps them. These are a few ways to perhaps prevent this entirely, but there are always going to be upsides and downsides to any method you choose to use, so pick your poison and test accordingly.
Method 2 (Multiple Methods)
If NLA can't determine a connection's location, it names it "Unidentified" and marks the location as Public. It chooses Public because that is most secure and you wouldn't want anything less if the connection is on the DMZ.
There are two easy ways to fix this. One uses the Local Security Policy to change the default location of unidentified networks. The second method uses a change to the network connection properties to give NLA the information it needs to properly place the location.
Using Local Security Policy
Caution: This should only be used if the computer will never have any connections on the Public LAN. Otherwise, you run the risk of having a less secure firewall profile applied to your public connection.
Open "Local Security Policy".
Click on "Network List Manager Policies" in the left pane. (This selection is buried in older versions of Windows.)
Double-click on "Unidentified Networks" in the right pane.
For computers that only exist on the private network, it is OK to set "Location type" to "private".
Using Network Connection Properties
This is not about adding a gateway IP, as that doesn't work properly on a multi-homed server. Instead we will be adding a DNS suffix so that NLA can properly locate the domain controller, which is how it knows to mark the location as "Domain network".
Go to Network Connections (from the Network and Sharing Center, click on "Change adapter settings".)
Go to the properties of one network connection marked as "Unidentified" but on the private LAN.
Go to the properties for IPv4.
Click the "Advanced..." button.
Select the DNS tab.
Enter your domain name into the text box for "DNS suffix for this connection:".
Disable and then enable the connection to get NLA to re-identify the location. After enabling the connection, the Status should change to the domain name and Network Category to "Domain network". Depending on your setup, it is likely that you only need to "fix" one connection to get all the related connections to see the domain.
Move from Private to Public
There are two common ways to force NLA to mark a connection as public. One is to use a firewall rule to block NLA so that it has no choice but to use the default location. The other is to use the registry to disable NLA on the connection.
Using the Firewall
I haven't tested this but the theory seems sound.
Open "Windows Firewall with Advanced Security" (i.e. wf.msc).
Go to Outbound rules.
Click on "New Rule…".
Use these settings:
- Rule Type: Custom
- Program: Select "All programs" and then click on "Customize…". Select "Network Location Awareness" (short name is NlaSvc).
- Protocol and Ports: Protocol type = Any.
- Scope: Local IPs = Enter all your public IPs. Double-check for connections with multiple IPs.
- Action: Block
- Profile: All
Once the rule is enabled, disable and then enable the network connection to get NLA to re-identify the location.
Using the Registry
I have not had this work for me but my circumstance may be different from yours. Finding the correct connection number is a bit hit or miss as there are a lot more entries than you would expect.
Run regedit
Go to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Underneath you should see several keys labeled 0000, 0001, 0002 etc… Look through these and find the adapters where you want to disable NLA.
For each of the adapters, add a new DWORD value named "*NdisDeviceType" and set it to 1 (make sure you get the * at the beginning of the name).
Getting Drastic
The location profiles are housed in the registry and it seems harmless to delete them and let Windows rebuild them. You will definitely want to back up the registry first and you will likely need to be connected to the server via KVM rather than remote (RDP). I will not take any responsibility if you choose this step as I am primarily putting this here for reference.
The location of the profiles is:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
source
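A PowerShell version of Method 1, added here as an example; it is not code from the answer above or from the linked source. It does the same job as the batch script (move trusted adapters from Public to Private, then bounce them so NLA re-identifies them) but reads the current state with Get-NetConnectionProfile first, only touches adapters on an explicit trusted list, leaves domain-authenticated adapters alone, and logs what it changed. The adapter names in $TrustedAdapters, the log path and the script file name are assumptions to adapt to your host.

```powershell
# Added example, not part of the original answer: idempotent variant of Method 1.
# Only adapters whose InterfaceAlias is in $TrustedAdapters (assumed names) are
# moved from Public to Private. Domain-authenticated adapters are left alone and
# adapters not on the list are reported but never changed, so a newly attached
# DMZ/public NIC does not silently receive the relaxed Private firewall profile.
# Run elevated (e.g. from a Task Scheduler task with "Run with highest privileges").
[CmdletBinding(SupportsShouldProcess)]
param(
    # Interface aliases the administrator has reviewed and trusts (assumption).
    [string[]]$TrustedAdapters = @('Ethernet', 'Ethernet 2', 'Ethernet 3', 'Ethernet 4'),

    # Disable/enable the adapter afterwards, like the netsh loop in the batch script.
    [switch]$RestartAdapters,

    # Log file location (assumption).
    [string]$LogPath = "$env:ProgramData\FixNetworkCategory.log"
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

foreach ($p in Get-NetConnectionProfile) {
    $tag = "[{0}] idx={1} '{2}' category={3}" -f `
        $p.InterfaceAlias, $p.InterfaceIndex, $p.Name, $p.NetworkCategory

    if ($p.NetworkCategory -eq 'DomainAuthenticated') {
        Write-Log "$tag -> already domain-authenticated, leaving as is"
        continue
    }
    if ($TrustedAdapters -notcontains $p.InterfaceAlias) {
        # Unknown adapter: report only. Relaxing its firewall profile needs a human decision.
        Write-Log "$tag -> not in trusted list, NOT changing"
        continue
    }
    if ($p.NetworkCategory -eq 'Private') {
        Write-Log "$tag -> already Private, nothing to do"
        continue
    }

    # Supports -WhatIf / -Confirm through SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($p.InterfaceAlias, 'Set NetworkCategory to Private')) {
        Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Private

        # Read the category back so the log records the actual result, not the intent.
        $after = (Get-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex).NetworkCategory
        Write-Log "$tag -> set to Private (now: $after)"

        if ($RestartAdapters) {
            # Equivalent of "netsh int set int ... admin=disable/enable" in the batch script.
            Restart-NetAdapter -Name $p.InterfaceAlias -Confirm:$false
            Write-Log "[$($p.InterfaceAlias)] adapter restarted so NLA re-identifies it"
        }
    }
}
```

Save it as, for example, C:\Scripts\Set-TrustedAdaptersPrivate.ps1 (an assumed path) and point the scheduled task's action at powershell.exe with the arguments -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Set-TrustedAdaptersPrivate.ps1 -RestartAdapters. Running it once by hand with -WhatIf -Verbose shows which adapters it would change without touching anything, which is a useful check before letting it run unattended at startup.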