4

From Windows 7 I'm using "Cisco AnyConnect Secure Mobility Client 3.0" to connect to our corporate network.

Every time I establish the VPN connection Windows will set the type as "work network". I don't want this. So I go to "network and sharing center" and manually / interactively change it to "public network". But I have to repeat it for every new VPN connection.

  • Is there any way to make Windows remember / persist this configuration?
  • Can it be configured in the VPN client?
  • Do our IT admins need to change something at server end?

Motivation: A "work network" per default uses different firewall settings that allow for stuff like "network discovery" and "file shares". But I absolutely don't want this for the VPN connection!
I just need "remote desktop" (mstsc). That's all.

Additional info: Our IT admins claimed this would be Windows default behaviour and there was nothing we could do about it: Windows would always initiate a VPN connection as "work network". Based on this statement I assume this is a "general" issue and went ahead posting here (at superuser.com).
From what I've read so far it could be related to Microsoft / Windows NLA and related configuration parameters?

Update1: The situation has become even worse. Previously I would establish the VPN connection and then manually change to "public network". But now - after some time running with VPN connection - the network type automatically switches back to "work network". This means: I need to frequently check the network type and adjust when required.
Help! How can I stop this?

Update2: still the same problem with Cisco AnyConnect Secure Mobility Client 3.1.04072

Update3: still the same problem with Cisco AnyConnect Secure Mobility Client 3.1.05182


Observations so far:

It seems the following registry locations are playing a role:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures]

In particular:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{<Network GUID>}]
"Category"=dword:00000000
"CategoryType"=dword:00000000

Where:

0 = Public
1 = Private (includes "Home" and "Work")
2 = Domain

And in my case the "Category" keeps flipping back from "0" to "1".
The question is: why?
And how can I prevent this?

1
  • But if the VPN as-is allows you to do RDP, why do you need to change it? That's not making any sense.
    – Xavier J
    Commented Jan 21, 2014 at 0:08

2 Answers 2

4

Here's what has worked for me:

  • start the VPN client and connect
  • now run secpol.msc
  • go to the node Network List Manager Policies
  • open the properties of your remote domain network
  • go to the tab "Network Location"
  • change "Location type" to Public
  • (optional?) change "User permissions" to "User cannot change location"

From now on Windows will retain the network type as "public".

Technically speaking this will populate entries below the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\

Those policies take precedence over the following entries - which (due to whatever logic) may change dynamically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\

--
Confirmed with:
Cisco AnyConnect Secure Mobility Client 3.1.06079 @ Win7 x64

Update:
still working fine with Cisco AnyConnect Secure Mobility Client 3.1.10010 @ Win7 x64

1
  • This works with v4.3 too. Thanks. Commented Jun 2, 2017 at 9:32
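
To check whether the policy described in the answer above is actually in place, and which remembered networks are currently not "Public", the registry locations named on this page can be read back. This is an added example, not part of the original question or answers; it only reads the registry, and it assumes the `ProfileName` value that Windows stores next to `Category` under each profile key (not shown on the page).

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
$profileRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures'
)
# Category values as listed in the question.
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

function Get-NetworkProfileCategory {
    # One object per remembered network, with Category decoded.
    Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $values = Get-ItemProperty -Path $_.PSPath
        if ($values.Category -eq $null) { return }   # skip keys without a Category value
        $cat = [int]$values.Category
        $label = 'Unknown'
        if ($categoryName.ContainsKey($cat)) { $label = $categoryName[$cat] }
        New-Object PSObject -Property @{
            ProfileName = $values.ProfileName   # assumed value name, see lead-in
            Guid        = $_.PSChildName
            Category    = $cat
            Location    = $label
        }
    }
}

function Get-NetworkListPolicyKey {
    # Subkeys written by Network List Manager Policies; empty if none is configured.
    foreach ($root in $policyRoots) {
        if (Test-Path -Path $root) {
            Get-ChildItem -Path $root -Recurse | ForEach-Object { $_.Name }
        }
    }
}

$netProfiles = @(Get-NetworkProfileCategory)
$policyKeys  = @(Get-NetworkListPolicyKey)

$netProfiles | Sort-Object ProfileName | Format-Table ProfileName, Location, Category, Guid -AutoSize

$notPublic = @($netProfiles | Where-Object { $_.Category -ne 0 })
if ($notPublic.Count -gt 0) {
    $list = ($notPublic | ForEach-Object { $_.ProfileName }) -join ', '
    Write-Warning ("{0} profile(s) are not Public: {1}" -f $notPublic.Count, $list)
}
if ($policyKeys.Count -eq 0) {
    Write-Warning 'No Network List Manager policy entries found; Category can still change dynamically.'
} else {
    'Policy entries present under:'; $policyKeys
}
```

Running it once before and once after the VPN session has been up for a while shows whether the VPN profile's `Category` has flipped back to 1.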
1

Use the following process:

  • Navigate to each key in regedit:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures
  • Change the value to 0
  • Right click on the key name, then select Permissions
  • Click Administrators
  • Click Deny for each checkbox below
