Exclude VMware Virtual Adapters from Vista/2008 Network Awareness and Windows Firewall

by Daniel Petri - January 13, 2009

I've been using VMware Workstation to run my virtual machines on my Vista laptop. Once installed, VMware Workstation creates several virtual network adapters; these are simply dummy adapters for VMware’s host bridging, which in turn allows the virtual machines to reach the host machine’s network.

While I like this product very much, one nasty annoyance is that after each reboot the Windows Firewall switches the VMware virtual network adapters from the “public” network profile to a “private” network profile. Because the VMware virtual network adapters appear to be in a “Public network”, Windows thinks that the whole machine is exposed to a public network and triggers the public profile for Windows Firewall. In most cases this helps protect the entire computer from external access, but sometimes you actually need external access, and then you have to change the setting manually.

MSDN has an explanation for this behavior; see “Keywords Not Displayed in the User Interface”. It turns out that Windows Vista automatically identifies and monitors the networks to which a computer connects. However, if the NDIS_DEVICE_TYPE_ENDPOINT flag is set on the network adapter, the device is an endpoint device and not a connection to a true external network, so Windows ignores it when identifying networks. The Network Awareness APIs indicate that the device does not connect the computer to a network. For end users, the Network and Sharing Center and the network icon in the notification area do not show the NDIS endpoint device as connected, although the connection is still shown in the Network Connections folder. Also, if NDIS_DEVICE_TYPE_ENDPOINT is set, Windows Firewall ignores the connection when it enforces public, private, or domain policies.

MVP Oisin Grehan has created a nice PowerShell script that scans the computer's network adapters for VMware’s virtual network interface cards and makes the necessary registry changes. The script also disables and re-enables the adapters so that the changes take effect without a reboot.

After the script runs you will see VMware’s virtual network interface cards in the Network Connections page without a network category, and the connections will no longer appear in the Network and Sharing Center, nor will they affect your Windows Firewall policy no matter how many times you reboot the computer. Cool! Here's the script source: Nivot Ink - VMWare VMNET Adapters Triggering Public Profile for Windows Firewall

# see http://msdn2.microsoft.com/en-us/library/bb201634.aspx
# *NdisDeviceType
# The type of the device. The default value is zero, which indicates a standard
# networking device that connects to a network.
# Set *NdisDeviceType to NDIS_DEVICE_TYPE_ENDPOINT (1) if this device is an
# endpoint device and is not a true network interface that connects to a network.
# For example, you must specify NDIS_DEVICE_TYPE_ENDPOINT for devices such as
# smart phones that use a networking infrastructure to communicate to the local
# computer system but do not provide connectivity to an external network.
# Usage: run in an elevated shell (vista/longhorn) or as administrator (xp/2003).
# PS> .\fix-vmnet-adapters.ps1

# boilerplate elevation check

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = new-object Security.Principal.WindowsPrincipal $identity
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $elevated) {
    # use $msg, not $error: $error is PowerShell's automatic error collection
    $msg = "Sorry, you need to run this script"
    if ([System.Environment]::OSVersion.Version.Major -gt 5) {
        $msg += " in an elevated shell."
    } else {
        $msg += " as Administrator."
    }
    throw $msg
}

# ask before touching each adapter; PromptForChoice returns the index of the
# chosen label (0 = No, 1 = Yes)
function confirm {
    $host.ui.PromptForChoice("Continue", "Process adapter?",
        [Management.Automation.Host.ChoiceDescription[]]@("&No", "&Yes"), 0) -eq 1
}

# adapters key (network adapter device class GUID)
pushd 'hklm:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# ignore and continue on error (some subkeys are unreadable or have no driverdesc)
dir -ea 0 | % {
    $node = $_.pspath
    $desc = gp $node -name driverdesc -ea 0
    if ($desc.driverdesc -like "*vmware*") {
        write-host ("Found adapter: {0} " -f $desc.driverdesc)
        if (confirm) {
            # -force overwrites the value if the script has already been run once
            new-itemproperty $node -name '*NdisDeviceType' -propertytype dword -value 1 -force
        }
    }
}
popd

# disable/enable network adapters so the new value takes effect without a reboot
gwmi win32_networkadapter | ? { $_.name -like "*vmware*" } | % {
    # disable
    write-host -nonew "Disabling $($_.name) ... "
    $result = $_.Disable()
    if ($result.ReturnValue -eq 0) { write-host " success." } else { write-host " failed." }
    # enable
    write-host -nonew "Enabling $($_.name) ... "
    $result = $_.Enable()
    if ($result.ReturnValue -eq 0) { write-host " success." } else { write-host " failed." }
}

Copy the above text, paste it into a text file and save it with the PS1 extension. Next, open a PowerShell prompt. Note that you need to run it with elevated credentials (i.e. "Run as Administrator"). Navigate to the folder where you've placed the script and execute it. You can type the first letter of the script's name and press TAB to auto-complete it. Note: If PowerShell gives you this error:

File D:\Tools\Admin\Scripts\VMware - VMNET Adapters Triggering Public Profile for Windows Firewall\script.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.

You will need to change the script execution policy by typing the following command (RemoteSigned is enough for a script you created locally, if you prefer not to allow everything):

Set-ExecutionPolicy Unrestricted

After running the command, run the script again; you will be prompted to press "Y" for each VMware adapter. When finished, the script will have made the necessary changes. I hope you have found this article useful!
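To verify what the fix actually changed, or to undo it, here is an added audit script; it is not part of the article or of Oisin Grehan's script. It assumes the same network class key and the same "*vmware*" description match as the fix script, and -Revert needs an elevated shell for the same reason.

```powershell
# audit-ndisdevicetype.ps1 (added example, not the article's script)
# Lists every adapter under the network class key with its DriverDesc and its
# current *NdisDeviceType value, so you can see which adapters Network Awareness
# and Windows Firewall will ignore. With -Revert, the flag is set back to 0
# (a normal network device) on adapters whose description matches -Match.
param(
    [string]$Match = "*vmware*",   # assumption: same pattern as the fix script
    [switch]$Revert
)

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    # skip subkeys that are not adapters (e.g. the 'Properties' key has no DriverDesc)
    if (-not $props.DriverDesc) { return }

    # a missing value means 0: the device is treated as a real network connection
    $flag = 0
    if ($props.PSObject.Properties['*NdisDeviceType']) { $flag = $props.'*NdisDeviceType' }

    $state = if ($flag -eq 1) { "ENDPOINT (ignored by firewall profiles)" } else { "network device" }
    Write-Host ("{0,-45} *NdisDeviceType={1}  {2}" -f $props.DriverDesc, $flag, $state)

    if ($Revert -and $flag -eq 1 -and ($props.DriverDesc -like $Match)) {
        Set-ItemProperty $_.PSPath -Name '*NdisDeviceType' -Value 0 -Type DWord
        Write-Host ("    -> reset {0} to 0; disable/enable the adapter or reboot to apply" -f $props.DriverDesc)
    }
}
```

Run it without parameters after the fix script to confirm only the VMware adapters show ENDPOINT; a physical adapter flagged 1 would be invisible to the firewall's profile selection, which is exactly what you do not want.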

