Exclude VMware Virtual Adapters from Vista/2008 Network Awareness and Windows Firewall

Posted on January 13, 2009 by Daniel Petri in VMware with

I’ve been using VMware Workstation to run my virtual machines on my Vista laptop. After being installed, VMware Workstation creates several virtual network adapters which are simply dummy adapters for VMware’s host bridging, which in turn allows the virtual machine to access the host machine’s network.

While I like this product very much, one of the nasty annoyances is the fact that after each reboot, the Windows Firewall switches the VMware virtual network adapters from the “public” network profile to a “private” network profile each time I reboot the laptop. Because the VMware virtual network adapters appear to be in a “Public network”, Windows thinks that the whole machine is exposed to a public network, and it triggers the public profile for Windows Firewall. While in most cases this helps protect the entire computer from external access, sometimes you actually need to have external access, and therefore you need to manually change the setting. MSDN has an explanation for this behavior – see Keywords Not Displayed in the User Interface It turns out that Windows Vista automatically identifies and monitors the networks to which a computer connects. However, if the NDIS_DEVICE_TYPE_ENDPOINT flag is set on the network adapter, this means that the device is an endpoint device and is not a connection to a true external network. Because of that, Windows ignores the endpoint device when Windows identifies networks. The Network Awareness APIs indicate that the device does not connect the computer to a network. For end users in this situation, the Network and Sharing Center and the network icon in the notification area do not show the NDIS endpoint device as connected. However, the connection is shown in the Network Connections Folder. Also, if NDIS_DEVICE_TYPE_ENDPOINT is set, the Windows Firewall ignores the connection when Windows Firewall enforces public, private, or domain policies. MVP Oisin Grehan has created a nice PowerShell script that scans the computer’s network adapters for VMware’s virtual network interface cards and makes the necessary registry changes. The script will also disable/enable cycle the adapters so that the changes take effect without having to reboot the computer. After the script runs you will see VMware’s virtual network interface cards in the Network Connections page without a network category – and the connections will no longer appear in the Network and Sharing Center nor will they affect your Windows Firewall policy no matter how many times you reboot the computer. Cool! Here’s the script source: Nivot Ink – VMWare VMNET Adapters Triggering Public Profile for Windows Firewall

Copy the above text, paste into a text file and save it with the PS1 extension. Next, open a PowerShell prompt. Note that you need to run it with elevated credentials (i.e. “Run as Administrator”). Navigate to the folder where you’ve placed the script, and execute it. You can type the first letter of the script’s name and press TAB to auto complete the script’s name. Note: If PowerShell gives you this error:

You will need to change the Signing and Execution Policies by typing the following command:

After running the command, you will be prompted to press “Y” for each VMware adapter. When finished, the script will make the necessary changes. I hope you have found this article useful!

Got a question? Post it on our Windows Server 2008 forums!

Register for this Webinar

How Replication Supports Your Company’s RTOs & RPOs
Join us for this free webinar

Can you have your workloads running within the agreed RTOs? Join this webinar with expert speakers from Veeam to exceed business objectives with an RPTO<15 min for ALL of your application and data.

Thursday, December 14, 2017 at 11 a.m EST