
Exclude VMware Virtual Adapters from Vista/2008 Network Awareness and Windows Firewall

I’ve been using VMware Workstation to run my virtual machines on my Vista laptop. After being installed, VMware Workstation creates several virtual network adapters which are simply dummy adapters for VMware’s host bridging, which in turn allows the virtual machine to access the host machine’s network.

While I like this product very much, one of the nasty annoyances is that the Windows Firewall switches the VMware virtual network adapters from the “public” network profile to a “private” network profile each time I reboot the laptop. Because the VMware virtual network adapters appear to be in a “Public network”, Windows thinks that the whole machine is exposed to a public network, and it triggers the public profile for Windows Firewall. While in most cases this helps protect the entire computer from external access, sometimes you actually need to have external access, and therefore you need to manually change the setting.

MSDN has an explanation for this behavior – see Keywords Not Displayed in the User Interface.

It turns out that Windows Vista automatically identifies and monitors the networks to which a computer connects. However, if the NDIS_DEVICE_TYPE_ENDPOINT flag is set on the network adapter, this means that the device is an endpoint device and is not a connection to a true external network. Because of that, Windows ignores the endpoint device when Windows identifies networks. The Network Awareness APIs indicate that the device does not connect the computer to a network. For end users in this situation, the Network and Sharing Center and the network icon in the notification area do not show the NDIS endpoint device as connected. However, the connection is shown in the Network Connections Folder. Also, if NDIS_DEVICE_TYPE_ENDPOINT is set, the Windows Firewall ignores the connection when Windows Firewall enforces public, private, or domain policies.

MVP Oisin Grehan has created a nice PowerShell script that scans the computer’s network adapters for VMware’s virtual network interface cards and makes the necessary registry changes. The script will also cycle the adapters (disable, then enable) so that the changes take effect without having to reboot the computer.

After the script runs you will see VMware’s virtual network interface cards in the Network Connections page without a network category – and the connections will no longer appear in the Network and Sharing Center nor will they affect your Windows Firewall policy no matter how many times you reboot the computer. Cool!

Here’s the script source: Nivot Ink – VMWare VMNET Adapters Triggering Public Profile for Windows Firewall

# see http://msdn2.microsoft.com/en-us/library/bb201634.aspx
# *NdisDeviceType
# The type of the device. The default value is zero, which indicates a standard
# networking device that connects to a network.
# Set *NdisDeviceType to NDIS_DEVICE_TYPE_ENDPOINT (1) if this device is an
# endpoint device and is not a true network interface that connects to a network.
# For example, you must specify NDIS_DEVICE_TYPE_ENDPOINT for devices such as
# smart phones that use a networking infrastructure to communicate to the local
# computer system but do not provide connectivity to an external network.
# Usage: run in an elevated shell (vista/longhorn) or as administrator (xp/2003).
# PS> .\fix-vmnet-adapters.ps1

# boilerplate elevation check
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = new-object Security.Principal.WindowsPrincipal $identity
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $elevated) {
    # $error is a PowerShell automatic variable, so the text is built in $message
    $message = "Sorry, you need to run this script"
    if ([System.Environment]::OSVersion.Version.Major -gt 5) {
        $message += " in an elevated shell."
    } else {
        $message += " as Administrator."
    }
    throw $message
}

# ask before touching each adapter; PromptForChoice returns the index of the choice (1 = Yes)
function confirm {
    $host.ui.PromptForChoice("Continue", "Process adapter?",
        [Management.Automation.Host.ChoiceDescription[]]@("&No", "&Yes"), 0) -eq 1
}

# adapters key
pushd 'hklm:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# ignore and continue on error
dir -ea 0 | % {
    $node = $_.pspath
    # subkeys without a DriverDesc value are skipped silently
    $desc = gp $node -name driverdesc -ea 0
    if ($desc.driverdesc -like "*vmware*") {
        write-host ("Found adapter: {0} " -f $desc.driverdesc)
        if (confirm) {
            # -force overwrites the value if an earlier run already created it
            new-itemproperty $node -name '*NdisDeviceType' -propertytype dword -value 1 -force
        }
    }
}
popd

# disable/enable network adapters so the change takes effect without a reboot
gwmi win32_networkadapter | ? { $_.name -like "*vmware*" } | % {
    # disable
    write-host -nonew "Disabling $($_.name) ... "
    $result = $_.Disable()
    if ($result.ReturnValue -eq 0) { write-host " success." } else { write-host " failed." }

    # enable
    write-host -nonew "Enabling $($_.name) ... "
    $result = $_.Enable()
    if ($result.ReturnValue -eq 0) { write-host " success." } else { write-host " failed." }
}

Copy the above text, paste it into a text file and save it with the PS1 extension. Next, open a PowerShell prompt. Note that you need to run it with elevated credentials (i.e. “Run as Administrator”). Navigate to the folder where you’ve placed the script, and execute it. You can type the first letter of the script’s name and press TAB to auto complete the script’s name.

Note: If PowerShell gives you this error:

File D:\Tools\Admin\Scripts\VMware - VMNET Adapters Triggering Public Profile for Windows Firewall\script.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.

You will need to change the Signing and Execution Policies by typing the following command:

Set-ExecutionPolicy Unrestricted

After running the command, you will be prompted to press “Y” for each VMware adapter. When finished, the script will make the necessary changes. I hope you have found this article useful!
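To check the result, the registry value the script writes can be read back. The following is an added example, not part of Oisin Grehan's script or the original article: it lists every adapter under the same class key with its *NdisDeviceType value and marks any adapter that carries the endpoint flag without matching the VMware pattern. The function name Get-NdisDeviceTypeReport and its -Pattern parameter are hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original script. Read-only: it changes nothing.
# Assumes an elevated prompt and PowerShell 2.0 or later.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-NdisDeviceTypeReport {
    param([string]$Pattern = '*vmware*')   # same match the article's script uses

    # Subkeys without a readable DriverDesc (for example 'Properties') are skipped.
    Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.DriverDesc) {
            $raw        = $props.'*NdisDeviceType'   # $null when the value was never created
            $isEndpoint = ($raw -eq 1)               # 1 = NDIS_DEVICE_TYPE_ENDPOINT
            $isTarget   = ($props.DriverDesc -like $Pattern)

            if ($isEndpoint -and -not $isTarget) {
                $note = 'REVIEW: endpoint flag on an adapter the script does not target'
            } elseif ($isEndpoint) {
                $note = 'excluded from network identification'
            } elseif ($isTarget) {
                $note = 'not yet excluded'
            } else {
                $note = 'standard adapter'
            }

            New-Object PSObject -Property @{
                Instance       = $_.PSChildName
                DriverDesc     = $props.DriverDesc
                NdisDeviceType = $(if ($null -eq $raw) { '(not set)' } else { $raw })
                Note           = $note
            }
        }
    }
}

$report = @(Get-NdisDeviceTypeReport)
$report | Select-Object Instance, DriverDesc, NdisDeviceType, Note | Format-Table -AutoSize

# Flagged entries are worth a look: an adapter marked as an endpoint is ignored
# when Windows Firewall picks the public, private or domain profile.
$unexpected = @($report | Where-Object { $_.Note -like 'REVIEW*' })
Write-Host ("Adapters flagged for review: {0}" -f $unexpected.Count)
```

On PowerShell 2.0 or later, Set-ExecutionPolicy RemoteSigned -Scope Process lets a locally saved script run for the current session only, without changing the machine-wide policy.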
