A question that has come up from time to time is how and why Windows Vista and Windows Server 2008 detect a network as “unknown”. I hope the following explanation is helpful.
Network Location Awareness, or NLA, is the service that determines what kind of connectivity you have on a Windows Vista or Windows Server 2008 computer. It makes connection-specific information available to other applications and services. The Advanced Firewall in Windows Vista and Windows Server 2008 uses the NLA information to apply specific firewall settings. For example, if you are connected only to a Domain network, then the Advanced Firewall will apply the Domain firewall profile.
The following TechNet article details how the decision process happens in NLA: http://technet.microsoft.com/en-us/magazine/2007.06.vistafirewall.aspx (jump to the “Network Profiles” section).
The Domain profile is only applied if you are connected to a Domain network. There is no way for a user to manually set the Domain profile.
When a network is detected that is not a Domain based network, you will be prompted to supply a network profile. Here is a breakdown of the network profile options and the firewall profile that will apply:
Profile Selection    Firewall Profile Applied
Work                 Private
Home                 Private
Public               Public
Since you are likely to connect to the same network again, such as your home network, Windows tries to uniquely identify each network. A key part of this identification is based on the gateway device. If there is enough information for Windows to uniquely identify the connection, then Windows will remember your choice of network profile and apply it the next time you connect. Now that’s handy!
If the connection has no gateway, then the network is labeled as “Unknown”. When you see this, think to yourself, “There is not enough information for Windows to uniquely identify this network”. I won’t go into too much detail about what is used to uniquely identify the network, other than to say that Windows needs a minimum amount of information to make sure that it is not connecting to a spoofed version of a network. An “Unknown” network will apply the Public network profile and the Public firewall profile. The user can manually change the network profile to Work or Home to have a less restrictive firewall profile applied.
Since Windows cannot uniquely identify the network, Windows is not going to know if you connect to it again. So, your network profile choice is transient and will only be applied until you lose connectivity to that network. If you reboot your machine, you will need to set a network profile for the “Unknown” connection again.
At first blush this may seem like a lot of extra work. However, consider the security impact of setting a persistent network profile on a network that Windows cannot identify. Since Windows cannot uniquely identify the network, if a persistent network profile were applied, it may be applied on a network that the user did not originally intend to be marked as a private network.
Here are a couple of points to consider:
If the connection should be identified as a Domain network and is not, then the likely causes are a failure to contact DNS servers or domain controllers on that interface. Make sure that these resources are reachable from that interface.
If the network is not a Domain network and there is no default gateway configured, or the gateway is not available, the network will be categorized as “Unknown” and the Public profile and Public firewall policy will be applied to the computer.
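To check these two points on a machine, the following audit script (an added example, not part of the original post) lists the networks NLA currently sees with their category, the IP-enabled adapters that have no default gateway (the ones whose network will be labeled “Unknown” and fall back to the Public profile), and the firewall profile actually in force. It assumes a Windows Vista / Server 2008 or later machine with PowerShell; the Network List Manager CLSID, the WMI class and the netsh command are the documented ones, but the report layout is ours.

```powershell
# Added example, not from the original post. Assumes PowerShell on Vista / Server 2008
# or later; the CLSID below is the documented Network List Manager class id.

# INetworkListManager is created by CLSID (it has no registered ProgID).
$nlm = [Activator]::CreateInstance(
    [Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B'))

# NLM_NETWORK_CATEGORY values: 0 = Public, 1 = Private, 2 = Domain authenticated.
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }

Write-Host '=== Networks NLA sees as connected, and the category (profile) applied ==='
# 1 = NLM_ENUM_NETWORK_CONNECTED
foreach ($net in $nlm.GetNetworks(1)) {
    $cat = $categoryName[[int]$net.GetCategory()]
    '{0,-30} category={1}' -f $net.GetName(), $cat
}

Write-Host '=== IP-enabled adapters with no default gateway ==='
# No gateway means NLA cannot uniquely identify the network, so it is labeled
# "Unknown", gets the Public profile, and any manual Home/Work choice will not
# survive a reconnect or reboot.
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($cfg in $cfgs) {
    if (-not $cfg.DefaultIPGateway) {
        '{0}: {1} -> will be "Unknown" (Public profile, choice not persisted)' -f `
            $cfg.Description, ($cfg.IPAddress -join ',')
    }
}

Write-Host '=== Firewall profile currently in force ==='
# Shows which profile (Domain / Private / Public) the Advanced Firewall is applying now.
netsh advfirewall show currentprofile
```

Run it elevated on the server in question; an adapter listed in the second section alongside a Private-category network in the first is exactly the transient situation the post describes.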
I hope this helps you understand why a network may be identified as an “Unknown” network.
The Windows 7 beta is available and there are some changes to the way NLA handles network identification. If you are interested in checking out what is in the beta, I’d encourage you to download it from your MSDN or TechNet subscription and check it out. I think you will like it!
- Joel-E-O
This bit me today. Very frustrating. I have a 192.x.x.x network behind my servers that is used for inter-server traffic. There is no gateway on this network for security reasons!!!
Frankly, any network that doesn't have a gateway should be private by default, right? The public can't get to it!