Windows 11 does not prompt for Public/Private network (Windows Firewall setting)

[glimberg]

In Windows 10 and prior you would get the following screen when joining a ZeroTier network:

Answering "Yes" would set the windows firewall as a "private" network and allow discovery, file sharing, etc. "No" sets the network to public causing Windows Firewall to disable file sharing, etc.

Windows 11 no longer pops up this prompt and instead just forces the network to Public and hardening windows firewall for the Public configuration.

What should be happening?

There should be a way to specify Public or Private network.

Workaround:

## To check public/private setting
Get-NetConnectionProfile | Where-Object "InterfaceAlias" -like "Zero*"

## To set all ZeroTier networks to Private
Get-NetConnectionProfile | Where-Object "InterfaceAlias" -like "Zero*" | Set-NetConnectionProfile -NetworkCategory Private

[tepke22]

Thank you so much, also noticed that prompt didn't pop up and ZeroTierOne wasn't working, but your fix worked like a charm. 🥳

[Aweguy]

One question, how to use these command. My system doesn't recognize them.

[glimberg]

@Aweguy They only work in PowerShell, so if you're using regular old CMD, they won't work

[Aweguy]

i am getting an error when i apply the command. I am not sure what i should do since this is the first time ever i use powershell.

"Set-NetConnectionProfile : Unable to set the NetworkCategory due to one of the following possible reasons: not running
PowerShell elevated; the NetworkCategory cannot be changed from 'DomainAuthenticated'; user initiated changes to
NetworkCategory are being prevented due to the Group Policy setting 'Network List Manager Policies'.
At line:1 char:74

• ... as" -like "Zero*" | Set-NetConnectionProfile -NetworkCategory Private

•                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : PermissionDenied: (MSFT_NetConnect...5A33DAB1334E}"):root/StandardCi...nnectionProfile)
    [Set-NetConnectionProfile], CimException
  • FullyQualifiedErrorId : MI RESULT 2,Set-NetConnectionProfile"

[glimberg]

You may need to do it in an Administrator PowerShell prompt. Anything changing network related settings on a system typically require Admin access

[Aweguy]

aah ok. Thanks a lot. It made it private, but there's a new problem, but it's irrelevant to this issue.

[ERF4]

You may need to do it in an Administrator PowerShell prompt. Anything changing network related settings on a system typically require Admin access

Thankfully, just tried this on a PC where I don't have local admin and it still worked fine. Many thanks for this.

[laduke]

Windows 11 doesn't put up that prompt for real interfaces either.

Should ZeroTier just set it's interfaces to Private?
We'd probably need to pop up a similar prompt to the Windows 10 one in our GUI, which we're not really set up to do at the moment. A switch like the allow managed switch would be do able.
Also, that'd mean an allowManaged= type network setting, a setting that would only apply on one operating system. Ugh. There's no good name for it. AllowWindowsPrivate 😫

Microsofts summary isn't half bad

Public network (Recommended). Use this for networks you connect to at home, work, or in a public place. You should use this in most cases. Your PC will be hidden from other devices on the network. Therefore, you can’t use your PC for file and printer sharing.

Private network. Your PC is discoverable to other devices on the network, and you can use your PC for file and printer sharing. You should know and trust the people and devices on the network.

[AlexisTM]

This option was set for me in the settings for the real networks, but I can't access zerotier's configuration from there.

This only happened for Windows 11 pro, the home version worked out of the box for me (tested with python -m http.server)

[crimsonclyde]

Brilliant! Rly you saved me wasting more precious time.
Check server logs, checked service log, checked versions, updated, restarted networks, ping whatever I have tested all failed. This simple one liner and all seems to be back normal without timeouts again.

Superb - THX

[dajhorn]

On Windows 11 with a default Windows Defender Firewall configuration, setting ZeroTier interfaces to "private" enables .local name resolution on ZT networks that have IPv4 disabled and IPv6 enabled.

The given PowerShell command makes file servers appear in Network Neighborhood and fixes other name lookups on Windows 11 clients.

This should probably be the default interface configuration for Windows clients because ZT networks usually carry fully or semi-trusted traffic.

[AnAncientMonk]

@glimberg i just would like to know that i logged into this dusty old github account i dont use just to formally thank you for these powershell commands! fixed it like a charm. had to change both on server and on client.