More on how Network Location Awareness works
Because of some recent issues I had with NLA, I started to dig a bit into this subject, and since there isn't a lot of information about NLA available, I thought I'd share some of my findings:
– For everyone having issues with domain detection, please apply this workaround
– The Domain profile isn't set just based on discovery of the domain (LDAP ping or DNS records). It requires Kerberos mutual authentication, so for NLA to set the Domain profile the whole network stack needs to be initialized and fully operational.
– There is a security KB mentioning the update of NLA to use Kerberos authentication: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-005
– If your computer account is out of sync, or has been deleted or reset, NLA will fail to set the Domain profile and you will end up in Private/Public. Check your Kerberos errors.
– Set-NetConnectionProfile can't be used to set the Domain profile; the documentation is confusing on this point.
– For the other profiles (Private/Public), detection is based on the MAC address of the gateway device, which is stored in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Everything will probably be in this Unmanaged section; Managed entries are the ones you preset via GPO.
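To tie these findings together, here is an added diagnostic script (my own example, not part of the original findings) that shows what NLA decided per interface, tests the machine's secure channel to the domain (the Kerberos side of the Domain profile), pulls recent Kerberos errors, and dumps the gateway-MAC signatures from the Unmanaged key alongside the category of the profile they map to. It assumes an elevated PowerShell 5.1+ session on a domain-joined host; the Kerberos provider name, the registry value names under each signature and the Category mapping (0 = Public, 1 = Private, 2 = Domain) are taken from current Windows builds and are assumptions to verify on your version.

```powershell
# Added NLA diagnostic (not from the original post). Run elevated on a domain-joined host.

# 1. What NLA decided per interface.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 2. Secure channel / computer account health. The Domain profile needs Kerberos
#    mutual authentication, so a broken or reset computer account shows up here first.
$secureChannel = Test-ComputerSecureChannel -Verbose
"Secure channel to domain OK: $secureChannel"

# 3. Recent Kerberos errors from the System log (provider name is an assumption
#    based on current Windows builds; adjust if it differs on yours).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10

# 4. Gateway-MAC signatures NLA uses for Private/Public matching, joined to their profile.
$sigRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
$profRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }   # assumed Category mapping

Get-ChildItem $sigRoot | ForEach-Object {
    $sig = Get-ItemProperty $_.PSPath
    # DefaultGatewayMac is REG_BINARY; render it as AA-BB-CC-DD-EE-FF
    $mac = ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join '-'
    $prof = Get-ItemProperty (Join-Path $profRoot $sig.ProfileGuid) -ErrorAction SilentlyContinue
    $category = if ($prof) { $categoryName[[int]$prof.Category] } else { '(no profile)' }
    [pscustomobject]@{
        Description = $sig.Description
        GatewayMac  = $mac
        DnsSuffix   = $sig.DnsSuffix
        ProfileGuid = $sig.ProfileGuid
        Category    = $category
    }
} | Format-Table -AutoSize
```

If step 2 returns False, repair the secure channel before chasing NLA itself; a Domain profile cannot be assigned until Kerberos authentication to the DC succeeds.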