Thanks — that’s clear. Below are the most common causes and a short, safe checklist with explicit commands you can run (as Administrator) to find and fix the root cause so your network stays "Private" instead of you having to re-set it at every boot.
Before you start
- Tell me: which Windows edition/version are you running (Settings → System → About — or run winver)?
- Are you on a domain? Do you run any third‑party firewall/AV (e.g. ZoneAlarm, Norton, etc.) or a VPN that starts at boot?
Quick explanation
- Windows decides Private/Public using the Network Location Awareness (NLA) / Network List Service. If NLA can't identify the network (no gateway, active probing disabled, NLA or Network List service not running, Group Policy, or third‑party firewall interference) you get "Unknown network" or the Private/Public toggle disappears and PowerShell is the only way to change it temporarily.
Step 1 — Check the NLA and Network List services
Open an elevated Command Prompt (Run as administrator) and run:
- sc query NlaSvc
- sc query netprofm
If either is not RUNNING, set them to automatic and start them:
- sc config NlaSvc start= auto
- sc config netprofm start= auto
- net start NlaSvc
- net start netprofm
Step 2 — Make sure NLA active probing is enabled
If active probing is disabled NLA often can’t identify the network. In an elevated prompt run:
- reg query "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v EnableActiveProbing
If the value is 0 or the value/key is missing, enable it:
- reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v EnableActiveProbing /t REG_DWORD /d 1 /f
Then restart the two services (or reboot).
Step 3 — Check what Windows thinks the connection is and set it (short term)
Open an elevated PowerShell and run:
- Get-NetConnectionProfile
Note the InterfaceIndex and NetworkCategory. To set Private (what you already do):
- Set-NetConnectionProfile -InterfaceIndex <n> -NetworkCategory Private
We’ll make it persistent below — this PS command alone can be reset later by services/GPO/third‑party software.
Step 4 — Check whether a policy or third‑party software is forcing Public
- Do you have Local Group Policy (gpedit.msc) settings under Computer Configuration → Windows Settings → Security Settings → Network List Manager Policies?
If "Unidentified networks" is set to "Public" there, change it to Private (or “Users can change location”).
- Temporarily disable any 3rd‑party firewall/AV and reboot to test. Some security suites force networks to Public.
Step 5 — Check the registry network profile (make persistent)
Windows stores profiles here:
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
To see profiles and current Category values (run in elevated PowerShell):
- Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*' |
  Select-Object PSChildName, ProfileName, Description, Category
Category values: 0 = Public, 1 = Private, 2 = Domain.
If you find the profile for your network and Category = 0, set it to Private:
- Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}" -Name Category -Value 1
Warning: editing registry — back up the key first (export it) or create a System Restore point.
Step 6 — If the profile is missing or broken: delete old profiles to force Windows to recreate them
Sometimes Windows has a broken profile so it never recognizes the network. Back up, then delete the Profiles keys (Windows will recreate them):
- Export the Profiles key in regedit or run (elevated PowerShell):
# Copy-Item cannot copy from the registry to a file path, so export with reg.exe instead
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" "C:\Temp\NetworkListProfilesBackup.reg" /y
Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*' -Recurse
Then reboot and connect — Windows should create a new profile which NLA can classify.
Step 7 — Check network configuration (gateway, DNS)
If your Ethernet has no default gateway Windows may treat the network as unidentified:
- In an elevated prompt run: ipconfig /all
Look for IPv4 Default Gateway. If there's none, fix router/DHCP or static settings.
Step 8 — If nothing else works: check Event Viewer logs
Open Event Viewer → Applications and Services Logs → Microsoft → Windows → NetworkProfile/NetworkList or NlaSvc logs for errors around the time of boot. These messages point at what's failing.
Common causes I see in these cases
- EnableActiveProbing is set to 0 (prevents identification)
- NlaSvc or Network List Service not starting early enough
- Group Policy forcing Unidentified networks to Public (common in corporate-managed machines)
- Third‑party firewall/AV or VPN marking network Public at startup
- Broken profile in registry that never gets re-created correctly
- Missing default gateway (DHCP/router)
What I suggest you try now (in this order)
- Run the two service checks + enable active probing (Steps 1 & 2). Reboot and test.
- If it’s still happening, run Get-NetConnectionProfile and paste the output here.
- If you run a third‑party firewall/AV, temporarily disable/uninstall it and reboot to test.
- If the problem persists, run these (elevated PowerShell) and paste results:
- Get-NetConnectionProfile | Format-List *
- Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*' |
  Select PSChildName, ProfileName, Description, Category
I can walk you through the exact registry changes or Group Policy change once you paste your Get-NetConnectionProfile output and tell me your Windows version and whether this is a domain-joined machine or not.
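The checks from Steps 1, 2, 3, 5 and 7 gathered into one read-only pass, as an added example that is not part of the original reply. It changes nothing on the machine; the variable names and the wording of the findings are this example's own, and it assumes an elevated PowerShell 5.1 or later.

```powershell
# Read-only triage: reports what Steps 1, 2, 3, 5 and 7 would have you look at.
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: NLA and Network List services should be running.
foreach ($name in 'NlaSvc', 'netprofm') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings.Add("Service $name not found"); continue }
    if ($svc.Status -ne 'Running') {
        $findings.Add("Service $name is $($svc.Status) (start type: $($svc.StartType))")
    }
}

# Step 2: active probing must not be 0 or missing.
$nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$probe  = (Get-ItemProperty -Path $nlaKey -Name EnableActiveProbing -ErrorAction SilentlyContinue).EnableActiveProbing
if ($null -eq $probe)  { $findings.Add('EnableActiveProbing value is missing') }
elseif ($probe -eq 0)  { $findings.Add('EnableActiveProbing is 0 (disabled)') }

# Steps 3 and 7: live category and default gateway for each connected interface.
$live = Get-NetConnectionProfile
foreach ($p in $live) {
    if ($p.NetworkCategory -eq 'Public') {
        $findings.Add("Interface $($p.InterfaceIndex) '$($p.Name)' is currently Public")
    }
    $gw = (Get-NetIPConfiguration -InterfaceIndex $p.InterfaceIndex).IPv4DefaultGateway
    if (-not $gw) {
        $findings.Add("Interface $($p.InterfaceIndex) '$($p.Name)' has no IPv4 default gateway")
    }
}

# Step 5: stored profiles and their Category (0 = Public, 1 = Private, 2 = Domain).
$profKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$category = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
$stored = Get-ChildItem -Path $profKey -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid     = $_.PSChildName
        Name     = $v.ProfileName
        Category = $category[[int]$v.Category]
    }
}
if (-not $stored) { $findings.Add('No stored network profiles found in the registry') }

# Report: raw data first, then the items worth following up.
$live   | Format-Table InterfaceIndex, InterfaceAlias, Name, NetworkCategory -AutoSize
$stored | Format-Table Guid, Name, Category -AutoSize
if ($findings.Count) { $findings | ForEach-Object { "CHECK: $_" } } else { 'No issues found by these checks.' }
```

A stored profile that shows Private while the live interface shows Public after boot points toward Step 4 (policy or third‑party software) rather than the profile itself.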