File and Print Sharing Broken After Windows Update — Network Profile Switched to Public
After Windows 10/11 cumulative or feature updates, network adapters may silently switch from Private/Domain to Public profile, which disables file and print sharing by activating the restrictive Public firewall profile that blocks SMB (TCP 445). Affected machines cannot browse network shares, connect to shared printers, or be discovered via Network Discovery. Resolution involves correcting the network profile back to Private or Domain using PowerShell or GUI, then re-enabling sharing settings and firewall rules. This is a recurring L2 ticket pattern following Patch Tuesday deployments.
Indicators
- Unable to access network shares — connection refused or 'resource not found' errors when browsing UNC paths (\\hostname\sharename)
- Shared printers no longer accessible from other machines on the same subnet
- Network profile shown as 'Public' in Settings > Network & Internet despite being on a trusted LAN or domain network
- File and print sharing toggle disabled or greyed out in Network and Sharing Centre
- Other machines cannot ping or discover the affected host via Network Discovery
- Get-NetConnectionProfile returns NetworkCategory: Public for the primary adapter
- SMB connection errors vary by failure type: 'access denied' suggests auth/permission issue; 'network path not found' or timeout suggests firewall or discovery block — helps distinguish root cause
Likely causes
- Windows cumulative or feature update resets the network profile of existing connections to Public, triggering the restrictive Public firewall profile which blocks SMB (TCP 445) and related sharing traffic
- Network profile flipped to Public disables File and Printer Sharing firewall rules that are only active under Private or Domain profiles
- Sharing options (Network Discovery, File and Printer Sharing) disabled in Network and Sharing Centre as a side-effect of the profile change
- Non-domain-joined machines rely on manually set network profiles, making them more vulnerable to profile resets after updates as there is no GPO enforcement to restore the correct category
Diagnostic steps
-
Check the current network profile for all adapters using PowerShell: Get-NetConnectionProfileConfirms whether any network adapter is set to Public rather than Private or DomainAuthenticated — the root condition causing sharing to break
-
Navigate to Settings > Network & Internet > [Adapter] > Properties and check whether the profile is set to Public or Private. Alternatively, open Control Panel > Network and Sharing Centre and review the active network profile displayed.Provides UI-level confirmation of the network profile state and allows the technician to verify the user-facing symptom
-
Open Control Panel > Network and Sharing Centre > Change advanced sharing settings, and verify whether 'Turn on file and printer sharing' is enabled for the Private (and/or Domain) profile, and whether 'Turn on network discovery' is also enabled.Determines whether sharing options were disabled as a consequence of the profile flip or were separately disabled
-
Run PowerShell command: Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Select DisplayName, Enabled, ProfileConfirms whether the File and Printer Sharing firewall rules are enabled and which profiles they apply to — rules may be correct but the wrong profile is active
-
Check Windows Update history via Settings > Windows Update > Update History to identify any recent cumulative or feature update that preceded the onset of the issue.Establishes causal link between an update event and the profile/sharing change — useful for scoping the issue across the estate and for escalation to Microsoft if it is a known issue
-
Attempt to access the affected machine's shares from a remote host (e.g., via \\<hostname>\sharename) and note whether the error is 'access denied', 'network path not found', or a timeout.Characterises the failure mode and helps distinguish between a firewall block, a sharing configuration issue, or an authentication/permission problem
-
On domain-joined machines, run 'gpresult /h gpresult.html' in an elevated prompt and review applied GPO settings related to network profile and firewall.Determines if Group Policy is enforcing the Public profile or blocking sharing, which would require a GPO-level fix rather than a local settings change
Resolution path
- 1. Set the network profile back to Private using PowerShell (replace InterfaceIndex as appropriate): Set-NetConnectionProfile -InterfaceIndex <index> -NetworkCategory Private
- 2. If the machine is domain-joined and the profile should be DomainAuthenticated, verify the machine can reach a domain controller (Test-NetConnection <DC> -Port 389) and then re-join or reconnect to the domain network to allow Windows to auto-assign the Domain profile.
- 3. Re-enable File and Printer Sharing in Control Panel > Network and Sharing Centre > Change advanced sharing settings: enable 'Turn on network discovery' and 'Turn on file and printer sharing' for the Private/Domain profile, then click 'Save changes'.
- 4. If firewall rules remain disabled, re-enable them via PowerShell: Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
- 5. Restart the affected services if sharing still does not work: Restart-Service -Name LanmanServer; Restart-Service -Name LanmanWorkstation
- Rollback — if switching to Private causes unexpected behaviour on a machine intentionally on an untrusted network, revert: Set-NetConnectionProfile -InterfaceAlias '<InterfaceAlias>' -NetworkCategory Public
- Rollback — if firewall rules were modified and a full config backup exists, restore defaults: netsh advfirewall reset (resets all custom rules — use with caution)
- Rollback — if GPO changes were deployed, revert the GPO and run 'gpupdate /force' on affected machines, confirm with 'gpresult /r'
Prevention
- Deploy a Group Policy Object (GPO) to enforce the correct network profile on domain-joined machines: configure 'Network List Manager Policies' under Computer Configuration > Windows Settings > Security Settings to set the profile to Private or Domain and prevent users or updates from changing it.
- Monitor network profile changes at scale using a scheduled task or PowerShell script querying Get-NetConnectionProfile across the estate, alerting when any adapter is set to Public on a machine in a known-trusted subnet — run this check post-update as part of the patch deployment verification procedure.
- Include a file and print sharing smoke test (Test-NetConnection on port 445 to a known share host) in the post-update validation checklist run against a representative sample of machines after each Patch Tuesday deployment.
- Deploy a GPO that enforces the 'File and Printer Sharing' firewall rules as enabled on Private/Domain profiles across all client machines, ensuring updates do not disable the rules independently of the profile setting.
- Use Windows Update rings or staged deployment to roll out cumulative/feature updates to a pilot group first, allowing sharing breakage to be detected and remediated before wide estate impact.
Tools
- Get-NetConnectionProfile (PowerShell — check current network profile category)
- Set-NetConnectionProfile (PowerShell — change network profile category)
- Get-NetFirewallRule / Enable-NetFirewallRule (PowerShell — inspect and enable File and Printer Sharing firewall rules)
- Test-NetConnection (PowerShell — verify TCP port reachability for SMB on port 445)
- Network and Sharing Centre (Control Panel UI — change sharing and discovery settings)
- Restart-Service (PowerShell — restart LanmanServer and LanmanWorkstation services)
- gpresult (CLI — review applied Group Policy for network profile and firewall settings)
- gpupdate (CLI — force Group Policy refresh after GPO changes)
- Windows Defender Firewall with Advanced Security (GUI — review and edit inbound sharing rules)