How to Disable Network Discovery To Hide Devices Using Group Policy on Windows Server 2025
If you’re managing a Windows Server 2025 environment, you know that security isn’t just about firewalls and antivirus software. Sometimes, the best security measure is simply making your devices invisible to prying eyes on the network.
Today, we’re diving into something that might seem simple but packs a serious security punch: disabling Network Discovery through Group Policy. Whether you’re running a small business network or managing an enterprise infrastructure, this guide will walk you through the entire process.
Why Should You Care About Network Discovery?
Before we get into the technical stuff, let’s talk about why this matters. Network Discovery is that handy Windows feature that lets computers see each other on the same network. It’s convenient for file sharing and printer access, but here’s the catch: if your devices can see each other, potentially unwanted visitors can see them too.
Think of it like leaving your curtains open at night. Sure, it’s convenient to see outside, but everyone walking by can also see inside your house. Not exactly ideal for security-conscious environments, right?
In corporate settings, you might want certain departments or servers completely hidden from general network browsing. Maybe you’ve got sensitive file servers, development machines, or administrative workstations that shouldn’t be visible to everyone on the network.
Understanding Network Discovery in Windows Server 2025
Network Discovery actually controls several services working together behind the scenes:
- DNS Client – Handles name resolution for network resources
- Function Discovery Provider Host – Manages discovery of network devices
- Function Discovery Resource Publication – Publishes your computer to the network
- SSDP Discovery – Discovers UPnP devices on the network
- UPnP Device Host – Allows UPnP devices to be hosted
When you disable Network Discovery, you’re essentially telling Windows to stop advertising your device’s presence on the network and stop looking for other devices.
Prerequisites: What You’ll Need
Before we begin, make sure you have:
- Administrative access to your Windows Server 2025 domain controller
- Group Policy Management Console (GPMC) installed
- A clear understanding of which Organizational Units (OUs) you want to target
- A test environment (always test before rolling out to production!)
Step-by-Step Tutorial: Disabling Network Discovery via Group Policy
I’ll walk you through this process step by step.
Step 1: Open the Group Policy Management Console
First things first, we need to access the Group Policy Management tool.
- Press Windows Key + R to open the Run dialog
- Type gpmc.msc and hit Enter
- The Group Policy Management Console will open up
If you’re prompted for administrator credentials, go ahead and enter them.
Step 2: Create a New Group Policy Object
Rather than modifying an existing policy, let’s create a fresh one. This keeps things organized and makes troubleshooting easier down the road.
- In the GPMC tree, expand your domain
- Right-click on Group Policy Objects and select New
- Give your GPO a descriptive name like “Disable Network Discovery – Security Policy”
- Click OK
Pro tip: Always use descriptive names for your GPOs. Your future self (and your colleagues) will thank you when you’re troubleshooting at 2 AM.
Step 3: Edit the Group Policy Object
Now we’re getting to the good stuff.
- Right-click your newly created GPO
- Select Edit
- The Group Policy Management Editor will open in a new window
Step 4: Navigate to the Network Discovery Settings
Here’s where you’ll configure the actual settings. The path is a bit nested, but just follow along:
- In the Group Policy Management Editor, navigate to:
  - Computer Configuration
  - Policies
  - Administrative Templates
  - Network
  - Network Connections
  - Windows Defender Firewall
  - Domain Profile (or Standard Profile, depending on your network type)
- Look for the policy named “Windows Defender Firewall: Define inbound port exceptions” and “Windows Defender Firewall: Prohibit notifications”
Wait, that’s not quite right. Let me give you the correct path for Network Discovery specifically:
- Navigate to:
  - Computer Configuration
  - Policies
  - Administrative Templates
  - Network
  - Link-Layer Topology Discovery
- You’ll see two settings here:
  - Turn on Mapper I/O (LLTDIO) driver
  - Turn on Responder (RSPNDR) driver
Step 5: Configure the Network Discovery Settings
Now let’s actually disable these services:
- Double-click on “Turn on Mapper I/O (LLTDIO) driver”
- Select Disabled
- Click Apply, then OK
- Double-click on “Turn on Responder (RSPNDR) driver”
- Select Disabled
- Click Apply, then OK
Step 6: Configure Windows Defender Firewall Rules (Additional Security Layer)
For even more control, let’s also configure the firewall rules related to Network Discovery:
- Navigate to:
  - Computer Configuration
  - Policies
  - Windows Settings
  - Security Settings
  - Windows Defender Firewall with Advanced Security
  - Windows Defender Firewall with Advanced Security – LDAP://…
  - Inbound Rules
- Right-click on Inbound Rules and select New Rule
- Select Predefined and choose Network Discovery from the dropdown
- Click Next
- Check all the Network Discovery rules
- Click Next
- Select Block the connection
- Click Finish
Step 7: Link the GPO to the Appropriate Organizational Unit
Creating the policy is only half the battle. Now we need to apply it to the right computers.
- Close the Group Policy Management Editor
- Back in the Group Policy Management Console, find the OU containing the computers you want to affect
- Right-click the OU and select “Link an Existing GPO…”
- Select your “Disable Network Discovery” GPO from the list
- Click OK
Step 8: Force Group Policy Update
You don’t want to wait for the next automatic Group Policy refresh, especially if you’re testing. Here’s how to force an immediate update:
On the target computer, open Command Prompt as Administrator and run:
gpupdate /force
This will immediately apply your new Group Policy settings.
Step 9: Verify the Settings
Let’s make sure everything worked correctly:
- On a target computer, open Control Panel
- Go to Network and Sharing Center
- Click on Change advanced sharing settings
- You should see that Network discovery is turned off and grayed out (unavailable to change)
You can also verify via PowerShell:
Get-NetConnectionProfile
Get-NetFirewallRule -DisplayGroup "Network Discovery" | Select-Object DisplayName, Enabled, Direction
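A fuller check of Steps 5 and 6, as an added example that is not part of the original tutorial. Get-NetFirewallRule reads the local persistent store when -PolicyStore is omitted, so rules delivered by a GPO do not appear in its output; this script queries ActiveStore instead and also reports each rule's Action. It assumes an English display group name and that the two LLTD policies are stored as EnableLLTDIO and EnableRspndr under the LLTD policy key.

```powershell
# Added example. Run in an elevated PowerShell session on a target computer
# after `gpupdate /force`. Read-only: it changes nothing.

# 1. LLTD policies from Step 5: "Disabled" is stored as 0 under this key.
$lltd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD' -ErrorAction SilentlyContinue
$report = foreach ($name in 'EnableLLTDIO', 'EnableRspndr') {
    $value = if ($lltd) { $lltd.$name } else { $null }
    $state = if ($null -eq $value) { 'Not configured' } elseif ($value -eq 0) { 'Disabled by policy' } else { 'Enabled by policy' }
    [pscustomobject]@{ Check = "LLTD $name"; Result = $state }
}

# 2. Firewall rules from Step 6, read from the store the firewall actually enforces.
#    ActiveStore merges local rules and GPO rules; PolicyStoreSourceType says which is which.
$rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Network Discovery' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })
$gpoBlock = @($rules | Where-Object { $_.Action -eq 'Block' -and $_.PolicyStoreSourceType -eq 'GroupPolicy' })
$allow    = @($rules | Where-Object { $_.Action -eq 'Allow' })
$report += [pscustomobject]@{ Check = 'Inbound block rules delivered by GPO'; Result = $gpoBlock.Count }
$report += [pscustomobject]@{ Check = 'Inbound allow rules still enabled';    Result = $allow.Count }

# 3. Discovery services listed earlier on this page. Informational only:
#    the GPO built in this tutorial does not stop or disable them.
$services = Get-Service -Name FDResPub, fdPHost, SSDPSRV, upnphost -ErrorAction SilentlyContinue

$report   | Format-Table -AutoSize
$rules    | Sort-Object DisplayName | Format-Table DisplayName, Profile, Action, PolicyStoreSourceType -AutoSize
$services | Format-Table Name, Status, StartType -AutoSize
```

A zero in "Inbound block rules delivered by GPO" means the GPO's firewall rules have not reached this computer. Enabled allow rules from the local store can still be listed next to the GPO block rules, because Windows Firewall evaluates block rules ahead of allow rules.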
Wrapping Up
We’ve successfully learned how to disable Network Discovery using Group Policy in Windows Server 2025. Your devices are now stealthier, your network is more secure, and you’ve got one more tool in your IT security toolkit.
Remember, security is an ongoing process, not a one-time setup. Regularly review your Group Policies, stay updated on security best practices, and always test changes before rolling them out to production.





