How to Programmatically Extend Windows Firewall “Local Subnets” Definition via Group Policy and PowerShell

The Windows Firewall's built-in "Local subnet" option refers to the network segment where the host's IP address resides, calculated using the interface's subnet mask. This automatic detection doesn't accommodate scenarios where:

  • Multiple trusted subnets exist beyond the local segment
  • VPN-connected networks need firewall access
  • Hybrid cloud environments require additional trusted ranges

For domain environments, the most maintainable approach is through Group Policy:

1. Open Group Policy Management Console (gpmc.msc)
2. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security
3. Right-click "Windows Firewall with Advanced Security" → Properties
4. Under "Private Profile" or "Domain Profile", click "Customize"
5. In "Allowed inbound connections from these subnets", add your additional ranges
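The same change can be made to a rule that is delivered by a GPO without opening the console, so that every domain member receives the wider scope at its next policy refresh. The following is an added example, not code from the original page; the domain name, GPO name and rule name are placeholders, and the account running it needs edit rights on that GPO.

```powershell
# Added example (not from the original page): widen the remote-address scope of a
# firewall rule stored in a domain GPO. Domain, GPO and rule names are placeholders.
$policyStore = "contoso.example\Firewall-Baseline"   # assumed "<domain>\<GPO display name>"
$ruleName    = "Allow-SMB-From-Trusted-Subnets"      # assumed rule Name inside that GPO
$extraRanges = @("192.168.100.0/24", "10.2.0.0/16")

# A GPO session batches the edits so the GPO is written (and version-bumped) once
$gpo = Open-NetGPO -PolicyStore $policyStore

$rule    = Get-NetFirewallRule -Name $ruleName -GPOSession $gpo -ErrorAction Stop
$current = @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule -GPOSession $gpo).RemoteAddress)

# "Any" cannot be combined with explicit ranges, and a rule that is already open to
# every remote address has nothing to gain from a wider list; refuse rather than narrow it
if ($current -contains 'Any') {
    throw "Rule '$ruleName' is already open to any remote address; not changing it."
}

$updated = @(($current + $extraRanges) | Select-Object -Unique)
Set-NetFirewallRule -Name $ruleName -GPOSession $gpo -RemoteAddress $updated

# Nothing reaches the domain until the session is saved
Save-NetGPO -GPOSession $gpo

# Review what the GPO now carries before clients refresh policy (gpupdate /target:computer)
Get-NetFirewallRule -Name $ruleName -PolicyStore $policyStore |
    Get-NetFirewallAddressFilter -PolicyStore $policyStore |
    Select-Object -ExpandProperty RemoteAddress
```

Reading the rule back through `-PolicyStore` rather than the session shows what was actually committed, which is the value worth recording in the change ticket.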

For scripting scenarios, use the NetSecurity module:

# Get the address filter of the rule you want to widen (the display name is a placeholder)
$filter = Get-NetFirewallRule -DisplayName "Your Rule Name" | Get-NetFirewallAddressFilter

# Add additional trusted subnets (CIDR notation). RemoteAddress is a string array with
# one entry per address, range or keyword, so extend the array rather than appending
# a comma-separated string to it
$newRemoteAddrs = @($filter.RemoteAddress) + @("192.168.100.0/24", "10.2.0.0/16")

# Apply changes
Set-NetFirewallRule -DisplayName "Your Rule Name" -RemoteAddress $newRemoteAddrs

For non-domain systems, modify these registry keys (backup first):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"RemoteIpAddresses"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
00,2e,00,30,00,2f,00,32,00,34,00,2c,00,31,00,30,00,2e,00,30,00,2e,00,30,00,\
2e,00,30,00,2f,00,38,00,00,00,00,00

Note: hex(7) is REG_MULTI_SZ data; decoded as UTF-16LE it reads "192.168.1.0/24,10.0.0.0/8", followed by the terminating null characters.

Here's a complete PowerShell function to manage trusted subnets:

function Update-FirewallTrustedSubnets {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)]
        [string[]]$AdditionalSubnets,
        # Placeholder; use the exact DisplayName of the rule you want to widen
        [string]$RuleName = "File and Printer Sharing"
    )

    try {
        $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
        $addressFilter = $rule | Get-NetFirewallAddressFilter

        # RemoteAddress is already a string array (one entry per address, range or keyword)
        $currentSubnets = @($addressFilter.RemoteAddress)

        # "Any" cannot be combined with explicit ranges; a rule carrying it is already open
        # to every remote address, so adding subnets would only narrow it unexpectedly
        if ($currentSubnets -contains 'Any') {
            Write-Warning "Rule '$RuleName' already allows any remote address; no change made."
            return
        }

        # Merge and deduplicate
        $newSubnets = @(($currentSubnets + $AdditionalSubnets) | Select-Object -Unique)

        # Apply changes (honours -WhatIf / -Confirm)
        if ($PSCmdlet.ShouldProcess($RuleName, "Set RemoteAddress to $($newSubnets -join ', ')")) {
            Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $newSubnets
            Write-Host "Updated firewall rule '$RuleName' with subnets: $($newSubnets -join ', ')"
        }
    }
    catch {
        Write-Error "Firewall rule update failed: $_"
    }
}

# Usage (add -WhatIf first to see the resulting list without applying it):
Update-FirewallTrustedSubnets -AdditionalSubnets "172.16.0.0/12","10.100.0.0/24"

After making changes:

  1. Run Get-NetFirewallRule -DisplayName "Your Rule" | Get-NetFirewallAddressFilter and confirm the RemoteAddress list contains the new ranges
  2. Test connectivity from hosts in the new subnets
  3. Check Event Viewer → Windows Logs → Security for firewall events
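The three checks above can be scripted so that the change leaves an audit trail and so that connections still being dropped from the newly trusted ranges are visible. This is an added example, not code from the original page; the log name and event IDs are the standard Windows Firewall and Security-log ones, while the ranges and the 24-hour window are placeholders.

```powershell
# Added example (not from the original page): verify a scope change through the logs.
# $addedRanges is a placeholder for whatever was just added to the rule.
$addedRanges = @("172.16.0.0/12", "10.100.0.0/24")
$since       = (Get-Date).AddHours(-24)

# 1. Rule changes recorded by the firewall service itself:
#    2004 = rule added, 2005 = rule modified, 2006 = rule deleted
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2004, 2005, 2006; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line names the rule
        }
    } | Format-Table -AutoSize

# 2. IPv4 containment test used to pick out events from the ranges just allowed
function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toInt = {
        param($addr)
        $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
        [Array]::Reverse($bytes)                      # network byte order -> host order
        [int64][BitConverter]::ToUInt32($bytes, 0)
    }
    # 0xFFFFFFFF is an Int64 literal in PowerShell, so the shift does not overflow
    $mask = (0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $network) -band $mask)
}

# 3. With "Audit Filtering Platform Connection" enabled, Security event 5157 is a
#    connection the firewall blocked. A hit from an added range means the new scope is
#    not effective for that traffic (wrong rule, wrong profile, or a GPO overriding it)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($data.SourceAddress -match '^\d+\.\d+\.\d+\.\d+$' -and
            ($addedRanges | Where-Object { Test-IPv4InCidr $data.SourceAddress $_ })) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = "$($data.SourceAddress):$($data.SourcePort)"
                Dest   = "$($data.DestAddress):$($data.DestPort)"
                Proto  = $data.Protocol
                App    = $data.Application
            }
        }
    } | Format-Table -AutoSize
```

The 5157 query only returns rows if Filtering Platform Connection auditing is turned on (auditpol or the matching Advanced Audit Policy setting); without it the Security log carries no per-connection firewall decisions, and the firewall's own operational log is the only evidence of the change.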

Windows Firewall's "Local subnet" scope is predefined based on the machine's network interface configuration. When you need to treat additional non-local subnets as trusted networks (e.g., branch office VPN ranges), you'll need to modify system settings at a deeper level than the GUI allows.

The most direct approach involves editing the Windows Registry to define additional trusted subnets:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"AdditionalSubnets"="/v 192.168.100.0/24 /v 10.2.0.0/16"

For enterprise deployment, use this PowerShell script to widen every Domain-profile rule that is currently scoped to the Local subnet keyword:

# Define additional trusted subnets
$newSubnets = @("192.168.100.0/24","10.2.0.0/16")

# Find enabled rules assigned to the Domain profile whose remote scope uses the
# built-in LocalSubnet keyword (rules assigned to the "Any" profile are not matched here)
$localSubnetRules = Get-NetFirewallRule -Profile Domain -Enabled True | Where-Object {
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'LocalSubnet'
}

# Add the new ranges to each rule's RemoteAddress; the keyword stays in the list,
# so the automatically detected segment remains covered
foreach ($rule in $localSubnetRules) {
    $currentSubnets = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $updatedSubnets = @(($currentSubnets + $newSubnets) | Select-Object -Unique)
    $rule | Set-NetFirewallRule -RemoteAddress $updatedSubnets
}

For domain-joined machines, you can configure Network Location Server (NLS) to automatically classify networks:

# NLS configuration example: create the NCSI policy key if it is absent, then write the prefix list
$ncsiKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator"
New-Item -Path $ncsiKey -Force | Out-Null
New-ItemProperty -Path $ncsiKey `
    -Name "CorporateNetworkPrefix" `
    -PropertyType String `
    -Value "192.168.0.0/16,10.0.0.0/8" `
    -Force

After making changes, verify the remote-address scope that the enabled Domain-profile rules now carry:

Get-NetFirewallRule -Profile Domain -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress |
    Sort-Object -Unique

For persistent changes across reboots, ensure Group Policy isn't overwriting your settings (check with gpresult /h report.html).
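Whether Group Policy is overriding a local edit can be determined from the firewall itself, without reading a gpresult report: each effective rule records which policy store it came from, and the profile records whether local rules are merged at all. The following is an added example, not code from the original page; the rule display name is a placeholder.

```powershell
# Added example (not from the original page): show whether the scope the firewall
# enforces comes from the local store or from a GPO. Rule name is a placeholder.
$ruleName = "Your Rule"

# Local (persistent) copy versus the effective (active) copy the firewall enforces
$local  = Get-NetFirewallRule -DisplayName $ruleName -PolicyStore PersistentStore -ErrorAction SilentlyContinue
$active = Get-NetFirewallRule -DisplayName $ruleName -PolicyStore ActiveStore    -ErrorAction SilentlyContinue

if (-not $active) {
    Write-Warning "No effective rule named '$ruleName'; a locally defined rule may be blocked from merging."
}

foreach ($rule in $active) {
    [pscustomobject]@{
        Name          = $rule.Name
        Source        = $rule.PolicyStoreSource       # PersistentStore, or the GPO the rule came from
        SourceType    = $rule.PolicyStoreSourceType   # Local or GroupPolicy
        RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    }
}

# Report a local copy whose scope differs from what is actually enforced
foreach ($rule in $local) {
    $localScope  = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $activeScope = @(($active | Where-Object Name -eq $rule.Name | Get-NetFirewallAddressFilter).RemoteAddress)
    $diff = Compare-Object $localScope $activeScope
    if ($diff) {
        Write-Warning "Local scope of '$($rule.Name)' is not what is enforced: $($diff | Out-String)"
    }
}

# Local rules are merged with GPO rules only when the profile allows it. With merging
# off, a local edit never takes effect no matter what PersistentStore shows.
Get-NetFirewallProfile -Profile Domain | Select-Object Name, Enabled, AllowLocalFirewallRules
```

A `SourceType` of GroupPolicy on the effective rule means the edit belongs in the GPO, not on the host; a local change there is at best temporary until the next policy refresh.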