Tuesday, February 10, 2009

How to Configure IPv6 Using Group Policy

By default, Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista enable and use IPv6 as the default protocol. These versions of Windows will normally use IPv6 for all network communication and will step down to IPv4 as necessary.
You may decide to disable Windows IPv6 for several reasons. Perhaps your IPv4 network doesn't support it, and you want to disable unnecessary protocols. You may have also read that IPv6 breaks Outlook Anywhere on Exchange 2007 Client Access servers.

Most people think that you disable IPv6 by simply unchecking the Internet Protocol Version 6 (TCP/IPv6) checkbox, as shown above. This method disables IPv6 on the particular LAN interface and connection. For other network adapters or connections, users have to repeat the steps to disable IPv6. However, disabling IPv6 this way does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface. It also must be done manually and cannot be instrumented or enforced using Group Policy.

In order to truly disable IPv6, you must disable it in the registry in the following key:
Normally, the DisabledComponents value does not exist. If the value does not exist or the value data is 0, IPv6 is enabled on all interfaces.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents


Microsoft wrote KB article 929852 to document how to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista (and later) manually using the registry. At the end of the article, Microsoft helpfully wrote, "Note: Administrators must create an ADMX file in order to expose the settings in step 5 in a Group Policy setting." Nice. So, I decided to do just that.

I wrote the attached ADMX and ADML files to enable the configuration of IPv6 using Group Policy. Copy each file to the computer you will use to configure the policy.
IPv6Configuration.zip - This ZIP file contains both the ADMX and ADML files:
  • IPv6Configuration.admx - Copy this file to %SYSTEMROOT%\PolicyDefinitions
  • IPv6Configuration.adml - Copy this file to %SYSTEMROOT&\PolicyDefinitions\en-US (Replace en-US with your country's language, as necessary)
Now log into the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy will be located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:


Here, you can configure the following IPv6 settings:
  • Enable all IPv6 components (Windows default)
  • Disable all IPv6 components (the setting you probably want)
  • Disable 6to4
  • Disable ISATAP
  • Disable Teredo
  • Disable Teredo and 6to4
  • Disable all tunnel interfaces
  • Disable all LAN and PPP interfaces
  • Disable all LAN, PPP and tunnel interfaces
  • Prefer IPv4 over IPv6
Note that you must restart the computer for the configuration to go into effect.
Please to enjoy!

3 comments:

Murali said...

Hi,

Thank you Mr. JEFF for your useful article. I am getting the same issue like Mr. Crus said, after applying this policy in my win 2008 DC. How can disable this permanently from all the systems, when i connect the windows systems in domain.

Jeff said...

You must manually clear the checkbox for IPv6 on each network adapter. Unfortunately, there is no way to do this via Group Policy (mainly because each NIC has a unique GUID in the registry).

Jeff said...

As a follow up to my earlier comment, if you don't clear the IPv6 setting in the properties of the NIC, an IPv6 address will be assigned to that NIC.

But if you disable IPv6 using the registry or GPO options listed in this article, the computer won't use IPv6 for communication even though it has an IPv6 address.

Post a Comment

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.