Tuesday, February 10, 2009

How to Configure IPv6 Using Group Policy

By default, Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista enable and use IPv6 as the default protocol. These versions of Windows will normally use IPv6 for all network communication and will step down to IPv4 as necessary.
You may decide to disable Windows IPv6 for several reasons. Perhaps your IPv4 network doesn't support it, and you want to disable unnecessary protocols. You may have also read that IPv6 breaks Outlook Anywhere on Exchange 2007 Client Access servers.

Most people think that you disable IPv6 by simply unchecking the Internet Protocol Version 6 (TCP/IPv6) checkbox, as shown above. This method disables IPv6 on the particular LAN interface and connection. For other network adapters or connections, users have to repeat the steps to disable IPv6. However, disabling IPv6 this way does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface. It also must be done manually and cannot be instrumented or enforced using Group Policy.

In order to truly disable IPv6, you must disable it in the registry in the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
Normally, the DisabledComponents value does not exist. If the value does not exist or the value data is 0, IPv6 is enabled on all interfaces.


Microsoft wrote KB article 929852 to document how to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista (and later) manually using the registry. At the end of the article, Microsoft helpfully wrote, "Note: Administrators must create an ADMX file in order to expose the settings in step 5 in a Group Policy setting." Nice. So, I decided to do just that.

I wrote the attached ADMX and ADML files to enable the configuration of IPv6 using Group Policy. Copy each file to the computer you will use to configure the policy.
IPv6Configuration.zip - This ZIP file contains both the ADMX and ADML files:
  • IPv6Configuration.admx - Copy this file to %SYSTEMROOT%\PolicyDefinitions
  • IPv6Configuration.adml - Copy this file to %SYSTEMROOT%\PolicyDefinitions\en-US (Replace en-US with your country's language, as necessary)
Now log into the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy will be located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:


Here, you can configure the following IPv6 settings:
  • Enable all IPv6 components (Windows default)
  • Disable all IPv6 components (the setting you probably want)
  • Disable 6to4
  • Disable ISATAP
  • Disable Teredo
  • Disable Teredo and 6to4
  • Disable all tunnel interfaces
  • Disable all LAN and PPP interfaces
  • Disable all LAN, PPP and tunnel interfaces
  • Prefer IPv4 over IPv6
Note that you must restart the computer for the configuration to go into effect.
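To confirm on a client that the policy took effect after the restart, the registry value can be read back and decoded. This is an added example, not part of the original post or its ADMX file; the bit meanings follow Microsoft's documentation for DisabledComponents, and the function name and its -Expected parameter are hypothetical.

```powershell
# Added example (not from the original post): read DisabledComponents and decode it.
# Requires PowerShell 3.0 or later for [pscustomobject].
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Flag bits as documented by Microsoft for the DisabledComponents value.
$Bits = @(
    @{ Mask = 0x01; Meaning = 'All tunnel interfaces disabled' },
    @{ Mask = 0x02; Meaning = '6to4 disabled' },
    @{ Mask = 0x04; Meaning = 'ISATAP disabled' },
    @{ Mask = 0x08; Meaning = 'Teredo disabled' },
    @{ Mask = 0x10; Meaning = 'All LAN and PPP interfaces disabled' },
    @{ Mask = 0x20; Meaning = 'IPv4 preferred over IPv6' }
)

# Hypothetical helper: -Expected is the value your GPO is meant to deliver.
function Test-IPv6DisabledComponents {
    param([long]$Expected = 0xFF)

    $item = Get-ItemProperty -Path $KeyPath -Name DisabledComponents -ErrorAction SilentlyContinue
    # A missing value means the same as 0: IPv6 is enabled on all interfaces.
    $raw = if ($null -eq $item) { 0 } else { $item.DisabledComponents }

    # A REG_DWORD can come back as a signed Int32 (0xFFFFFFFF reads as -1),
    # so compare on the low byte, which holds every documented flag bit.
    $low = $raw -band 0xFF

    $settings = @($Bits | Where-Object { $low -band $_.Mask } | ForEach-Object { $_.Meaning })
    if ($low -eq 0)    { $settings = @('All IPv6 components enabled (Windows default)') }
    if ($low -eq 0xFF) { $settings = @('All IPv6 components disabled') }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = ($null -ne $item)            # False: value was never written
        Value     = '0x{0:X}' -f $raw
        Settings  = $settings -join '; '
        Compliant = ($low -eq ($Expected -band 0xFF))
    }
}

# Example: the GPO is set to "Disable all IPv6 components".
Test-IPv6DisabledComponents -Expected 0xFF
```

A result with Present = False on a machine that should be in scope means the GPO has not applied there; check with gpresult before assuming the setting is wrong.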
Please to enjoy!