Tuesday, February 10, 2009

How to Configure IPv6 Using Group Policy

Update: I have updated the IPv6Configuration.zip file mentioned below with the new recommendations documented in the article, A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFF.

By default, all modern versions of Windows and Windows Server enable and use IPv6 as the default networking protocol. These versions of Windows will normally use IPv6 for all network communication and will step down to IPv4 as necessary.

You may decide to disable Windows IPv6 for several reasons. Perhaps your IPv4 network doesn't support it, and you want to disable unnecessary protocols. You may have also read that IPv6 breaks Outlook Anywhere on Exchange 2007 Client Access servers.

Most people think that you disable IPv6 by simply unchecking the Internet Protocol Version 6 (TCP/IPv6) checkbox, as shown above. This method disables IPv6 on the particular LAN interface and connection. For other network adapters or connections, users have to repeat the steps to disable IPv6. However, disabling IPv6 this way does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface. It also must be done manually and cannot be instrumented or enforced using Group Policy.

To truly disable IPv6, you must set the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
Normally, the DisabledComponents value does not exist. If the value does not exist or the value data is 0, IPv6 is enabled on all interfaces.

Microsoft wrote KB article 929852 to document how to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista (and later) manually using the registry. At the end of the article, Microsoft helpfully wrote, "Note: Administrators must create an ADMX file in order to expose the settings in step 5 in a Group Policy setting." Nice. So, I decided to do just that.

I wrote the attached ADMX and ADML files to enable the configuration of IPv6 using Group Policy. Copy each file to the computer you will use to configure the policy.

IPv6Configuration.zip - This ZIP file contains both the ADMX and ADML files:
  • IPv6Configuration.admx - Copy this file to %SYSTEMROOT%\PolicyDefinitions
  • IPv6Configuration.adml - Copy this file to %SYSTEMROOT%\PolicyDefinitions\en-US (Replace en-US with your country's language, if necessary)
Now log into the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy will be located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:

Group Policy Management Console
Here, you can configure the following IPv6 settings:
  • Enable all IPv6 components (Windows default)
  • Disable all IPv6 components (the setting you probably want)
  • Disable 6to4
  • Disable ISATAP
  • Disable Teredo
  • Disable Teredo and 6to4
  • Disable all tunnel interfaces
  • Disable all LAN and PPP interfaces
  • Disable all LAN, PPP and tunnel interfaces
  • Prefer IPv4 over IPv6
Note that you must restart the computer for the configuration to go into effect.
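
To confirm after the restart which components a machine's DisabledComponents value actually disables, or to work out the value for a combination of the settings listed above, the following PowerShell can be used. It is an added example, not part of IPv6Configuration.zip; the function names are hypothetical, and the bit meanings are the ones Microsoft documents for DisabledComponents in KB 929852.

```powershell
# Added example; not part of the author's IPv6Configuration.zip.
# Bit meanings are the ones Microsoft documents for DisabledComponents (KB 929852).
$Ipv6Bits = @(
    @{ Name = 'Tunnel';     Mask = 0x01; Text = 'All tunnel interfaces disabled' },
    @{ Name = '6to4';       Mask = 0x02; Text = '6to4 disabled' },
    @{ Name = 'ISATAP';     Mask = 0x04; Text = 'ISATAP disabled' },
    @{ Name = 'Teredo';     Mask = 0x08; Text = 'Teredo disabled' },
    @{ Name = 'LanPpp';     Mask = 0x10; Text = 'All LAN and PPP interfaces disabled' },
    @{ Name = 'PreferIPv4'; Mask = 0x20; Text = 'IPv4 preferred over IPv6' }
)

function Get-DisabledComponentsValue {
    # Hypothetical helper: combine several settings into one DWORD value,
    # e.g. -Name ISATAP, Teredo, PreferIPv4 gives 0x2C.
    param([string[]]$Name)
    $value = 0
    foreach ($n in $Name) {
        $bit = $Ipv6Bits | Where-Object { $_.Name -eq $n }
        if (-not $bit) { throw "Unknown setting '$n'" }
        $value = $value -bor $bit.Mask
    }
    '0x{0:X2}' -f $value
}

function Test-Ipv6Policy {
    # Hypothetical helper: read the effective value and list what it disables.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $prop -or $prop.DisabledComponents -eq 0) {
        return 'DisabledComponents absent or 0: all IPv6 components enabled'
    }
    $raw = $prop.DisabledComponents   # a DWORD of 0xFFFFFFFF may surface as Int32 -1
    'DisabledComponents = 0x{0:X8}' -f $raw
    foreach ($bit in $Ipv6Bits) {
        if ($raw -band $bit.Mask) { '  ' + $bit.Text }
    }
    if (($raw -band 0xFF) -ne $raw) {
        '  Note: bits above the low byte are set; compare with the 0xFF value in the update note'
    }
}

Get-DisabledComponentsValue -Name ISATAP, Teredo, PreferIPv4
Test-Ipv6Policy
```

Run it in an elevated or standard PowerShell session on the client; it only reads the registry and changes nothing.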
Please to enjoy!

29 comments:

  1. Thanks for this. Nice and easy!

  2. Hi,

    thanks for this!

    But I got one question:
    After I had applied this to my domain all my clients got the registry entry successfully, but the IPv6 Protocol on the network interface properties is already checked?

    Have I to disable this manually on each client? Because it seems that it is not enough to only add this registry-key to disable it!

    regards,
    Crus

  3. I'll add my thanks for the posting, and a followup to the question from Crus:

    The references I've found to disabling IPv6 consistently indicate that setting the Registry value above to 0xFF (or 0xFFFFFFFF) is sufficient to block the use of all of the IPv6 components (protocol, Teredo, 6to4 etc.). Are there any exceptions that require additional actions?

    And (even if the Registry change really does block IPv6) is there any scripting mechanism that would allow me to cause the IPv6 components to show as unchecked in the network adapter interface definitions? I support a research organization where some of the project laboratories may have a legitimate need to use IPv6 even if the internal network does not yet support it. While it's not a showstopper to the use of Windows 7 I would like to be able to build a distribution image that at sysprep OOBE time automagically unchecks the various IPv6 components in every network interface to visibly show that IPv6 has been disabled. Any suggestions on how to do this?

  4. Hi,

    I copied the files in my local folders.
    When I open the Local Group Policy Editor and I navigate to the IPv6 Configuration folder, it is empty.
    I tried on another Vista Computer, same thing. Any Ideas?

  5. Make sure that your GPO filters are turned off when viewing Administrative Templates. Click View > Filter Options. Managed, Configured and Commented should be set to ANY.

  6. Hi,

    Thank you Mr. JEFF for your useful article. I am getting the same issue like Mr. Crus said, after applying this policy in my Win 2008 DC. How can I disable this permanently from all the systems when I connect the Windows systems in the domain?

  7. You must manually clear the checkbox for IPv6 on each network adapter. Unfortunately, there is no way to do this via Group Policy (mainly because each NIC has a unique GUID in the registry).

  8. As a follow up to my earlier comment, if you don't clear the IPv6 setting in the properties of the NIC, an IPv6 address will be assigned to that NIC.

    But if you disable IPv6 using the registry or GPO options listed in this article, the computer won't use IPv6 for communication even though it has an IPv6 address.

  9. This has been an extremely helpful article. I bookmarked it!

  10. Back in the day I published a script

    http://www.curuit.com/disable-ipv6-over-all-interfaces-and-prefer-ipv4-to-ipv6-20090129195/

    that does this, and I've been using this script everywhere, but GPO is much better;). Thanks.

    P.S.
    I've republished this post on my website, and if you want to save a website traffic, everybody welcome to download a .ZIP file from my web site as well.

  11. Hi,
    First, thank you for the effort you put into these settings.
    However, I did as described above, but when I open the GPMC and go to Computer Configuration > Policies > Administrative Templates > Network ... the IPv6 Configuration folder does not show up at all.
    Any idea, and thank you in advance.

  12. Found it.
    Had to move the file directly into the domain folder
    your-domain-controller\SYSVOL\your-domain\Policies\PolicyDefinitions for the ADMX file, and
    your-domain-controller\SYSVOL\your-domain\Policies\PolicyDefinitions\en-US for the ADML file

  13. Just for grins, I used Group Policy Preferences; couldn't we just write the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents? I had to put in the value ffffffff for it to show up in the registry as 0xffffffff. So the registry shows up that way, but I still see IPv6 checked in the local area connection properties and I get an IPv6 address in ipconfig /all.

  14. I don't have a Policies\PolicyDefinitions folder, just several GUID entries in brackets. Can I create those folders (I think not as they're obviously supposed to be autocreated)

    Any suggestions?

  15. Hi David,

    Those folders should be created by default on any Windows 2008 or better domain controller. Ensure that you've configured Windows Explorer to show hidden files and folders and to show protected Windows operating system files.

  16. Hi Jeff,

    I have followed your instructions and enabled show hidden files and folders, and show protected Windows operating system files, but still no luck. Is there any way around it?

  17. Yes, you can create those folders: http://technet.microsoft.com/en-us/library/cc748955(WS.10).aspx

  18. Great post, one question. How do I disable multiple items, e.g. disable ISATAP, Teredo and also prefer V4 over V6?

  19. If you set the DisabledComponents key to 0xFFFFFFFF, it will achieve what you want because all IPv6 components are disabled.

    See http://support.microsoft.com/kb/929852

  20. Thanks, that makes sense; however, I don't actually want to turn it all off. To start with, if I can, I'd like to just disable all the tunneling methods. And then, if possible, also prefer IPv4 over IPv6. The idea is to just have the IPv6 stack and none of the extra junk.

  21. Thanks a lot, Jeff, for creating and sharing these custom templates!
    How did you create these custom ADMX and ADML files? Is there any tool for that?

  22. I created them using the ADMX Migrator tool. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15058

  23. After MUCH searching, I consider THIS post the authority. There must be NO way to programmatically remove the check in the adapters' properties for IPv6. That's all there is to it, right? So, the reg edit or the policy will, in fact, disable the protocol but each adapter will still have the check. Is this correct? Thanks again all for a great post here. I appreciate everyone's input.

  24. Awesome, thank you very much!!

    When disabling IPV6 via regedit or via the ADMX which is the same the tick will still appear in the IPV6 properties regardless of which setting you apply.

  25. Has anyone discovered a way of turning off that tickbox? We've got an issue on our domain where PC's with this tickbox set are taking anywhere up to 3 hours to log in, but if you untick that box, it works fine. Looks like it's the act of getting an IPv6 address causes it. Would be great if there was a way to untick this via group policy...

    Thanks.

  26. Hi,
    Fantastic GPO. Thanks a lot.
    One question though regarding Windows clustering in Server 2008:
    As the virtual failover adapter uses/prefers IPv6 for node-node communication, will this policy break that functionality?

    thanks
