Department of Defense
High Performance Computing Modernization Program

Enabling Internet Protocol version 6 (IPv6)

IPv6 is enabled by default in all versions of Microsoft Windows 8, 8.1, or 10, and Server 2012, 2012 R2, 2016 or 2019. No action is required to enable IPv6. Internet Connection Sharing (ICS) is disabled by default, and should be disabled if found to be enabled on any network interface as described here. Wi-Fi Sense is enabled by default in Windows 10 and should be disabled as described here for desktop systems and here for corporate environments. Server versions have a DHCPv6 client enabled by default. This may or may not be considered acceptable. Disabling the DHCPv6 client on server versions is described in Part 3: IPv6 Static Addressing and DNSv6 in the Enabling IPv6 in a Microsoft Windows Environment article in the Infrastructure section. Depending on the LAN segment router configuration, clients on that LAN segment may need to be reconfigured to use DHCPv6, as described in Part 4: Setting up DHCPv6 to Dynamically Issue IPv6 Addresses in a Network in the Enabling IPv6 in a Microsoft Windows Environment article in the Infrastructure section.

Running the following cmdlets in PowerShell will disable some vulnerable tunneling interfaces that are enabled by default. Disabling them is not required, but is recommended for better security. The netsh command line interface used to configure and manage TCP/IP configurations still exists, but Microsoft recommends that you transition to PowerShell. In future updates of Windows, Microsoft may remove the netsh functionality. It is also possible to disable these vulnerable interfaces using Group Policy Objects (GPO) as described in this article. (The .admx and .adml files available there do not disable IP-HTTPS-based interfaces, but are otherwise current.)

Run PowerShell as an Administrator, and then:

1. Run the cmdlet

Get-NetIPv6Protocol

If the value of RandomizeIdentifiers is anything other than Disabled, run the cmdlet

Set-NetIPv6Protocol -RandomizeIdentifiers Disabled

and if the value of UseTemporaryAddresses is anything other than Disabled, run the cmdlet

Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

2. Run the cmdlet

Get-Net6to4Configuration

This will show the State of 6to4 tunneling. If the State is other than Disabled, run the cmdlet

Set-Net6to4Configuration Disabled

Unless 6to4 tunneling is disabled, any Network Adapter with a public IPv4 address will automatically be assigned a corresponding 6to4 address on the 6to4 tunneling interface, and an attempt will be made to register that 6to4 address in DNS. Use of the 6to4 server (6to4.ipv6.microsoft.com) is not recommended. It is no longer supported by Microsoft.

3. Run the cmdlet

Get-NetIsatapConfiguration

This will show the State of ISATAP tunneling. If the State is other than Disabled, run the cmdlet

Set-NetIsatapConfiguration Disabled

4. Run the cmdlet

Get-NetTeredoConfiguration

This will show the State of Teredo tunneling. If the State is other than Disabled, run the cmdlet

Set-NetTeredoConfiguration Disabled

(It is not recommended that you enable the Teredo protocol, but if for some reason you want to, omit the above cmdlet. You will likely also want to configure your own Teredo server using the cmdlet

Set-NetTeredoConfiguration -ServerName "Teredo.Server.FQDN"

where Teredo.Server.FQDN is the fully qualified domain name of your Teredo server. Use of any default Teredo servers (such as www.ipv6.microsoft.com, teredo.ipv6.microsoft.com, win10.ipv6.microsoft.com, or 1710.ipv6.microsoft.com) supported by Microsoft in the past is not recommended. If the computer you are configuring is also part of a Windows domain, then also run the cmdlet

Set-NetTeredoConfiguration -Type EnterpriseClient

It is generally not recommended to enable Teredo when connected to a Windows domain.)

The cmdlets in 1. delete a temporary randomly-generated global IPv6 address (which is neither useful nor desirable when you have a global IPv6 address assigned by either Stateless Address AutoConfiguration [SLAAC] or Dynamic Host Configuration Protocol version 6 [DHCPv6]). Note that this temporary address won’t be deleted until the next reboot. Whenever a mobile system moves to a different network, or whenever the network the system is connected to is renumbered, the above cmdlets must be rerun.

To verify that the tunneling interfaces were disabled by 2 through 4, run the Get-NetXXXConfiguration cmdlets again, with 6to4, ISATAP, and Teredo substituted for XXX.
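Steps 1 through 4 and the verification pass can be run as a single audit. The function below is an added example, not part of the original page; the function name and output columns are hypothetical, and it assumes Teredo reports its setting in the Type property while 6to4 and ISATAP report State.

```powershell
# Added example (not from the original page): audit steps 1-4 in one pass.
# Run from an elevated PowerShell session when using -Fix.
function Invoke-IPv6HardeningAudit {
    param([switch]$Fix)   # hypothetical switch: apply the page's Set cmdlets

    # One entry per setting: how to read it, which property holds the value,
    # and the Set cmdlet the page gives for disabling it.
    $checks = @(
        @{ Name = 'RandomizeIdentifiers';  Prop = 'RandomizeIdentifiers'
           Get  = { Get-NetIPv6Protocol }
           Set  = { Set-NetIPv6Protocol -RandomizeIdentifiers Disabled } }
        @{ Name = 'UseTemporaryAddresses'; Prop = 'UseTemporaryAddresses'
           Get  = { Get-NetIPv6Protocol }
           Set  = { Set-NetIPv6Protocol -UseTemporaryAddresses Disabled } }
        @{ Name = '6to4';   Prop = 'State'
           Get  = { Get-Net6to4Configuration }
           Set  = { Set-Net6to4Configuration -State Disabled } }
        @{ Name = 'ISATAP'; Prop = 'State'
           Get  = { Get-NetIsatapConfiguration }
           Set  = { Set-NetIsatapConfiguration -State Disabled } }
        @{ Name = 'Teredo'; Prop = 'Type'   # assumption: Teredo uses Type, not State
           Get  = { Get-NetTeredoConfiguration }
           Set  = { Set-NetTeredoConfiguration -Type Disabled } }
    )

    foreach ($c in $checks) {
        $prop   = $c.Prop
        $before = [string](& $c.Get).$prop
        $after  = $before
        if ($Fix -and $before -ne 'Disabled') {
            & $c.Set                              # remediate, then re-read to verify
            $after = [string](& $c.Get).$prop
        }
        [pscustomobject]@{
            Setting   = $c.Name
            Before    = $before
            After     = $after
            Compliant = ($after -eq 'Disabled')
        }
    }
}

# Report only; add -Fix to disable anything that is not already Disabled.
Invoke-IPv6HardeningAudit | Format-Table -AutoSize
```

Because the settings revert to being relevant whenever a mobile system changes networks or the network is renumbered, the report-only form is suited to a logon or scheduled check.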


Re-enabling IPv6

If you want to re-enable IPv6 after it has been disabled, the following five methods are available. The method used should correspond to the manner in which IPv6 was disabled. It is also strongly recommended to check the status of Internet Connection Sharing (ICS) and (in Windows 10) Wi-Fi Sense. ICS is disabled by default, and should be disabled if found to be enabled on any network interface as described here. Wi-Fi Sense is enabled by default and should be disabled as described here for desktop systems and here for corporate environments.

Method 1. (Traditional method used by previous Windows versions.)  In the Network Connections folder of the Network and Sharing Center, obtain properties on all of your connections and adapters and set the check box next to the Internet Protocol version 6 (TCP/IPv6) component in the list under This connection uses the following items. This method can be used to re-enable IPv6 on each network interface and connection, but does not enable IPv6-tunneling interfaces nor the IPv6 loopback interface.

Method 2. Run PowerShell as an Administrator. Run the cmdlet

Get-NetAdapterBinding

to list all Network Adapters on the computer and the state of the ms_tcpip6 ComponentID for each Network Adapter. For each Network Adapter for which the ComponentID ms_tcpip6 shows Enabled = False, run the cmdlet

Set-NetAdapterBinding -Name "Network Adapter Name" -ComponentID ms_tcpip6 -Enabled $True

Method 3. Either (a) use the wizard or (b) follow the directions for modifying the registry on this web page on the support.microsoft.com website.

Method 4. Search for the regedit app and Run as Administrator (older than but similar to method 3(b) above).

 

[Figures: Windows 8 "regedit" search; Windows 10 "regedit" search]

 

The following registry value (DWORD type) should already exist. If it doesn’t, then create it:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

DisabledComponents has a value of 0x0 by default. Set it to 0x8F to re-enable IPv6 on all your network interfaces and connections, while still disabling the IPv6 tunneling interfaces. You must restart the computer for this change to take effect.

When DisabledComponents exists and a DisabledComponents bit is set, it overrides any settings established by method 1 and 2. The DisabledComponents registry value is a bit mask that controls the following series of flags, starting with the low order bit (Bit 0):

  1. Bit 0 Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and Teredo tunnels. Default value is 0.
  2. Bit 1 Set to 1 to disable all 6to4-based interfaces. Default value is 0.
  3. Bit 2 Set to 1 to disable all ISATAP-based interfaces. Default value is 0.
  4. Bit 3 Set to 1 to disable all Teredo-based interfaces. Default value is 0.
  5. Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and Point-to-Point Protocol (PPP)-based interfaces. Default value is 0.
  6. Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections. Default value is 0.
  7. Bit 6 This bit was reserved for future use up until Windows Server 2019. Set to 1 to disable all CP-based interfaces. Default value is 0.
  8. Bit 7 Set to 1 to disable all IP-HTTPS-based interfaces. Default value is 0.

To determine the value of DisabledComponents for a specific set of bits, construct a binary number consisting of the bits and their values in their correct position and convert the resulting number to hexadecimal. For example, if you want to disable 6to4 interfaces, disable Teredo interfaces, and prefer IPv4 to IPv6, you would construct the following binary number: 00101010. When converted to hexadecimal, the value of DisabledComponents is 0x2A.
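The bit mask can be decoded and built programmatically instead of by hand. The following is an added example, not part of the original page; the flag labels and function names are hypothetical, and a missing registry value is treated as the default of 0x0 stated above.

```powershell
# Added example (not from the original page). Labels are hypothetical names
# for the bits listed above, indexed by bit position (bit 0 first).
$BitNames = @(
    'Tunnels',     # bit 0: all IPv6 tunnel interfaces
    '6to4',        # bit 1
    'ISATAP',      # bit 2
    'Teredo',      # bit 3
    'NonTunnel',   # bit 4: LAN and PPP interfaces
    'PreferIPv4',  # bit 5: prefix policy prefers IPv4
    'Bit6',        # bit 6: as described in the list above
    'IPHTTPS'      # bit 7
)

# Decode a DisabledComponents value into one row per bit.
function ConvertFrom-DisabledComponents {
    param([Parameter(Mandatory)][long]$Value)
    for ($i = 0; $i -lt $BitNames.Count; $i++) {
        [pscustomobject]@{
            Bit  = $i
            Flag = $BitNames[$i]
            Set  = [bool]($Value -band (1 -shl $i))
        }
    }
}

# Build the hexadecimal value from a list of flag labels.
function ConvertTo-DisabledComponents {
    param([Parameter(Mandatory)][string[]]$Flag)
    $value = 0
    foreach ($f in $Flag) {
        $i = 0..($BitNames.Count - 1) | Where-Object { $BitNames[$_] -eq $f }
        if ($null -eq $i) { throw "Unknown flag '$f'" }
        $value = $value -bor (1 -shl $i)
    }
    '0x{0:X2}' -f $value
}

# Decode what is currently configured on this machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$current = (Get-ItemProperty -Path $key -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $current) { $current = 0 }   # value absent: default is 0x0
ConvertFrom-DisabledComponents -Value $current | Format-Table -AutoSize

# Encode the worked example from the text: 6to4, Teredo, prefer IPv4.
ConvertTo-DisabledComponents -Flag '6to4', 'Teredo', 'PreferIPv4'
```

Decoding the live value before changing it shows which bits would override the per-adapter settings made by methods 1 and 2.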

Method 5. Issue the following command line as an Administrator:

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 0x8F

The above registry entry should already exist. If it doesn’t, create it.

