Department of Defense
High Performance Computing Modernization Program

It seems so easy to enable IPv6 in Microsoft Windows, and it is, if you don’t mind having vulnerable interfaces installed by default. If you do mind, read on.

These seven topics describe enabling IPv6 in legacy versions of Microsoft Windows:

  1. Enabling IPv6 in Windows 7 and Server 2008 R2
  2. Re-enabling IPv6 in Windows 7 and Server 2008 R2
  3. Enabling IPv6 in Windows Vista and Server 2008
  4. Re-enabling IPv6 in Windows Vista and Server 2008
  5. Enabling IPv6 in Windows XP with SP2 or SP3 and Server 2003
  6. Enabling IPv6 in Windows XP with SP1 or no Service Pack installed (not recommended)
  7. Enabling IPv6 in Windows 2000 (not recommended)

1. Enabling IPv6 in Windows 7 and Server 2008 R2

Windows 7 and Server 2008 R2 had IPv6 enabled by default. No action is required to enable IPv6. Internet Connection Sharing (ICS) is disabled by default, and should be disabled if found to be enabled on any network interface as described here. They also had a DHCPv6 client enabled by default. This may or may not be considered acceptable. Disabling the DHCPv6 client on server versions is described in Part 3: IPv6 Static Addressing and DNSv6 in the Enabling IPv6 in a Microsoft Windows Environment article in the Infrastructure section.

The following command lines will disable some vulnerable IPv6 interfaces that are enabled by default. Their use is not required, but is recommended for better security. It is also possible to disable these vulnerable interfaces using Group Policy Objects (GPO) as described in this article. (The .admx and .adml files available there do not disable IP-HTTPS-based interfaces, but are otherwise current.)

netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state disabled
netsh interface teredo set state type=disabled

(It is not recommended that you leave the Teredo protocol enabled, but if for some reason you want to, omit that last line. You will likely also want to configure your own Teredo server since the old default Teredo servers configured with a command such as

netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com

are no  longer supported by Microsoft. If the computer you are configuring is part of a Windows domain, the command

netsh interface ipv6 set teredo enterpriseclient

is also necessary. It is not recommended to enable Teredo when connected to a Windows domain.)

The first two command lines delete a temporary randomly-generated global IPv6 address Windows creates (but which is neither useful nor desirable when you have a real global IPv6 address). Note that this address won’t be deleted until the next reboot. Whenever a mobile system moves to a different network, or whenever the network the system is connected to is renumbered, these commands must be reentered.

The disabled interfaces will still be displayed by the “ipconfig /all” command line, but their status is disabled. To verify this, run the commands

netsh interface ipv6 show global
netsh interface ipv6 show privacy
netsh interface ipv6 6to4 show state
netsh interface ipv6 isatap show state
netsh interface ipv6 show teredo

2. Re-Enabling IPv6 in Windows 7 and Server 2008 R2

If you want to re-enable IPv6 in Windows 7 or Server 2008 R2, the following two methods were provided by Microsoft. These are also documented on the Microsoft web site (look at the Microsoft knowledge base article KB 929852 article for more details). It is also strongly recommended to check the status of ICS and disable it wherever it is enabled, following the guidance provided by the University of Delaware here.

It is possible to re-enable IPv6 after it has been disabled using either of the following two methods (depending on how it was disabled):

  1. In the Network Connections folder, obtain properties on all of your connections and adapters and set the check box next to the Internet Protocol version 6 (TCP/IPv6) component in the list under This connection uses the following items. This method enables IPv6 on your LAN interfaces and connections, but does not enable IPv6 on tunnel interfaces or the IPv6 loopback interface. Run the netsh commands shown at the end of the 1. Enabling IPv6 in Windows 7 and Server 2008 R2 topic to verify that the vulnerable interfaces are disabled.
  2. Set the following registry value (DWORD type) to 0×8F:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\
    Parameters\DisabledComponents

    This method enables IPv6 on all your LAN interfaces, connections, while still disabling the IPv6 tunneling interfaces. You must restart the computer for this registry value to take effect. DisabledComponents is set to 0 by default. Method 1 above may be used to selectively enable/disable IPv6 on individual connections and adapters.

The DisabledComponents registry value is a bit mask that controls the following series of flags, starting with the low order bit (Bit 0):

  1. Bit 0 Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and Teredo tunnels. Default value is 0.
  2. Bit 1 Set to 1 to disable all 6to4-based interfaces. Default value is 0.
  3. Bit 2 Set to 1 to disable all ISATAP-based interfaces. Default value is 0.
  4. Bit 3 Set to 1 to disable all Teredo-based interfaces. Default value is 0.
  5. Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and Point-to-Point Protocol (PPP)-based interfaces. Default value is 0.
  6. Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections. Default value is 0.
  7. Bit 6 This bit is reserved for future use in Windows Server 2019 and later. Default value is 0.
  8. Bit 7 Set to 1 to disable all IP-HTTPS-based interfaces. Default value is 0.

To determine the value of DisabledComponents for a specific set of bits, construct a binary number consisting of the bits and their values in their correct position and convert the resulting number to hexadecimal. For example, if you want to disable 6to4 interfaces, disable Teredo interfaces, and prefer IPv4 to IPv6, you would construct the following binary number: 00101010. When converted to hexadecimal, the value of DisabledComponents is 0x2A.


3. Enabling IPv6 in Windows Vista and Server 2008

Windows Vista and Server 2008 had IPv6 enabled by default. No action is required to enable IPv6. They also had DHCPv6 on by default. This may or may not be considered acceptable. The recommendations given in the 1. Enabling IPv6 in Windows 7 and Server 2008 R2 topic apply.


4. Re-Enabling IPv6 in Windows Vista and Server 2008

The methods to re-enable IPv6 are the same as those shown in the 2. Re-enabling IPv6 in Windows 7 and Server 2008 R2 topic above.

Note: When using method 2 in the 2. Re-enabling IPv6 in Windows 7 and Server 2008 R2 topic, bits 7 and 8 are both reserved for future use. Default value is 0.


5. Enabling IPv6 in Windows XP SP2 or SP3 and Server 2003

In XP SP2 or SP3, IPv4 must be installed for IPv6 to work.

In Windows.NET Server 2003 Enterprise, Enterprise x64, Datacenter, Datacenter x64, Standard, Standard x64, Web edition, Compute Cluster Edition R1/R2: all versions. The ipv6 install line shown below is not required but if used will enable IPv6 on all installed network interfaces. The command line

dnscmd /config /EnableIPv6 1

will fully support IPv6 in DNS. NOTE: Although IPv6 is installed by default in Server 2003, it must be explicitly enabled on each network interface. This creates the potential for unintended vulnerabilities at sites that are not IPv6-enabled.

The command lines shown below will enable IPv6, and disable some vulnerable IPv6 interfaces that are enabled by the default install. Before entering these command lines, execute the ipv6 uninstall command line and then reboot to be sure you have a known good initial configuration. It is also strongly recommended to check the status of ICS and disable it wherever it is enabled, following the guidance provided by the University of Delaware here. NOTE: The Microsoft XP help files are mostly left over from XP SP1 and are not a great deal of help for netsh (the preferred way of making network configuration changes in SP2 and SP3) and still talk about the ipv6 command (NOT preferred with SP2 or SP3).

ipv6 install
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state disabled
netsh interface ipv6 set state 6over4=disabled v4compat=disabled
netsh interface ipv6 set teredo disabled

(It is not recommended that you leave the Teredo protocol enabled, but if for some reason you want to, omit that last line. You will likely also want to configure your own Teredo server since the old default Teredo server configured with the command

netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com

is no longer supported by Microsoft. If the computer you are configuring is part of a Windows domain, the command

netsh interface ipv6 set teredo enterpriseclient

is also necessary. It is not recommended to enable Teredo when connected to a Windows domain.)

The second command line deletes a temporary randomly-generated global IPv6 address Windows XP creates (but which is neither useful nor desirable when you have a real global IPv6 address). Note that this address won’t be deleted until the next reboot. Whenever a mobile system moves to a different network, or whenever the network the system is connected to is renumbered, this command must be reentered.

The disabled interfaces will still be displayed by the “ipconfig /all” command line, but their status is disabled. To verify this, run the commands

 netsh interface ipv6 show privacy
netsh interface ipv6 6to4 show state
netsh interface ipv6 isatap show state
netsh interface ipv6 show state
netsh interface ipv6 show teredo

6. Enabling IPv6 in Windows XP SP1 or no Service Pack installed

The use of IPv6 is not recommended. IPv6 almost worked in Windows XP with SP1, but the Internet Connection Firewall (ICF) that came with SP1 did not protect IPv6, without a lot of work and even then protection had holes. It almost worked in Windows XP with no Service Pack installed.


7. Enabling IPv6 in Windows 2000

The use of IPv6 is not recommended. Windows 2000 with SP4 had a technology preview that could be installed, but it was incomplete and hard to install. 


Top