Why disable IPv6 via Group Policy?
If a host has multiple addresses in DNS, Windows prefers IPv6 over IPv4 by default. In environments where IPv6 is not configured correctly, this preference can lead to slow name resolution, intermittent failures in finding domain controllers (DCs), and odd connectivity behavior that looks like an IPv4 problem on the surface.
Disabling IPv6 on each endpoint by clearing the protocol binding in the adapter settings does not scale. A Group Policy that writes the DisabledComponents registry value to every machine in the scope applies the same configuration to thousands of endpoints in a single refresh cycle and includes new computers that join the OU later.
A note before you start: Microsoft does not recommend disabling IPv6 entirely. IPv6 is a mandatory part of Windows Server and is used internally for several TCP/IP tasks, so fully disabling it can affect Windows components in unpredictable ways. In most cases, the right setting is 32 (prefer IPv4 over IPv6) rather than 255 (disable IPv6).
Prerequisites
You need:
- A domain account with permission to create and link GPOs at the target OU (Group Policy Creator Owners membership or an equivalent delegation).
- The Group Policy Management Console (GPMC) installed on a domain-joined workstation or the DC.
- An OU containing the computer accounts you want to change. Computer Configuration policies apply to computer objects, not user objects, so the OU structure matters.
Understanding the DisabledComponents value
DisabledComponents is a single REG_DWORD value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters that Windows reads at boot to decide which parts of the IPv6 stack to disable. Different values switch off different components.
| Decimal | Hex | Behavior |
|---|---|---|
| 0 | 0x00 | The default—all IPv6 components are enabled |
| 1 | 0x01 | Disable IPv6 on all tunnel interfaces (6to4, ISATAP, and Teredo) |
| 16 | 0x10 | Disable IPv6 on all non-tunnel interfaces (LAN and Wi-Fi) |
| 17 | 0x11 | Disable IPv6 on non-tunnel interfaces and on IPv6 tunnel interfaces—the loopback stays enabled |
| 32 | 0x20 | Prefer IPv4 over IPv6 in the prefix policy table—Microsoft's recommended setting |
| 255 | 0xFF | Disable all IPv6 interfaces except the loopback—not recommended |
Method 1: Deploy DisabledComponents through Group Policy Preferences
This is the cleanest approach for a domain. Group Policy Preferences write the registry value to every targeted computer at the next policy refresh, and a single GPO can cover an OU, a site, or the whole domain.
- On a workstation with the GPMC installed, press Win + R, type gpmc.msc, and press Enter.
- Expand the forest and domain, right-click the OU containing the target computers, and select Create a GPO in this domain, and Link it here. Name it something specific like Disable IPv6 (Prefer IPv4) so the intent is obvious in reports later.
- Right-click the new GPO and select Edit to open the Group Policy Management Editor.
- Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
- Right-click Registry on the left pane and select New > Registry Item.
- In the New Registry Properties dialog box, configure the fields as follows:
  - Action: Update
  - Hive: HKEY_LOCAL_MACHINE
  - Key Path: SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
  - Value name: DisabledComponents
  - Value type: REG_DWORD
  - Value data: 32 (or the value from the table above that matches the behavior you want)
  - Base: Decimal
- Click OK to save the registry item, then close the editor.
- On a representative target machine, open an elevated Command Prompt session and run gpupdate /force. Reboot to make sure the network stack picks up the new setting.
The change will take effect for every machine in the OU at the next Group Policy refresh, with no further action needed for new computers that get added to the OU later.
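The same Method 1 steps scripted with the GroupPolicy PowerShell module that installs with the GPMC, as an added example rather than part of the original article. The OU distinguished name is a placeholder, and the script assumes it runs under an account with the rights listed in the prerequisites.

```powershell
Import-Module GroupPolicy

$gpoName  = 'Disable IPv6 (Prefer IPv4)'
$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder: replace with your target OU
$key      = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$name     = 'DisabledComponents'
$value    = 32                                     # prefer IPv4 over IPv6

# Reuse the GPO if it already exists so the script can be re-run.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Sets Tcpip6 DisabledComponents' }

# Re-running Set-GPPrefRegistryValue can add a second preference item for the
# same value, so remove any earlier item before writing the new one.
try {
    Get-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $key -ValueName $name -ErrorAction Stop | Out-Null
    Remove-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $key -ValueName $name | Out-Null
} catch { }   # no existing item to remove

# Equivalent of the New Registry Properties dialog: Action Update, REG_DWORD, decimal 32.
Set-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Action Update `
    -Key $key -ValueName $name -Type DWord -Value $value | Out-Null

# Link the GPO to the OU unless a link is already present.
$links = (Get-GPInheritance -Target $targetOu).GpoLinks
if ($links.DisplayName -notcontains $gpoName) {
    New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Show the preference item that is now stored in the GPO.
Get-GPPrefRegistryValue -Guid $gpo.Id -Context Computer -Key $key -ValueName $name
```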
Method 2: Distribute a REG file via a startup script GPO
Method 3: Disable IPv6 Transition Technologies via Administrative Templates
How to verify that the policy applied correctly
After waiting for replication and running a manual refresh, confirm that the change reached the target machine.
- On the target machine, open Command Prompt and run gpresult /r /scope computer. The new GPO should appear in the Applied Group Policy Objects list.
- For methods 1 and 2, check the registry directly with reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents. The value returned should match what the GPO sets.
- For method 3, check the policy registry path with reg query "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition". Each disabled tunnel state (6to4, ISATAP, Teredo, and IP-HTTPS) should have its own entry. You can also run netsh interface 6to4 show state, netsh interface isatap show state, and netsh interface teredo show state to confirm each tunnel reports as disabled.
- If you set the value to 32, confirm the IPv4 preference with ping <hostname>. The response should return an IPv4 address rather than an IPv6 address.
- To check the prefix policy directly, run netsh interface ipv6 show prefixpolicies. The ::ffff:0:0/96 entry (IPv4-mapped addresses) should have a higher precedence than ::/0 (native IPv6).
If gpresult shows the GPO was applied but the registry value did not change, look for another GPO higher in the precedence order that writes the same value, or check whether the target machine is in an OU where inheritance is blocked.
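The registry and prefix-policy checks above combined into one function, as an added example that is not from the original article; it also flags the 0xFFFFFFFF value covered under Troubleshooting. The function name and the default expected value of 32 are assumptions.

```powershell
function Test-DisabledComponents {
    [CmdletBinding()]
    param([uint32]$Expected = 32)   # assumption: the GPO writes 32 (prefer IPv4)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $findings = [System.Collections.Generic.List[string]]::new()
    $actual = $null

    # The value is absent on a machine the policy has never reached.
    $prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $findings.Add('DisabledComponents is not set; the default (0, all IPv6 components enabled) applies.')
    } else {
        # The registry provider returns a REG_DWORD as a signed Int32, so 0xFFFFFFFF reads as -1.
        # Mask to 32 bits to compare it as the unsigned number shown in the table.
        $actual = [uint32]([int64]$prop.DisabledComponents -band 4294967295)
        if ($actual -eq 4294967295) {
            $findings.Add('Value is 0xFFFFFFFF, which this page links to a 5-second boot delay; use 0xFF instead.')
        } elseif ($actual -ne $Expected) {
            $findings.Add("Value is $actual, expected $Expected; look for a conflicting GPO or blocked inheritance.")
        }
    }

    # With 32 in effect, IPv4-mapped addresses must outrank native IPv6 in the prefix policy table.
    if ($Expected -eq 32) {
        $policies = Get-NetPrefixPolicy
        $v4 = $policies | Where-Object Prefix -eq '::ffff:0:0/96'
        $v6 = $policies | Where-Object Prefix -eq '::/0'
        if ($v4 -and $v6 -and $v4.Precedence -le $v6.Precedence) {
            $findings.Add('::ffff:0:0/96 does not outrank ::/0; the machine may not have rebooted since the change.')
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Expected  = $Expected
        Actual    = $actual
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-DisabledComponents -Expected 32 | Format-List
```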
Troubleshooting
- Settings revert after a reboot
  Another GPO in the link order is overwriting the value, or the setting was deployed as a Group Policy Preferences Replace action that is being undone. Use the Resultant Set of Policy results to find the conflicting source.
- There is a boot delay of 5 seconds
  This is almost always caused by setting DisabledComponents to 0xFFFFFFFF instead of 0xFF. Correct the value in the GPO and run gpupdate /force.
- The adapter check box is still selected
  This is expected. The DisabledComponents registry setting does not control the adapter properties UI. The setting is still in effect.
- DCs lose communication after IPv6 is disabled
  Microsoft tests Windows Server with IPv6 enabled. A value of 255 on a DC can produce unsupported behavior. If a DC needs IPv4 preference, use 32 instead and exclude DC OUs from the policy unless you have a documented reason.
- Method 3 tunnels remain active after a policy refresh
  The policy was almost certainly set to Disabled (which turns the policy off and lets the local default apply) instead of Enabled with Disabled State selected from the drop-down. Open each tunnel state policy and confirm the radio button is on Enabled with Disabled State selected from the drop-down.
Frequently asked questions
1. How do I fully disable IPv6?
Set DisabledComponents to 255 at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters.
Use this only when you really need to fully disable IPv6. Microsoft's safer recommendation is 32, which prefers IPv4 over IPv6 instead of disabling IPv6 completely.
2. How do I change IPv6 to IPv4 in CMD?
To prefer IPv4 over IPv6, set DisabledComponents to 32 using Command Prompt (cmd.exe):
Reboot, then test with ping <hostname>. This should return an IPv4 address.
3. How do I disable IPv6 in a Windows client?
For one client, configure the DisabledComponents registry value. Use 32 to prefer IPv4, or use 255 to fully disable IPv6 except for the loopback. A reboot is required for the network stack to apply the change.
4. How do I turn off IPv6 in PowerShell?
Run PowerShell as an administrator and configure DisabledComponents as follows:
Reboot after running it. For the safer IPv4-preferred setup, use 32 instead of 255.
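For questions 2 and 4 above, an added example (not the original article's commands) that sets the value on a single machine from an elevated PowerShell session, with the cmd.exe equivalent in a comment. The function name and the -AllowOnDomainController switch are assumptions; the guard reflects the DC caveat under Troubleshooting.

```powershell
function Set-DisabledComponents {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ $_ -in 0, 1, 16, 17, 32, 255 })]   # only the values in the table on this page
        [int]$Value,
        [switch]$AllowOnDomainController                      # hypothetical override switch
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

    # Win32_ComputerSystem.DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($Value -eq 255 -and $role -ge 4 -and -not $AllowOnDomainController) {
        throw 'Refusing to write 255 on a domain controller; use 32 or pass -AllowOnDomainController.'
    }

    if ($PSCmdlet.ShouldProcess($key, "Set DisabledComponents to $Value")) {
        # -Force overwrites an existing DisabledComponents value instead of failing.
        New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'Reboot required before the network stack applies the change.'
    }

    # Read the value back so the caller sees what is actually stored.
    (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
}

# Prefer IPv4 over IPv6. The cmd.exe equivalent is:
#   reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 32 /f
Set-DisabledComponents -Value 32
```

Add -WhatIf to the call to see the intended write without changing the registry.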
Force an update on, link, and report on GPOs with ADManager Plus
ADManager Plus provides a centralized, web-based GPO management console that complements the work you do in the Group Policy Management Editor. Once your IPv6 GPO is created with the DisabledComponents registry value configured, ADManager Plus helps you operationalize it across the domain without giving every admin direct GPMC access.
- Bulk GPO linking: Link the IPv6 GPO to multiple OUs, sites, or domains in a single action instead of right-clicking and linking each container individually when the policy needs to cover several scopes.
- Link order management: Adjust GPO precedence directly from the web UI when a conflicting GPO is overwriting the DisabledComponents value, ensuring the right configuration wins.
- On-demand policy refreshes: Trigger an immediate GPO update on selected computers without waiting for the default 90-minute refresh interval or running gpupdate /force machine by machine when verifying the policy on a test endpoint.
- GPO replication: Copy the IPv6 GPO to another domain or environment to roll out the same settings without rebuilding the registry item from scratch, keeping configurations consistent across environments.
- Application visibility: Use the GPO Settings report to confirm the DisabledComponents value actually made it into the policy. Use the Resultant set of policy report to see the effective policy on a specific user or computer.
- Policy modeling and comparison: Simulate what would apply under hypothetical OU placement with GPO Modeling before pushing the policy out. Use Comparison of GPOs to spot the differences between two GPOs when you suspect one is overwriting another.
- Delegation oversight: Scope GPO updates and GPO reporting tasks to help desk technicians through role-based delegation so that a Tier 1 technician troubleshooting a workstation network issue can push and verify the policy without holding Domain Admin rights or installing the GPMC locally.