DirectAccess – Using the DisabledComponents regkey to your advantage


For many years I have seen that when DirectAccess client computers receive native IPv6 addresses on the internet, those addresses have a good chance of breaking your DirectAccess connection:
https://www.ivonetworks.com/2017/01/native-ipv6-addresses-can-break-directaccess/

I continue to run across these symptoms at least once a month at various customers and in forum posts, and this fix is always a bit of a hard sell, because who wants to log into every one of their laptops and uncheck the TCP/IPv6 box in the NIC properties? Not me. Additionally, I was just told by a reliable source inside Microsoft that they officially do not support unchecking the TCP/IPv6 setting inside your NIC properties. What?? While that still doesn’t make any sense to me, it is what it is.

Thankfully, there is a better way! We can create a simple registry key on those client computers which blocks them from receiving native IPv6 addresses, while continuing to allow them to use the transition tunneling adapter IPv6 addresses (Teredo and IP-HTTPS), so DirectAccess keeps working. The best part about this registry key? It is very easy to roll the change out to all of your DirectAccess client computers with a simple GPO!

The key I am talking about is the “dreaded” DisabledComponents key. I say dreaded because historically the only time we run across this key in DirectAccess deployments is when a company has made use of this key (setting it to 0x20) in order to totally squash IPv6, which also breaks DirectAccess. So all of my previous blog posts and conversations regarding DisabledComponents go something like this — “GET RID OF THAT REGKEY!”

While getting rid of the DisabledComponents regkey does allow DA to connect, it also then allows the client to pull a native IPv6 address from their home router, mifi hotspot, or whatever ISP connection they are using at the time, if that router/ISP hands out IPv6. And this is becoming more and more common around the world. I regularly work with customers who suddenly have a whole region of people struggling to keep solid DA connections, and we often discover that a major ISP in that geographical area has recently flipped the switch to start handing out IPv6 addresses, and these addresses are now beating up on the DA connections.

Back to the point – I said we can now make use of DisabledComponents in order to make everything magically wonderful again, right? How do I do that? Clearly not by setting DisabledComponents to the traditional 0x20, as that is a TKO for DirectAccess. However, if we set it to…

0x10

This will stop native IPv6, and continue to allow DirectAccess to function. I have now tested this out myself as well as rolling this regkey around to all client computers at a handful of customer locations, and it all went swimmingly. Here are the details on what that registry key needs to look like, and you can simply roll this around via Group Policy, SCCM, or whatever remote registry editor and administration tool you are most comfortable with.

Remember, this key only goes on the CLIENT machines – NOT THE DIRECTACCESS SERVER:
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters
Create a new DWORD (32-bit) value named DisabledComponents
Set the value to 10 (Hexadecimal), i.e. 0x10
(it should look just like this screenshot)

[Screenshot: DisabledComponents regkey]

That’s it! Once DisabledComponents is in place on your client computer, reboot it and upon next start of the operating system that pesky native IPv6 address that you had before will now have disappeared once and for all!
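As an added example (my own script, not part of the original post or any Microsoft tooling), the following PowerShell applies the 0x10 value described above on a client, flags the 0x20 value the post warns about, refuses to run where the DirectAccess server role is installed, and after the reboot lists any remaining native IPv6 addresses on non-tunnel adapters. It assumes an elevated session, that the DirectAccess server role is detectable through the DirectAccess-VPN Windows feature, and that the Teredo and IP-HTTPS adapters carry their default interface aliases; those names are assumptions, not something the post states.

```powershell
# Added example, not from the original post: set DisabledComponents = 0x10 on a
# DirectAccess CLIENT and verify that only tunnel-adapter IPv6 remains afterwards.
# Assumptions: run elevated; server-role detection via the DirectAccess-VPN
# feature; tunnel adapters identified by their default interface aliases.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name    = 'DisabledComponents'
$Desired = 0x10   # drops native IPv6, keeps Teredo / IP-HTTPS tunnel adapters
$Broken  = 0x20   # the value the post says breaks DirectAccess outright

function Get-DisabledComponents {
    # Returns the current DWORD as an integer, or $null when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-DisabledComponents {
    param([int]$Value = $Desired)

    # Guard: the post is explicit that this key belongs on clients, never the DA server.
    # Get-WindowsFeature only exists on Server SKUs, so probe for it first (assumption).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $da = Get-WindowsFeature -Name 'DirectAccess-VPN' -ErrorAction SilentlyContinue
        if ($da -and $da.Installed) {
            throw 'DirectAccess server role detected; DisabledComponents is for CLIENT machines only.'
        }
    }

    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force overwrites an existing value, including a leftover 0x20.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    return Get-DisabledComponents
}

function Get-NativeIPv6Address {
    # Global-scope IPv6 addresses on non-tunnel adapters. After the reboot this
    # should come back empty on a DA client; tunnel adapters are skipped by alias.
    $tunnelAliases = @('Teredo Tunneling Pseudo-Interface', 'iphttpsinterface')  # assumed default names
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.IPAddress -notlike 'fe80:*' -and            # link-local is always present, ignore it
            $_.IPAddress -ne '::1' -and                    # loopback
            $tunnelAliases -notcontains $_.InterfaceAlias   # keep DA transition adapters
        } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin
}

# --- main flow -------------------------------------------------------------
$current = Get-DisabledComponents
if ($current -eq $Broken) {
    Write-Warning ("DisabledComponents is currently 0x{0:X}; that value breaks DirectAccess " +
                   "and will be replaced with 0x{1:X}." -f $current, $Desired)
}

if ($current -ne $Desired) {
    $applied = Set-DisabledComponents -Value $Desired
    Write-Host ("DisabledComponents set to 0x{0:X}. Reboot required for the change to take effect." -f $applied)
} else {
    Write-Host 'DisabledComponents already set to 0x10.'
    $native = @(Get-NativeIPv6Address)
    if ($native.Count -eq 0) {
        Write-Host 'No native IPv6 addresses on non-tunnel adapters; only DA tunnel IPv6 remains.'
    } else {
        Write-Warning 'Native IPv6 addresses still present (has the client rebooted since the change?):'
        $native | Format-Table -AutoSize
    }
}
```

For the GPO route the post mentions, the same three facts (path, value name, DWORD 0x10) go into a Group Policy Preferences Registry item targeted at the DirectAccess client security group; the script is mainly useful as a startup script or a one-off check that the value landed and that, after the reboot, only the Teredo and IP-HTTPS adapters still hold IPv6 addresses.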

Jordan Krause
Security Engineer