KiPe01
Copper Contributor
Jun 05, 2023

Disabling Netbios name service via new ADMX / GPO does not work as expected (bug?)

Disabling Netbios Name service via GPO, new in Windows 11, does not seem to work as expected / advertised.

Using the latest Windows 11 build (22H2, 1702 as of June 2023), all patches, updates and drivers installed.
This seems to be a bug.

As mentioned also here [1], the Windows 11 ADMX features a new setting to disable Netbios name resolution.

The option "Configure NetBIOS settings" can be found under Computer Configuration > Policies > Administrative Templates > Network > DNS Client

This option can be set to "Disable Netbios Name Resolution", if activated.

Setting it however does not have the desired effect.

Tried locally as well as via the domain controller.

 

Evidence:

 

ipconfig [2] still shows NetBIOS enabled.


Also nbtstat shows names on an interface [3].

 

The fact that this GPO does not work as advertised might be a security-relevant topic, as people setting this directive will expect Netbios to be disabled, which it seems is not the case. So they will also refrain from taking any other actions to enhance Netbios-related security.

Cheers

 

[1] https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-or-windows-11-gpo-admx-an-update/ba-p/3703548

[2] excerpt from "ipconfig /all"

..[cut]

NetBIOS over Tcpip. . . . . . . . : Enabled

 

[3] "nbtstat -n"

..cut..

WLAN:
Node IpAddress: [192.168.xx.yy] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    xxxx           <20>  UNIQUE      Registered

5 Replies

  • rrostech
    Copper Contributor

    Same issue here. Looks like the GPO DnsClient.admx sets the regkey in this location:

     key="Software\Policies\Microsoft\Windows NT\DNSClient"

    This does not match the official Microsoft documentation.

    https://techcommunity.microsoft.com/blog/networkingblog/aligning-on-mdns-ramping-down-netbios-name-resolution-and-llmnr/3290816

    • atomBravo
      Copper Contributor

      For many Microsoft-provided ADMX templates, a GPO will actually set a key in "Software\Policies\etc." instead of the "expected" location that is documented as the "add a key here."  So, it's not surprising that the GPO doesn't touch the "expected" registry key (“Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters”) but instead on Windows 2022/11 now has a key in the "Software\Policies" location that presumably gets read by the DNS client and overrides the other key.

       

      Also, to clarify - this setting (either the registry key or the new GPO) does not turn off "NetBIOS over TCP/IP" but only turns off NetBIOS Name Resolution (which is a fallback for the DNS client if mDNS and LLMNR both fail). NetBIOS name resolution is just one feature in the NetBIOS suite.

      As far as I can tell, the only way to disable NetBIOS over TCP/IP is with the DHCP option (https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-netbios-tcp-ip-using-dhcp) or scripting it, since the setting is per NIC and not system-wide.
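
The distinction described in the reply above can be checked per machine. The following is an added example, not part of the original thread and not any poster's script: it dumps the two registry keys quoted in the thread without assuming any value name, then reports the NetBIOS over TCP/IP state of each IP-enabled adapter. The `-Disable` switch is a parameter introduced here for illustration.

```powershell
# Added example: audit (and optionally disable) NetBIOS over TCP/IP per adapter.
# Run from an elevated prompt. -Disable is a hypothetical switch defined here.
param([switch]$Disable)

# 1. Policy key written by the GPO vs. the documented key (paths as quoted in
#    the thread). Values are only listed, so no value name is assumed.
$keys = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
foreach ($k in $keys) {
    if (Test-Path $k) {
        Write-Host "`n[$k]"
        Get-ItemProperty -Path $k |
            Select-Object * -ExcludeProperty PS* |
            Format-List | Out-String | Write-Host
    } else {
        Write-Host "`n[$k] not present"
    }
}

# 2. Per-adapter NetBT state, which is what "ipconfig /all" reports.
#    TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
$state = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }
$nics  = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $nics) {
    $opt = [int]$nic.TcpipNetbiosOptions
    '{0,-45} NetBT: {1}' -f $nic.Description, $state[$opt]

    # Only change anything when explicitly asked to.
    if ($Disable -and $opt -ne 2) {
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                 -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        "    SetTcpipNetbios returned $($r.ReturnValue) (0 = success, 1 = reboot required)"
    }
}
```

Because the setting is stored per adapter, an adapter added after the script runs keeps the default until the script is run again.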

    • MariusIonutENE
      Copper Contributor
      KiPe01, I've noticed the same behavior. I am using a script as a workaround but it would have been nice for the GPO to actually work...
      • Anonymous
        Hi,
        what script are you using? Mind sharing it?
