Microsoft Tech Community

Disabling Netbios name service via new ADMX / GPO does not work as expected (bug?)


Disabling Netbios Name service via GPO, new in Windows 11, does not seem to work as expected / advertised.

Using the latest Windows 11 build (22H2, 1702 as of June 2023), all patches, updates and drivers installed.
This seems to be a bug.

 

As mentioned also here [1], the Windows 11 ADMX features a new setting to disable Netbios name resolution.

The option "Configure NetBIOS settings" can be found under Computer Configuration > Policies > Administrative Templates > Network > DNS Client

This option can be set to "Disable Netbios Name Resolution", if activated.

 

Setting it however does not have the desired effect.

Tried locally as well as via the domain controller.

 

Evidence:

 

ipconfig [2] still shows NetBIOS enabled.


Also nbtstat shows names on an interface [3].

 

The fact that this GPO does not work as advertised might be a security-relevant topic, as people setting this directive will expect Netbios to be disabled, which it seems is not the case. So they will also refrain from taking any other actions to enhance Netbios-related security.

 

Cheers

 

[1]

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-or-windows-11-gpo...

 

[2] excerpt from "ipconfig /all"

..[cut]

NetBIOS over Tcpip. . . . . . . . : Enabled

 

[3] "nbtstat -n"

..cut..

WLAN:
Node IpAddress: [192.168.xx.yy] Scope Id: []

 

                NetBIOS Local Name Table

 

       Name               Type         Status
    ---------------------------------------------
    xxxx           <20>  UNIQUE      Registered
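
An added example, not part of the original post or the replies: a Python check that reads the same two signals cited as evidence above (the "NetBIOS over Tcpip" line from `ipconfig /all` and the Registered rows from `nbtstat -n`) and lists adapters where NetBIOS still appears active after the policy was applied. It assumes English-locale command output; the host name `HOST01`, the address `192.0.2.10` and the sample text are constructed.

```python
import re

# Constructed sample output (English locale), shaped like excerpts [2] and [3].
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   NetBIOS over Tcpip. . . . . . . . : Disabled
Wireless LAN adapter WLAN:
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_NBTSTAT = """\
WLAN:
Node IpAddress: [192.0.2.10] Scope Id: []
                NetBIOS Local Name Table
       Name               Type         Status
    HOST01         <20>  UNIQUE      Registered
"""

def netbios_state(ipconfig_text):
    """Map adapter name -> 'Enabled'/'Disabled' from `ipconfig /all` text."""
    state, adapter = {}, None
    for line in ipconfig_text.splitlines():
        head = re.match(r"^\S.*? adapter (.+):\s*$", line)
        if head:
            adapter = head.group(1)
        value = re.match(r"^\s+NetBIOS over Tcpip[ .]*: (\w+)", line)
        if value and adapter:
            state[adapter] = value.group(1)
    return state

def registered_names(nbtstat_text):
    """Map interface -> [(name, suffix)] for Registered rows in `nbtstat -n` text."""
    names, iface = {}, None
    for line in nbtstat_text.splitlines():
        head = re.match(r"^(\S.*):\s*$", line)  # interface header, e.g. "WLAN:"
        if head:
            iface = head.group(1)
        row = re.match(r"^\s+(\S+)\s+<([0-9A-Fa-f]{2})>\s+\w+\s+Registered", line)
        if row and iface:
            names.setdefault(iface, []).append((row.group(1), row.group(2)))
    return names

def audit(ipconfig_text, nbtstat_text):
    """List adapters where NetBIOS is enabled or names are still registered."""
    state, names = netbios_state(ipconfig_text), registered_names(nbtstat_text)
    return [{"adapter": a, "state": state.get(a), "names": names.get(a, [])}
            for a in sorted(set(state) | set(names))
            if state.get(a) == "Enabled" or names.get(a)]

if __name__ == "__main__": print(audit(SAMPLE_IPCONFIG, SAMPLE_NBTSTAT))
```

On a live host, pass the captured text of `ipconfig /all` and `nbtstat -n` to `audit()` in place of the samples; an empty list means neither signal shows NetBIOS active.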

 

 

3 Replies

@KiPe01 

 

Replying to myself with further info.

 

Also, the Registry Key as mentioned here [4] is not created when setting the GPO.

 

[4]

https://techcommunity.microsoft.com/t5/networking-blog/aligning-on-mdns-ramping-down-netbios-name-re...

@KiPe01, I've noticed the same behavior. I am using a script as a workaround, but it would have been nice for the GPO to actually work...

Hi,
what script are you using? Mind sharing it?