Example – configuring Teredo

Let's look at an example of a setting that has these three options. Teredo is an IPv6 transition tunneling protocol, and oftentimes I have to touch Teredo via Group Policy when working with a customer to get their client-side tunneling behaviors to line up with best practices. We create a new GPO, link and filter it to the appropriate places so that this GPO applies to the client workstations, and then configure Teredo in one of a couple of different ways. Usually, we are setting it either to a specific status that we want to enforce, or we are setting it to Disabled because we want to make sure the Teredo adapter on those workstations is always disabled.

No need to walk through this one in your own lab, because I doubt you have a pressing need to change your Teredo behavior at present. But follow along with the following screenshots for a helpful example on not configured versus enabled versus disabled.

Navigate to the following location to view the Group Policy settings associated with Teredo: Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies. You can see here that there are a number of different settings related to Teredo, as well as settings regarding other IPv6 transition tunneling adapters:

We want to manipulate the Teredo State, so we double-click on Set Teredo State. When changing a policy setting, you always want to think about this setting as if you were coming from the recipient's point of view: "On my desktop computer, I want to Set Teredo State to (insert your setting here)". Inside Set Teredo State, you can see we have radio buttons for Not Configured, Enabled, and Disabled. You can also see that there is a Help field that explains these settings and how each one will affect the behavior of Teredo upon the devices on which the setting is applied.

In the following screenshot, I have chosen Enabled, and that has presented me with a new drop-down menu of choices to choose from. You can see those selections as well as the Help pane previously mentioned:

If you are intending to make use of Teredo, it is often a best practice to set this to Enterprise Client. You can select that choice, click OK, and be done. However, the real reason I chose this particular setting for our example is that it also portrays one of those strange ways for doing a disable. In the case of Teredo, you can see in the Help pane that it says if you set the policy setting to either Not Configured or Disabled radio buttons, that this policy would do nothing and that the localhost settings would be used. That's not what we want at all; that would mean that Teredo would remain enabled it if were already enabled, which it is by default in Windows. Instead, if we wanted to actively set Teredo to the Disabled state, we would have to select the Enabled radio button, and choose Disabled State from the drop-down list. Many times, Group Policy is used to disable functionality that is not needed on corporate workstations in order to heighten security on those devices, so the likelihood that you will have to take this same procedure with your own settings is actually quite high.