In the past, I encountered an issue where I needed to disable IPv6 on several workstations in our local network, which had over 1000 devices. Manually disabling IPv6 for each device was impractical, so I sought a way to
automate the process and make remote changes efficiently.
Thankfully, Microsoft provides an extensive Network library in PowerShell that can help solve this type of problem. Now, let’s open the Integrated Scripting Environment (ISE) and get started with the script. The goal is
to disable IPv6 on LAN adapters while keeping WAN or wireless adapters unchanged.
To focus only on LAN adapters, I utilized a variable called $adapter that allows you to specify a keyword for filtering purposes. Here’s the result of my efforts, and comments are included throughout the script to explain
each step.
I hope this script proves useful in your own network management tasks. Enjoy!
$adapter="*"
# you can specify what type of adapter you want to make changes to like Wireless or Wired
# depending on adapter name or use * for all
$adapters = Get-NetAdapter -name $adapter
Write-Host "Found $($adapters.Length) adapters"
foreach ($adapter in $adapters){
$adName = $adapter.Name
Write-Host "Working on: $adName"
$adBindings = Get-NetAdapterBinding -name $adName
foreach ($adbind in $adBindings){
Write-Host $adbind.ComponentID
if ($adbind.ComponentID -eq "ms_tcpip6" -and $adbind.Enabled -eq $true){
Write-Host "Disabling IPv6 on $adName"
Set-NetAdapterBinding -Name $adName -ComponentID ms_tcpip6 -Enabled $false
}
}
}
As you can see, this is a basic script to disable IPv6 on specified network adapters within the local machine. The script utilizes two primary functions: Get-NetAdapter and Get-NetAdapterBinding.
1. `Get-NetAdapter -name $adapter`: This command retrieves a list of active network adapters based on the specified name or keyword ($adapter). If you don’t specify any name, it will return all adapters (as indicated by
the use of the wildcard character “*”).
2. `Get-NetAdapterBinding -name $adName`: This command retrieves information about the bound components for the specified adapter (indicated by $adName). It returns a list containing various details, including the component ID and enabled status of each bound component.
The script then iterates through each adapter found, checks if it has IPv6 binding enabled, and if so, disables it using `Set-NetAdapterBinding`. The filtering for specific adapters is done using the variable $adapter, which can
be set to a specific name (like “Wireless” or “Ethernet”) or “*” for all adapters.
Overall, this script simplifies the process of disabling IPv6 on network adapters in bulk, saving time and effort compared to doing it manually for each device.
The other day I ran into something that happens from time to time…
Windows randomly decides to switch your network adapters from private to public network…
Here is a quick PowerShell solution for that issue:
# List all network profiles Get-NetConnectionProfile # Change category to Private Set-NetConnectionProfile -InterfaceIndex -NetworkCategory Private # Force Domain category (only if joined to AD) Set-NetConnectionProfile -InterfaceIndex -NetworkCategory DomainAuthenticated
Operational Impact of Network Categories
Public
- Inbound rules: Windows Firewall defaults to the most restrictive. Inbound connections are blocked unless explicitly allowed.
- Outbound rules: Generally allowed, but monitored more tightly.
- Discovery: Network discovery, file/printer sharing, and device visibility are disabled.
- Trust posture: Treated as hostile terrain (coffee shops, airports). No assumptions of safety.
- Doctrine note: Best for untrusted networks—your NIC is locked down, surface area minimized.
Private
- Inbound rules: More permissive than Public. Allows inbound traffic for trusted apps/services (file sharing, media streaming).
- Outbound rules: Similar to Public, but with fewer restrictions.
- Discovery: Enabled—devices can see each other, share files, printers, and services.
- Trust posture: Treated as a friendly LAN. Assumes you control the environment.
- Doctrine note: Best for home or small office networks where collaboration matters.
DomainAuthenticated
- Inbound rules: Controlled by Group Policy. Domain admins centrally manage firewall rules.
- Outbound rules: Same—policies dictate what’s allowed.
- Discovery: Enabled, but governed by domain trust. Devices authenticate against Active Directory.
- Trust posture: Treated as sovereign terrain—secured by organizational doctrine.
- Doctrine note: Best for enterprise environments. Domain controllers, not local choice, enforce trust.
Why This Matters
- Security posture shifts depending on the category. Public = maximum lockdown, Private = collaborative, Domain = centralized control.
- Operational consequences: If you mis‑categorize a NIC, you can either expose services on hostile terrain (Private on public Wi‑Fi) or block collaboration in trusted LANs (Public at home).
- Doctrine echo: Switching categories is as critical as disabling IPv6—it defines how Windows interprets trust boundaries and applies firewall rules.
Note:
To find more options for Set-NetAdapterBinding, you can use the Get-NetAdapterBinding PowerShell command.
If you like this article, feel free to check out some others, like How to pause a PowerShell script