Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline

Let’s discuss Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline. Multicast name resolution policy controls the state of Link Local Multicast Name Resolution (LLMNR) on client computers.

This policy determines whether LLMNR is enabled or disabled on all network adapters of the client computer. As you know, LLMNR is a secondary name resolution protocol designed by Microsoft. Its purpose is to provide host name resolution for devices on the same local network subnet when conventional Domain Name System (DNS) resolution is unavailable or not configured.

There are several reasons to configure this policy for your organization. The primary reason to disable LLMNR is security: the protocol is vulnerable to a type of attack called LLMNR poisoning. Since LLMNR queries are sent via multicast and are unauthenticated, any malicious device on the same local subnet can listen for these queries.

The primary benefit of this policy is indirect: by preventing the theft of user credentials, it protects sensitive organizational data (customer records, financial data, intellectual property) from being accessed through a compromised account.


If a network breach is prevented by this policy, the user avoids the disruptive experience of a security investigation, forced password resets, loss of access, and potential device quarantine, because the user’s credentials (password hash) are protected from being captured and cracked by an attacker who gains a foothold on the local network.

Configure Policy

First, you need to configure this policy. Start by signing in to the Microsoft Intune Admin Center. Then, click on Devices. Under the Devices section, go to the Configuration tab, where you will find a + Create option. Click on it, and you will see two options: New policy and Import policy.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.1

Profile Creation for Policy

The next step is profile creation, where admins choose the specific platform and profile type. This is essential so that the policy is applied to the appropriate platform and profile type. Here I configure the policy for the Windows 10 and later platform with the Settings catalog profile type. Then click on the Create button.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.2

Basics

The first tab is Basics, where you enter the basic details of the policy. First, provide an appropriate name for the policy. In this example, I named it Configure LLMNR Multicast Name Resolution Policy. You should also enter a description for better clarity. Then, set the Platform as Windows and click Next.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.3

Configuration Settings

After completing the Basics tab, you will move to the Configuration settings. Here, click on the blue + Add settings button. This will open a Settings picker window. In this window, expand Administrative Templates\Network\DNS Client.

  • Select the Turn off multicast name resolution policy
  • Click on the Next button

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.4

Enable Turn off Multicast Name Resolution

If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as “www.example.com” in addition to single-label names. Click on the Next button.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.5

Disable Turn off Multicast Name Resolution

If you disable this policy setting, or if you don’t configure this policy setting, NetBT queries will only be issued for single-label names such as “example” and not for multi-label and fully qualified domain names. Click on the Next button.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.6

Scope Tags

The next step is the Scope tag. While adding a scope tag to your policy is useful for the organization, it is not a required step. If you choose not to use a scope tag, you can skip this step and proceed by clicking Next to move forward with the policy deployment process.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.7

Assignments

The next step is Assignments. In this section, you specify which group the policy should be applied to. Since our aim is to deploy this policy to a specific group, this step is essential. Look for the Add Groups option under the Include Groups section and click on it.

  • A list of available groups will appear; select the group you want to target.
  • After selecting the group, click Next to proceed to the next step.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.8

Review + Create in Policy Creation

After the Assignments step, you’ll reach the final tab, Review + Create. This section shows a summary of everything you entered in the previous steps, such as the basic details, configuration settings, and assignment details. If you don’t need to change anything, just click on Review + Create.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.9

Device and User Check in Status

After creating the policy, we have to monitor whether it was deployed successfully or not. To check this, you can either wait for up to 8 hours for the policy to apply automatically, or you can reduce the waiting time by manually syncing the policy through the Company Portal.

  • The sync will show whether the policy was deployed successfully or not.
  • After syncing, you can check the policy’s status through the Intune Portal.
  • To do this, go to Devices > Configuration Profiles.
  • In the Configuration policy section, search for the name of the policy you created.
  • You can then view the details below for that policy.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.10

Client-Side Verification

To confirm whether the policy was applied successfully, you can use the Event Viewer. First, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Device Management > Enterprise Diagnostic Provider > Admin. Look for Event IDs 813 or 814, as these typically contain policy-related information.

Event Details: MDM PolicyManager: Set policy string, Policy: (Turn_Off_Multicast), Area: (ADMX_DnsClient), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Table.1
Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.11
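The Event Viewer check above can be scripted so that it runs the same way on every device. The script below is an added example and is not part of the original post or an Intune/Microsoft tool. It relies on two assumptions drawn from general Windows knowledge rather than from this page: the ADMX policy "Turn off multicast name resolution" writes EnableMulticast = 0 under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, and a host with LLMNR disabled no longer listens on UDP port 5355. The event-log log name and the Turn_Off_Multicast / ADMX_DnsClient strings match the event shown in Table 1.

```powershell
# Added verification script (not from the original post).
# Assumptions, from general Windows knowledge rather than the page:
#   - the "Turn off multicast name resolution" policy sets EnableMulticast = 0
#     under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
#   - once LLMNR is disabled, nothing listens on UDP 5355
# Run in an elevated PowerShell session on the managed device.

function Test-LlmnrPolicy {
    [CmdletBinding()]
    param(
        # How far back to look for MDM PolicyManager events
        [int]$EventLookbackHours = 24
    )

    $result = [ordered]@{}

    # 1. Registry: the value the policy is expected to write (assumption, see above)
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = Get-ItemProperty -Path $regPath -Name EnableMulticast -ErrorAction SilentlyContinue
    $result.EnableMulticast = if ($null -eq $value) { 'not set' } else { $value.EnableMulticast }
    $result.RegistryDisablesLlmnr = ($null -ne $value -and $value.EnableMulticast -eq 0)

    # 2. Event log: the 813/814 MDM PolicyManager events from the post's
    #    Client-Side Verification section, filtered to this policy
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        Id        = 813, 814
        StartTime = (Get-Date).AddHours(-$EventLookbackHours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Turn_Off_Multicast' -and $_.Message -match 'ADMX_DnsClient' }
    $result.PolicyEvents   = @($events | Select-Object TimeCreated, Id, Message)
    $result.PolicyEventSeen = ($result.PolicyEvents.Count -gt 0)

    # 3. Runtime indicator: no LLMNR (UDP 5355) listener once the policy is effective
    $listeners = Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue
    $result.Udp5355Listeners = @($listeners).Count
    $result.LlmnrListenerGone = (@($listeners).Count -eq 0)

    # Compliant only when the policy value is present AND the listener is gone
    $result.Compliant = $result.RegistryDisablesLlmnr -and $result.LlmnrListenerGone
    [pscustomobject]$result
}

Test-LlmnrPolicy | Format-List
```

The three checks answer different questions: the registry value shows that Intune wrote the setting, the event shows when and under which enrollment it was written, and the listener check shows whether the DNS Client service has actually picked it up. If the registry value is set but a UDP 5355 listener remains, the service has not re-read the policy yet; a reboot settles it. The same function can be wrapped as an Intune compliance or remediation script by returning only the Compliant field.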

Removing the Assigned Group from Multicast Name Resolution Policy Settings

If you want to remove the assigned group from the policy, you can do so from the Intune Portal. To do this, open the policy in the Intune Portal, edit the Assignments tab, and remove the group.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune Step-by-Step Guide.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.12

How to Delete Multicast Name Resolution Policy

You can easily delete the policy from the Intune Portal. From the Configuration section, delete the policy; this completely removes it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.13

Windows CSP Details

This policy specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. This policy is applicable for Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later; Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later; Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later; and Windows 11, version 21H2 [10.0.22000] and later.

Step-by-Step Intune Guide to Disable LLMNR Multicast Name Resolution for Zero Trust Baseline – Fig.14


Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards, for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is also a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
