Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune

Key Takeaways:

  • ICMP Redirects can influence routing decisions by overriding OSPF routes
  • Configuration is delivered centrally via Intune, ensuring consistency across managed devices
  • Hardening this setting is a standard requirement for high-security frameworks
  • Enabling the setting lets the network dynamically “self-correct” using ICMP messages, but it opens a door for potential traffic redirection.

Let’s discuss the Allow ICMP Redirects to Override OSPF Generated Routes policy using Intune. Allow ICMP redirects to override OSPF generated routes is a legacy security configuration that dates back to the “MSS” (Microsoft Solutions for Security) era. It is primarily found in environments where high-security standards (such as the STIG or CIS benchmarks) are applied to Windows endpoints.

What is OSPF?

Open Shortest Path First (OSPF) is a sophisticated routing protocol used to find the best path for data across a network. Its routes are considered “trustworthy” because they are configured by network administrators rather than learned from arbitrary hosts on the network.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune

Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is Disabled.

When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths.

How to Start Policy Creation

As an Admin, you can quickly configure this policy for your organisation. To start the Policy Creation, open the Microsoft Intune Admin center. Then go to Devices > Configuration > + Create > + New Policy.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.1

Profile Creation

Profile creation is the step in which you assign the policy to the appropriate platform and profile type. Here I would like to configure the policy for the Windows 10 and later platform with a Settings catalog profile. Then click on the Create button.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.2

Adding the Basic Details

Naming the policy is the first step, and it helps admins identify the policy later. A clear name and description tell you the purpose of the policy at a glance. Here the Name is mandatory and the Description is optional. After adding these, click on the Next button.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.3

Configure Allow ICMP Redirects to Override OSPF Generated Routes

On the Configuration settings tab, click on the + Add settings hyperlink to open the Settings picker. The Settings picker shows a huge number of settings, so here I would like to select the setting by browsing by category. I choose Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.4

Disable ICMP Redirects to Override OSPF Generated Routes

By disabling this setting, you tell Windows: “Do not listen to ICMP redirect messages if they try to change a route already established by OSPF.” This prevents a potentially rogue device on the local network from tricking your computer into sending traffic through a different (malicious) gateway, which is why Disabled is the recommended state.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.5

Enable ICMP Redirects to Override OSPF Generated Routes

If enabled, the computer will update its routing table based on ICMP redirect messages, even if they contradict the OSPF-learned path. Here I would like to enable this policy.
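To verify on a managed endpoint which of the two states described above actually took effect, the following PowerShell check is an added example (not code from the original post). It assumes the Intune setting is backed by the EnableICMPRedirect registry value under the Tcpip\Parameters key (0 = disabled, 1 = enabled, absent = Windows default of enabled) and cross-checks it against the live IPv4 stack setting reported by Get-NetIPv4Protocol.

```powershell
# Added example: report whether "Allow ICMP redirects to override OSPF generated
# routes" is in the recommended Disabled state on this device.
# Assumption: the MSS (EnableICMPRedirect) policy writes the registry value below.
function Get-IcmpRedirectState {
    [CmdletBinding()]
    param(
        [string]$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
        [string]$ValueName = 'EnableICMPRedirect'
    )

    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the stack falls back to its default, which honours redirects.
        $raw     = $null
        $enabled = $true
    } else {
        $raw     = [int]$item.$ValueName
        $enabled = ($raw -ne 0)
    }

    # Cross-check with the live IPv4 stack setting exposed by the NetTCPIP module.
    $stack = (Get-NetIPv4Protocol -ErrorAction SilentlyContinue).IcmpRedirects

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RegistryValue      = $raw
        PolicyEnabled      = $enabled
        StackIcmpRedirects = $stack
        Compliant          = (-not $enabled)   # recommended state is Disabled
    }
}

$state = Get-IcmpRedirectState
$state | Format-List

if (-not $state.Compliant) {
    Write-Warning "ICMP redirects may override OSPF routes on $($state.ComputerName): policy not applied or set to Enabled."
    exit 1   # non-zero exit lets this double as an Intune remediation detection script
}
exit 0
```

Run it in an elevated PowerShell session after the device has synced; a Compliant value of False means the Intune policy has not applied yet or was deliberately set to Enabled.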

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.6

Scope Tags

With scope tags, you restrict the visibility of the Allow ICMP Redirects to Override OSPF Generated Routes policy to specific admin roles. They also help to organise resources. Here, I would like to skip this section, because it is not mandatory. Click on the Next button.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.7

Assignments Tab for Selecting Group

To assign the policy to specific groups, you can use the Assignments tab. Here I click the + Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Then I click on the Next button to continue.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.8

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create button. After the policy is created, you will get a success message.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.9

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the assigned device from the Company Portal. Then open the Intune Portal and go to Devices > Configuration and search for the policy. Here, the policy shows as successful.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.10

Removing the Assigned Group from the Allow ICMP Redirects to Override OSPF Generated Routes Policy

If you want to remove the assigned group from the policy, you can do it from the Intune Portal. To do this, open the policy in the Intune Portal, edit the Assignments tab and remove the group from the assignment.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune Step-by-Step Guide.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.11

How to Delete the Allow ICMP Redirects to Override OSPF Generated Routes Policy

You can easily delete the policy from the Intune Portal. From the Configuration section, you can delete the policy, and it will be completely removed from the client devices on their next sync.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.12

Windows CSP Details

Allow ICMP redirects to override OSPF generated routes is applicable to Windows 10, version 1803 [10.0.17134] and later devices. The table below shows the Description framework properties of the CSP.

Property name    Property value
Format           chr (string)
Access Type      Add, Delete, Get, Replace

Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Table.1
Allow ICMP Redirects to Override OSPF Generated Routes Policy using Intune – Fig.13

Author

Anoop C Nair is a Workplace Technology solution architect with 25+ years of experience. Microsoft Certified Trainer. Microsoft MVP from 2015 onwards for 11+ consecutive years! He is a blogger, speaker, and founder of HTMD Community and HTMD Conference. His main focus is on Device Management technologies like Intune, Windows, and Cloud PC. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, and Microsoft Security.
