Effortless LLMNR Configuration for IT Pros: PowerShell Script Guide

Key takeaways

  • LLMNR importance: LLMNR is crucial for name resolution, especially in small networks without DNS.
  • Security risks: LLMNR can pose security threats in larger networks, necessitating its management.
  • PowerShell efficiency: The script offers an efficient way to enable/disable LLMNR via group policy.
  • Administrative rights needed: Running the script requires administrative privileges for proper execution.
  • Automated vs manual: This automated approach is more efficient and less error-prone compared to manual configurations.
  • Environmental suitability: The script is compatible with Windows 10 and Windows Server 2016 onwards.
  • Testing is crucial: Always test the script in a controlled environment before wide-scale deployment.
  • NinjaOne integration: Integrating such scripts with tools like NinjaOne can streamline network management tasks.

In the world of information technology, efficient management of network protocols is crucial for ensuring secure and smooth network operations. Among these protocols, Link-Local Multicast Name Resolution (LLMNR) plays a significant role, especially in environments where Domain Name System (DNS) configurations are either not feasible or not fully operational. However, managing LLMNR settings, particularly in larger networks, can be a challenging task. This is where PowerShell scripts come in, offering a powerful way to configure LLMNR across systems.

Background

LLMNR is a protocol used by Windows operating systems for name resolution in scenarios where DNS might not be available. It’s particularly useful in small networks, like home or small office networks, where a full-fledged DNS server may not be present. However, in larger, more secure environments, LLMNR can pose security risks, as it can be exploited for malicious purposes like man-in-the-middle attacks. This PowerShell script provides a convenient method for IT professionals and Managed Service Providers (MSPs) to enable or disable LLMNR via local group policy, aiding in tightening network security.

The script:

#Requires -Version 5.1

<#
.SYNOPSIS
    Enable or Disable LLMNR(DNS MultiCast) via local group policy.
.DESCRIPTION
    Enable or Disable LLMNR(DNS MultiCast) via local group policy.

.EXAMPLE
    (No Parameters)
    ## EXAMPLE OUTPUT WITHOUT PARAMS ##

PARAMETER: (No Parameters)
    Disables LLMNR
.EXAMPLE
    -Enable
    ## EXAMPLE OUTPUT WITH Enable ##
    Enables LLMNR
.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Release Notes: Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>

[CmdletBinding()]
param (
    [Parameter()]
    [switch]$Enable
)

begin {
    if ($env:action -and $env:action -notlike "null") {
        switch ($env:action) {
            "Enable LLMNR" { $Enable = $True }
            "Disable LLMNR" { $Enable = $False }
        }
    }
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    function Set-RegKey {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        if (-not $(Test-Path -Path $Path -ErrorAction SilentlyContinue)) {
            # Check if path does not exist and create the path
            New-Item -Path $Path -Force | Out-Null
        }
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {
            # Update property and print out what it was changed from and changed to
            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name
            try {
                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "$Path\$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
        }
        else {
            # Create property with value
            try {
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "Set $Path\$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
        }
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    
    try {
        Set-RegKey -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMultiCast -Value $(if ($Enable) { 1 }else { 0 }) -PropertyType DWord
    }
    catch {
        Write-Error $_
        Write-Host "Failed to set LLMNR."
        exit 1
    }
    Write-Host "LLMNR(DNS MultiCast) was set to $(if ($Enable) { 1 }else { 0 })"
    exit 0
}
end {
}

 


Detailed breakdown

The script starts with a CmdletBinding attribute, indicating it’s designed to function like a PowerShell cmdlet. Parameters are defined, with the $Enable switch determining whether to enable or disable LLMNR.

  • The begin block checks the action environment variable, where "Enable LLMNR" or "Disable LLMNR" overrides the -Enable switch, and defines two functions: Test-IsElevated to verify that the script is run with administrator privileges, and Set-RegKey to create or modify the registry value that configures LLMNR.
  • In the process block, the script first checks that it is running with elevated privileges. It then calls Set-RegKey against the policy path HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, writing the EnableMultiCast DWord value as 1 to enable LLMNR or 0 to disable it.
  • The script concludes by printing the value it set and exiting with status code 0 on success, or 1 if it was not elevated or the registry write failed.

A visual aid could be a flowchart showing the script’s execution path, from parameter intake to final execution.

Potential use cases

Imagine an IT administrator in a large corporation who needs to disable LLMNR across all computers to prevent potential security breaches. Using this script, they can quickly deploy this setting via group policy, ensuring a consistent configuration across the network.

Comparisons

Traditionally, LLMNR settings are managed manually through the Windows GUI or via group policy editor, which can be time-consuming and prone to human error. This script automates the process, offering a more efficient and less error-prone solution.

FAQs

  • Can this script be used on any Windows version?
    • It’s designed for Windows 10 and Windows Server 2016 onwards.
  • Do I need administrative rights to run this script?
    • Yes, administrative privileges are required.

Implications

Disabling LLMNR can significantly enhance network security, preventing specific types of network attacks. However, it may affect name resolution in small networks without a DNS server.

Recommendations

  • Always run the script in a test environment before deploying it in production.
  • Ensure you have administrative privileges to avoid execution errors.
  • Understand the network environment to assess the impact of enabling/disabling LLMNR.
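
To confirm the result after a test run, the following added example (not part of NinjaOne's script) reads back the same registry value the script writes and reports whether the machine matches the intended state. The function name Get-LlmnrPolicyState, its -ExpectEnabled switch and the output property names are hypothetical; treating an absent value as "LLMNR left on" reflects the Windows default, and the UDP 5355 listener check is informational only.

```powershell
# Added example, not NinjaOne's code: read back the value the script writes.
function Get-LlmnrPolicyState {
    [CmdletBinding()]
    param (
        # Same key and value name the script above targets
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
        [string]$Name = 'EnableMultiCast',
        # Hypothetical switch: pass it when LLMNR is meant to stay enabled
        [switch]$ExpectEnabled
    )

    $value = $null
    $kind = $null
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        $value = $key.GetValue($Name)
        $kind = $key.GetValueKind($Name)
    }

    # Absent value means the policy is not configured, so LLMNR stays enabled.
    if ($null -eq $value) { $state = 'NotConfigured' }
    elseif ($kind -ne 'DWord') { $state = 'WrongType' }   # policy expects a DWord
    elseif ($value -eq 0) { $state = 'Disabled' }
    else { $state = 'Enabled' }

    $llmnrOn = $state -in 'NotConfigured', 'Enabled'
    $compliant = ($state -ne 'WrongType') -and ($llmnrOn -eq [bool]$ExpectEnabled)

    # LLMNR uses UDP 5355. Informational: the listener may outlive a policy
    # change until the DNS Client service re-reads its settings (assumption).
    $listener = [bool](Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyValue     = $value
        ValueKind       = $kind
        State           = $state
        Udp5355Listener = $listener
        Compliant       = $compliant
    }
}

# Default expectation is "LLMNR disabled", matching the script's no-parameter run.
$result = Get-LlmnrPolicyState
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Reading HKLM does not require elevation, so this check can run as a standard user; the non-zero exit code on a mismatch lets a deployment tool flag machines where the setting did not apply.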

Final thoughts

In the context of managing network settings like LLMNR, a tool like NinjaOne can provide a centralized platform for deploying such scripts across a network, simplifying the task for IT professionals and MSPs. Its ability to manage and automate tasks across a wide range of devices and systems makes it a valuable asset in any IT environment.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service delivery tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.
