Microsoft has quietly aligned Windows with a newer internet standard that slashes the lifetime of temporary IPv6 addresses from one week to just two days. The shift, driven by RFC 8981, means your devices will cycle through more short-lived network identities by default—strengthening privacy but also surfacing new considerations for IT admins, developers, and anyone who relies on stable IPv6 addressing.
A Two-Day Clock on Your IPv6 Privacy Address
The change lands in the guts of how Windows assigns temporary IPv6 addresses through Stateless Address Autoconfiguration (SLAAC). These ephemeral addresses, often called privacy extensions, were first standardized in 2007 under RFC 4941. They give your PC a second, randomized IPv6 address used for outbound connections—leaving your permanent, MAC-derived address hidden. The original specification set a valid lifetime of one week and a preferred lifetime of one day. After a day, the old address was deprecated and a new one generated, but the deprecated address remained valid for incoming connections for the rest of the week.
RFC 8981, published by the Internet Engineering Task Force in February 2021, cuts that valid lifetime to just two days while keeping the preferred lifetime at one day. In practice, your temporary address now becomes invalid after 48 hours, forcing a faster rotation. The change also tweaks the regeneration algorithm to spread out new address creation and reduce the chance that multiple devices on a network all rotate at once. Microsoft has incorporated these new defaults into recent versions of Windows 10 and Windows 11, though the exact build numbers can vary depending on your update channel. If you’re on a fully patched system from late 2022 onward, you’re likely already living in the two-day world.
The faster cadence reduces the window during which an observer can correlate your device’s network activity across sessions. Instead of leaving a breadcrumb that lasts a week, your trail goes stale in two days. For home users, this happens automatically with no manual intervention—a quiet but meaningful privacy bump.
What RFC 8981 Means for Everyday Users
For most people, this change is invisible. If you stream video, browse the web, or use cloud apps over IPv6, your device will simply rotate its outbound address more often. You won’t see pop-ups or performance hits. The adjustment is purely about reducing the persistence of your device’s identity on the network.
But there are edge cases where the faster rotation can break assumptions. Some older home routers or ISP configurations that expect stable IPv6 source addresses might get confused when the address changes mid-session, though this is rare. More commonly, if you use whitelisting on your own server or firewall that relies on a temporary address (which is not recommended), you’ll need to update the rule every two days instead of weekly.
For power users who run services like remote desktop, SSH, or gaming servers from a Windows machine, note that temporary addresses are only used for client connections. Inbound services typically bind to the stable public address derived from your router’s prefix and your device’s interface identifier (which on modern Windows systems is randomized as well, thanks to another privacy feature introduced in Windows 10). But if you’ve manually configured applications to listen on a temporary address, the two-day limit will force constant reconfiguration.
IT Administrators: Auditing and Adjusting
If you manage a fleet of Windows devices, the two-day cycle can affect your network monitoring and security event correlation. Temporary addresses show up in logs, and with faster rotation, correlating a single device’s activity over time becomes harder if you’re relying on the temporary address as a stable identifier. This is by design for privacy, but it can complicate forensic investigations. Many enterprise environments already disable IPv6 privacy extensions on domain-joined machines to maintain stricter tracking, but for devices that roam outside the corporate network, the privacy gain may be worth the logging trade-off.
You can verify the setting on a machine by opening PowerShell and running:
Get-NetIPv6Protocol | Select-Object -Property UseTemporaryAddresses, MaxTemporaryValidLifetime, MaxTemporaryPreferredLifetime
A value of UseTemporaryAddresses set to Enabled and a MaxTemporaryValidLifetime of 2.00:00:00 confirms the new default. If your organization needs longer lifetimes for compliance or operational reasons, you can override them with:
Set-NetIPv6Protocol -MaxTemporaryValidLifetime 7.00:00:00 -MaxTemporaryPreferredLifetime 1.00:00:00
Keep in mind that such changes should be carefully documented, as they weaken the privacy benefit. Group Policy can distribute these adjustments across your environment if needed.
Developers and IPv6 Socket Behavior
If you’re writing network applications on Windows, the two-day limit is a reminder to bind servers to the stable address or to ::0 and not to a temporary address. For client connections, the OS will pick the correct source address based on the routing table; you generally shouldn’t need to override it. However, applications that cache or display the local client’s own address for user configuration (like some VPNs or monitoring tools) will need to refresh that value at least every two days.
RFC 8981 also deprecates the old method of generating temporary addresses that relied on the interface’s Stable Privacy Address as a seed, though Windows’ implementation had already moved away from that. The result is a cleaner, more robust privacy model that developers can rely on across modern operating systems.
The Road from EUI-64 to Ephemeral Addresses
To understand why this change matters, a bit of history helps. In the early days of IPv6, devices would auto-configure their address by combining the network prefix with an interface identifier derived from the MAC address—a scheme called EUI-64. That meant your device’s hardware address was baked right into its public IP, making it trivial to track across networks. Even home users with dynamic prefixes often kept the same host portion for months, turning a laptop into a persistent beacon.
RFC 4941 introduced temporary addresses as a fix: a randomly generated suffix that changes over time. But the one-week valid lifetime still left a long window for correlation. Meanwhile, ISPs began handing out more stable prefixes, and mobile devices roamed across Wi‑Fi and cellular networks with the same MAC-derived identifiers. Researchers demonstrated that even with temporary addresses, the stable address was often used alongside them, and the whole setup leaked privacy.
The IETF’s 6man working group drove RFC 8981 to tighten the timers and make other improvements. The two-day valid lifetime and algorithmic tweaks represent a consensus that faster rotation is essential for realistic privacy. Apple’s macOS and iOS adopted the new defaults earlier, and Android followed soon after. Windows’ move aligns the platform with the broader industry.
Taking Control of IPv6 Privacy on Your Windows Machine
First, check whether temporary addresses are enabled at all. On a home Windows machine, they should be on by default, but it’s worth confirming. In PowerShell:
Get-NetIPv6Protocol | Select-Object UseTemporaryAddresses
If the result is Disabled, you can turn them on with:
Set-NetIPv6Protocol -UseTemporaryAddresses Enable
This is generally a good idea unless you have a specific reason to keep them off, such as hosting a server that must be reachable via a single stable address.
Second, if you’re concerned about the faster rotation causing connection drops—say, for long-running downloads or VoIP calls—know that connections established with a temporary address are not torn down when the address becomes invalid. The address simply stops being used for new connections. Existing sessions continue until they naturally end. So, you shouldn’t experience sudden disconnects.
Third, for VPN users, privacy addresses can both help and confuse the picture. A VPN that forces all traffic over a single IPv4 tunnel largely bypasses IPv6 privacy extensions. But if your VPN supports IPv6, the temporary address on the physical interface might leak your actual location if IPv6 isn’t properly blocked. Windows’ IPv6 leak protection has improved, but it’s not foolproof. Always test your configuration at sites like ipleak.net after connecting.
Fourth, if you use a home firewall or router that logs outbound IPv6 traffic, be aware that your device may appear to have multiple addresses over time. The stable address is the one to whitelist or monitor for inbound connections, not the temporary one.
The Future of IPv6 Privacy Beyond the Two-Day Limit
RFC 8981 is an incremental step, not a final solution. Ongoing work in the IETF explores even shorter lifetimes, automatic address rotation based on traffic patterns, and integration with MAC address randomization at the link layer—something modern Windows and mobile devices already do. Microsoft’s commitment to these privacy defaults signals that the old model of a fixed IP address as a reliable identifier is fading.
For users, the lesson is simple: if you haven’t checked your Windows IPv6 privacy settings in a while, now is a good time. The defaults are more protective than they were a few years ago, but they’re not magic. Understanding when and how your device changes its face to the network gives you back a measure of control in a connected world.