Information
Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes.
The recommended state for this setting is: Disabled.
This behavior is expected. The problem is that the 10-minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic is no longer routed properly for the affected host. Ignoring such ICMP redirects limits the system's exposure to attacks that impact its ability to participate on the network.
When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Disabled:
To access the Device Configuration Policy from the Intune Home page:
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Enter a Name
Configure the following Setting:
Path: Computer Configuration/MSS (Legacy)
Setting Name: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability, etc.)
Note: More than one configuration setting from each of the Configuration profiles (e.g., Administrative Templates, Custom, etc.) can be added to each Device Configuration Policy.
Enabled. (ICMP redirects can override OSPF-generated routes.)
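To confirm on an endpoint that the profile has taken effect, the following added audit example (not part of the benchmark text) reads the policy value and the setting reported by the IPv4 stack. It assumes the MSS (Legacy) setting is stored as EnableICMPRedirect under the Tcpip\Parameters registry key; the function name Get-IcmpRedirectAudit is hypothetical.

```powershell
# Added audit example; not part of the benchmark text.
# Assumption: the MSS (Legacy) policy is stored in this registry value.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RegName = 'EnableICMPRedirect'

function Get-IcmpRedirectAudit {
    [CmdletBinding()]
    param(
        [string]$Path = $RegPath,
        [string]$Name = $RegName
    )

    # Read the policy value: 0 = Disabled (recommended), anything else = Enabled.
    # A missing value means the policy was never applied to this device.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $policy = 'NotConfigured'
    } elseif ([int]$item.$Name -eq 0) {
        $policy = 'Disabled'
    } else {
        $policy = 'Enabled'
    }

    # Read what the running IPv4 stack reports, where the cmdlet is available.
    $stack = 'Unknown'
    if (Get-Command Get-NetIPv4Protocol -ErrorAction SilentlyContinue) {
        $stack = [string](Get-NetIPv4Protocol).IcmpRedirects
    }

    # Only an explicit Disabled policy value counts as compliant.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyValue  = $policy
        StackSetting = $stack
        Compliant    = ($policy -eq 'Disabled')
    }
}

Get-IcmpRedirectAudit | Format-List
```

A result of NotConfigured indicates the profile has not reached the device, which is reported as non-compliant rather than assumed safe.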