Introduction to DHCP Policies on Windows Server 2019
DHCP Policies allow the Windows Server 2019 DHCP server to assign different configuration options — including IP address ranges, lease durations, default gateways, DNS servers, and custom options — to clients based on attributes of the DHCP request itself. Without policies, all clients in a scope receive the same settings. With policies, you can assign a different DNS server to VoIP phones, a shorter lease to wireless clients, a dedicated address range to a specific vendor’s equipment, or custom option 43 values to printers — all within the same DHCP scope, without requiring VLANs or separate scopes.
Understanding Policy Criteria (Conditions)
DHCP policies match against attributes present in the client’s DHCP Discover or Request packet:
Vendor Class – The vendor class identifier sent by the client (option 60). Common values: “MSFT 5.0” for Windows clients, “Cisco Systems” for Cisco devices, “HP JetDirect” for HP printers.
User Class – A user-defined class the client can include (option 77).
MAC Address – The client’s hardware address (can use wildcards with prefix matching).
Client Identifier – Option 61 sent by the client.
Fully Qualified Domain Name (FQDN) – Option 81, client-supplied hostname.
Relay Agent Information – Option 82 sub-options (circuit ID, remote ID) from DHCP relay agents — useful for assigning options based on physical switch port.
Prerequisites
# Verify DHCP Server role
Get-WindowsFeature -Name DHCP
# Ensure a scope exists
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange | Format-Table
Create a Policy Based on Vendor Class
Assign different DNS servers and a shorter lease to VoIP phones (which typically identify themselves with a vendor class string):
# Create a DHCP policy for VoIP phones (vendor class "Polycom")
Add-DhcpServerv4Policy `
-Name "VoIPPhones" `
-ScopeId "192.168.100.0" `
-Description "Policy for Polycom VOIP Phones" `
-Condition Or `
-VendorClass EQ,"Polycom*" `
-ProcessingOrder 1
# Assign shorter lease duration via policy (4 hours for VoIP)
Set-DhcpServerv4PolicyOptionValue `
-ScopeId "192.168.100.0" `
-PolicyName "VoIPPhones" `
-OptionId 51 `
-Value 14400
# Assign specific DNS servers to VoIP policy
Set-DhcpServerv4PolicyOptionValue `
-ScopeId "192.168.100.0" `
-PolicyName "VoIPPhones" `
-DnsServer "192.168.1.20","192.168.1.21"
Create a Policy Based on MAC Address Prefix
Assign a dedicated address range and specific gateway to all Cisco switches (which share the first 3 octets of their MAC address — the OUI):
# Cisco's OUI prefix example: 00-1A-A1 (use your actual OUI)
Add-DhcpServerv4Policy `
-Name "CiscoSwitches" `
-ScopeId "192.168.100.0" `
-Description "Cisco network equipment" `
-Condition Or `
-MacAddress EQ,"001AA1*" `
-ProcessingOrder 2
# Assign an IP range (must be an exclusion range in the scope, then added to policy)
# First, create an exclusion for the range you want to assign to this policy
Add-DhcpServerv4ExclusionRange `
-ScopeId "192.168.100.0" `
-StartRange "192.168.100.200" `
-EndRange "192.168.100.240"
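# Add that range specifically to the policy
# (policy address ranges are added with Add-DhcpServerv4PolicyIPRange;
# Set-DhcpServerv4Policy has no -StartRange/-EndRange parameters)
Add-DhcpServerv4PolicyIPRange `
-Name "CiscoSwitches" `
-ScopeId "192.168.100.0" `
-StartRange "192.168.100.200" `
-EndRange "192.168.100.240"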
# Assign different default gateway to Cisco switches
Set-DhcpServerv4PolicyOptionValue `
-ScopeId "192.168.100.0" `
-PolicyName "CiscoSwitches" `
-Router "192.168.100.1"
Create a Policy Based on User Class
User classes allow you to group clients that have been manually configured with a specific user class string. This is useful for laptops assigned to a “Mobile” class that should receive shorter leases:
# First define the user class (must match what clients send in option 77)
Add-DhcpServerv4Class `
-Name "MobileDevices" `
-Type User `
-Data "Mobile" `
-Description "Mobile laptops and devices"
# Create policy targeting this user class
Add-DhcpServerv4Policy `
-Name "MobilePolicy" `
-ScopeId "192.168.100.0" `
-Description "Shorter lease for mobile devices" `
-Condition Or `
-UserClass EQ,"MobileDevices" `
-ProcessingOrder 3
# 2 hour lease for mobile devices
Set-DhcpServerv4PolicyOptionValue `
-ScopeId "192.168.100.0" `
-PolicyName "MobilePolicy" `
-OptionId 51 `
-Value 7200
On Windows client machines, set the user class with: ipconfig /setclassid "Ethernet" Mobile
Create a Policy Based on FQDN
Assign specific options to clients that provide a specific hostname in their DHCP request:
# Policy for print servers (hostname starts with "PRINT")
Add-DhcpServerv4Policy `
-Name "PrinterPolicy" `
-ScopeId "192.168.100.0" `
-Condition Or `
-Fqdn EQ,"PRINT*" `
-ProcessingOrder 4
# Assign no default gateway to printers (they don't need internet access)
Set-DhcpServerv4PolicyOptionValue `
-ScopeId "192.168.100.0" `
-PolicyName "PrinterPolicy" `
-Router "" # Empty router = no default gateway
Create a Policy Based on Relay Agent Circuit ID
When clients reach the DHCP server through a relay agent, the relay agent can insert option 82 with sub-option 1 (circuit ID) identifying the physical port. This allows per-port IP assignment:
# Policy for clients arriving from switch port "gi0/0/1" (relay sends circuit ID)
Add-DhcpServerv4Policy `
-Name "ServerVLANPolicy" `
-ScopeId "192.168.100.0" `
-Condition Or `
-RelayAgent EQ,"01:gi0/0/1" `
-ProcessingOrder 5
View, Modify, and Remove Policies
# List all policies for a scope
Get-DhcpServerv4Policy -ScopeId "192.168.100.0" |
Select-Object Name, ProcessingOrder, Enabled, Description | Format-Table
# View policy option values
Get-DhcpServerv4PolicyOptionValue -ScopeId "192.168.100.0" -PolicyName "VoIPPhones"
# Disable a policy
Set-DhcpServerv4Policy -ScopeId "192.168.100.0" -Name "VoIPPhones" -Enabled $false
# Change processing order
Set-DhcpServerv4Policy -ScopeId "192.168.100.0" -Name "PrinterPolicy" -ProcessingOrder 1
# Remove a policy
Remove-DhcpServerv4Policy -ScopeId "192.168.100.0" -Name "MobilePolicy" -Force
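Most of the criteria listed earlier are values the client writes into its own request, and DHCP does not authenticate them; only the option 82 fields are added by the relay agent. The following review helper is an added example, not part of the original article: it labels each policy by which kind of criterion is enough to match it. It assumes the policy objects expose their criteria under the same names as the Add-DhcpServerv4Policy parameters, and it runs here on constructed sample objects.

```powershell
# Criteria the client puts in its own request vs. criteria added by the relay agent
$ClientSent    = 'VendorClass','UserClass','MacAddress','ClientId','Fqdn'
$RelayInserted = 'RelayAgent','CircuitId','RemoteId','SubscriberId'

function Get-DhcpPolicyTrustReport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # A criterion is in use when its property holds a non-empty value list
        $c = @($ClientSent    | Where-Object { $Policy.$_ })
        $r = @($RelayInserted | Where-Object { $Policy.$_ })
        $basis = if (-not $c) { 'relay-inserted only' }
                 elseif ($r -and $Policy.Condition -eq 'And') { 'client-sent AND relay-inserted' }
                 else { 'client-sent value sufficient' }
        [pscustomobject]@{
            Name            = $Policy.Name
            ProcessingOrder = $Policy.ProcessingOrder
            Enabled         = $Policy.Enabled
            MatchesOn       = ($c + $r) -join ','
            Basis           = $basis
        }
    }
}

# Constructed sample objects mirroring three policies from this page. On a server, use:
#   Get-DhcpServerv4Policy -ScopeId "192.168.100.0" | Get-DhcpPolicyTrustReport
$sample = @(
    [pscustomobject]@{ Name = 'PrinterPolicy'; ProcessingOrder = 4; Enabled = $true
                       Condition = 'Or'; Fqdn = @('EQ', 'PRINT*') }
    [pscustomobject]@{ Name = 'ServerVLANPolicy'; ProcessingOrder = 5; Enabled = $true
                       Condition = 'Or'; RelayAgent = @('EQ', '01:gi0/0/1') }
    [pscustomobject]@{ Name = 'CiscoOnPort5'; ProcessingOrder = 1; Enabled = $true
                       Condition = 'And'; MacAddress = @('EQ', '001AA1*')
                       RelayAgent = @('EQ', '01:gi0/0/5') }
)
$sample | Get-DhcpPolicyTrustReport | Sort-Object ProcessingOrder | Format-Table -AutoSize
```

Policies reported as "client-sent value sufficient" are a convenience for well-behaved devices rather than an access control. The relay-inserted label is only as reliable as the relay's handling of option 82 that arrives already set in a client packet.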
Combine Multiple Conditions with AND/OR Logic
# Create a policy that matches clients that are BOTH Cisco AND from a specific circuit ID
Add-DhcpServerv4Policy `
-Name "CiscoOnPort5" `
-ScopeId "192.168.100.0" `
-Condition And `
-MacAddress EQ,"001AA1*" `
-RelayAgent EQ,"01:gi0/0/5" `
-ProcessingOrder 1
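A Cisco device on port gi0/0/5 satisfies both CiscoOnPort5 and CiscoSwitches, so processing order decides which one applies first. The sketch below is an added example, not from the original article and not the DHCP server's own code. It is a simplified model of the And/Or matching with trailing-* wildcards, using a constructed policy table (distinct order values are assumed) and constructed client requests.

```powershell
# Constructed table mirroring policies on this page; Order values are assumed distinct.
$Policies = @(
    [pscustomobject]@{ Name = 'CiscoOnPort5';  Order = 1; Condition = 'And'
                       Criteria = @{ MacAddress = '001AA1*'; RelayAgent = '01:gi0/0/5' } }
    [pscustomobject]@{ Name = 'VoIPPhones';    Order = 2; Condition = 'Or'
                       Criteria = @{ VendorClass = 'Polycom*' } }
    [pscustomobject]@{ Name = 'CiscoSwitches'; Order = 3; Condition = 'Or'
                       Criteria = @{ MacAddress = '001AA1*' } }
    [pscustomobject]@{ Name = 'PrinterPolicy'; Order = 4; Condition = 'Or'
                       Criteria = @{ Fqdn = 'PRINT*' } }
)

function Resolve-DhcpPolicyMatch {
    # Returns the names of all matching policies in processing order; the first is applied first.
    param(
        [Parameter(Mandatory)] [hashtable] $Client,
        [Parameter(Mandatory)] [object[]]  $Policy
    )
    $Policy | Sort-Object Order | Where-Object {
        $p = $_
        $hits = @(foreach ($field in $p.Criteria.Keys) {
            # -like handles the trailing-* prefix match; a field the client
            # request does not carry can never satisfy a criterion
            $Client.ContainsKey($field) -and ($Client[$field] -like $p.Criteria[$field])
        })
        if ($p.Condition -eq 'And') { $hits -notcontains $false }
        else                        { $hits -contains $true }
    } | ForEach-Object { $_.Name }
}

# Constructed client requests (attribute values are made up for the example)
$clients = [ordered]@{
    'switch on gi0/0/5' = @{ MacAddress = '001AA1B2C3D4'; RelayAgent = '01:gi0/0/5' }
    'switch on gi0/0/1' = @{ MacAddress = '001AA1B2C3D5'; RelayAgent = '01:gi0/0/1' }
    'Polycom phone'     = @{ MacAddress = '0004F2AABBCC'; VendorClass = 'Polycom-SoundPointIP' }
}
foreach ($name in $clients.Keys) {
    $matched = Resolve-DhcpPolicyMatch -Client $clients[$name] -Policy $Policies
    '{0,-18} -> {1}' -f $name, ($matched -join ', ')
}
```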
Summary
DHCP Policies on Windows Server 2019 eliminate the need for multiple scopes or complex network segmentation just to assign different options to different device types. By matching on vendor class, user class, MAC address OUI, FQDN, or relay agent circuit ID, you can deliver precise, per-device-type configuration from a single DHCP scope. Policies are evaluated in processing order, and the first matching policy wins, so ordering is important in environments with overlapping criteria.