Remote PS Commands

  • Question

  • Hi all,

    PS newbie here so apologies if I've missed something super simple.

    In light of the recent WannaCry attack, I'm trying to remotely disable SMBv1 on a number of our 2012/2012R2 servers using a PS script. I have the following but it isn't working.

    foreach ($server in (Get-Content c:\test.txt)) {

    write-host "Server Name is: $server"

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

    }

    What have I missed?

    Thanks

    Dan

    Tuesday, May 16, 2017 10:10 AM

All replies

  • Well according to the documentation

    https://technet.microsoft.com/itpro/powershell/windows/smbshare/set-smbserverconfiguration?f=255&MSPPError=-2147217396

    There is no Computer parameter so I do not think this command works on remote computers. You will need to use Invoke-Command and then pass that command in the scriptblock of Invoke-Command, but for this to work you need PSRemoting enabled and configured on each machine.

    All your script is doing is looping through your text file writing each line to the command window and then running the command on the computer the script is running from each time.

    Something like this:

    $scriptBlock = {
      Set-SmbServerConfiguration -EnableSMB1Protocol $false
    }

    Get-Content C:\test.txt | ForEach {
      Write-Host "Server name is: $_"
      Invoke-Command -ComputerName $_ -ScriptBlock $scriptBlock
    }




    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful. (99,108,97,121,109,97,110,50,64,110,121,99,97,112,46,114,114,46,99,111,109|%{[char]$_})-join''




    • Edited by clayman2 Tuesday, May 16, 2017 1:03 PM fixed script
    Tuesday, May 16, 2017 11:29 AM
  • Here is something you can use to create the disable SMB1 registry key on your machines remotely; good for a quick fix until you're able to patch properly.

    Ex.: .\Script.ps1 (Get-Content .\Computers.txt)

    This fix is mainly for your Win7 and Server2008:

    Param(
    
        [parameter(Mandatory=$true)]
        [String[]]$ComputerName
    )
    
    function Crypto-Fix {
    
    #Add desired registry key values to array
    $Keys = @(
    
        "HKLM:\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters"       
    )
    
        ForEach ($Computer in $Computername) {
    
            if(!([string]::IsNullOrWhiteSpace($Computer))) {
    
                if(Test-Connection -Quiet -Count 1 $Computer) {
    
                    Invoke-Command -ComputerName $Computer {
                    param($Computername, $Computer, $Keys)
    
                        New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR | Out-Null
    
                        foreach ($Key in $Keys) {        
    
                            Try {
    
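                                    # -ErrorAction Stop turns failures into terminating errors so the Catch block runs
                                    New-ItemProperty -Path $Key -Name "SMB1" -Value "0" -PropertyType DWORD -Force -ErrorAction Stop | Out-Null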
                                Write-Host -ForegroundColor Green "Successful key injection on $Computer."
                            }
    
                            Catch {
    
                                Write-Host -ForegroundColor Yellow "Notice: Unable to add key to $Computer."
                            }
                        }
                    } -AsJob -JobName "Crypto Fix (RansomWare Mitigation)" -ArgumentList $Computername, $Computer, $Keys
                }
    
                else {
    
                    Write-Host -ForegroundColor Cyan "Error: Unable to ping $Computer."
                }
            }
        }
    }
    
    #Call main function; Wait on job completion and retrieve results
    Crypto-Fix | Receive-Job -Wait -AutoRemoveJob
    You can exchange the (Get-Content) portion for any other method of generating an array of machines you want to push this to.
    Tuesday, May 16, 2017 11:56 PM
  • You may also run this in parallel (asynchronously) by using PowerShell Jobs; referencing clayman2's suggestion; I know the Set-SmbServerConfiguration cmdlet can be a lengthy process sometimes, which will be sped up immensely with jobs:

    $scriptBlock = {
      Set-SmbServerConfiguration -EnableSMB1Protocol $false
    }
    
    Get-Content C:\test.txt | ForEach {
      Write-Host "Server name is: $_"
      Invoke-Command -ComputerName $_ -ScriptBlock $scriptBlock -AsJob
    }
    You may use Get-Job to check the status of each job and Get-Job | Receive-Job to pull the information.


    Wednesday, May 17, 2017 1:40 AM
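
The replies above push the change but do not confirm it took effect. The following is an added example, not code from any poster in this thread: it disables SMBv1 over PSRemoting, reads the setting back on each server, and lists the servers that failed. It assumes PSRemoting is enabled on every target and reuses the question's C:\test.txt; the `$report` and `$failures` names are illustrative.

```powershell
# Added example, not from the thread. Assumes PSRemoting is enabled on all targets
# and that C:\test.txt (the file from the question) lists one server name per line.
$servers = Get-Content C:\test.txt | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() }

# Runs on each remote server: disable SMBv1, then read the value back.
$scriptBlock = {
    # -Force suppresses the confirmation prompt so the command can run unattended.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction Stop
    [pscustomobject]@{
        SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Passing the whole list lets Invoke-Command contact the servers in parallel.
# Errors are collected in $failures instead of being written to the console.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $scriptBlock -ErrorAction SilentlyContinue -ErrorVariable failures

# One row per server that answered; remoting adds PSComputerName to each result.
$report = @($results | ForEach-Object {
    [pscustomobject]@{
        Server      = $_.PSComputerName
        SMB1Enabled = $_.SMB1Enabled
        Status      = if ($_.SMB1Enabled) { 'STILL ENABLED' } else { 'Disabled' }
    }
})

# One row per failure. Errors raised on the remote side carry OriginInfo;
# for connection failures the target name is taken from TargetObject.
$report += @(foreach ($f in $failures) {
    $name = if ($f.OriginInfo) { $f.OriginInfo.PSComputerName } else { "$($f.TargetObject)" }
    [pscustomobject]@{
        Server      = $name
        SMB1Enabled = $null
        Status      = "FAILED: $($f.Exception.Message)"
    }
})

# Any server missing from the report, or not showing 'Disabled', still needs attention.
$report | Sort-Object Server | Format-Table -AutoSize -Wrap
```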
  • Hi Dan,

    Using bat plus GPO to do this job:

    ============
    @echo off
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    PowerShell.exe -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force"
    ============
    

    Save it as a .bat file, then use a dedicated GPO for it, e.g. logon/startup.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Hello_2018 Monday, June 5, 2017 3:03 AM
    Wednesday, May 17, 2017 3:08 AM
  • GPO has a security policy that will do that with no BAT and no script. Use it.

    \_(ツ)_/

    • Proposed as answer by Leoš Marek Friday, May 26, 2017 6:10 PM
    Wednesday, May 17, 2017 3:15 AM
  • Hi,
    Was your issue resolved? 
    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation so that we can provide further help.
    Best Regards,
    Andy


    Monday, June 5, 2017 3:03 AM