Is There a Way to Disable SMB1 in WinPE?

    Question

  • I'd like to disable or remove SMB1 in WinPE. Is there a way to do that? When booted into WinPE, if I run Get-SMBServerConfiguration, EnableSMB1Protocol is set to True. I'm using ADK 1703. If any more information is needed, let me know.

    Thanks.

    Tuesday, September 26, 2017 12:42 PM

Answers

  • Try this. As I am on the road I do not have the opportunity to verify the reg add command, but the general idea is to use UpdateExit.vbs script.

    Use the code below to create UpdateExit.vbs file and then copy the file into the “C:\Program Files\Microsoft Deployment Toolkit\Samples” folder, replacing the version that is already there.  (If you’ve made any other changes to this, you’ll need to merge your changes into the version below.)  This script will be called during the deployment share update process to inject the reg value into the boot images, which is what is needed to disable SMB1:

    ' // ***************************************************************************
    ' // 
    ' // Copyright (c) Microsoft Corporation.  All rights reserved.
    ' // 
    ' // Microsoft Deployment Toolkit Solution Accelerator
    ' //
    ' // File:      UpdateExit.vbs
    ' // 
    ' // Version:   1.0
    ' // 
    ' // Purpose:   Disable SMB1
    ' // 
    ' // ***************************************************************************
    
    
    Option Explicit
    
    Dim oShell, oEnv
    
    ' Write out each of the passed-in environment variable values
    
    Set oShell = CreateObject("WScript.Shell")
    Set oEnv = oShell.Environment("PROCESS")
    
    WScript.Echo "INSTALLDIR = " & oEnv("INSTALLDIR")
    WScript.Echo "DEPLOYROOT = " & oEnv("DEPLOYROOT")
    WScript.Echo "PLATFORM = " & oEnv("PLATFORM")
    WScript.Echo "ARCHITECTURE = " & oEnv("ARCHITECTURE")
    WScript.Echo "TEMPLATE = " & oEnv("TEMPLATE")
    WScript.Echo "STAGE = " & oEnv("STAGE")
    WScript.Echo "CONTENT = " & oEnv("CONTENT")
    
    
    ' Do any desired WIM customizations (right before the WIM changes are committed)
    
    If oEnv("STAGE") = "WIM" then
    
    	' CONTENT environment variable contains the path to the mounted WIM
    	
    	
    	' // ***************************************************************************
    	' // 
    	' // Author:    Anton Romanyuk
    	' // 
    	' // Version:   1.0
    	' // 
    	' // Purpose:   Apply registry entries to Windows PE boot images.
    	' // 
    	' //  ------------- DISCLAIMER -------------------------------------------------
    	' //  This script code is provided as is with no guarantee or warranty concerning
    	' //  the usability or impact on systems.
    	' //  ------------- DISCLAIMER -------------------------------------------------
    	' //
    	' // ***************************************************************************
    	
    	' // Extra variables
    	Dim sCmd, rc, strLog, fso, iErrors 
    	
    	' The script output will be captured if the return code is greater than zero.  Change this line
    	' to say "iErrors = 0" if you don't want to see output in the case of success.  (This means 
    	' that return code 1 means success.  MDT doesn't take any action based on the return code, other
    	' than logging.)
    
    	iErrors = 1
    
    	Set fso = CreateObject("Scripting.FileSystemObject")
    
    		WScript.Echo "---- Beginning UpdateExit.vbs WIM section ----"
    		WScript.Echo "Adding Registry keys to WinPE (UpdateExit.vbs)..."
    
    		'Load SYSTEM registry hive from mounted WinPE WIM (path to CONTENT, quoted in case it contains spaces)
    		sCmd = "REG.EXE load HKLM\winpe " & Chr(34) & oEnv("CONTENT") & "\Windows\System32\config\SYSTEM" & Chr(34)
    		WScript.Echo "About to run command: " & sCmd
    		rc = oShell.Run(sCmd, 0, True)
    		
    		WScript.Echo "Return code from command = " & rc
    		If RC > 0 then 
    			iErrors = iErrors + 1
    		End if
    		
    		' This value disables SMB1 protocol
    		
    		sCmd = "Reg add " & Chr(34) & "HKLM\winpe\ControlSet001\Services\LanmanServer\Parameters" & Chr(34) & " /v SMB1 /t REG_DWORD /d 0 /f"
    		WScript.Echo "About to run command: " & sCmd
    		rc = oShell.Run(sCmd, 0, True)
    		
    		WScript.Echo "Return code from command = " & rc
    			
    		If RC > 0 then 
    			iErrors = iErrors + 1
    		End if
    		
    		sCmd = "Reg unload HKLM\winpe"
    		WScript.Echo "About to run command: " & sCmd
    		rc = oShell.Run(sCmd, 0, True)
    		
    		WScript.Echo "Return code from command = " & rc
    		If RC > 0 then 
    			iErrors = iErrors + 1
    		End if
    
    		' No separate log file is written: the WScript.Echo output above is what gets captured.
    		
    	WScript.Quit iErrors
    	
    End if

    Lemme know if this works for you.


    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    • Marked as answer by GeorgeAM Wednesday, September 27, 2017 12:15 PM
    Tuesday, September 26, 2017 7:57 PM

All replies

  • I am on my phone right now, so I can't look into this directly. Will setting the appropriate reg entry suffice to disable SMB1 in WinPE (I am assuming Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force)? If so, I can walk you through incorporating this adjustment into your boot image generation process.

    Cheers,
    Anton


    Tuesday, September 26, 2017 2:28 PM
  • Anton,

    I'd like to disable it permanently. I was thinking of making whatever change in the wim in "Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us" as this is the source of the boot wims in MDT, correct? To use Set-ItemProperty, would I just mount the wim and run the command?

    Tuesday, September 26, 2017 2:48 PM
  • If you could verify that setting the reg key is sufficient, I could whip out a vb script file which mdt uses to set the reg key directly in WIM as it is being built.

    Cheers,
    Anton


    Tuesday, September 26, 2017 3:15 PM
  • This approach worked: mounting the WIM, then reg load HKLM\Temp E:\Mnt\Windows\System32\config\System, creating SMB1 = 0 in the Parameters key, reg unload, committing the WIM and updating the Deployment Share. Now when I boot into WinPE and run Get-SMBServerConfiguration, EnableSMB1Protocol is 'False.'

    I also found this approach: https://github.com/mtniehaus/PSD/blob/master/Templates/Unattend_PE_x86.xml

    Tuesday, September 26, 2017 6:07 PM
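
The manual procedure described in the post above, written out as a PowerShell script with a read-back check before the image is committed. This is an added example, not code from the thread; the WIM path and image index are assumptions, while E:\Mnt, HKLM\Temp and the ControlSet001 key path are the ones that appear in the posts.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. $WimPath and -Index 1 are assumptions;
# E:\Mnt, HKLM\Temp and the ControlSet001 key path are the ones quoted in the posts.
param(
    [string]$WimPath  = 'C:\Path\To\boot.wim',   # placeholder: your WinPE image
    [string]$MountDir = 'E:\Mnt'
)
$ErrorActionPreference = 'Stop'
$hive = 'HKLM\Temp'
$key  = "$hive\ControlSet001\Services\LanmanServer\Parameters"
$save = $false

Mount-WindowsImage -ImagePath $WimPath -Index 1 -Path $MountDir | Out-Null
try {
    & reg.exe load $hive "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
    try {
        & reg.exe add $key /v SMB1 /t REG_DWORD /d 0 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed ($LASTEXITCODE)" }

        # Read the value back from the offline hive before committing anything.
        $out = (& reg.exe query $key /v SMB1) -join "`n"
        if ($LASTEXITCODE -ne 0 -or $out -notmatch 'SMB1\s+REG_DWORD\s+0x0\b') {
            throw "SMB1 value not set as expected:`n$out"
        }
        $save = $true
    }
    finally {
        # Always unload: a hive left loaded keeps the SYSTEM file locked.
        & reg.exe unload $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { $save = $false; Write-Warning 'reg unload failed' }
    }
}
finally {
    # Commit only if every step succeeded; otherwise leave the WIM untouched.
    if ($save) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    else       { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Booting the resulting image and running Get-SMBServerConfiguration is the end-to-end check used in the thread; EnableSMB1Protocol should read False.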
  • There is also another way, I'll post the details once I have access to my laptop again.

    Cheers,
    Anton


    Tuesday, September 26, 2017 6:12 PM
  • Thanks, Anton. I will try it tomorrow and let you know.
    Tuesday, September 26, 2017 8:23 PM
  • Thanks, Anton! EnableSMB1Protocol is disabled in both x86 and x64. Thanks for your help.
    Wednesday, September 27, 2017 12:16 PM
  • You gave me an idea for a blog post: www.vacuumbreather.com/index.php/blog/item/46-disabling-smbv1-in-winpe-through-mdt - consider us even:)

    Btw - based on my tests using current Insider Preview of Windows 10 RS3 (Fall Creators Update) ADK - going forward SMB1 protocol will be disabled by default in Windows PE.


    Cheers,
    Anton


    Thursday, September 28, 2017 7:36 AM