Disabling SMB1 On DC's

  • Question

  • We have multiple domains, and some domains already have Windows Server 2019 domain controllers, where SMB1 is disabled.

    Noticed that SMB1 was still enabled in a certain domain which has Windows Server 2012R2 DC's. I enabled SMB logging, and see that Windows 10 machines are using SMB1 to connect to these DC's. The majority of our systems are Windows 10 1909 and some are already at 2004. Checked the SMB Configuration on those clients and saw that SMB1 is disabled (Get-SMBServerConfiguration | fl EnableSMB1Protocol = False). I guessed that the Windows 10 machines used SMB1 as the DC is still offering SMB1 as an option, so went ahead and disabled SMB1 on the DC's:

    Get-ADDomainController -Filter * -Server AVC | % {Invoke-Command -ComputerName $_.Hostname -Scriptblock {Set-SMBServerConfiguration -EnableSMB1Protocol $False -Confirm:$False}}

    About an hour later, complaints came rushing as people started to lose access to their shares. Re-enabled SMB1 again, and everything returned to normal.

    Have checked a number of articles, but none provide the info I am looking for.

    Why are Windows 10 machines still using SMB1, even though it looks disabled? How should we disable SMB1, because https://docs.microsoft.com/en-us/archive/blogs/staysafe/disable-smb-v1-in-managed-environments-with-ad-group-policy does not seem to hold the answers. The registry settings discussed here do not exist or have totally different settings.

    Example: LanManWorkstation -> DependOnService has rdbss WINQUIC


    Answers provided are coming from personal experience, and come with no warranty of success. I, as everybody else, do make mistakes.

    Thursday, June 18, 2020 12:51 PM
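
A pre-change check for the rollout described in the question, added here as an example and not part of the original post: it summarizes, per DC, which client addresses appear in the SMB1 audit log, so the affected machines are known before `EnableSMB1Protocol` is switched off. It assumes SMB1 auditing was already enabled with `Set-SmbServerConfiguration -AuditSmb1Access $true`, that hits are logged as event ID 3000 in `Microsoft-Windows-SMBServer/Audit`, and that the event text carries a `Client Address:` line; `$Days` is a hypothetical look-back window.

```powershell
# Added example: list clients that still negotiate SMB1 against each DC.
# 'AVC' is the domain name used in the post; $Days is a hypothetical parameter.
param(
    [string]$Domain = 'AVC',
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

$report = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $since -ScriptBlock {
        param($since)
        $cfg = Get-SmbServerConfiguration

        # "No events were found" is a non-terminating error; treat it as an empty result.
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SMBServer/Audit'
            Id        = 3000
            StartTime = $since
        } -ErrorAction SilentlyContinue

        # Assumed message layout: a "Client Address: <value>" line in the event text.
        $hits = @(foreach ($e in $events) {
            if ($e.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ Client = $Matches[1]; Time = $e.TimeCreated }
            }
        })

        if ($hits.Count -eq 0) {
            [pscustomobject]@{ DC = $env:COMPUTERNAME; SMB1Enabled = $cfg.EnableSMB1Protocol
                               AuditOn = $cfg.AuditSmb1Access; Client = '(none logged)'
                               Hits = 0; LastSeen = $null }
        } else {
            $hits | Group-Object Client | ForEach-Object {
                [pscustomobject]@{ DC = $env:COMPUTERNAME; SMB1Enabled = $cfg.EnableSMB1Protocol
                                   AuditOn = $cfg.AuditSmb1Access; Client = $_.Name
                                   Hits = $_.Count
                                   LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time }
            }
        }
    }
}

# Busiest SMB1 clients first, per DC.
$report |
    Sort-Object DC, @{ Expression = 'Hits'; Descending = $true } |
    Format-Table DC, SMB1Enabled, AuditOn, Client, Hits, LastSeen -AutoSize
```

A row with `AuditOn` false and no clients means auditing was not enabled on that DC, not that no SMB1 traffic reached it.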

All replies