Windows Clients - Disable SMBv1 via GPO

    Question

  • Background:

    Need to disable SMBv1 across all workstations (happen to all be Windows 10).

    I don't have SCCM.

    Since a fresh build of Win10 enables SMBv1 by default, I can't rely upon humans to disable it 100% so I want a scripted solution to check if enabled and disable if so.

    I was thinking of either a GPO logon script or a GPO scheduled task.

    However, I am unsuccessful thus far getting it to work. This command works interactively, but not at logon script because DISM needs services that are not running at logon time.

    Disable-WindowsOptionalFeature -online -FeatureName SMB1Protocol

    So, who here has solved this?

    It's rather unbelievable that MS enables a feature by default that they explicitly recommend never using and provide no tool to globally remove it.

    Wednesday, March 22, 2017 9:12 PM

All replies

  • Hello,

    See this article, should apply to Windows 10 as well.

    How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, March 22, 2017 9:19 PM
  • Hi ,

    We could disable SMB protocols using “Set-SMBServerConfiguration” command in PowerShell. Setup a GPO logon script or a GPO scheduled task using the following PowerShell command, check if it works.
    To disable SMBv1, run the following cmdlet:
    Set-SmbServerConfiguration -EnableSMB1Protocol $false

    Or we could disable SMB protocols by modifying registry key. Create a GPO to deploy the following registry key to have a check too. 
    Configure the following registry key to disable SMBv1:
    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1
    REG_DWORD: 0 = Disabled

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 23, 2017 3:12 AM
    Moderator
  • I believe that command is not valid for Windows 10.

    As for the registry, this article (https://support.microsoft.com/en-sg/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012) does not say that would work on Windows 10.

    Thursday, March 23, 2017 12:39 PM
  • Seen that article. Nothing in it helps with my stated goal, which is to run a script via GPO.
    Thursday, March 23, 2017 12:40 PM
  • I believe that command is not valid for Windows 10.

    As for the registry, this article (https://support.microsoft.com/en-sg/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012) does not say that would work on Windows 10.

    Hi ,

    Have you tested on Windows 10 machine?

    As far as I know, it should apply to Windows 10 as well. I have seen some users deal with network access issue on Windows 10 machine following this article and it worked. We would appreciate it if you would test it and post back the test result.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 23, 2017 2:53 PM
    Moderator
  • So set-smbserverconfiguration will run on Windows 10 and I can verify that Get-SMBServerConfiguration value EnableSMB1Protocol is False after running it. 

    However, when you go to "Turn on Windows Features on or off", SMB 1.0/CIFS File Sharing Support is still checked.

    Since the official MS link above only lists Set-SMBServerConfiguration as an option for Windows 8 and 2012 and specifically only mentions Disable-WindowsOptionalFeature for Windows 10 (which cannot be run at logon script), I do not believe this change is actually affecting the change that is desired.



    Friday, March 24, 2017 1:41 PM
  • Hello,

    The KB lists Windows 10 as supported as well, not just Windows 8 and Windows Server 2012.

    https://support.microsoft.com/en-sg/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

    Just not in the title

    Applies to: Windows 10 Pro, released in July 2015, Windows 10 Enterprise, released in July 2015, Windows Vista Enterprise, Windows Vista Business, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Ultimate, Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows 8, Windows 8 Enterprise, Windows 8 Pro, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Windows Server 2016


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.


    Friday, March 24, 2017 5:35 PM
    Just found the best summary yet posted today (May 17, 2017) by Troy Arwine on the Microsoft StaySafe blog (Disable SMB v1 in Managed Environments with Group Policy) regarding deployment of an SMBv1 disable policy (GPO or otherwise).  Definitely a MUST READ if you've dug this deep already.  I'm hopeful that the "registry changes only via GPO" approach is solid.

    Regarding this thread, Windows 10 is certainly covered by KB2696547 article on disabling SMBv1, but I have to agree with OP that the specific recommendations that Rick mentioned (registry value for LanmanServer\Parameters\SMB1 and Set-SmbServerConfiguration cmdlet) are currently (per Feb 28, 2017 - Revision: 23) described in the KB as the recommended method(s) for older Windows Versions, not Windows 10.  

    If folks are confident that the multiple registry changes are sufficient for Windows 10 and Server 2012 R2, which also seems to be implied on Tony's new Microsoft StaySafe blog post today, then someone please take the initiative at Microsoft to fully validate that assertion with Ned's team and others and then clarify the KB article, to make all our lives easier.  Below are some of Ned's reply to comments on his own blog regarding which methods should be applied to later OSes including Windows 10 (which I hear is the last Windows ever...) ,  

    "You are partially correct – in the end, disabling and enabling is controlled by registry values; however, the recommendation on later OSes is to remove the feature, not disable, so those registry examples are not optimal. The real recommendation is to use the *one* step of removing SMB1 as a feature, starting in Win8.1/2012 R2. That is better than disabling services.

    "More procedurally though: using registry edits is not our preference – using the actual SMB PowerShell is our preference. We document all of the methods based on OS, and some OSes simply didn’t allow a clean experience. "  (from NedPyle [MSFT], comment on his blog - Stop Using SMB1 -  )

    Wednesday, May 17, 2017 11:43 PM
  • Hello,

    From my experience, I found that there are two elements you can disable: SMBv1 Client and SMBv1 Server, and they are independent from each other!

    On Windows 10, if you execute the PowerShell command "Set-SmbServerConfiguration -EnableSMB1Protocol $False", you disable only the server part of SMBv1. So your computer won't be able to receive SMB connections from a Windows 2003 server (for example). But as the SMBv1 Client side is still active, your computer will still be able to connect to that same old Win 2003!

    On the other hand, if you only disable the SMBv1 client of your Windows 10, it won't disable the server side (as described above). Thus, you will still be able to be connected by SMBv1 Windows 2003 or so !

    Disabling (only) the client side is made by turning Windows Features "SMB 1.0/CIFS" off, or by using this powershell command: "Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol"

    NB: disabling server side doesn't need a reboot. Disabling client side needs a reboot of the computer.

    This explains what GoBlue Luke sees. He disables the server side and afterwards, looking in "add/remove Windows features", he still finds SMBv1 support to be checked: that's normal, it's the client side!

    Hope it helps

    Best regards

    Thursday, May 18, 2017 1:49 PM
  • After studying the SMBv1 articles for far too long, I agree LordBill is correct that there are both SMB client and SMB server components in all Windows versions, and that the answer that Rick_Li originally provided using cmdlet Set-SMBServerConfiguration will only disable SMBv1 on the server component and is not sufficient to disable the Windows 10 SMB client component from using SMBv1.  

    But my understanding for later Windows OSs is that uninstalling the “SMB1.0/CIFS File Sharing Support” (FS-SMB1) feature will disable BOTH the SMB client side and SMB server side v1 protocol (feature on Windows 8.1 and later and Server 2012 R2 and later).  To keep things confusing, there are two different recommendations on the method to remove this feature, depending on Windows Server OSes vs. Windows Workstation OSes (like Windows 10), but they essentially remove the same feature (FS-SMB1).  Unfortunately, verifying the results after the feature has been removed is also confusing, because there is an implementation oversight (bug) in that the return value of Get-SMBServerConfiguration for EnableSMB1Protocol still reports true even after the Windows feature is uninstalled (see NedPyle's comments from ~April 2017 starting with "David, you just found a nice and extremely dumb bug" in his blog - Stop Using SMB1 - .  Also look at my comments on that same blog regarding confusion about which recommendations apply (or are required) for which Windows versions.  

    MY SUMMARY is below of which KB2696547 methods are needed to disable all SMB ver 1.0 protocol use, but please continue to reference the original KB article for the command details in case they change.

    For the earlier/older Win OSes (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012), there are two independent actions needed to restrict SMB protocols used:
    1. disable the SMB client component from using the SMBv1 protocol.
    • On Win 7, Vista, Server 2008 / 2008 R2, Win 8, and Server 2012 reconfigure the LanmanWorkstation and mrxsmb10 services using sc.exe

    2. disable the SMB server component (File and Printer Sharing) from using SMBv1 protocol.
    • On Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 modify registry …\LanmanServer\Parameters\SMB1 value
    • On Windows 8 and Windows Server 2012 modify SMB Server Configuration using Set-SMBServerConfiguration cmdlet using PowerShell.

    For later Windows OSes (Windows 8.1 and later, Server 2012 R2 and later), a single action can be used to remove all SMBv1 protocol use by uninstalling the “SMB1.0/CIFS File Sharing Support” (FS-SMB1) Windows feature.  Windows Server OSes (Server 2012 R2 and later) should use the Server Manager cmdlet "Uninstall-WindowsFeature FS-SMB1", but Windows Workstation/Client (non-Server) OSs (Windows 8.1 and later) should use the DISM cmdlet "Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol" to accomplish the same.   I also recommend executing the "Set-SmbServerConfiguration -EnableSMB1Protocol $false" cmdlet BEFORE removing the FS-SMB1 feature to avoid an inconsistent status read-back where Get-SmbServerConfiguration may indicate that the SMBv1 protocol is still enabled even after SMBv1 support has been uninstalled (idea from NedPyle's comments).  

    I'm disappointed that Microsoft has not provided a comprehensive PowerShell script to quickly disable SMBv1 across all supported OS versions and another script to re-enable.  Given Ned's dire warnings in this blog post and the recent widespread SMBv1 RCE incidents, why is large-scale removal of SMBv1 support being left as a tedious, complicated exercise for the readers ??


    • Edited by BK303 Sunday, May 21, 2017 11:29 AM typo fixed
    • Proposed as answer by XR219 Wednesday, June 28, 2017 9:39 PM
    Sunday, May 21, 2017 11:27 AM
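    One way to turn BK303's per-OS summary into the single check-and-disable step the OP asked for, written here as an added example (not code from this thread, from the KB, or from Microsoft). It is meant to run as SYSTEM from a GPO scheduled task rather than a logon script, since DISM needs services that are not available at logon; the version thresholds, cmdlets and the sc.exe dependency string follow the KB2696547 methods listed above, and the dependency string is an assumption to verify against the current KB revision before deployment.

```powershell
# Added example (not from this thread or from Microsoft's KB): audit-and-remediate script
# following BK303's per-OS summary. Run it as SYSTEM from a GPO scheduled task rather than
# a logon script, since DISM needs services that are not yet available at logon.
$os       = Get-WmiObject Win32_OperatingSystem   # works back to PowerShell 2.0 (Win7/Vista)
$ver      = [version]$os.Version                  # 6.1 = Win7/2008 R2, 6.3 = 8.1/2012 R2, 10.0 = Win10/2016
$isServer = $os.ProductType -ne 1                 # 1 = workstation, 2 = DC, 3 = member server
$isNewer  = $ver -ge [version]'6.3'               # Windows 8.1 / Server 2012 R2 and later
$changed  = $false

# Server side first, so Get-SmbServerConfiguration reads back consistently after the feature is removed.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $changed = $true
    }
} else {
    # Windows 7 / Vista / Server 2008 (R2): the LanmanServer\Parameters\SMB1 value from KB2696547
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ((Get-ItemProperty $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1 -ne 0) {
        Set-ItemProperty $params -Name SMB1 -Value 0 -Type DWord
        $changed = $true
    }
}

# Client side.
if ($isNewer) {
    # Removing the FS-SMB1 / SMB1Protocol feature covers client and server on 8.1 / 2012 R2 and later.
    if ($isServer) {
        if ((Get-WindowsFeature FS-SMB1).Installed) {
            Uninstall-WindowsFeature FS-SMB1 | Out-Null
            $changed = $true
        }
    } elseif ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $changed = $true
    }
} else {
    # Older OSes: disable the SMB1 client driver (mrxsmb10) and drop LanmanWorkstation's dependency
    # on it. The dependency string is assumed from KB2696547; verify it against the KB before use.
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='mrxsmb10'"
    if ($drv -and $drv.StartMode -ne 'Disabled') {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
        $changed = $true
    }
}

if ($changed) { Write-Output 'SMBv1 settings changed; reboot to complete client-side removal.' }
else          { Write-Output 'SMBv1 already disabled on both client and server side.' }
```

    Because the script only acts when it finds SMBv1 enabled, it is safe to schedule repeatedly, which is what makes it usable as a GPO-enforced baseline rather than a one-shot change.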
  • I completely agree. Having read:-

    https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/#comment-19445

    Which is for the Windows 10 1703 security baseline... and implemented it, it stops SMB functioning on Windows 10 machines. There is so little information available to manage this on a domain joined Windows 10 client. Thanks for your post above. It's been a great help!


    Ben

    Wednesday, June 28, 2017 9:39 PM