Are you trying to Enable/Disable SMB v 1.0 in Windows?
This guide will help you out.
By default, the Server Message Block 1.0 (SMBv1) network protocol is disabled in Windows Server 2016/2019 and Windows 10.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform software installations tasks.
In this context, we will look into how to Enable/Disable SMB v 1.0 in Windows.
The Server Message Block 1.0 (SMBv1) network protocol is disabled by default in Windows Server 2016/2019 and Windows 10.
i. If there are no SMB 1.x clients left, we completely disable SMBv1 on all Windows devices.
ii. By disabling SMB 1.0, we protect Windows computers from a wide range of vulnerabilities in this legacy protocol.
iii. As a result, the devices will use new, more efficient, secure and functional versions of the SMB protocol when accessing network shares.
On the other hand, old client versions can access network shared folders only by using SMB v1.0 protocol. If there are no such clients in the network, we can completely disable SMB 1.0 on the side of file servers and client desktops.
Before enabling or disabling the SMB 1.0 driver, we make sure that there are no legacy clients that uses it in the network.
Auditing Shared Folder Access via SMB v1.0
To do this, we enable the audit of file server access over SMB v1.0 using the following PowerShell command:
Set-SmbServerConfiguration –AuditSmb1Access $true
Also, after a couple of days, we open the Event Viewer on the server and check the log in "Applications and Services -> Microsoft -> Windows -> SMBServer -> Audit".
Check if any clients has access to the file server over SMB1.
To display the list of events from this event log we use the command:
Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
Here, an event with EventID 3000 from the SMBServer source is seen in the log. The event indicates that the client 192.168.1.10 is trying to access the server using the SMB1 protocol;
SMB1 access
Client Address: (IP address)
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.
We have to find this computer or device on the network and update the OS or firmware to a version that supports newer SMB protocol versions.
To enable support for the SMBv1 client protocol in newer versions of Windows Server, we install separate SMB 1.0/CIFS File Sharing Support feature.
It is possible either by using Server Manager or through PowerShell.
Check if SMBv1 is enabled using the PowerShell command:
Get-WindowsFeature | Where-Object {$_.name -eq “FS-SMB1”} | ft Name,Installstate
To install the FS-SMB1 feature, run:
Install-WindowsFeature FS-SMB1
Similarly, to uninstall the SMBv1 client feature (requires a reboot), run:
Uninstall-WindowsFeature –Name FS-SMB1 –Remove
Another PowerShell command that removes the SMB1Protocol feature is:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove
For the server to handle SMBv1.0 client access, enable SMBv1 support at the SMB file server level in addition to the FS-SMB1 component.
Furthermore, to check, run:
Get-SmbServerConfiguration
“EnableSMB1Protocol: True” means we have access to shared folders on this server using the SMBv1 protocol.
To disable SMBv1 server support in Windows Server, we run the PowerShell command:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
We make sure using,
Get-SmbServerConfiguration cmdlet
In the same way, to enable SMBv1 support on the server, we run the command:
Set-SmbServerConfiguration -EnableSMB1Protocol $True -Force
On Windows 7/8 and Windows Server 2008 R2/2012, in order to disable the SMB 1.0 client, we need to disable the service and the SMBv1 access driver with the commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
In an Active Directory domain environment, we can disable SMBv1 on all servers and computers using Group Policies (GPOs).
Since there is no separate SMB configuration policy in the standard Windows Group Policies, we have to disable it through the registry policy.
1. Open the Group Policy Management console (gpmc.msc), create a new GPO (disableSMBv1) and link it to the OU containing the computers on which we want to disable SMB1
2. Switch to the policy editing mode. Expand the GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry.
3. Create a new Registry Item with the following setting:
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Value name: SMB1 Value type: REG_DWORD Value data: 0
This policy will disable support for the SMBv1 server component through the registry on all computers.
Also, to disable the SMB client on domain computers via GPO, create two additional registry parameters:
i. The Start parameter (REG_DWORD type) with value 4 in the registry key HKLM\SYSTEM\CurrentControlSet\services\mrxsmb10
ii. The DependOnService parameter (REG_MULTI_SZ type) with the value Bowser, MRxSmb20, NSI (each value on a new line) in the reg key HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation.
It remains to update the Group Policy settings on the clients (gpupdate /force). After the reboot make sure that the SMBv1 components are completely disabled.
The Security Baseline GPOs from the Microsoft Security Compliance Toolkit have a separate administrative template MS Security Guide (SecGuide.adml and SecGuide.admx files) that have separate options for disabling the SMB server and client:
i. Configure SMB v1 server
ii. Configure SMB v1 client driver
This article will guide you on how to Enable/Disable SMB v 1.0 in Windows, enable or disable SMB using Powershell.