Forum Discussion
svallas
Apr 19, 2022 Copper Contributor
Disable SMBv1
Hello, I'm in the process of disabling SMBv1 for large scale servers. I made a script for this, and this results that SMBv1 on registry and feature level is almost disabled or does not exist everywh...
Alban1999
Iron Contributor
Hello,
It would depend on what you did through your script. Did you disable SMB1 server side first, then uninstall the feature after that? Something else? Did you restart target computers?
On a brand new WS 2019/2022, EnableSMB1Protocol is set to "$false" and Windows Optional feature is set to "Disabled".
svallas225
Apr 19, 2022 Copper Contributor
Thanks for your reply.
No, I haven't done anything yet. I have been asked to investigate where SMBv1 is still enabled.
And my script only checked where SMBv1 is still enabled on server level.
The check actually does 3 steps:
1. Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
2. Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
3. Get-SmbServerConfiguration | Select EnableSMB1Protocol
This showed that based on the last step, SMBv1 is still set to True.
Based on the first 2 steps, SMBv1 is disabled.
So my question is, are the first 2 steps sufficient to disable SMBv1, apart from the fact that I can disable it with the command below. Or should the latter also be set to false, and is SMBv1 still in use if the first 2 steps are off except for the last 1?
Set-SmbServerConfiguration -EnableSMB1Protocol $false
I don't understand what the difference is between the first 2 steps and the last step?
Alban1999
Apr 20, 2022 Iron Contributor
If I'm right, the last step disables SMB1 protocol on the server side - without uninstalling the feature entirely (checked by the first step).
Unless I'm mistaken, uninstalling the feature should be enough in theory. However, you should keep such critical security settings consistent between servers as much as possible. Thus I recommend to both configure "EnableSMB1Protocol" to "$false" AND uninstall the feature.
svallas225
Apr 20, 2022 Copper Contributor
Yes, exactly what you say, that's what I thought too.
The first 2 steps, in my belief, should be enough, but I'm going to do the last step anyway.
The only reason I'm asking this is because I want to make sure I can do the last step (Set-SmbServerConfiguration -EnableSMB1Protocol $false) without any risk.
So assuming that the first 2 steps have been performed and so the feature is disabled, this should mean that SMBv1 is no longer used.
So when I perform the last step, I actually want to be sure (provided that the feature is disabled) whether this has no consequences that SMB1 is used in one way or another or something like that, if you understand what I mean.
Alban1999
Apr 20, 2022 Iron Contributor
In that case, I would only disable SMB1 protocol (third step) first - a rollback will only require turning it on again.
Uninstalling the Windows feature means uninstalling binaries - a rollback will require more work.
You may wish to audit your server for SMB1 usage before any change. A PowerShell one-liner is enough to do that: Set-SmbServerConfiguration -AuditSmb1Access $true
Check this for more info: https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
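The three checks from the thread and the SMB1 audit setting, gathered into one read-only report per server, as an added example that is not part of any post above. The function name Get-Smb1ServerState is hypothetical, and the registry value name SMB1, the audit log name and event ID 3000 do not appear in the thread; they are assumptions based on Microsoft's SMBv1 documentation.

```powershell
# Added example (not from the thread). Read-only; run from an elevated session.
function Get-Smb1ServerState {
    [CmdletBinding()]
    param()

    # Step 1 in the thread: optional feature state (are the binaries installed?)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Step 2: LanmanServer parameters. The value name SMB1 is an assumption taken
    # from Microsoft's documentation; an absent value is reported as NotSet, not 0.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).SMB1
    $regState = if ($null -eq $smb1) { 'NotSet' } elseif ($smb1 -eq 0) { 'Disabled' } else { 'Enabled' }

    # Step 3: SMB server configuration as the SMB cmdlets report it
    $cfg = Get-SmbServerConfiguration

    # SMB1 access events written after AuditSmb1Access is set to $true.
    # Log name and event ID 3000 are assumptions, not values from the thread.
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FeatureState       = if ($feature) { [string]$feature.State } else { 'NotFound' }
        RegistrySMB1       = $regState
        EnableSMB1Protocol = $cfg.EnableSMB1Protocol
        AuditSmb1Access    = $cfg.AuditSmb1Access
        Smb1AuditEvents    = $events.Count
    }
}

$state = Get-Smb1ServerState
$state | Format-List

# Flag the situation described in the thread: feature off, cmdlet still $true
if ($state.FeatureState -ne 'Enabled' -and $state.EnableSMB1Protocol) {
    Write-Warning 'SMB1 feature is not enabled but EnableSMB1Protocol is still $true.'
}
# Any logged SMB1 access means a client still depends on it
if ($state.Smb1AuditEvents -gt 0) {
    Write-Warning "$($state.Smb1AuditEvents) SMB1 access event(s) logged; identify those clients before changing anything."
}
```

Because the function returns an object, the same report can be collected from many servers with Invoke-Command and exported for comparison.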