Exchange Server and SMBv1
Published Feb 12 2020 07:00 AM

To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry, to name a few), we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server.

There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. If you want to learn more about SMBv1 and why you should stop using it, I’d recommend reading this blog post published and updated by Ned Pyle.

Microsoft publicly deprecated the SMBv1 protocol in 2014, and so we stopped installing it by default starting with Windows Server 2016 1709 (RS3). Please see this KB for more information.

What about Exchange 2010?

As announced earlier here, the end of support for Exchange Server 2010 is coming soon.

We have not validated, and will not validate, whether Exchange 2010 works properly with SMBv1 disabled. Please follow our recommendation and migrate from Exchange 2010 to Office 365, or to a newer version of Exchange Server if you want to stay on-premises.

What about DAG witness server?

Before disabling SMBv1 you should make sure that you use a correctly configured and supported DAG witness server which supports at least SMBv2.

You should make sure that the witness server is running a supported version of Windows Server which is Windows Server 2012/2012R2/2016 or 2019.

Please find more information about Exchange and DAG witness server here.

How can I check if SMBv1 is in use on my server?

It depends on your operating system!

The required steps for the most commonly used operating systems are:

  • Windows Server 2008 R2:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

The default configuration is Enabled and no registry value is created, so in that case no SMB1 value will be returned. If the query returns an SMB1 value of 1, SMBv1 is enabled; a value of 0 means SMBv1 is disabled.

  • Windows Server 2012:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

A return value of True means SMBv1 is enabled; False means SMBv1 is disabled.

  • Windows Server 2012 R2 or higher:

(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol

A return value of True means SMBv1 is enabled; False means SMBv1 is disabled.

The latest version (2.39.1) of the Exchange HealthChecker script can also detect whether SMBv1 is enabled on your Exchange servers, so you can use it to quickly get an overview of where you stand.

How can I disable SMBv1 on my Exchange Server?

This will also differ based on the OS version in use:

  • Windows Server 2008 R2:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

  • Windows Server 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

  • Windows Server 2012 R2 or higher:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false

It is also possible to disable SMBv1 on the server via Group Policy. You can find more information about this topic in the article How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows. Please check that document, because whether a server restart is required varies depending on the OS in question (SMB settings are OS settings, not Exchange settings).
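As an added example (not code from this post or from Microsoft), the per-OS checks and disable steps above combined into one script that branches on the OS version. It uses Get-WindowsOptionalFeature instead of Get-WindowsFeature so the feature check does not depend on Server Manager; the version thresholds and the function names are assumptions.

```powershell
# Added example (not from the original post or from Microsoft): audit and, on
# request, disable SMBv1 on the local server with the per-OS commands the post lists.
# Assumes an elevated Windows PowerShell session and this version mapping
# (an assumption): 6.1 = 2008 R2, 6.2 = 2012, 6.3 or higher = 2012 R2 or later.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-OsVersion {
    # Win32_OperatingSystem reports the real version even where GetVersionEx is shimmed.
    [version](Get-WmiObject Win32_OperatingSystem).Version
}

function Get-Smb1Status {
    $os = Get-OsVersion
    $status = @{ ComputerName = $env:COMPUTERNAME; OSVersion = "$os"; FeatureInstalled = 'n/a' }
    if ($os -lt [version]'6.2') {
        # 2008 R2: SMB1 DWORD under LanmanServer\Parameters; a missing value means enabled (the default).
        $smb1 = (Get-ItemProperty -Path $lanman).SMB1
        $status.Smb1Enabled = ($null -eq $smb1) -or ([int]$smb1 -eq 1)
    } elseif ($os -lt [version]'6.3') {
        # 2012: only the server configuration switch exists; the feature cannot be removed.
        $status.Smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # 2012 R2 or later: SMBv1 is served only if the feature is installed AND the switch is on.
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled'
        $status.FeatureInstalled = $feature
        $status.Smb1Enabled = $feature -and [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    New-Object PSObject -Property $status
}

function Disable-Smb1 {
    # Applies the post's per-OS disable commands; run with -WhatIf to see the plan without changes.
    [CmdletBinding(SupportsShouldProcess = $true)] param()
    $os = Get-OsVersion
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Disable SMBv1 on OS $os")) { return }
    if ($os -lt [version]'6.2') {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    } elseif ($os -lt [version]'6.3') {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        # Failsafe from the post: keeps SMBv1 off even if FS-SMB1 is installed again later.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Audit first; disable only after confirming the DAG witness server supports SMBv2 or later.
Get-Smb1Status | Format-List
# Disable-Smb1 -WhatIf
```

On Windows Server 2012 R2 and later the status object reports the feature state and the effective SMBv1 state separately, which makes the failsafe setting visible in the audit.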

Thanks for reading and stay safe!

Lukas Sassl

6 Comments
Copper Contributor


The only way to deal with this, IMNSHO, is the following:

Remove-WindowsFeature FS-SMB1 -Restart

Remove it, don't disable it.

Copper Contributor

Hi guys, when was this advisory released by MS? Was it last Wednesday???

Brass Contributor
I'd love for Microsoft to back-port to Windows Server 2012 the ability to remove SMBv1. That was introduced in 2012 R2.
Microsoft

@Philip Elder Disable-WindowsOptionalFeature should do the same as Remove-WindowsFeature. The difference is that Remove-WindowsFeature only exists on machines with Server Manager RSAT installed. Disable-WindowsOptionalFeature exists everywhere.

The idea of running Set-SmbServerConfiguration -EnableSMB1Protocol $false on Windows Server 2012 R2 and higher is to have a failsafe. It should stay disabled even if Install-WindowsFeature -Name FS-SMB1 is executed to add SMB1 protocol support again.

@1990 The article was released on 02/12/2020

Copper Contributor

Hi Guys, I am upgrading Exchange from 2013 to 2019 but I have a problem:

Exchange 2013 is still available in the Windows Server 2019 environment Active Directory even though it says it doesn't support it? Why?

Version history
Last update: Feb 12 2020 08:47 AM