In Windows Server 2016/2019 and Windows 10 (starting with build 1709), the Server Message Block 1.0 (SMBv1) network protocol used to access shared folders is disabled by default. In most cases, this protocol is required to access shared folders hosted on legacy systems, such as no longer supported Windows XP, Windows Server 2003 and older OSs. In this post, we’ll look on how to enable or disable SMBv1 client and server support on Windows 10 and Windows Server 2016/2019. If there are no SMB 1.x clients left on your network, you should completely disable SMBv1 on all Windows devices. By disabling SMB 1.0, you can protect Windows computers from a wide range of vulnerabilities in this legacy protocol (the most famous public exploit for SMBv1 is EternalBlue). As a result, your devices will use new, more efficient, secure and functional versions of the SMB protocol when accessing network shares.
In Windows 10 and Windows Server 2016, the SMBv1 protocol is split into two separate components – SMB client and SMB server, which can be enabled/disabled independently.
Auditing Shared Folder Access via SMB v1.0
Before disabling or completely removing SMB 1.0 driver on the side of the SMB file server, it’s worth making sure that there are no legacy clients that use it in your network. To do this, enable the audit of file server access over SMB v1.0 using the following PowerShell command:
Set-SmbServerConfiguration –AuditSmb1Access $true
After a couple of days, open the Event Viewer on the server, check the log Applications and Services -> Microsoft -> Windows -> SMBServer -> Audit and see if any clients accessed the file server over SMB1. You can display the list of events from this event log using the following PowerShell command:Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
In our example, an event with EventID 3000 from the SMBServer source was found in the log. The event indicates that the client 192.168.1.10 is trying to access the server using the SMB1 protocol.
SMB1 access Client Address: 192.168.1.10 Guidance: This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.
You need to find this computer or device on the network and update the OS or firmware to a version that supports newer SMB protocol versions: SMBv2 or SMBv3.
In our case we’ll ignore this information, but you should bear in mind that later this client won’t be able to access shared folders on this SMB server.
Enable/Disable SMB 1.0 on Windows Server 2016/2019
In Windows Server 2016 starting with build 1709 and Windows Server 2019, SMBv1 is disabled by default. To enable support for the SMBv1 client protocol in newer versions of Windows Server, you need to install the separate SMB 1.0/CIFS File Sharing Support feature.
You can install the SMBv1 feature using Server Manager, or through PowerShell.
You can check that SMBv1 is enabled with the PowerShell command:
Get-WindowsFeature | Where-Object {$_.name -eq "FS-SMB1"} | ft Name,Installstate
To install the FS-SMB1 feature, run:
Install-WindowsFeature FS-SMB1
To uninstall the SMBv1 client feature (requires a reboot), run the command:
Uninstall-WindowsFeature –Name FS-SMB1 –RemoveAnother PowerShell command that also removes the SMB1Protocol feature:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove
In order for your server to handle SMBv1.0 client access, you need to enable SMBv1 support at the SMB file server level in addition to the FS-SMB1 component. To check if SMBv1 access is enabled for network shares on your server, run:
Get-SmbServerConfiguration
The line “EnableSMB1Protocol: True” means that you are allowed to access shared folders on this server using the SMBv1 protocol. To disable SMBv1 server support in Windows Server, run the PowerShell command:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Now use the Get-SmbServerConfiguration cmdlet to make sure SMB1 server is disabled.
To enable SMBv1 support on the server, run the command:
Set-SmbServerConfiguration -EnableSMB1Protocol $True -Force On Windows 7/8 and Windows Server 2008 R2/2012, in order to disable the SMB 1.0 client, you need to disable the service and the SMBv1 access driver with the commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
How to Enable/Disable SMBv1 on Windows 10?
As we already said, in all new builds of Windows10 (starting from 1709) support for the SMB1 protocol is disabled (guest access via the SMBv2 protocol is also disabled).
In Windows 10, you can check the status of the SMBv1 protocol components with the DISM command:
Dism /online /Get-Features /format:table | find "SMB1Protocol"
In our example, you can see that all SMBv1 features are disabled:
SMB1Protocol | Disabled SMB1Protocol-Client | Disabled SMB1Protocol-Server | Disabled SMB1Protocol-Deprecation | Disabled
In Windows 10, you can also manage SMB 1 features from the Control Panel (optionalfeatures.exe). Expand the SMB 1.0 /CIFS File Sharing Support option. As you can see, 3 SMBv1 components are also available here:
- SMB 1.0/CIFS Automatic Removal
- SMB 1.0/CIFS Client
- SMB 1.0/CIFS Server
You can enable SMBv1 client and server on Windows 10 from the feature management window or using the commands:
Dism /online /Enable-Feature /FeatureName:"SMB1Protocol"You can also enable SMBv1 server and client in
Dism /online /Enable-Feature /FeatureName:"SMB1Protocol-Client"
Dism /online /Enable-Feature /FeatureName:"SMB1Protocol-Server"
Windows 10 using PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
If after enabling SMBv1 client, it is not used for more than 15 days, it is automatically disabled. Automatic removal of SMBv1 client is a one-time operation. If the administrator manually enables SMBv1 again, it won’t be disabled automatically.
To disable SMB1 client and server support in Windows 10, run the following DISM commands:
Dism /online /Disable-Feature /FeatureName:"SMB1Protocol"
Dism /online /Disable-Feature /FeatureName:"SMB1Protocol-Client"
Dism /online /Disable-Feature /FeatureName:"SMB1Protocol-Server"
If you disabled the SMBv1 client in Windows 10, then when you access a snared folder on a file server that only supports SMBv1 (the SMBv2 and v3 protocols are disabled or not supported), you may receive the following errors:
- 0x80070035 The network path was not found;
- Unable to connect to file shares because it is not secure. This share requires the obsolete SMB1 protocol, which is not secure and could expose your system to attacks;
- You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. Read more about it in the post Unable to access shared folder on Windows 10 .
Additionally, if you disable the SMBv1 client, the Computer Browser service, which is used by the legacy NetBIOS protocol to discover devices on the network, stops working on the computer. To correctly display neighboring computers on the Windows 10 network, you must configure the Feature Discovery Provider Host service.
Disabling SMBv1 Client and Server via Group Policy
In an Active Directory domain environment, you can disable SMBv1 on all servers and computers using Group Policies (GPOs). Since there is no separate SMB configuration policy in the standard Windows Group Policies, you will have to disable it through the registry policy.
- Open the Group Policy Management console (
gpmc.msc), create a new GPO (disableSMBv1) and link it to the OU containing the computers on which you want to disable SMB1; - Switch to the policy editing mode. Expand the GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry;
- Create a new Registry Item with the following setting:
Action:Update
Hive:HKEY_LOCAL_MACHINE
Key Path:SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name:SMB1
Value type:REG_DWORD
Value data:0
This policy will disable support for the SMBv1 server component through the registry on all computers. You can exclude some version of Windows from this policy using the WMI filter.
If you want to disable the SMB client on domain computers via GPO, create two additional registry parameters:
- The Start parameter (REG_DWORD type) with value 4 in the registry key HKLM\SYSTEM\CurrentControlSet\services\mrxsmb10;
- The DependOnService parameter (REG_MULTI_SZ type) with the value Bowser, MRxSmb20, NSI (each value on a new line) in the reg key HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation.
It remains to update the Group Policy settings on the clients (gpupdate /force) after the reboot make sure that the SMBv1 components are completely disabled. The Security Baseline GPOs from the Microsoft Security Compliance Toolkit have a separate administrative template MS Security Guide (SecGuide.adml and SecGuide.admx files) that have separate options for disabling the SMB server and client:
- Configure SMB v1 server;
- Configure SMB v1 client driver.
