Please set the record straight on correctly disabling SMBv1


  1. Posts : 73
    Windows 10
       #1

    Please set the record straight on correctly disabling SMBv1


    Over the past 6 months - I have been making efforts to ensure that SMBv1 is not on our network machines in any capacity - and for the most part it has worked ok.

    I use Windows 10 ENT on the workstations and Windows 2016 on the servers.

    But I remain confused on the actual correct way to disable this ugly protocol.

    If one believes what we see on the Internet - the most common advice is to roll over to:

    Control Panel->Programs and Features->Turn Windows Features on or off - and uncheck the box indicated below.

    Please set the record straight on correctly disabling SMBv1-windows-features-smb.png

    This does in fact disable SMBv1 but also takes the Computer Browser service with it - which will begin to show it's weaknesses depending on your network devices (like routers) and even some apps - that still need the Computer Browser service to be available.

    Then there is the PowerShell method. In my testing - I see that I can leave ALL the SMBv1 stuff enabled in Windows 10 (checkbox in the graphic above left on) and then run this command in an admin PS window:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

    Then run this to confirm

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

    This does in fact kill the protocal - while seemingly leaving the Network Browsing capability - unbroken.

    So - which is the right method?

    Even more crazy - why when I run the Powershell command - does the WIndows SMBv1 feature set remain on? Clearly there is no connection between this command and the Add/Remove Features UI - but if the protocol is in fact off - this seems like a decent compromise - Network browsing still works and the nasty SMBv1 protocol is disabled (I hope).

    Thoughts?

    Sonic.
      My Computer

  2. Brink's Avatar
    Posts : 56,426
    64-bit Windows 10 Pro for Workstations build 21359
       #2

    Hello Sonic,

    That PowerShell command is for Windows 8, and could be why it still allows Network Browsing for it in Windows 10.

    Windows Features (Option 3) is the correct method for Windows. You can also use Options 4 and 5 below.

    As a test, how does it behave when disabling using Option 5 instead.

    Enable or Disable SMB1 File Sharing Protocol in Windows | Tutorials
      My Computers


  3. Posts : 73
    Windows 10
    Thread Starter
       #3

    Brink said:
    That PowerShell command is for Windows 8, and could be why it still allows Network Browsing for it in Windows 10.
    Not quite sure I agree with this since most (3, 4 and 5) of these options focus specifically on only dealing with the concept of Add/Remove Windows Features - which is a brute force method to remove everything (UI bits, Services etc). Only Options 1 and 2 deal with the actual protocol itself (From a networking services (LanMan) standpoint)

    So what if I do not want to remove "everything" - what if I just want to ensure the protocol itself is just disabled?

    If I run this PowerShell command on Windows 10 ENT: (With the SMB options checked on in Add/Remove Win Features)

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

    Followed by this command:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

    I get the following display.

    Please set the record straight on correctly disabling SMBv1-powershell-smb-commands.png

    Telling me that the SMBv1 protocol (AND just the protocol) is now disabled. While the "features" remain untouched over in Windows Add/Remove Features.

    I believe what Powershell is telling me is correct. And just because this command "appears" to be Windows 8 centric (actually many reputable sites out there indicate that this is THE true way to check if the SMB protocol is enabled OR disabled on Windows 8 and up) - does not necessarily mean the command does not work on Win 10.

    Even more curious is that after I run that PS command on Windows 10 - the registry key discussed in your Option 1 (Seemingly for Win 7 only) - is now in fact set to DWORD 0.

    Since Windows 10 ENT is not complaining about any of these changes - I am convinced the protocol is actually disabled BUT the feature bits AND the Computer Browser service remain untouched and functioning.

    It is this "combo" state that needs some real investigation. While I certainly do not want to promote any sort of SMB attack vector on my network - I also do not want to lose Network Browsing and all the other stuff that comes with having the SMB "features" left on within Windows Add/Remove Features

    Sonic.
      My Computer

  4. Brink's Avatar
    Posts : 56,426
    64-bit Windows 10 Pro for Workstations build 21359
       #4

    I agree, it is pretty conflicting and confusing. The tutorial references what Microsoft posted about it below.

    https://support.microsoft.com/en-in/...in-windows-and

    I would think that as long as all your devices support SMB v2/v3, Network Browsing should still work with "SMB Direct" enabled in Windows Features.
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 18:22.
Find Us




Windows 10 Forums