
Disable Server Message Block (SMBv1)

Disable SMBv1 on Windows endpoints to remove the EternalBlue and WannaCry attack vector

Worklet Details

What the SMBv1 disabler does

This Automox Worklet™ disables the Server Message Block version 1 (SMBv1) protocol on Windows endpoints. Supported releases include Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, and later Windows Server builds. SMBv1 is the original 1980s-era file-sharing protocol, and Microsoft has deprecated it: clean installs of Windows 10 1709 and later no longer include it, and in-place upgrades that carry it forward have it removed automatically once it goes unused for 15 days. The Worklet finishes the job on every host that pre-dates that default or that had SMBv1 re-enabled by an admin, a build image, or a legacy application.

The Worklet picks a remediation path based on the Windows version. On Windows 8.1, Windows 10, and modern Windows Server, it removes the SMB1Protocol Windows optional feature: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart uninstalls the SMBv1 client and server components without forcing a reboot. Windows 8 and Windows Server 2012 fall in this branch as well, but those builds do not expose SMB1Protocol as a removable optional feature; Microsoft's documented control for them is Set-SmbServerConfiguration -EnableSMB1Protocol $false, so test the feature call on a Windows 8 or Server 2012 host before relying on it there. On Windows 7 and Windows Server 2008 R2, SMB1Protocol is not surfaced as an optional feature. The Worklet uses Set-ItemProperty to write a DWORD of 0 to HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1, the registry value the LanmanServer service reads at startup.

After the Worklet completes and the deferred reboot (or, on the registry path, a LanmanServer restart) has happened, the endpoint no longer answers SMB1 negotiations: inbound SMBv1 sessions are refused by the server service, and peers must negotiate SMBv2 or SMBv3 or fail. On the optional-feature path the SMBv1 client is removed too, so outbound mounts to legacy file servers also fall back to SMBv2 or SMBv3 or fail. The Windows 7 registry value controls only the server side; the SMBv1 redirector (mrxsmb10) stays loaded on those hosts unless it is disabled separately. The remediation is durable across reboots and Windows updates, because the optional feature is fully uninstalled and the registry value persists.

Why disable SMBv1 across the Windows estate

SMBv1 is the carrier protocol behind CVE-2017-0144, the Windows SMB remote code execution flaw weaponized by the EternalBlue exploit. The Shadow Brokers leaked EternalBlue in April 2017, a month after Microsoft had patched the bug in MS17-010. The exploit then powered the WannaCry ransomware campaign that took down hospitals, transit systems, and manufacturing lines worldwide, and NotPetya reused the same vector weeks later to wipe data across global logistics, pharmaceutical, and shipping operators. The protocol does not require message signing by default, has no pre-authentication integrity, and its transaction handling in the kernel-mode srv.sys accepted the malformed Transaction2 requests that gave an unauthenticated attacker code execution in the kernel. Patching MS17-010 closes that one bug; removing SMBv1 removes the code path entirely, which is why Microsoft, US-CERT, NSA, and CISA have all published advisories telling administrators to take SMBv1 off every Windows endpoint, and why the CIS Microsoft Windows Benchmarks carry SMB1 disablement as a Level 1 control on both workstation and server profiles.

This Worklet runs Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol where the feature exists (Windows 8.1, Windows 10, and modern Windows Server) and writes SMB1=0 to HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters on Windows 7 and Windows Server 2008 R2. The CVE-2017-0144 (EternalBlue) attack chain that WannaCry, NotPetya, and TrickBot relied on is unreachable on an endpoint where the protocol is uninstalled, and the Automox activity log records each remediation per host.

How SMBv1 removal works

  1. Evaluation phase: The Worklet reads [System.Environment]::OSVersion.Version to branch on the host. On Windows 10 and Windows 8.x (major 10, or major 6 with minor 2 or 3), it runs Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol and inspects the State property. If the feature is already Disabled, the script exits 0 and remediation is skipped; any other State exits 1. On Windows 7 and Windows Server 2008 R2 (major 6, minor 0 or 1), it reads HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 via Get-ItemProperty. A value of 1 flags the endpoint non-compliant (exit 1); a value of 0 or a missing value marks the endpoint compliant (exit 0). Two caveats apply. LanmanServer treats a missing SMB1 value as its default, which is SMBv1 enabled, so a Windows 7 host that has never had the value written is reported compliant by this check without being remediated; seed the value through GPO or tighten the check if your Windows 7 fleet was never explicitly configured. And OSVersion.Version is subject to the application-compatibility version shim for unmanifested processes on Windows 8.1 and later, so if a host lands in the wrong branch compare it against (Get-CimInstance Win32_OperatingSystem).Version. Unsupported OS releases return exit 1 with a Write-Error message so the failure surfaces in Automox activity logs.

  2. Remediation phase: On Windows 10 and Windows 8.x endpoints, the Worklet runs Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart. The -NoRestart switch lets the change apply at the next scheduled reboot rather than forcing one inside the policy window, which keeps end user impact predictable. On Windows 7 and Windows Server 2008 R2, the Worklet runs Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' SMB1 -Value 0 -Force. That command writes the registry value LanmanServer reads when the service initializes. The next service restart or reboot brings the endpoint to the disabled state, and the evaluation phase confirms compliance on the following policy run.
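The two phases above, written out as one script. This is an added example and not the Automox Worklet's own source; it follows the same version branching but makes three changes a practitioner would want: the OS version comes from Win32_OperatingSystem rather than [Environment]::OSVersion, a missing LanmanServer\Parameters\SMB1 value is treated as enabled (the service default), and Windows 8 / Server 2012, which lack the SMB1Protocol optional feature, use Set-SmbServerConfiguration. The -Remediate switch is an assumed convenience so one file covers both phases; Automox runs evaluation and remediation as separate scripts, so split it on the $Remediate check if you adapt it.

```powershell
# Added example (not the Automox Worklet source): evaluation plus optional
# remediation in one script. Exit 0 = compliant or remediated, exit 1 = not.
[CmdletBinding()]
param([switch] $Remediate)   # assumed switch; Automox keeps the two phases in separate scripts

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-OsBranch {
    # Fix 1: read the real version from CIM; [Environment]::OSVersion can be
    # masked by the application-compatibility shim on 8.1 and later.
    $v = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    if ($v.Major -ge 10 -or ($v.Major -eq 6 -and $v.Minor -eq 3)) { return 'Feature' }   # 8.1/2012 R2, 10/11, 2016+
    if ($v.Major -eq 6 -and $v.Minor -eq 2)                        { return 'SmbConfig' } # 8 / 2012
    if ($v.Major -eq 6 -and $v.Minor -le 1)                        { return 'Registry' }  # Vista/2008, 7/2008 R2
    return 'Unsupported'
}

function Test-Smb1Disabled {
    switch (Get-OsBranch) {
        'Feature' {
            $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
            return ("$($f.State)" -like 'Disabled*')   # Disabled or DisabledWithPayloadRemoved
        }
        'SmbConfig' {
            # Fix 2: Windows 8 / Server 2012 have no SMB1Protocol feature; ask the server service.
            return (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
        }
        'Registry' {
            $v = (Get-ItemProperty -Path $RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
            # Fix 3: a missing value means the LanmanServer default, which is SMB1 ENABLED.
            return ($null -ne $v -and [int]$v -eq 0)
        }
        default { throw 'Unsupported Windows release' }
    }
}

function Disable-Smb1 {
    switch (Get-OsBranch) {
        'Feature'   { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
        'SmbConfig' { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        'Registry'  {
            # Server side: the DWORD LanmanServer reads at start.
            Set-ItemProperty -Path $RegPath -Name SMB1 -Type DWord -Value 0 -Force
            # Client side is not covered by that value: disable the SMB1 redirector and
            # drop it from the workstation service's dependencies (Microsoft's documented
            # client-side steps for Windows 7 / Server 2008 R2).
            sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= disabled | Out-Null
        }
        default { throw 'Unsupported Windows release' }
    }
}

try {
    $compliant = Test-Smb1Disabled
} catch {
    Write-Error "SMBv1 evaluation failed: $_"
    exit 1
}

if ($compliant)       { Write-Output 'SMBv1 is disabled; nothing to do.'; exit 0 }
if (-not $Remediate)  { Write-Output 'SMBv1 is enabled; endpoint is non-compliant.'; exit 1 }

try {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; the change takes full effect after the next reboot or service restart.'
    exit 0
} catch {
    Write-Error "SMBv1 remediation failed: $_"
    exit 1
}
```

Run it once without -Remediate to get the evaluation exit code, then with -Remediate on non-compliant hosts. The registry branch deliberately returns non-compliant when the value is absent, which is the opposite of the behaviour described for the Worklet; on a Windows 7 fleet that was never explicitly configured, that is the difference between remediating the hosts and silently skipping them.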

SMBv1 disablement requirements

  • Windows 7 SP1, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012 / R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022

  • Local administrator privileges on the target endpoint (the Automox agent context already meets this on a default install)

  • PowerShell 3.0 or later (Windows 8 and later ship it; Windows 7 SP1 and Windows Server 2008 R2 ship PowerShell 2.0 and need the Windows Management Framework 3.0 or later update) and, on the optional-feature path, the Dism PowerShell module that ships with Windows 8 / Server 2012 and later; the Windows 7 path needs only the registry provider

  • Confirmation that no production workflow still depends on SMBv1 (legacy multifunction printers, MS-DOS or Windows NT/2000 hosts, third-party scanners that never moved past SMB1) before the policy reaches those endpoints

  • A planned reboot window for hosts where SMBv1 was actively loaded; the -NoRestart switch defers, but does not skip, the reboot the optional-feature removal expects

  • Network monitoring or SMB auditing in place to spot any client that attempts an SMB1 negotiation after the policy lands; on Windows 10 and Windows Server 2016 and later, Set-SmbServerConfiguration -AuditSmb1Access $true makes the server log each SMB1 access attempt as event ID 3000 in the Microsoft-Windows-SMBServer/Audit log, with the client address in the event text
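One way to satisfy the auditing requirement on a file server before the policy reaches its clients, as an added example that is not part of the Worklet: enable SMB1 access auditing and summarise which clients still negotiate SMB1. It assumes a Windows 10 / Server 2016 or later host (the AuditSmb1Access setting does not exist earlier) and that the event 3000 message carries a "Client Address:" line, which is the format Microsoft uses for that event; the regex is the only parsing assumption.

```powershell
# Added example, not part of the Automox Worklet: audit SMB1 access on this server
# and list the clients that still negotiate SMB1, so they can be fixed or retired
# before SMBv1 is removed. Requires Windows 10 / Server 2016 or later.
function Enable-Smb1Audit {
    # Each SMB1 access attempt is then logged as event ID 3000 in
    # Microsoft-Windows-SMBServer/Audit.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int] $Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no events at all is a valid (good) result

    $events |
        ForEach-Object {
            # Assumption: the event text contains "Client Address: <ip>".
            $addr = if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Client = $addr; Time = $_.TimeCreated }
        } |
        Group-Object Client |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client';   e = { $_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
}

Enable-Smb1Audit
Get-Smb1Clients -Days 14 | Format-Table -AutoSize
```

An empty table after a couple of weeks of auditing is the evidence you want before the Worklet reaches the server; every address that does show up is a printer, scanner, or legacy host that needs its own fix first.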

Expected security posture after SMBv1 removal

On Windows 8.1, Windows 10, and Windows Server 2012 R2 and later, Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol reports State : Disabled, and Get-SmbServerConfiguration returns EnableSMB1Protocol : False. On Windows 10 1709 and later the SMB1Protocol-Client, SMB1Protocol-Server, and SMB1Protocol-Deprecation sub-features are gone from the running image as well. TCP 445 still shows as listening in netstat -an, because SMBv2 and SMBv3 use the same port; the change is only visible at the dialect level, so confirm it with an SMB1 negotiate probe or a scanner check that tests SMB1 specifically rather than with a port list. Vulnerability scanners that flagged the host for CVE-2017-0144 clear the finding on the next run, and Microsoft Defender for Endpoint drops its "Disable SMBv1" recommendation for the host from the exposure score.

On Windows 7 and Windows Server 2008 R2, the registry value HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 reads 0. A restart of the LanmanServer service (or the endpoint itself) takes the change live. Re-running the evaluation script returns exit code 0, which lets the Automox policy mark the host compliant. Clients that previously mounted shares from this host with SMBv1 negotiate SMBv2 or SMBv3 instead (a Windows 7 client tops out at SMB 2.1). Those dialects do not carry the SMB1 transaction code path that EternalBlue abuses, and the newer ones add pre-authentication integrity and AES-GCM encryption (SMB 3.1.1) and can be configured to require signing. The endpoint stays in this state across reboots and Windows updates. Keep the policy on a recurring schedule to catch any host where an image refresh or admin error re-enables the protocol.
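A dialect-level check of the posture described above, as an added example rather than anything shipped with the Worklet: it sends an SMB1-only NEGOTIATE request (dialect "NT LM 0.12", so the server cannot upgrade the reply to SMB2) to TCP 445 and classifies what comes back. The assumption about server behaviour is that a Windows host with SMBv1 removed or disabled either closes the connection, sends an error status, or does not answer in SMB1 at all, while a host that still speaks SMBv1 replies with an \xFFSMB NEGOTIATE response selecting dialect 0. The hostname in the usage line is a placeholder.

```powershell
# Added example, not part of the Automox Worklet: probe a host with an SMB1-only
# NEGOTIATE and report whether the server still speaks SMBv1. Run from a
# management host; 'Refused' is the expected result after remediation.
function Test-Smb1Negotiate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 445,
        [int] $TimeoutMs = 3000
    )

    # 32-byte SMB1 header: \xFFSMB, SMB_COM_NEGOTIATE (0x72), Status, Flags 0x18,
    # Flags2 0xC853 little-endian (unicode, NT status, extended security),
    # PIDHigh, 8-byte SecurityFeatures, Reserved, TID, PIDLow, UID, MID.
    $header = [byte[]](0xFF,0x53,0x4D,0x42, 0x72, 0,0,0,0, 0x18, 0x53,0xC8, 0,0,
                       0,0,0,0,0,0,0,0, 0,0, 0,0, 0x2F,0x4B, 0,0, 0x01,0x00)
    # WordCount 0, ByteCount, then a single dialect entry: 0x02 + "NT LM 0.12" + NUL.
    $dialect = [byte[]]($([byte[]](0x02)) + [Text.Encoding]::ASCII.GetBytes('NT LM 0.12') + $([byte[]](0x00)))
    $smb = [byte[]]($header + $([byte[]](0x00)) + [BitConverter]::GetBytes([uint16]$dialect.Length) + $dialect)
    # NetBIOS session service header: message type 0x00 and a 3-byte big-endian length.
    $len = $smb.Length
    $nb = [byte[]](0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))
    $packet = [byte[]]($nb + $smb)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $ComputerName; Result = 'NoConnect'; Detail = "no TCP connection within $TimeoutMs ms" }
        }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($packet, 0, $packet.Length)

        $buf = New-Object byte[] 1024
        try   { $n = $stream.Read($buf, 0, $buf.Length) }
        catch { $n = 0 }   # IOException on read timeout: treat as no reply

        if ($n -lt 8) {
            $result = 'Refused'; $detail = 'connection closed or no reply'
        } else {
            # Protocol signature sits right after the 4-byte NetBIOS header.
            $sig = -join ($buf[4..7] | ForEach-Object { '{0:X2}' -f $_ })
            switch ($sig) {
                'FF534D42' {
                    $status = [BitConverter]::ToUInt32($buf, 9)   # NT status field of the SMB1 header
                    if ($status -ne 0) {
                        $result = 'Refused'; $detail = ('SMB1 error status 0x{0:X8}' -f $status)
                    } elseif ($n -ge 39 -and [BitConverter]::ToUInt16($buf, 37) -eq 0xFFFF) {
                        $result = 'Refused'; $detail = 'no dialect accepted (DialectIndex 0xFFFF)'
                    } else {
                        $result = 'Smb1Accepted'; $detail = 'server negotiated NT LM 0.12; SMBv1 is still enabled'
                    }
                }
                'FE534D42' { $result = 'Smb2Only'; $detail = 'server answered in SMB2; SMB1 not offered' }
                default    { $result = 'Unknown';  $detail = "unexpected signature $sig" }
            }
        }
        [pscustomobject]@{ Host = $ComputerName; Result = $result; Detail = $detail }
    } finally {
        $client.Close()
    }
}

# Usage (hostname is a placeholder):
Test-Smb1Negotiate -ComputerName fileserver01
```

Because the request offers no SMB2 dialect strings, a reply of any kind in SMB1 with a zero status means the server still has the SMBv1 code path loaded, regardless of what the registry or the feature list says; that is the check to run on a Windows 7 host after the LanmanServer restart, and on any host where a vulnerability scanner and the Worklet disagree.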


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
