
Disable Server Message Block (SMBv1)

Disable SMBv1 on Windows endpoints to eliminate legacy protocol vulnerabilities

Worklet Details

What the SMBv1 disabler does

This Automox Worklet™ disables the Server Message Block version 1 (SMBv1) protocol on Windows endpoints running Windows 7 and above. SMBv1 is a legacy network communication protocol that was designed over thirty years ago and is no longer adequate for protecting modern network infrastructure.

The Worklet uses different approaches depending on the Windows version. On Windows 10, Windows 8, and Windows 8.1, it disables the SMB1Protocol Windows optional feature. On Windows 7 endpoints, it sets the SMB1 registry value under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to disable SMB1 at the protocol level.

After the Worklet runs, the SMBv1 protocol is completely unavailable on the endpoint, preventing any network communication attempts using this outdated protocol version.

Why disable SMBv1 on your network

SMBv1 vulnerabilities have been exploited in major ransomware outbreaks and other significant security breaches, including through the EternalBlue exploit (used in WannaCry and NotPetya). Disabling this protocol eliminates entire classes of network-based attacks that target SMBv1 specifically.

Modern systems use SMBv2 and SMBv3, which include significantly improved security, performance, and reliability features. Removing SMBv1 reduces your attack surface without impacting legitimate business operations. Organizations subject to PCI-DSS, CIS Benchmarks, or NIST 800-53 requirements often mandate SMBv1 disablement.

By automating SMBv1 disablement across your endpoints, you maintain a consistent security posture and prevent SMBv1 from being accidentally re-enabled on endpoints through administrative actions or updates.

How SMBv1 removal works

  1. Evaluation phase: The Worklet checks the Windows version and verifies SMBv1 status. On Windows 10, 8, or 8.1, it queries the SMB1Protocol Windows optional feature state. On Windows 7, it reads the SMB1 registry value from HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. If SMBv1 is already disabled, the evaluation exits successfully with no action needed.

  2. Remediation phase: For Windows 10, 8, or 8.1, the Worklet runs Disable-WindowsOptionalFeature to remove the SMB1Protocol feature without requiring a system restart. For Windows 7, it uses Set-ItemProperty to set the SMB1 registry value to zero, effectively disabling the protocol at the system level.

SMBv1 disablement requirements

  • Windows 7, Windows 8, Windows 8.1, Windows 10, or Windows Server 2008 R2 and above

  • Local administrative privileges required to modify Windows optional features or registry settings

  • PowerShell execution with appropriate permissions (typically Run as Administrator)

  • No services need to be stopped; SMBv1 disablement does not require an endpoint restart

  • Verify that no legacy applications depend on SMBv1 before deployment (modern applications use SMBv2 or SMBv3)

Expected security posture after SMBv1 removal

After the Worklet completes, the SMBv1 protocol is completely disabled on the endpoint. Any attempt to access file shares or printers using SMBv1 will fail, forcing clients to negotiate using SMBv2 or SMBv3 if available. On Windows 10 and above, you can verify disablement by checking the Windows Features control panel or running Get-WindowsOptionalFeature to confirm SMB1Protocol shows a Disabled state.

On Windows 7, verify the registry key HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and confirm the SMB1 value is set to zero. The endpoint is now protected against SMBv1-based exploits while maintaining full compatibility with current SMB implementations.

How to validate the Disable Server Message Block (SMBv1) changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Disable Server Message Block (SMBv1).

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-WindowsOptionalFeature, ForEach-Object, Get-ItemProperty.

  4. Validate remediation effects from script operations such as Disable-WindowsOptionalFeature, Set-ItemProperty, Write-Error, then rerun evaluation for compliance.
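
The endpoint-state check from steps 3 and 4, written as an added read-only PowerShell example; it is not the Worklet's own script. The function name Test-Smb1Disabled and exit codes 1 and 2 are assumptions for illustration, and the script must run from an elevated session.

```powershell
# Added example: read-only SMBv1 state check (not the Worklet's own code).
# Exit codes (assumed convention): 0 = SMBv1 disabled,
# 1 = enabled or not yet disabled, 2 = the check itself failed.
$ErrorActionPreference = 'Stop'

function Test-Smb1Disabled {  # hypothetical helper name
    $os = [Environment]::OSVersion.Version

    if ($os.Major -eq 6 -and $os.Minor -eq 1) {
        # Windows 7 / Server 2008 R2: state lives in the SMB1 registry value.
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $entry = Get-ItemProperty -Path $path -Name 'SMB1' -ErrorAction SilentlyContinue
        if ($null -eq $entry) {
            # A missing value is not evidence of disablement:
            # SMBv1 is enabled by default when the value was never created.
            Write-Host 'SMB1 registry value is absent (default: enabled).'
            return $false
        }
        Write-Host "SMB1 registry value = $($entry.SMB1)"
        return ($entry.SMB1 -eq 0)
    }

    # Windows 8, 8.1, 10: state lives in the SMB1Protocol optional feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    if ($null -eq $feature) {
        Write-Host 'SMB1Protocol feature was not returned by the query.'
        return $false
    }
    Write-Host "SMB1Protocol feature state: $($feature.State)"

    # Only a settled disabled state passes; any other state, including a
    # pending one, is reported as not yet disabled.
    $disabledStates = @('Disabled', 'DisabledWithPayloadRemoved')
    return ($disabledStates -contains "$($feature.State)")
}

try {
    if (Test-Smb1Disabled) {
        Write-Host 'Compliant: SMBv1 is disabled.'
        exit 0
    }
    Write-Host 'Not compliant: SMBv1 is enabled or not yet disabled.'
    exit 1
} catch {
    Write-Host "Check failed: $($_.Exception.Message)"
    exit 2
}
```

Running it before and after remediation on the pilot endpoint gives a second reading of the same state the evaluation script checks, independent of the Automox activity log.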


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
