Windows - Security - Disable SMB 1.0

Disables SMB 1.0 client and server functionality on Windows endpoints to eliminate EternalBlue and WannaCry attack vectors

Worklet Details

What the SMB 1.0 disabler does

This Automox Worklet™ disables Server Message Block version 1.0 (SMBv1) on Windows endpoints, both as a client and as a server. SMB 1.0, also known as CIFS (Common Internet File System), is the original file sharing protocol that Microsoft deprecated in 2014 and recommends removing from every production endpoint.

The Worklet inspects two surfaces on every evaluation. It runs Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol to read the client-side feature state, and Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol to read the server-side flag. If either surface still allows SMB 1.0, remediation runs Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol and Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false.

The Worklet only touches SMB 1.0. SMB 2.0 and SMB 3.0 are left enabled, so file shares, mapped network drives, Group Policy SYSVOL replication, and printer queues continue to operate. Evaluation exits 0 when both surfaces are already disabled and exits 1 when either surface still allows SMB 1.0. Remediation exits 0 once both cmdlets complete without populating the $Error collection, and exits 1 with Write-Error output if any error surfaces, so failed runs are visible in the Automox activity log instead of going silent.

Why disable SMB 1.0 on Windows endpoints

SMB 1.0 is the attack surface behind some of the most damaging ransomware events on record. EternalBlue (CVE-2017-0144) targets a buffer overflow in the SMBv1 server and was the exploit chain weaponized by WannaCry in May 2017 and NotPetya in June 2017, between them causing more than $10B in losses across shipping, pharmaceuticals, manufacturing, and public-sector networks. SMBv1 also lacks per-message signing by default, pre-authentication integrity, and AES-128 encryption, all of which SMB 3.x provides. CIS Microsoft Windows Benchmarks call out SMBv1 removal directly under control 18.3.3, and the Microsoft Security Response Center has recommended uninstalling the protocol on every supported Windows build since 2016.

Modern Windows builds ship with SMB 1.0 off by default, but workstations upgraded from Windows 7 or 8.1, file servers built from older images, and lab endpoints brought online from legacy media all reintroduce the protocol. This Worklet removes the client-side optional feature with Disable-WindowsOptionalFeature and clears the server-side flag with Set-SmbServerConfiguration, which writes SMB1=0 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. The CVE-2017-0144 attack chain that WannaCry and NotPetya weaponized is unreachable on an endpoint where the protocol is uninstalled.

How SMB 1.0 removal works

  1. Evaluation phase: The Worklet reads two values. $clientSupportsSMB1 is set from (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Disabled', which detects the client-side optional feature. $serverSupportsSMB1 is set from (Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol) -eq $true, which reads the registry-backed server configuration under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1. If either value is true, the script writes a remediation-required message to stdout and exits 1. If both are false, it writes a no-action-needed message and exits 0.

  2. Remediation phase: When the client feature is still enabled, remediation calls Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol, which clears the DISM feature state and stages a removal that completes on the next reboot. When the server flag is still true, remediation calls Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false, which writes SMB1=0 into HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and stops the LanmanServer service from accepting SMBv1 negotiations without disturbing SMB 2.x or 3.x. The script then checks $Error.Count: if it is zero, the script exits 0 with the message SMB1 successfully disabled; if any errors were recorded, it exits 1 and emits the captured $Error stream through Write-Error, so the activity log captures both the cmdlet failure and the agent-side stack.
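The two phases above, written out as one runnable script. This is an added example, not the Worklet's own code: it assumes an elevated 64-bit PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the SMB1Protocol optional feature and the SmbShare module exist. The -Phase parameter and the function names are this example's own; Automox ships evaluation and remediation as two separate scripts.

```powershell
# Added example (not the Worklet's own script): both phases of the SMB 1.0 check.
# Assumes an elevated 64-bit PowerShell session on Windows 8.1 / Server 2012 R2 or later.
# -Phase is an invented switch; Automox runs evaluation and remediation as separate scripts.
param(
    [ValidateSet('Evaluation', 'Remediation')]
    [string]$Phase = 'Evaluation'
)

$ErrorActionPreference = 'Stop'

function Get-Smb1State {
    # Read both surfaces: the DISM client feature and the LanmanServer flag.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # State is Enabled, Disabled or DisabledWithPayloadRemoved. Matching the prefix keeps
    # a payload-removed endpoint from being reported as non-compliant on every run.
    $clientSupportsSMB1 = -not ([string]$feature.State).StartsWith('Disabled')
    $serverSupportsSMB1 = (Get-SmbServerConfiguration).EnableSMB1Protocol -eq $true
    return [pscustomobject]@{ Client = $clientSupportsSMB1; Server = $serverSupportsSMB1 }
}

function Invoke-Evaluation {
    try { $state = Get-Smb1State }
    catch { Write-Error "Unable to read SMB1 state: $_" -ErrorAction Continue; exit 1 }

    if ($state.Client -or $state.Server) {
        Write-Output ("SMB1 still enabled (client={0}, server={1}); remediation required" -f $state.Client, $state.Server)
        exit 1
    }
    Write-Output 'SMB1 disabled on client and server; no action needed'
    exit 0
}

function Invoke-Remediation {
    $Error.Clear()
    $restartNeeded = $false
    try {
        $state = Get-Smb1State
        if ($state.Client) {
            # -NoRestart suppresses the reboot prompt; feature removal finishes at the next reboot.
            $result = Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Continue
            if ($result -and $result.RestartNeeded) { $restartNeeded = $true }
        }
        if ($state.Server) {
            # Writes SMB1=0 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false -ErrorAction Continue
        }
    }
    catch { Write-Error "SMB1 remediation aborted: $_" -ErrorAction Continue; exit 1 }

    if ($Error.Count -eq 0) {
        Write-Output 'SMB1 successfully disabled'
        if ($restartNeeded) { Write-Output 'Reboot required to complete client-side feature removal' }
        exit 0
    }
    # Non-terminating cmdlet errors were collected in $Error; surface them in the activity log.
    $details = ($Error | ForEach-Object { $_.ToString() }) -join '; '
    Write-Error "SMB1 remediation failed: $details" -ErrorAction Continue
    exit 1
}

switch ($Phase) {
    'Evaluation'  { Invoke-Evaluation }
    'Remediation' { Invoke-Remediation }
}
```

Two choices differ from the flow described above and are deliberate. The feature state is matched on the prefix Disabled rather than compared exactly, because Windows reports DisabledWithPayloadRemoved once the SMB1 payload has been removed, and an exact comparison would flag those endpoints for remediation on every policy run. The remediation cmdlets run with -ErrorAction Continue under a script-wide Stop preference so that both cmdlets get a chance to run, every failure lands in $Error, and the final $Error.Count check reports all of them in one message.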

SMB 1.0 removal requirements

  • Windows 8.1 or later for workstations, Windows Server 2012 R2 or later for servers (earlier OS versions do not expose the SMB1Protocol optional feature)

  • Administrative privileges on the endpoint (the default Automox agent context already meets this)

  • No legacy clients on the network that depend on SMB 1.0, including Windows XP, Windows Server 2003, older NAS appliances, scan-to-folder MFPs from the 2010-2014 generation, and certain ESXi versions before 6.5

  • A reboot to complete removal of the client-side Windows optional feature; the server-side change takes effect immediately without a restart

  • Inventory check for SMBv1 dependencies recommended before fleet-wide deployment, using Set-SmbServerConfiguration -AuditSmb1Access $true on a representative server for one to two weeks and reviewing Event ID 3000 in Microsoft-Windows-SMBServer/Audit
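The dependency inventory recommended above, as an added example that is not part of the Worklet. It assumes an elevated session on a server build that supports -AuditSmb1Access and writes Event ID 3000 to Microsoft-Windows-SMBServer/Audit; the -EnableAudit and -DaysBack parameters and the function names are this example's own. The address parsing relies on the documented Client Address line in the Event 3000 message.

```powershell
# Added example (not part of the Worklet): enable SMB1 access auditing on a representative
# server, then summarize which clients still negotiated SMB1 from Event ID 3000.
# Assumes an elevated session on a build that supports -AuditSmb1Access.
# -EnableAudit and -DaysBack are this example's own parameters.
param(
    [switch]$EnableAudit,
    [int]$DaysBack = 14
)

function Enable-Smb1Audit {
    # Logs one Event ID 3000 per SMB1 session without changing the protocol state.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Confirm:$false
}

function Get-Smb1ClientInventory {
    param([int]$DaysBack = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$DaysBack)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    # The event message carries a "Client Address: <address>" line; group sessions by it.
    $addresses = foreach ($e in $events) {
        if ($e.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unparsed' }
    }
    $addresses | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ Name = 'ClientAddress'; Expression = { $_.Name } }, Count
}

if ($EnableAudit) {
    Enable-Smb1Audit
    Write-Output 'SMB1 auditing enabled; re-run without -EnableAudit after one to two weeks'
}
else {
    $inventory = @(Get-Smb1ClientInventory -DaysBack $DaysBack)
    if ($inventory.Count -eq 0) {
        Write-Output "No SMB1 sessions audited in the last $DaysBack days"
    }
    else {
        $inventory | Format-Table -AutoSize
    }
}
```

Run it once with -EnableAudit on the representative server, leave the audit on for the one to two weeks suggested above, then run it again without the switch. Every address in the resulting table is a client that will fail to mount shares once the Worklet disables SMB 1.0, so it is the list to migrate or retire before fleet-wide deployment.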

Expected SMB 1.0 state after remediation

After a successful run and the next reboot, the endpoint no longer initiates or accepts SMB 1.0 connections. Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol returns State: Disabled. Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol returns False. The registry value HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 is set to 0. File sharing and printer access continue to operate over SMB 2.0 and SMB 3.0, which Windows clients and servers select automatically when both ends support a newer dialect.

Validate from any management workstation by running Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol and confirming State is Disabled, then running Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol and confirming the value is False. For a packet-level check, capture SMB negotiation on port 445 with Wireshark or pktmon and confirm the Negotiate Protocol Response advertises only SMB 2.x or 3.x dialects. Legacy clients that depend on SMB 1.0 will fail to mount shares on this endpoint with STATUS_NOT_SUPPORTED, which is the expected outcome – migrate or retire those clients rather than re-enabling the protocol. Subsequent Automox policy runs report this endpoint as compliant without applying remediation again, because the evaluation phase finds both surfaces already disabled.

[Screenshots of the evaluation and remediation scripts are shown in the app view.]
