Windows - Security - Disable SMB 1.0

What the SMB 1.0 Disabler does

This Automox Worklet™ disables Server Message Block version 1.0 (SMBv1) on Windows endpoints. SMB 1.0, also known as CIFS (Common Internet File System), is a legacy file sharing protocol that Microsoft officially deprecated due to its significant security vulnerabilities.

The Worklet targets both client-side and server-side SMB 1.0 functionality. It uses the Get-WindowsOptionalFeature cmdlet to check the SMB1Protocol feature state and the Get-SmbServerConfiguration cmdlet to verify server-side settings. When remediation runs, it disables the Windows optional feature for SMB1 client support and sets EnableSMB1Protocol to false in the SMB server configuration.

This approach provides complete SMB 1.0 removal without affecting SMB 2.0 or SMB 3.0 functionality, which modern Windows systems use for file sharing, printer access, and inter-process communication.

Why disable SMB 1.0 on your network

SMB 1.0 contains fundamental security weaknesses that attackers actively exploit. The protocol lacks modern authentication mechanisms, uses weak encryption, and contains vulnerabilities that enable remote code execution. Notable exploits like EternalBlue (CVE-2017-0144) target SMBv1 and powered the WannaCry and NotPetya ransomware attacks that caused billions of dollars in damages globally.

Microsoft recommends disabling SMB 1.0 on all production systems. Many compliance frameworks including CIS Benchmarks, NIST 800-53, and PCI-DSS require organizations to disable deprecated protocols. Removing SMB 1.0 reduces your attack surface and eliminates a common vector for lateral movement within networks.

Modern Windows versions (Windows 10 1709 and later, Windows Server 2019) ship with SMB 1.0 disabled by default. Older systems or systems upgraded from previous Windows versions may still have SMB 1.0 enabled and require explicit remediation.

How SMB 1.0 removal works

1. Evaluation phase: The Worklet checks two conditions: whether the SMB1Protocol Windows optional feature is enabled (state not equal to 'Disabled') and whether the SMB server configuration has EnableSMB1Protocol set to true. If either condition is true, the endpoint requires remediation.

2. Remediation phase: The Worklet runs Disable-WindowsOptionalFeature to disable the SMB1Protocol feature and Set-SmbServerConfiguration to set EnableSMB1Protocol to false. Both operations run with confirmation suppressed for unattended execution. The Worklet verifies successful completion and reports any errors encountered during the process.

SMB 1.0 removal requirements

• Windows 8.1 or later, Windows Server 2012 R2 or later

• Administrative privileges on the endpoint

• No legacy applications or endpoints that require SMB 1.0 connectivity

• A reboot may be required to complete the SMB1Protocol feature removal

Expected network security state after remediation

After successful remediation, the endpoint no longer accepts or initiates SMB 1.0 connections. The SMB1Protocol Windows feature shows as Disabled, and Get-SmbServerConfiguration returns EnableSMB1Protocol as False. File sharing and network drive mapping continue to function using SMB 2.0 and SMB 3.0 protocols. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

You can verify the remediation by running Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol and confirming the state is Disabled. For server-side verification, run Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol and confirm the value is False. Legacy endpoints or applications that only support SMB 1.0 will no longer connect to this endpoint.

How to validate disable smb 1.0 changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for disable smb 1.0.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-WindowsOptionalFeature, Get-SmbServerConfiguration, Select-Object.

4. Validate remediation effects from script operations such as Get-WindowsOptionalFeature, Disable-WindowsOptionalFeature, Write-Output, then rerun evaluation for compliance.