Windows: Remove and disable SMBv1

Due to the inherent security risks exposed by the nearly 30-year old SMBv1 protocol, it is advised that it be disabled on the network to migigate security risks from malware and targeted attacks.

As the SMBv1 vulnerabilities are publicly exploited, I recommend to uninstall and disable it completely from all Windows 2012 R2 servers and newer. I have not seen anything break, so it is quite safe to disable and uninstall.

The easiest is to do this with PowerShell (Windows 2012 R2 and newer):

Check if SMBv1 is installed and enabled:

(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol

Uninstall and disable SMBv1:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false

The first command asks for a restart, which you can prevent by typing N. You can do the restart manually after the second command.

Leave a Reply

Your email address will not be published. Required fields are marked *