Hi folks, Ned here again. This blog post contains all products requiring SMB1, where the vendor explicitly states this in their own documentation or communications, or where a customer has reported it and shown some degree of proof without vendor refutation. This list is not complete and you should never treat it as complete; check back often.
All products are arranged in alphabetical order, by vendor and then by product, with a URL to their documentation stating SMB1 requirements.
Vendor – Product – Documentation
- Aerohive – HiveManager not affected, it does not use SMB. HiveOS 8.2r1 and later no longer requires SMB1 (available 28th December 2017). HiveOS versions prior to 8.2r1 are affected. All info here provided directly by Aerohive to MS.
- Alfresco – Alfresco (when not using WebDAV) – https://community.alfresco.com/thread/231880-smb2-smb3-server-support#comment-816590
- Applied Systems – TAM – Customer reported after contacting TAM Support – Vendor does not publicly document their requirement for SMB1
- Aruba – Clearpass older than 6.6.7 (Aruba has resolved with patch; this entry will stay for a short while just to inform their customers to patch) – http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873
- ASUS – Wireless Routers with USB storage connection – Customer reported after contacting ASUS Support – Vendor does not publicly document their requirement for SMB1
- AVM – Fritz!Box – https://avm.de/service/fritzbox/fritzbox-7490/wissensdatenbank/publication/show/3327_Von-der-FRITZ-Box-unterstuetzte-SMB-Versionen/
- Axis Communications – Various security & surveillance cameras, using firmware older than 5.8x. Axis’ firmware list shows around half of all devices do not support at least firmware 5.8+: https://www.axis.com/global/en/support/firmware – Customer reported after contacting Axis Support – Vendor does not publicly document their requirement for SMB1
- Barracuda – Load Balancer, perhaps other products that support backups (backups to SMB, using at least 6.0 firmware) – Customer reported after contacting Barracuda Support – Vendor does not publicly document their requirement for SMB1
- Barracuda – SSL VPN – https://campus.barracuda.com/product/sslvpn/article/SSLVPN/CreateNetworkPlace/
- Barracuda – Web Security Gateway backups – https://community.barracudanetworks.com/forums.php?url=/topic/29561-backup-via-smb/
- Bitdefender – Gravity Zone (Antivirus) – Customer reported after contacting Bitdefender Support – Vendor does not publicly document their requirement for SMB1
- Boxen – Boxen – https://www.opena.tv/allgemeine-image-informationen/37127-e2-boxen-und-das-windows-10-fall-creators-update.html?highlight=samba
- Buffalo – TeraStation current generation supports SMB2+, various LinkStation models may not allow SMB2 configuration through UI, but do through Samba CONF modification – http://forums.buffalotech.com/index.php?topic=24628.msg88050#msg88050, http://forums.buffalotech.com/index.php?topic=24630.msg88052#msg88052
- Carestream Health – SoftDent – Customer reported after contacting Carestream Support – Vendor does not publicly document their requirement for SMB1
- Canon (& Océ) – Printers via “print to share” – https://support.usa.canon.com/kb/index?page=content&id=ART143573 & https://files.lfpp.csa.canon.com/media/Assets/PDFs/TSS/external/WF_PrintDrivers/Documentation/Oce_LF_Systems_Connectivity_information_for_Windows_environment_Administration_guide_en.GB.pdf
- Cisco – Web Security Appliance/WSAv – https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir & https://supportforums.cisco.com/discussion/13295496/wsav-supports-smbv1-only
- Cisco – Wide Area Application Services/WAAS 5.0 & older – http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v501/release/notes/ws501xrn.html
- Cisco – Firesight IDS (formerly Sourcefire), RSA Authentication Manager, Firepower Management Center – https://community.rsa.com/docs/DOC-79194, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd10403/?referring_site=bugquickviewredir
- Citrix – ELM with DFS Namespaces – https://support.citrix.com/article/CTX227613
- ClearSwift – Secure Web Gateway 4.6 (domain join) – Customer reported after contacting ClearSwift Support – Vendor does not publicly document their requirement for SMB1
- DataAccess – legacy Dataflex embedded DB (vendor also offers many alternative ways to not need SMB1) – http://www.dataaccess.com/KBasePublic/Files/2476.Tuning%20Microsoft%20Networks%20for%20the%20Legacy%20Embedded%20Database_PDF_FMT.PDF
- DellEMC – All VNX2 Systems older than 18.104.22.168 (domain join) – https://support.emc.com/kb/500036
- DellEMC – Versions older than iDRAC 9. iDRAC9 and later support SMB 2 through SMB 3.1.1 – http://en.community.dell.com/techcenter/extras/m/white_papers/20444575/download
- Egnyte – Storage Connect – https://helpdesk.egnyte.com/hc/en-us/articles/201639514-Storage-Connect-Overview
- Epicor – At least Epicor ERP 10.2.1 and older – Customer reported after contacting Epicor & showing management UI screenshot to MS – Vendor does not publicly document their requirement for SMB1.
- F5 – RDP client gateway, Microsoft Exchange Proxy – https://support.f5.com/csp/article/K55889450
- FAST – LTA Silent Cubes – Customer reported after contacting FAST Support – Vendor does not publicly document their requirement for SMB1
- FreeBSD – smbfs – https://people.freebsd.org/~bp/smben.html
- Forcepoint (Raytheon) – “some Forcepoint products”, Content Gateway proxy authentication, ForcePoint DLP (version 8.3 or lower; DLP version 8.4 or later no longer needs SMB1) – https://support.forcepoint.com/KBArticle?id=000012832
- Fujitsu – FX devices DMP-X and below (Herakles) do not support SMB2. DMP-XI-1a (Seito, Herakles2) and later support SMB2. Customer reported after contacting Fujitsu Support – Vendor does not publicly document their requirement for SMB1
- HP – Various printers (many do support SMB2) – http://h10032.www1.hp.com/ctg/Manual/c05547920
- HPE – ArcSight (Legacy Unified Connector, not latest version) – https://community.saas.hpe.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Windows-Event-Log-Native/ta-p/1585123?attachment-id=59177
- HPE – StoreOnce Software supports SMB2+, however not clear which version added SMB2+ support (under investigation); For completeness only, 3.14.x + makes SMB2 default setting https://blogs.technet.microsoft.com/filecab/bb897-91004_3-16-3_rpm_rn/
- IBM – NetServer V7R2 or below – http://www-01.ibm.com/support/docview.wss?uid=nas8N1011878
- IBM – QRadar Vulnerability Manager 7.2.x or below (7.3 has been updated) – http://www-01.ibm.com/support/docview.wss?uid=swg22004178
- Infoblox – NIOS versions older than 8.2.0 (8.2.0 supports SMB2+) – https://community.infoblox.com/t5/DNS-DHCP-IPAM/Infoblox-Integration-with-Microsoft-Windows-DNS/m-p/10900/highlight/true#M2222
- Infusion Business Software – Infusion (requires disabling SMB2) – https://www.infusionsoftware.co.nz/support/download-documentation/manuals-support-notes/infusion-software-upgrade-notes/streamFile
- Kodi – Kodi V17 and older (at least) – https://forum.kodi.tv/showthread.php?tid=314269&highlight=smb1
- Konica Minolta – Bizhub, C284e series, C3350 series, likely others still for sale – Customer reported after contacting Konica Minolta Support – Vendor does not publicly document their requirement for SMB1.
- Kyocera – Some models do support SMB2+ when running latest firmware; others require SMB1. Vendor maintains a complete list available to their customers. Contact vendor via http://www.kyoceradocumentsolutions.com/support/. Vendor does not make list public
- Lexmark – Firmware eSF 2.x & eSF 3.x MFPs (scan to network) – http://support.lexmark.com/index?page=content&id=FA716&locale=en&userlocale=EN_US
- Linksys – Various routers (due to use of discontinued Samba version 3.0.28a) – http://community.linksys.com/t5/Wireless-Routers/CIFS-or-NFS/td-p/924535 & http://downloads.linksys.com/downloads/license/FW_LICENSE_WRT1900ACS_v22.214.171.124461.pdf
- Linux Kernel – CIFS client 2.5.42 to 3.5.x (3.7 added first SMB2 client implementation) – https://wiki.samba.org/index.php/LinuxCIFSKernel
- Manage Engine – ServiceDesk Plus in versions older than 9.3.11 (build 9311) (single sign on feature) – https://www.manageengine.com/products/service-desk/readme-9.3.html & https://forums.manageengine.com/topic/smb-v1
- McAfee – Web Gateway – https://kc.mcafee.com/corporate/index?page=content&id=KB89350
- McKesson/Change Healthcare – Portico Provider Manager (7.1 and older at least) – Customer reported after contacting McKesson Support – Vendor does not publicly document their requirement for SMB1, but stated that upgrading to latest version would remove need for SMB1. Version not stated.
- Microsoft – Windows XP, Windows Server 2003 (and older), Windows Embedded Standard 2009
- Mobotix – various products – https://www.mobotix.com/eng_GB/Support/User-Forum/Installation-Network/Windows-servers-%253E-SMB1-end-of-life-%253E-THIS-BEAKS-MOBOTIX-FUNCTIONALITY
- Multi-Tech Systems – Faxfinder – Customer reported after contacting Multi-Tech Support – Vendor does not publicly document their requirement for SMB1
- MYOB – Accountants Office & Accountants Enterprise (states requirement for disabling opportunistic locking, i.e. SMB1 behavior option) – https://www.myob.com/au/accountants-and-partners/support/minimum-system-requirements
- NetApp – Versions of ONTAP prior to 8.3.2P5, 9.0P1 & 9.1 require SMB1 for domain join (not client connections). ONTAP 8.3.2P5, 9.0P1, 9.1 can instead utilize SMB2 for domain join as well as client connections via SMB2 & 3, and ONTAP 9.2 allows for complete disabling of any SMB1 connections – http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=786189 & https://averageguyx.blogspot.com/2017/06/does-ontap-need-smb1-no.html?m=1
- NetGear – ReadyNAS running less than OS6, RAIDiator – https://community.netgear.com/t5/Using-your-ReadyNAS/SMB-1-0-Given-Wanna-Cry/m-p/1283738#M129977 & https://kb.netgear.com/24923/ReadyNAS-OS-6-SMB-Plus-App
- Nimble (HPE) – Nimble OS 3.1 (and older) domain join – https://connect.nimblestorage.com/people/rdm/blog/2016/03/01/nimble-os-30-active-directory-integration?commentID=2479#comment-2479
- NVIDIA – Shield line of products – https://forums.geforce.com/default/topic/1020382/?comment=5194685
- Oki – Various multifunction printers that support print to share – http://my.okidata.com/idocs2.nsf/2a6b07dbf414dda9852572b100580bbe/1f6b01dcdfd8294885257325006d62ee/$FILE/C3530-CIFS.pdf & https://okidata-ja.custhelp.com/euf/assets/images/answers/4074/MC361%20&%20MC561%20Scan%20to%20Shared%20Folder%20-%20Config%20Tool.pdf
- Open GI – ICP – Customer reported after contacting Open GI Support – Vendor does not publicly document their requirement for SMB1.
- Oracle – Solaris 11.3 and older – http://docs.oracle.com/cd/E86824_01/html/E54775/smb-4.html
- Pulse Secure – PCS devices running 8.1R9 / 8.2R4 and below or PPS devices running 5.1R9 / 5.3R4 and below – https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40602/?q=smb&l=en_US&fs=Search&pn=1&atype=
- QNAP – all storage devices using firmware lower than 4.1 – https://www.qnap.com/en-us/support/con_show.php?cid=11
- Rapid7 – Various products within suite (some components under some circumstances – the forums do not mention SMB1 at all, but developers and customers confirm some SMB1 usage) – https://github.com/rapid7/ruby_smb & https://twitter.com/thelightcosine/status/895682178713100289
- RedHat – RHEL 5, RHEL 6 domain join; earliest SMB2+ CIFS client documented is in RedHat 7.2 (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/file_systems.html); RedHat server provided by Samba, see Samba note below – https://access.redhat.com/solutions/3037961
- Ricoh (Ricoh/Savin/Gestetner/Lanier) – all MFP printers (supporting Scan to Folder, Fax Transmission backup to Folder, Fax Forwarding) except SP C220S / C222SF, SP C231SF / C232SF, SP C240SF / C242SF, SP C250SF / C252SF, SP 3400SF / 3410SF, SP 3000SF / 3510SF – Announce-19-05-17-WannaCry-Ransomware-and-SMB-v1.0-exploit
- RSA – Authentication Manager Server – https://community.rsa.com/thread/191171
- Samba – versions older than 3.5.0 (note: all supported versions of Samba support SMB2+, see https://wiki.samba.org/index.php/Samba_Release_Planning#Discontinued) – https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#SMB2_support & https://wiki.samba.org/index.php/Samba_3.5_Features_added/changed#Protocol_changes
- Samba – JCIFS SMB client – https://lists.samba.org/archive/jcifs/2013-December/010123.html & https://jcifs.samba.org/ . Note: there are several open source and commercial alternatives for developers to call upon – for instance, JCIF/NG – https://github.com/AgNO3/jcifs-ng/, hierynomus/smbj – https://github.com/hierynomus/smbj, Visuality – https://visualitynq.com/products/jnq-java-smb-client
- Sharp – Subset of MFP printers (many do support SMB2 and 3) – https://msdnshared.blob.core.windows.net/media/2017/06/sharp2017.pdf
- ShoreTel – ShoreTel Server – Customer reported after contacting ShoreTel Support – Vendor does not publicly document their requirement for SMB1.
- Sonos – Wireless speakers – https://en.community.sonos.com/setting-up-sonos-228990/sonos-support-for-smb-20-protocol-6739642/index1.html
- Sophos – Sophos has now updated all products to no longer require SMB1, as long as you update to Sophos XG Firewall 16.05 MR6 (16.05.6.266), Sophos UTM 9.5 MR2 (9.502), Sophos Web Appliance 4.3.3, Sophos Anti-Virus for Linux 9.13.2, Sophos Anti-Virus for vShield 2.1.10, Sophos for Virtual Environments 1.0.1 – https://community.sophos.com/kb/en-us/126757
- SUSE – SUSE Linux Enterprise Server 11 and older (note: 10 and older versions are unsupported, regardless) – https://www.suse.com/support/kb/doc/?id=7019892
- Synology – Should support SMB3 and/or SMB2 (but ensure not set to SMB1 maximum via https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/file_winmacnfs_win)
- Thomson Reuters – Some portions of CS Professional Suite might need oplocks disabled for troubleshooting purposes only, which requires SMB1 until RS3 provided the new leasing mode option; there is no pure requirement for SMB1 (note: Payroll CS, Trial Balance CS, and Write-Up CS no longer supported as of March 1, 2017. Replaced by Accounting CS and MyPay, see http://cs.thomsonreuters.com/ua/acct_pr/csa/cs_us_en/kb/transitioning-from-csa-to-acs.htm?product=csa) – http://cs.thomsonreuters.com/ua/acct_pr/csa/cs_us_en/kb/how-to-disable-opportunistic-locking-or-file-caching.htm
- Tintri – Tintri OS, Tintri Global Center – https://knowledge.tintri.com/Internal/KB_Drafts/FAQ_-Technical_Service_Bulletin_Document_No._TSB-05242017-01_–_Reduced_Severity
- Toshiba – E-Studio MFP line, 6508a – Customer reported after contacting Toshiba Support – Vendor does not publicly document their requirement for SMB1.
- TP-Link – Archer routers (at least; possibly all storage-supporting routers) – Support for SMB2 appears to be coming for some models, but no ETA: http://forum.tp-link.com/showthread.php?97723-Archer-C9-SMBv2-Support&highlight=smbv1 & http://forum.tp-link.com/showthread.php?102166-AC1900-(Archer-C9)-V1-USB-File-Share-and-Windows-10-1703&highlight=smbv1 & http://forum.tp-link.com/showthread.php?102443-SMBv2-support
- Unitrends – Variety of products, see link – https://support.unitrends.com/UnitrendsBackup/s/article/ka840000000blnfAAA/000005618?t=1505917588676
- VMware – VMware vCenter Server Appliance, VMware vRealize Automation Identity Appliance – https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2134063&sliceId=1&docTypeID=DT_KB_1_1&dialogID=479220377&stateId=0 (note: steps to configure SMB2 for VCenter, at least on latest versions, until VMware updates their KB – https://virtualizationnation.com/2017/04/17/enabling-vcenter-server-appliance-vcsa-to-use-smb2/)
- VMware – Older than ESXI 6.0, older than VCenter 6.0 Update 3c – https://communities.vmware.com/message/2663902#2663902 & https://communities.vmware.com/message/2668266#2668266 & https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3c-release-notes.html
- Western Digital – WD Live TV – Customer reported after contacting WD Support – Vendor does not publicly document their requirement for SMB1
- Worldox – Worldox GX3 DMS (SMB1 recommended but supports SMB2 under some circumstances; note that GX3 is end of life, per vendor) – https://knowledgebase.worldox.com/wp-content/uploads/2015/09/Worldox-and-SMB-White-Paper.pdf
- Xerox – SMB Workflow Scanning on printers not running ConnectKey Firmware, such as WC75XX models. Certain multifunction models – http://forum.support.xerox.com/t5/Copying-Faxing-Scanning/Xerox-Machines-and-SMBv2-V3-Scanning-Support/td-p/204802/highlight/true/page/2 & https://www.xerox.com/download/security/white-paper/1bcfc-55251eec62dd0/Xerox-Product-SMB-Supported-Versions.pdf
- Zebra – Zebra Label Printers, ZPL formats, & Eltron/EPL formats – Customer reported after contacting Zebra Support – Vendor does not publicly document their requirement for SMB1.
Adding a product to this list ideally requires a direct quote or documentation from the vendor of that product, including their website, knowledgebase, support forums, or other vendor channels; third party forums are not enough to qualify. Alternatively, if your vendor has responded to you in a support case that SMB1 is required but does not provide public documentation, products will be added case-by-case. Consult your vendor for updates and newer product versions that support at least SMB 2.02. If you are a vendor and wish to report requirements for SMB1 or if information above has changed, email StillNeedsSMB1@microsoft.com.
There are vendors who are not publishing their SMB1 requirements. It is up to you, their customer, to have them publish this information – Microsoft cannot make them do so. If a vendor does not state if they require SMB1 but you believe they do, please contact that vendor directly. If you need assistance getting a vendor response, email StillNeedsSMB1@microsoft.com and we will try our best to assist. Politeness works best; the person you are speaking to at a vendor is extremely unlikely to have put SMB1 into the product & probably isn’t any happier about it than you are!
For more information on why using SMB1 is unsafe, see StopUsingSMB1. SMB1 has been deprecated for years and will be removed by default from many editions and SKUs of Windows 10 and Windows Server 2016 in the RS3 release.
Important: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling oplocks is not recommended by Microsoft, but is required by some older software, often due to using legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 now allow a special oplock override workaround for these scenarios – see https://twitter.com/NerdPyle/status/876880390866190336. This is only a workaround – just like SMB1 oplock disable is only a workaround – and your vendor should update to not require it.
Be safe out there,
Ned Pyle, Principal Program Manager of the SMB protocol family at Microsoft