Hi folks, Ned here again. This blog post contains all products requiring SMB1, where the vendor explicitly states this in their own documentation or communications, or where a customer has reported it and shown some degree of proof without vendor refutation. This list is not complete and you should never treat it as complete; check back often.
All products arranged in alphabetical order, by vendor, by product, with a URL to their documentation stating SMB1 requirements.
Vendor – Product – Documentation
- Aerohive – HiveManager, HiveOS (domain join) – https://community.aerohive.com/aerohive/topics/unable-to-join-activedirectory-with-smbv1-disabled-on-domain-controller
- Alfresco – Alfresco (when not using WebDAV) – https://community.alfresco.com/thread/231880-smb2-smb3-server-support#comment-816590
- Applied Systems – TAM – Customer reported after contacting TAM Support – Vendor does not publicly document their requirement for SMB1
- Aruba – Clearpass older than 6.6.7 (Aruba has resolved with patch; this entry will stay for a short while just to inform their customers to patch) – http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873
- ASUS – Wireless Routers with USB storage connection – Customer reported after contacting ASUS Support – Vendor does not publicly document their requirement for SMB1
- AVM – Fritz!Box – https://avm.de/service/fritzbox/fritzbox-7490/wissensdatenbank/publication/show/3327_Von-der-FRITZ-Box-unterstuetzte-SMB-Versionen/
- Barracuda – Load Balancer, perhaps other products that support backups (backups to SMB, using at least 6.0 firmware) – Customer reported after contacting Barracuda Support – Vendor does not publicly document their requirement for SMB1
- Barracuda – SSL VPN – https://campus.barracuda.com/product/sslvpn/article/SSLVPN/CreateNetworkPlace/
- Barracuda – Web Security Gateway backups – https://community.barracudanetworks.com/forums.php?url=/topic/29561-backup-via-smb/
- Bitdefender – Gravity Zone (Antivirus) – Customer reported after contacting Bitdefender Support – Vendor does not publicly document their requirement for SMB1
- Carestream Health – SoftDent – Customer reported after contacting Carestream Support – Vendor does not publicly document their requirement for SMB1
- Canon (& Océ) – Printers via “print to share” – https://support.usa.canon.com/kb/index?page=content&id=ART143573 & https://files.lfpp.csa.canon.com/media/Assets/PDFs/TSS/external/WF_PrintDrivers/Documentation/Oce_LF_Systems_Connectivity_information_for_Windows_environment_Administration_guide_en.GB.pdf
- Cisco – Web Security Appliance/WSAv – https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir & https://supportforums.cisco.com/discussion/13295496/wsav-supports-smbv1-only
- Cisco – Wide Area Application Services/WAAS 5.0 & older – http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v501/release/notes/ws501xrn.html
- Citrix – ELM with DFS Namespaces – https://support.citrix.com/article/CTX227613
- ClearSwift – Secure Web Gateway 4.6 (domain join) – Customer reported after contacting ClearSwift Support – Vendor does not publicly document their requirement for SMB1
- DataAccess – legacy Dataflex embedded DB (vendor also offers many alternative ways to not need SMB1) – http://www.dataaccess.com/KBasePublic/Files/2476.Tuning%20Microsoft%20Networks%20for%20the%20Legacy%20Embedded%20Database_PDF_FMT.PDF
- DellEMC – All VNX2 Systems older than 22.214.171.124 (domain join) – https://support.emc.com/kb/500036
- Egnyte – Storage Connect – https://helpdesk.egnyte.com/hc/en-us/articles/201639514-Storage-Connect-Overview
- F5 – RDP client gateway, Microsoft Exchange Proxy – https://support.f5.com/csp/article/K55889450
- FAST – LTA Silent Cubes – Customer reported after contacting FAST Support – Vendor does not publicly document their requirement for SMB1
- FreeBSD – smbfs – https://people.freebsd.org/~bp/smben.html
- Forcepoint (Raytheon) – “some Forcepoint products”, Content Gateway proxy authentication – https://support.forcepoint.com/KBArticle?id=000012832
- HP – Various printers (many do support SMB2) – http://h10032.www1.hp.com/ctg/Manual/c05547920
- HPE – ArcSight (Legacy Unified Connector, not latest version) – https://community.saas.hpe.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Windows-Event-Log-Native/ta-p/1585123?attachment-id=59177
- HPE – StoreOnce Software supports SMB2+, however not clear which version added SMB2+ support (under investigation); For completeness only, 3.14.x + makes SMB2 default setting https://blogs.technet.microsoft.com/filecab/bb897-91004_3-16-3_rpm_rn/
- IBM – NetServer V7R2 or below – http://www-01.ibm.com/support/docview.wss?uid=nas8N1011878
- IBM – QRadar Vulnerability Manager 7.2.x or below (7.3 has been updated) – http://www-01.ibm.com/support/docview.wss?uid=swg22004178
- Infusion Business Software – Infusion (requires disabling SMB2) – https://www.infusionsoftware.co.nz/support/download-documentation/manuals-support-notes/infusion-software-upgrade-notes/streamFile
- Kodi – Kodi V17 and older (at least) – https://forum.kodi.tv/showthread.php?tid=314269&highlight=smb1
- Konica Minolta – Bizhub, C284e series, C3350 series, likely others still for sale – Customer reported after contacting Konica Minolta Support – Vendor does not publicly document their requirement for SMB1.
- Kyocera – Various printers inclusing Bizhub 654/754/c454/501/364e- Customer reported after contacting Kyocera Support – Vendor does not publicly document their requirement for SMB1.
- Lexmark – Firmware eSF 2.x & eSF 3.x MFPs (scan to network) – http://support.lexmark.com/index?page=content&id=FA716&locale=en&userlocale=EN_US
- Linksys – Various routers (due to use of discontinued Samba version 3.0.28a) – http://community.linksys.com/t5/Wireless-Routers/CIFS-or-NFS/td-p/924535 & http://downloads.linksys.com/downloads/license/FW_LICENSE_WRT1900ACS_v126.96.36.199461.pdf
- Linux Kernel – CIFS client 2.5.42 to 3.5.x (3.7 added first SMB2 client implementation) – https://wiki.samba.org/index.php/LinuxCIFSKernel
Manage Engine – ServiceDesk Plus in versions older than 9.3.11 (build 9311) (single sign on feature) – https://www.manageengine.com/products/service-desk/readme-9.3.html & https://forums.manageengine.com/topic/smb-v1
- McAfee – Web Gateway – https://kc.mcafee.com/corporate/index?page=content&id=KB89350
- Microsoft – Windows XP, Windows Server 2003 (and older), Windows Embedded Standard 2009
- Mobotix – various products – https://www.mobotix.com/eng_GB/Support/User-Forum/Installation-Network/Windows-servers-%253E-SMB1-end-of-life-%253E-THIS-BEAKS-MOBOTIX-FUNCTIONALITY
- MYOB – Accountants Office & Accountants Enterprise (states requirement for disabling opportunistic locking, i.e. SMB1 behavior option)– https://www.myob.com/au/accountants-and-partners/support/minimum-system-requirements
- NetApp – Versions of ONTAP prior to 8.3.2P5, 9.0P1 & 9.1 require SMB1 for domain join (not client connections). ONTAP 8.3.2P5, 9.0P1, 9.1 can instead utilize SMB2 for domain join as well as client connections via SMB2 & 3, and ONTAP 9.2 allows for complete disabling of any SMB1 connections – http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=786189 & https://averageguyx.blogspot.com/2017/06/does-ontap-need-smb1-no.html?m=1
- NetGear – ReadyNAS running less than OS6, RAIDiator – https://community.netgear.com/t5/Using-your-ReadyNAS/SMB-1-0-Given-Wanna-Cry/m-p/1283738#M129977 & https://kb.netgear.com/24923/ReadyNAS-OS-6-SMB-Plus-App
- Nimble (HPE) – Nimble OS 3.1 (and older) domain join – https://connect.nimblestorage.com/people/rdm/blog/2016/03/01/nimble-os-30-active-directory-integration?commentID=2479#comment-2479
- NVIDIA – Shield line of products – https://forums.geforce.com/default/topic/1020382/?comment=5194685
- Oki – Various multifunction printers that support print to share – http://my.okidata.com/idocs2.nsf/2a6b07dbf414dda9852572b100580bbe/1f6b01dcdfd8294885257325006d62ee/$FILE/C3530-CIFS.pdf & https://okidata-ja.custhelp.com/euf/assets/images/answers/4074/MC361%20&%20MC561%20Scan%20to%20Shared%20Folder%20-%20Config%20Tool.pdf
- Open GI – ICP – Customer reported after contacting Open GI Support – Vendor does not publicly document their requirement for SMB1.
- Oracle – Solaris 11.3 and older – http://docs.oracle.com/cd/E86824_01/html/E54775/smb-4.html
- Pulse Secure – PCS devices running 8.1R9 / 8.2R4 and below or PPS devices running 5.1R9 / 5.3R4 and below – https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40602/?q=smb&l=en_US&fs=Search&pn=1&atype=
- QNAP – all storage devices using firmware lower than 4.1 – https://www.qnap.com/en-us/support/con_show.php?cid=11
- Rapid7 – Various products within suite (some components under some circumstances – the forums do not mention SMB1 at all, but developers and customers confirm some SMB1 usage) – https://github.com/rapid7/ruby_smb & https://twitter.com/thelightcosine/status/895682178713100289
- RedHat – RHEL 5, RHEL 6 domain join; earliest SMB2+ CIFS client documented is in RedHat 7.2 (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/file_systems.html); RedHat server provide by Samba, see Samba note below – https://access.redhat.com/solutions/3037961
- Ricoh (Ricoh/Savin/Gestetner/Lanier) – all MFP printers (supporting Scan to Folder, Fax Transmission backup to Folder, Fax Forwarding) except SP C220S / C222SF, SP C231SF / C232SF, SP C240SF / C242SF, SP C250SF / C252SF, SP 3400SF / 3410SF, SP 3000SF / 3510SF – Announce-19-05-17-WannaCry-Ransomware-and-SMB-v1.0-exploit
- RSA – Authentication Manager Server – https://community.rsa.com/thread/191171
- Samba – versions older than 3.5.0 (note: all supported versions of Samba support SMB2+, see https://wiki.samba.org/index.php/Samba_Release_Planning#Discontinued) – https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#SMB2_support & https://wiki.samba.org/index.php/Samba_3.5_Features_added/changed#Protocol_changes
- Sharp – Subset of MFP printers (many do support SMB2 and 3) – https://msdnshared.blob.core.windows.net/media/2017/06/sharp2017.pdf
- ShoreTel – ShoreTel Server – Customer reported after contacting ShoreTel Support – Vendor does not publicly document their requirement for SMB1.
- Sonos – Wireless speakers – https://en.community.sonos.com/setting-up-sonos-228990/sonos-support-for-smb-20-protocol-6739642/index1.html
- Sophos – Sophos has now updated all products to no longer require SMB1, as long as you update to Sophos XG Firewall 16.05 MR6 (16.05.6.266), Sophos UTM 9.5 MR2 (9.502), Sophos Web Appliance 4.3.3, Sophos Anti-Virus for Linux 9.13.2, Sophos Anti-Virus for vShield 2.1.10, Sophos for Virtual Environments 1.0.1 – https://community.sophos.com/kb/en-us/126757
- SUSE – SUSE Linux Enterprise Server 11 and older (note: 10 and older versions are unsupported, regardless) – https://www.suse.com/support/kb/doc/?id=7019892
- Synology – Should support SMB3 and/or SMB2 (but ensure not set to SMB1 maximum via https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/file_winmacnfs_win)
- Thomson Reuters – Some portions of CS Professional Suite might need oplocks disabled for troubleshooting purposes only, which requires SMB1 until RS3 provided the new leasing mode option; there is no pure requirement for SMB1 (note: Payroll CS, Trial Balance CS, and Write-Up CS no longer supported as of March 1, 2017. Replaced by Accounting CS and MyPay, see http://cs.thomsonreuters.com/ua/acct_pr/csa/cs_us_en/kb/transitioning-from-csa-to-acs.htm?product=csa) – http://cs.thomsonreuters.com/ua/acct_pr/csa/cs_us_en/kb/how-to-disable-opportunistic-locking-or-file-caching.htm
- Tintri – Tintri OS, Tintri Global Center – https://knowledge.tintri.com/Internal/KB_Drafts/FAQ_-Technical_Service_Bulletin_Document_No._TSB-05242017-01_–_Reduced_Severity
- Toshiba – E-Studio MFP line, 6508a – Customer reported after contacting Toshiba Support – Vendor does not publicly document their requirement for SMB1.
- TP-Link – Archer routers (at least; possibly all storage-supporting routers) – Customer reported after contacting TP-Link Support – Vendor does not publicly document their requirement for SMB1.
- Unitrends – Variety of products, see link – https://support.unitrends.com/UnitrendsBackup/s/article/ka840000000blnfAAA/000005618?t=1505917588676
- VMware Vcenter VMware vCenter Server Appliance, VMware vRealize Automation Identity Appliance – https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2134063&sliceId=1&docTypeID=DT_KB_1_1&dialogID=479220377&stateId=0 (note: steps to configure SMB2 for VCenter, at least on latest versions, until VMware updates their KB – https://virtualizationnation.com/2017/04/17/enabling-vcenter-server-appliance-vcsa-to-use-smb2/)
- VMware – Older than ESXI 6.0 – https://communities.vmware.com/message/2663902#2663902 & https://communities.vmware.com/message/2668266#2668266
- Worldox – Worldox GX3 DMS (SMB1 recommended but supports SMB2 under some circumstances; note that GX3 is end of life, per vendor) – https://knowledgebase.worldox.com/wp-content/uploads/2015/09/Worldox-and-SMB-White-Paper.pdf
- Xerox – SMB Workflow Scanning on printers not running ConnectKey Firmware, such as WC75XX models. Certain multifunction models – http://forum.support.xerox.com/t5/Copying-Faxing-Scanning/Xerox-Machines-and-SMBv2-V3-Scanning-Support/td-p/204802/highlight/true/page/2 & https://www.xerox.com/download/security/white-paper/1bcfc-55251eec62dd0/Xerox-Product-SMB-Supported-Versions.pdf
- Zebra – Zebra Label Printers, ZPL formats, & Eltron/EPL formats – Customer reported after contacting Zebra Support – Vendor does not publicly document their requirement for SMB1.
Adding a product to this list ideally requires direct quote or documentation from the vendor of that product, including their website, knowledgebase, support forums, or other vendor channels; third party forums are not enough to qualify. Alternatively, if your vendor has responded to you in a support case that SMB1 is required but does not provide public documentation, products will be added case-by-case. Consult your vendor for updates and newer product versions that support at least SMB 2.02. If you are a vendor and wish to report requirements for SMB1 or if information above has changed, email StillNeedsSMB1@microsoft.com.
There are vendors who are not publishing their SMB1 requirements. It is up to you, their customer, to have them publish this information – Microsoft cannot make them do so. If a vendor does not state if they require SMB1 but you believe they do, please contact that vendor directly. If you need assistance getting a vendor response, email StillNeedsSMB1@microsoft.com and we will try our best to assist. Politeness works best; the person you are speaking to at a vendor is extremely unlikely to have put SMB1 into the product & probably isn’t any happier about it than you are!
For more information on why using SMB1 is unsafe, see StopUsingSMB1. SMB1 has been deprecated for years and will be removed by default from many editions and SKUs of Windows 10 and Windows Server 2016 in the RS3 release.
Important: if your vendor requires disabling SMB2 in order to force SMB1, they will also often require disabling oplocks. Disabling Oplocks is not recommended by Microsoft, but required by some older software, often due to using legacy database technology. Windows 10 RS3 and Windows Server 2016 RS3 allow a special oplock override workaround now for these scenarios – see https://twitter.com/NerdPyle/status/876880390866190336. This is only a workaround – just like SMB1 oplock disable is only a workaround – and your vendor should update to not require it.
Be safe out there,
Ned Pyle, Principal Program Manager of the SMB protocol family at Microsoft