Disabling SMBv1 through Group Policy


Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle describes in his blog post “Stop using SMB1”, there are many reasons to cease using it on your networks. We have added that recommendation to our baseline and have exposed a way to apply it through the Group Policy editors for local or domain GPOs by adding new settings to the custom “MS Security Guide” ADMX. That said, the registry values that need to be manipulated are not a natural fit for GPO management, so you need to be careful when using these settings: applying them incorrectly can cause serious problems.

We wanted these custom settings to work for all supported versions of Windows and to be reversible so that SMBv1 could be re-enabled if necessary. Due to the limitations of the ADMX syntax, we ended up implementing it through three separate settings:

  • Configure SMB v1 server, to disable or enable server-side processing of the SMBv1 protocol. This is a simple Enabled/Disabled/Not Configured setting that controls the “SMB1” registry value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
  • Configure SMB v1 client driver, to configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10. Note that choosing the “Disabled” radio button deletes the “Start” value, so don’t do that! See the explain text shown in the table below if you need to restore default behavior. Note that the “Disabled” radio button is not the same thing as the dropdown value, “Disable driver (recommended).”
  • Configure SMB v1 client (extra setting…), which is needed only for older Windows versions. This setting controls the “DependOnService” REG_MULTI_SZ value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, which represents the service and driver dependencies of the Workstation service (internal name: LanmanWorkstation). Older versions of Windows configure LanmanWorkstation with a dependency on the SMBv1 client driver (MrxSmb10) running, which can be problematic if MrxSmb10 is disabled. So this setting enables you to configure the LanmanWorkstation service’s dependencies directly. The setting’s Explain text describes exactly what to enter into the text box. Unfortunately, there is no way for the ADMX to offer a choice of predefined REG_MULTI_SZ values. You have to type – or copy/paste – the text yourself. And here again, choosing the “Disabled” radio button deletes the DependOnService value, which would be very bad, so don’t do that!

The following lists each setting and the corresponding explain text shown in the Group Policy editor:

Setting: Configure SMB v1 server

Explain text: Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)

Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.)

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547

Setting: Configure SMB v1 client driver

Explain text: Configures the SMB v1 client driver's start type.

To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown.

WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!

For Windows 7 and Servers 2008, 2008R2, and 2012, you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting.

To restore default SMBv1 client-side behavior, select "Enabled" and choose the correct default from the dropdown:
* "Manual start" for Windows 7 and Windows Servers 2008, 2008R2, and 2012;
* "Automatic start" for Windows 8.1 and Windows Server 2012R2 and newer.

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547

Setting: Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)

Explain text: APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2):

To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following:
* Set the SMBv1 client driver to "Disable driver" using the "Configure SMB v1 client driver" setting;
* Enable this setting;
* In the "Configure LanmanWorkstation dependencies" text box, enter the following three lines of text:
Bowser
MRxSmb20
NSI

To restore the default behavior for client-side SMBv1 protocol processing, do ALL of the following:
* Set the SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting;
* Enable this setting;
* In the "Configure LanmanWorkstation dependencies" text box, enter the following four lines of text:
Bowser
MRxSmb10
MRxSmb20
NSI

WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547

You can obtain the "MS Security Guide" ADMX template in the download associated with the draft baseline for Windows 10 v1703 here. Copy SecGuide.admx into your %windir%\PolicyDefinitions directory, and copy SecGuide.adml into the en-us subdirectory.
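As an added example (not part of the original post or the baseline download), the following PowerShell audits the three registry values these settings write and flags the two broken states the post warns about: a missing MrxSmb10 “Start” value and a missing LanmanWorkstation “DependOnService” value. It assumes it is run in an elevated PowerShell on the target machine after the required reboot, and that the standard service start-type encoding applies (Start 2 = Automatic, 3 = Manual, 4 = Disabled).

```powershell
# Constructed audit script; it reads only the three values the post describes.
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$driver = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'
$wkssvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

# Returns the registry value, or $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. Server side: SMB1 DWORD under LanmanServer\Parameters. Absent means the default (enabled).
$smb1 = Get-RegValue $server 'SMB1'
if ($null -eq $smb1) { $findings += 'Server: SMB1 value absent -> SMBv1 server ENABLED (default)' }
elseif ($smb1 -eq 0) { $findings += 'Server: SMB1 = 0 -> SMBv1 server disabled' }
else                 { $findings += "Server: SMB1 = $smb1 -> SMBv1 server enabled" }

# 2. Client driver: Start DWORD under MrxSmb10 (assumed: 2 = Automatic, 3 = Manual, 4 = Disabled).
$start = Get-RegValue $driver 'Start'
if (-not (Test-Path -LiteralPath $driver)) {
    $findings += 'Client driver: MrxSmb10 service key absent (SMBv1 client driver not registered here)'
} elseif ($null -eq $start) {
    # This is the state the "Disabled" radio button produces; the post says never to select it.
    $findings += 'Client driver: Start value MISSING - restore it via "Enabled" plus the correct default'
} else {
    $startName = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }[[int]$start]
    $findings += "Client driver: Start = $start ($startName)"
}

# 3. Workstation service dependencies (relevant on Win7/2008/2008R2/2012): DependOnService REG_MULTI_SZ.
$deps = Get-RegValue $wkssvc 'DependOnService'
if ($null -eq $deps) {
    $findings += 'Workstation: DependOnService MISSING - service has no recorded dependencies; restore it'
} elseif (($deps -contains 'MRxSmb10') -and ($start -eq 4)) {
    $findings += 'Workstation: still depends on MRxSmb10 while that driver is disabled -> service may fail to start'
} else {
    $findings += "Workstation: DependOnService = $($deps -join ', ')"
}

$findings
```

On machines where SMBv1 has been removed as a Windows feature, the MrxSmb10 key may be absent altogether; the script reports that rather than treating it as the missing-Start condition.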


Comments (13)

  1. Eric says:

    It would be helpful to include a link to where you get the “MS Security Guide” ADMX.

    [Aaron Margosis] Thanks. I’ll update the post with that information. In the meantime, it’s in the download package with the draft baseline here.
    [Aaron Margosis] Updated.
    1. uflRob says:

      I’ve opened the Windows-10-RS2-Security-Baseline package and while the Policy seems to contain some SMBv1 settings, the ADMX templates included in the package do not seem to contain some of the above definitions, such as “Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)”

      [Aaron Margosis] Copy the *.ADMX files to the %windir%\PolicyDefinitions directory, and the *.ADML files to the en-us subdirectory. If the Group Policy editor is open, close it and then re-open.
    2. Eric says:

      Thank-you!

  2. Bjørn says:

    A couple of times the last setting states that we should type “Bowser” in the dependencies box. That should be “Browser”, should it not?

    [Aaron Margosis] No, it’s actually exactly correct as it is. See hklm\system\currentcontrolset\services\bowser
  3. Yoshihiro Kawabata says:

    Thank you, Group Policy for disabling SMBv1.
    I would like to know which ADMX file is needed to disable SMBv1.
    Is it SecGuide.admx?

    [Aaron Margosis] Yes. Put SecGuide.admx in the %windir%\PolicyDefinitions directory and SecGuide.adml in the en-us subdirectory.
  4. David says:

    Can you confirm whether setting the “Configure LanmanWorkstation dependencies” as described above will NOT have any impact on Windows 8 (and Server 2012R2) and above, i.e. if the above settings are applied in a generic policy for all Windows OS client versions, or do they need to be specifically segregated?

    [Aaron Margosis] You should segregate them, and not apply the “extra setting needed for pre-Win8.1/2012R2” to Win8.1/2012R2 or newer.
  5. Nick says:

    For the two settings with “WARNING: DO NOT SELECT THE “DISABLED” RADIO BUTTON UNDER ANY CIRCUMSTANCES!” what is the behavior when going from ‘Enabled’ to ‘Not Configured’?

    [Aaron Margosis] The last-applied settings should remain in place — “tattooed.”
  6. XR219 says:

    Hi , Is there a version of this guide for Windows 10 machines. We originally deployed the registry settings via GPO listed here:- https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/
    This template appears to do exactly the same thing as the registry edits in the above article.
    On the test machines it worked, but on over half of the production machines it killed SMB altogether.

    [Aaron Margosis] It should have the same effect whether you use the technique described in the post you referenced or with the custom GPO. The steps should be the same for 8.1/2012R2 or newer. Older than that and it has to be done a little differently. Note that it has to be done exactly right — get something wrong and it’s easy to kill SMB entirely, as you’ve seen.
  7. Aaron says:

    I’ve applied a new GPO to my test ou.

    Can I confirm that once this Group Policy is applied the SMBv1 flag within “Turn on-turn Off Windows Features” will remain in place?

    Is there a way to confirm that the Policy has in fact disabled SMBv1 on the client.

    I was hoping to use this as opposed to the Powershell method.

  8. Charlie S says:

    The “Supported On” section of these settings says at least Windows 2008/7. Sounds like a mistake.

    [Aaron Margosis] You are correct. It should be all supported OSes, which is Win7 and newer, and Server 2008 and newer.
  9. Kevin Morris says:

    Thanks for this guide. When you say ‘And here again, choosing the “Disabled” radio button deletes the DependOnService value, which would be very bad, so don’t do that!’, we were wondering what ‘very bad’ means and what the actual risks are if this occurs? Is it merely poorer security, or is there something more dangerous that can occur with OS stability? We’re asking because we’re weighing the risks of someone accidentally clicking disable and what harm that would cause, and whether it would be better to push out the key via other methods that would avoid this risk altogether. Thanks!

    [Aaron Margosis] The answer is that we don’t know what would happen, but there’s a significant possibility of crashes and other instability. E.g., if the LanmanWorkstation service’s DependOnService value is deleted, Windows will think the service has no dependencies and might start it before (or without) starting components the service actually requires and expects to have running. That would almost certainly be an untested scenario.
  10. Charlie Sullivan says:

    I have a GPO for Windows 2012 R2 and 2016 on which I configured the 2 respective settings to disable SMB1 Server and Client. Is it a problem if some of these servers also have SMB1 actually uninstalled as a Windows feature?

    [Aaron Margosis] Should not be a problem.
  11. Conor says:

    Hi – I’ve added in secguide.admx and secguide to the correct directories above (%windir%\PolicyDefinitions and the en-us subdirectory) and still do not see the option to enable these features – I have shut down Group Policy Manager.
