Even the latest Windows 10 1703 still has SMB1 enabled by default. If you want to keep yourself safe from WannaCry / WannaCrypt0r 2 variants you need to disable SMB 1.0.
You can disable SMB 1.0 in 5 ways:
A – How to Disable SMB 1 using the GUI
- Click the START button and type FEATURES
- Click TURN WINDOWS FEATURES ON OR OFF
- Scroll through the list and uncheck SMB 1.0/CIFS FILE SHARING SUPPORT
B – How to Disable SMB 1 using a PowerShell Script:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
C – How to Disable SMB 1 using CMD Line:
DISM /online /disable-feature /featurename:SMB1Protocol
D – How to Disable SMB 1 using a GPO:
- Create a new GPO and edit it
- Expand COMPUTER > PREFERENCES > WINDOWS > REGISTRY
- Right click and one at a time add the following three entries:
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name: SMB1
Value type: REG_DWORD
Value data: 0

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
Value name: Start
Value type: REG_DWORD
Value data: 4

Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
Value name: DependOnService
Value type: REG_MULTI_SZ
Value data:
- Bowser
- MRxSmb20
- NSI
Note: These 3 strings will NOT have bullets
For details read THIS Microsoft post.
E – How to Disable SMB 1 by Editing the Registry:
Create the registry entries specified in step 3 of option “D” above
How to Verify SMB 1.0 Is Disabled:
Note that there appears to be no ready way to test and confirm that SMB 1.0 is disabled. In fact, I found that after setting the GPO, both the GUI and the following command showed that SMB 1.0 was still enabled.
DISM /online /get-features /format:table | more
Microsoft Partner Support tells me “…already use GPP to set the registry value to 0. Per the current information we have, if the value is 0, then the SMBv1 is disabled. For the UI of features, it just shows this computer has the ability to provide SMBv1 service, however, whether the service is enabled or not, the switch is in the registry.”
If you want to see the discussion I had with Partner Support, which includes many screen shots, click HERE.
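Since Partner Support says the switch is in the registry, the three values from option D can be read back directly. The PowerShell below is an added example, not part of the original post or of Microsoft's guidance; the function name Get-Smb1RegistryState and its output property names are made up for illustration.

```powershell
# Added example: read back the three registry values set in option D.
# Get-Smb1RegistryState and its property names are illustrative, not from the post.
function Get-Smb1RegistryState {
    $base  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $quiet = @{ ErrorAction = 'SilentlyContinue' }

    # Entry 1: LanmanServer\Parameters\SMB1 (0 = SMBv1 server disabled)
    $server = Get-ItemProperty -Path "$base\LanmanServer\Parameters" -Name SMB1 @quiet
    # Entry 2: mrxsmb10\Start (4 = driver service disabled)
    $driver = Get-ItemProperty -Path "$base\mrxsmb10" -Name Start @quiet
    # Entry 3: LanmanWorkstation\DependOnService (MRxSmb10 must not be listed)
    $wks    = Get-ItemProperty -Path "$base\LanmanWorkstation" -Name DependOnService @quiet

    # A missing key or value yields $null and never counts as a match.
    $serverOk = ($null -ne $server) -and ($server.SMB1 -eq 0)
    $driverOk = ($null -ne $driver) -and ($driver.Start -eq 4)
    $depsOk   = ($null -ne $wks) -and ($wks.DependOnService -notcontains 'MRxSmb10')

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ServerSMB1           = if ($null -ne $server) { $server.SMB1 } else { 'not set' }
        Mrxsmb10Start        = if ($null -ne $driver) { $driver.Start } else { 'not set' }
        WorkstationDependsOn = if ($null -ne $wks) { $wks.DependOnService -join ', ' } else { 'not set' }
        ServerValueMatches   = $serverOk
        DriverValueMatches   = $driverOk
        DependencyMatches    = $depsOk
        AllEntriesMatch      = $serverOk -and $driverOk -and $depsOk
    }
}

# Report the state of the local machine.
Get-Smb1RegistryState | Format-List
```

AllEntriesMatch is True only when all three values are present and equal to what option D sets; a value the GPO has not yet applied shows as 'not set'.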