Disable SMBv1 Server with Group Policy:

This will configure the following new item in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1 REG_DWORD: 0 = Disabled

To configure this using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.

smb3

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0

smb2

This disables the SMBv1 Server components.  This Group Policy needs to be applied to all necessary workstations, servers, and domain controllers in the domain.

Note: WMI filters can also be set to exclude unsupported operating systems or selected exclusions such as Windows XP.

Caution! Be careful when making these changes on domain controllers where legacy Windows XP or older Linux and 3rd party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.

Disable SMBv1 Client with Group Policy:

To disable the SMBv1 client the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start REG_DWORD: = Disabled

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: “Bowser”,”MRxSmb20″,”NSI”

Note: The default included MRxSMB10 which is now removed as dependency

To configure this using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.

smb3

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4

smb4

Then remove the dependency on the MRxSMB10 that was just disabled

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note: These 3 strings will not have bullets (see below)

smb7

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

Note: When using Group Policy Management Console, there is no need to use quotation marks or commas.  Just type the each entry on individual lines as shown above:

Reboot Required

After the policy has applied and the registry settings are in place, the targeted systems must be rebooted before SMB v1 is disabled.