How to disable SMB 1 on Windows 7 via Group Policy to Prevent Wa... http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windo...

GROUP POLICY CENTRAL

Information about Group Policy for IT Administrators

Advertise Here

How to disable SMB 1 on Windows 7 via Group Policy to

Prevent WannaCry
Posted by Alan Burchill on 27 March 2017, 2:49 pm

Update: These instructions will mitigate WannaCry / Wcry /

WannaCrypt virus propagation on Windows 7 and later (Windows 10 is
not affected). For more technical details about the virus see Troy
Hunts blog at https://www.troyhunt.com/everything-you-need-to-
know-about-the-wannacrypt-ransomware/

In case you have not got the message yet SMB 1 protocol Bad and that according to Microsoft you should
Stop using SMB1. Not that I should have to explain, but in case you need a refresher it is old (30 years old);
it is slow (especially over high-latency links); and its was superseded over a decade ago with the release of
Windows Vista, thats right VISTA!!!! So, by now you should be convinced that SMB 1 is really bad and that
you need to banish the protocol from your network.

If you want any more convincing we are now 30 years in the future from the release of the original SMB 1
protocol (and the Back to the Future movie). While we still dont have flying cars, at least we can get rid of
SMB 1. right!

Before you start it is always a good idea to check that all your servers in your environment support SMB 2.0
or later. For Windows server this is easy as any OS more recent that Windows Vista or Windows Server 2008
natively support SMB 2 and have it enabled by default. What might take a little more time is testing all the
non-windows server in your environment. In this case what i recommend you do is just disabled SMB 1
manually on a few test computers and just see what breaks. This is a sure fire way to ensure if the server is
running SMB 2+ as if the SMB 1 client is disabled then the file share almost certainly has to be SMB 2 or later.

To manually disable SMB 1 on your test workstations simple running the following commands from an
elevated command prompt:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

Now that you have done your testing and you are confident that you want to disable SMB 1 you now need a
way to make this change to all your Windows 7 clients quickly and easily. Unfortunately, there is no Group

1 of 4 5/14/17, 6:48 PM
How to disable SMB 1 on Windows 7 via Group Policy to Prevent Wa... http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windo...

Policy setting or registry key that you can apply to Windows 7 to disable SMB1. So, even thought I cant
believe I am saying this, I recommend that you create a logon script to run the command that disables the
protocol. While even the very mention of logon scripts for a Group Policy guy like my self it total blasphemy in
this case, I would certainly consider it the lesser of two evils.

As always to begin you need to create a Group Policy object to the computer that you want to apply the
settings. Then you need to edit the policy and navigate to Computer Configuration > Windows Settings >
Scripts. Then double click on Startup and then click the Show Files button.

Windows Explorer will now open up to the Scripts folder in the GPO you have created and here you can just
right click and create a New Text Document.

Here just create a text file with the two command line as per above and save the file as disablesmb1.cmd (or
something like that).

Now go back to the Startup Properties windows and click Add then click Browse and select the file you
just created and then click ok.

2 of 4 5/14/17, 6:48 PM
How to disable SMB 1 on Windows 7 via Group Policy to Prevent Wa... http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windo...

The policy will now run a logon script then next time the computer reboots. It will disable the SMB 1 protocol
the next reboot after that and you will will very quickly have disabled it on all you Windows 7 computers.

Note: This will work on Windows 8.1 or later as well but in that case it would be far better to just run the one
line Powershell command that just simple removes the feature from the OS.

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Note: This will work on Windows 8.1 or later as well but in that case it would be far better to just run the one
line Powershell command that just simple removes the feature from the OS.

Additional References:

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-
smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-
windows-server-2012

Share this:

3 of 4 5/14/17, 6:48 PM
How to disable SMB 1 on Windows 7 via Group Policy to Prevent Wa... http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windo...

Tweet Share 5 Print Email More

Related

What is new in Windows 8 Windows 8.1 Group Policy Update Configuring a Software Library for
Performance Changes Group Policy Software Deployment

Filed underTutorials, Uncategorized | TaggedDisable, Group Policy, Intermediate, SMB 1, WannaCry, WannaCrypt, Wcry, Windows 7 | Comment |
Permalink

2016 Group Policy Central

Powered by WordPress | Theme F2 Metro.

4 of 4 5/14/17, 6:48 PM