Microsoft Will Disable SMB1 Client: What Does This Mean for Your Customers?

Credit: Getty Images

Author: Marc-Andre Tanguay, head automation nerd, N-able

As Microsoft announces it will disable SMB1 client, here are some scripts that will help MSPs to remove any instances of the software.

To be clear, SMB V1 has been deprecated, unsecure, and not recommended for a long time. But Microsoft is now taking the next step toward removing it from Windows entirely.

In recent years, Microsoft had stopped installing SMB1 server on all Windows versions by default; however, they have kept installing the SMB1 client in Home and Pro versions of Windows. This was meant to allow end users to connect to various devices, including NAS, which only supported SMB1. Microsoft was uninstalling SMB1 after 15 days of uptime on computers that didn’t use the protocol at all.

The new insider builds of Windows no longer have any version of SMB1 enabled by default. While current installs of Windows which are updated do seem to retain SMB1 functionality, at least for now.

Now, Microsoft has announced that it will be fully removing the SMB1 binaries in a future (as yet unspecified) release. This means that, in the near future, Windows and Windows Server will no longer have the ability to easily install the SMB1 client. Microsoft has said it will provide an SMB1 client that can be manually installed, but it has stated that this will be unsupported.

Now that the news is out of the way, what does this actually mean?

Finding SMB1 with automation

Probably not much for most people, but it will be important to check around and see if SMB1 is enabled on any end-user devices. Sometime ago, we published a batch file to disable SMB1 and enable SMB2, and I thought it would also be important to create a monitoring script for SMB1. To that end, I have included a script below that allows you to identify devices on which SMB1 is enabled. Depending on what RMM platform you use, you should be able to adapt it to export the information to a field, create a monitoring that will trigger a failed state if it is enabled, and possibly run the SMB1 disable script as a self-healing action.

If you want to use this in your own (non-N-able) RMM, modify the script to either trigger a failure (Exit 1000 code for example) or save the value to a field, etc.

If you want to use this in N-able RMM, we recommend you upload it as a script check (as part of your DSC). The RMM version above will automatically trigger a failed state if SMB1 is enabled

If you want to use this in N-central, we recommend you upload the script to your script repository and create a custom service from it. The threshold should be whether the field contains “Enabled” or not. If it does, make the service go failed. Then, apply it to your desired devices to see where the potential problems are.

What to do if you find SMB1

Ultimately, if you find that SMB1 is enabled, you have a few options:

  1. Disable SMB1 in favor of SMB2 and see if anyone complains. This is a bit aggressive but will get rid of the issue.
  2. Contact the companies/end users who have SMB1 enabled, warn them that it will be disabled, review devices in their environment (this will most likely be required for older NAS devices), and, based on that, then disable SMB1.
  3. Contact the companies/end users and let them make their decision.

The good news is that you still have some time. SMB1 will remain available until this fall at least. Whenever it is disabled, you’ll have the option to re-install it manually via the provided binaries. For now, be safe, find the problematic devices, and work your way through a more secure environment.


This guest blog is courtesy of N-able. Marc-Andre Tanguay is Head Automation Nerd at N-able. You can follow him on Twitter at @automation_nerd. Read more N-able guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program

Return Home

1 Comment

Comment

    Jamie L:

    It’s about time it get’s disabled for good… No native encryption, no thanks!

Leave a Reply

Your email address will not be published.