Disable SMBv1 with PowerShell

You will need to disable SMBv1 across the whole network, and an easy way of doing it is with PowerShell.

If you are getting rid of SMBv1 and you haven’t read my previous article, Disable SMBv1 with Group Policy, please check it out, especially if you want to disable SMBv1 on an entire domain.

You will need PowerShell 2.0 or later for the following commands, and you must restart the machine after running them. Run both the Disable SMBv1 – Server and the Disable SMBv1 – Client commands, on Windows Server and Windows client editions alike. Always have a backup before changing anything. At the bottom of the article you will find the commands to enable it again, in case something breaks. As I mentioned in my previous article, if you are still running Windows XP / Server 2003 in your network, don’t do it, because these old and expired versions of Windows do not support anything above SMBv1. In case you are wondering if

Disable SMBv1 – Server

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

Disable SMBv1 – Client

  • For Microsoft Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi  #not needed for Windows 8.1 and Windows 2012 R2
sc.exe config mrxsmb10 start= disabled

  • For Windows 8.1 and Windows Server 2012 R2:

sc.exe config mrxsmb10 start= disabled

On Windows Server 2016 and Windows 10 you can completely uninstall SMBv1 support, with the following PowerShell commands:

Remove-WindowsFeature -Name FS-SMB1 #Remove SMBv1 Server support
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol #Remove SMBv1 Client Support

On Windows 8.1 and Windows Server 2012 R2 you can run the Get-SmbServerConfiguration cmdlet to check the server configuration and see which SMB versions are enabled or disabled, and more:

Get-SmbServerConfiguration
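
To confirm that the commands above took hold on a machine, the following added example (not part of the original article) reads back the same registry values and, where available, Get-SmbServerConfiguration. The function name Get-Smb1State and the output property names are assumptions made for this example; run it elevated.

```powershell
# Added example: report the configured SMBv1 state of the local machine.
# Registry values show the configuration; it only takes effect after a restart.
function Get-Smb1State {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server: SMB1 = 0 is disabled; a missing value means the OS default applies.
    $smb1 = (Get-ItemProperty -Path "$services\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $smb1) { $server = 'NotConfigured' }
    elseif ($smb1 -eq 0) { $server = 'Disabled' }
    else                 { $server = 'Enabled' }

    # Client: Start = 4 is what "sc.exe config mrxsmb10 start= disabled" writes.
    # A missing key means the SMBv1 client driver is not installed at all.
    $start = (Get-ItemProperty -Path "$services\mrxsmb10" -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { $client = 'DriverNotPresent' }
    elseif ($start -eq 4) { $client = 'Disabled' }
    else                  { $client = "Enabled (Start=$start)" }

    # LanmanWorkstation should no longer list mrxsmb10 as a dependency.
    $deps = (Get-ItemProperty -Path "$services\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $dependsOnSmb1 = @($deps) -contains 'mrxsmb10'

    # Where the SMB cmdlets exist, also record the server's own view.
    $cmdletView = 'n/a'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cmdletView = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Server counts as off if the registry says so or the cmdlet reports $false.
    $serverOff = ($server -eq 'Disabled') -or ($cmdletView -eq $false)
    $clientOff = ($client -eq 'Disabled') -or ($client -eq 'DriverNotPresent')

    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        ServerSMB1           = $server
        ClientSMB1           = $client
        WorkstationDependsOn = $dependsOnSmb1
        EnableSMB1Protocol   = $cmdletView
        Compliant            = $serverOff -and $clientOff -and (-not $dependsOnSmb1)
    }
}

Get-Smb1State | Format-List
```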

Read more about how to disable or enable any SMB version at How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.

To re-enable SMBv1 in case something broke with the previous commands:

SMBv1 – Server

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 1 -Force

SMBv1 – Client

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi  #no need to run this for Windows 8.1 and Windows Server 2012 R2
sc.exe config mrxsmb10 start= auto

Disable SMBv1 with Group Policy

If you are planning to disable SMBv1 with Group Policy, Microsoft has made it even easier for you. In the latest Security Baseline, “Creators Update” (v1703), Microsoft released the “MS Security Guide” ADMX template, with which you can configure SMBv1 for client and server via Group Policy. To make it work, copy SecGuide.admx into your Central Store PolicyDefinitions directory, and SecGuide.adml into the en-us subdirectory.

Warning: Do not disable SMBv1 if you are using an old OS, such as Windows XP or Windows 2003, in your environment (if you are using those old and expired OSes, you are not secure anyway!).

Read Microsoft’s article on disabling SMBv1 through Group Policy before changing anything, and please notice the BIG warning about the Configure SMBv1 client extra setting: WARNING: DO NOT SELECT THE “DISABLED” RADIO BUTTON UNDER ANY CIRCUMSTANCES!

[Screenshots: Settings to Disable SMBv1 with Group Policy]

SMBv1 is very old, almost 30 years old, and is used only by old operating systems: Windows XP / Windows Server 2000 and older. With Windows Vista / Windows Server 2008, Microsoft introduced SMB 2.0, followed by SMB 2.1 with Windows 7 / Windows Server 2008 R2. SMB 3.0 made its appearance with Windows 8 / Windows Server 2012, and SMB 3.0.2 with Windows 8.1 / Windows Server 2012 R2. The latest version of SMB is SMB 3.1.1, which was introduced with Windows 10 and Windows Server 2016.

SMBv1 is not secure at all and even its owner, Ned Pyle, is begging you to stop using it in his article, Stop using SMB1.

Sign PowerShell Scripts With An Enterprise PKI

PowerShell Execution Policy can be used as a control policy to protect administrators, or even users, from accidental script execution. Do not think of it as a security measure, because it will not stop anyone from copying and pasting the content of a script into the command line or running each script command by hand.

The Get-ExecutionPolicy cmdlet will show you the current policy on the machine and you can change the policy with the Set-ExecutionPolicy cmdlet and choose one of the following execution policies:

  • Restricted: No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned: Only scripts signed by a trusted publisher can be run.
  • RemoteSigned: Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted: No restrictions; all Windows PowerShell scripts can be run with a confirmation prompt.
  • Bypass: No restrictions; all Windows PowerShell scripts can be run.

You can set the execution policy across your domain using Group Policy. Create a new group policy (or add to an existing one), expand Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell and edit the Turn on Script Execution policy.

The recommended policies for a controlled enterprise environment are AllSigned or RemoteSigned. If you set the Execution Policy to one of these, you need to sign your PowerShell scripts for things to run smoothly.

In this article I will describe the full procedure with all the steps, to sign PowerShell scripts in your environment, assuming that you have at least a domain controller in your environment and a Public Key Infrastructure (PKI).

Step 1. First we need to create the code signing certificate template, which we will enable on the Issuing Certificate Server.

On your CA Issuing server, open the Certificate Authority tool, right click on the Certificate Templates container and select Manage.

Locate the Code Signing template in the Certificate Templates Console, right click it and select Duplicate Template.

Set the properties of the new template according to your environment. Below are the settings of my Code Signing template on my test environment. Leave the remaining properties at their default settings if you are not sure what to change. Notice the Security tab: I have allowed the Enroll permission for the PKI_Enroll_redmad.com_Code_Sign_24M security group (this is a global security group created in AD, whose members will be authorized to enroll for a code signing certificate).

Close the Certificate Templates Console. In the Certificate Authority tool, right click on Certificate Templates once again and select New – Certificate Template To Issue.

In the Enable Certificate Templates window, select the template we have just created and click OK.

Step 2. Add your users in the members of the group with certificate enrollment permission

The group I created above is PKI_Enroll_redmad.com_CodeSign_24M, whose members will be able to sign PowerShell scripts. I will add my user, espresso.

Step 3. Request a code signing certificate from the Issuing CA

Log in as the user who is a member of the above group and request the certificate.

Open Microsoft Management Console (mmc.exe), and go to File – Add/Remove Snap-in…
Select Certificates from the Available snap-ins, click Add and select My user account, to open the store of the current user. Click OK.

Go to the Personal container, right click and select All Tasks, Request New Certificate.

Click Next, select Active Directory Enrollment Policy and click Next. A list of the available certificate templates will appear. Select the one we created above and click Enroll (if you do not see the certificate template we created, log off and log on again).

You should see STATUS: Succeeded

Click Finish. In the Personal container you should now see the certificate to sign PowerShell scripts.

Step 4. Deploy the code signing certificate in the Trusted Publishers Store

Export the code signing certificate.

You will export only the public part of the certificate (not the private key).

In the file format, choose Base-64 encoded (or DER).

Specify the name of the file you want to export, then click Next and Finish.

Open Group Policy Management and create a new policy object to deploy the code signing certificate across your domain.

Name the new policy.

Then edit the policy and expand Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers. Right click on Trusted Publishers and select Import.

The Certificate Import Wizard will pop up; click Next and locate the certificate you exported.

Continue with Next, and notice that the wizard will place the selected certificate in Trusted Publishers.

Make sure that the group policy object you created previously is applied to the machine you are logged on to (and to the machines on which you are going to run the signed PowerShell scripts).
Run gpupdate /force to enforce the policy settings.

So, now we have the certificate to sign PowerShell Scripts and also we trust this certificate as a Publisher.

Step 5. Signing the script

I will use the following script, version.ps1

To sign the script, we will use the Set-AuthenticodeSignature cmdlet.

First we need to save the code signing certificate in a variable.

Then sign the script.

You can now check your script and see that it is signed.

Your script is now signed. Repeat Step 5 for all your scripts.
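
The three actions of Step 5 (save the certificate in a variable, sign, check), written out as an added example that is not the article's own code. It assumes version.ps1 sits in the current directory and that the certificate from Step 3 is in the current user's Personal store; $timestampUrl is a hypothetical setting you would point at your own timestamp service.

```powershell
# Added example for Step 5. Assumption: version.ps1 is in the current directory.
$scriptPath   = '.\version.ps1'
# Assumption: no timestamp service configured; set this to your own server's URL.
$timestampUrl = $null

# Save the code signing certificate in a variable: newest unexpired certificate
# with a private key from the current user's Personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code signing certificate in Cert:\CurrentUser\My.' }

# Step 4 check: the same certificate must be in the machine's Trusted Publishers store.
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trusted) {
    Write-Warning 'Certificate is not in Trusted Publishers; check the GPO and run gpupdate /force.'
}

# Sign the script. A timestamp keeps the signature verifiable after the certificate expires.
$signArgs = @{ FilePath = $scriptPath; Certificate = $cert }
if ($timestampUrl) { $signArgs.TimestampServer = $timestampUrl }
Set-AuthenticodeSignature @signArgs | Out-Null

# Check the result and make sure it was signed with the certificate we selected.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Script is signed by a different certificate than the one selected.'
}

# Show what the signature protects: a copy edited after signing no longer verifies.
$copy = Join-Path $env:TEMP 'version-tampered.ps1'
Set-Content -Path $copy -Value (@('# modified after signing') + (Get-Content -Path $scriptPath))
$tampered = Get-AuthenticodeSignature -FilePath $copy

'{0}: {1}' -f $scriptPath, $sig.Status
'{0}: {1}' -f $copy, $tampered.Status
Remove-Item -Path $copy
```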