How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows (2024)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 11, Windows 10, Windows 8.1, Windows 8

This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities, and we strongly encourage you not to use it. SMB 1.0 isn't installed by default in any edition of Windows 11 or Windows Server 2019 and later. SMB 1.0 also isn't installed by default in Windows 10, except Home and Pro editions. We recommend that instead of reinstalling SMB 1.0, you update the SMB server that still requires it. For a list of third parties that require SMB 1.0 and their updates that remove the requirement, review the SMB1 Product Clearinghouse.

Disabling SMBv2 or SMBv3 for troubleshooting

We recommend keeping SMBv2 and SMBv3 enabled, but you might find it useful to disable one temporarily for troubleshooting. For more information, see How to detect status, enable, and disable SMB protocols on the SMB Server.

In Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012, disabling SMBv3 deactivatesthe following functionality:

• Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
• Scale Out - concurrent access to shared data on all file cluster nodes
• Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
• SMB Direct - adds RDMA networking support for high performance, with low latency and low CPU use
• Encryption - Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
• Directory Leasing - Improves application response times in branch offices through caching
• Performance Optimizations - optimizations for small random read/write I/O

In Windows 7 and Windows Server 2008 R2, disabling SMBv2deactivates the following functionality:

• Request compounding - allows for sending multiple SMBv2 requests as a single network request
• Larger reads and writes - better use of faster networks
• Caching of folder and file properties - clients keep local copies of folders and files
• Durable handles - allow for connection to transparently reconnect to the server if there's a temporary disconnection
• Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
• Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
• Support for symbolic links
• Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
• Large MTU support - for full use of 10 Gigabit Ethernet (GbE)
• Improved energy efficiency - clients that have open files to a server can sleep

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. For more information about SMBv2 and SMBv3 capabilities, see the following articles:

• Server Message Block overview
• What's New in SMB

How to remove SMBv1 via PowerShell

Here are the steps to detect, disable and enable SMBv1 client and server by using PowerShell commands with elevation.

• Detect:

  Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

• Disable:

  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

• Enable:

  Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Windows Server 2012 Windows Server 2012 R2, Windows Server 2016, Windows Server 2019: Server Manager method

To remove SMBv1 from Windows Server:

1. On the Server Manager Dashboard of the server where you want to remove SMBv1, under Configure this local server, select Add roles and features.
2. On the Before you begin page, select Start the Remove Roles and Features Wizard, and then on the following page, select Next.
3. On the Select destination server page under Server Pool, ensure that the server you want to remove the feature from is selected, and then select Next.
4. On the Remove server roles page, select Next.
5. On the Remove features page, clear the check box for SMB 1.0/CIFS File Sharing Support and select Next.
6. On the Confirm removal selections page, confirm that the feature is listed, and then select Remove.

Windows 8.1, Windows 10, and Windows 11: Add or Remove Programs method

To disable SMBv1 for the mentioned operating systems:

1. In Control Panel, select Programs and Features.
2. Under Control Panel Home, select Turn Windows features on or off to open the Windows Features box.
3. In the Windows Features box, scroll down the list, clear the check box for SMB 1.0/CIFS File Sharing Support and select OK.
4. After Windows applies the change, on the confirmation page, select Restart now.

How to detect status, enable, and disable SMB protocols

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Registry entry: SMB1REG_DWORD: 0 = DisabledREG_DWORD: 1 = EnabledDefault: 1 = Enabled(No registry key is created)

Registry entry: SMB2REG_DWORD: 0 = DisabledREG_DWORD: 1 = EnabledDefault: 1 = Enabled(No registry key is created)

Disable SMBv1 by using Group Policy

This section introduces how to use Group Policy to disable SMBv1. You can use this method on different versions of Windows.

Auditing SMBv1 usage

To determine which clients are attempting to connect to an SMB server with SMBv1, you can enable auditing on Windows Server 2016, Windows 10, and Windows Server 2019. You can also audit on Windows 7 and Windows Server 2008 R2 if the May 2018 monthly update is installed, and on Windows 8.1 and Windows Server 2012 R2 if the July 2017 monthly update is installed.

• Enable:

  Set-SmbServerConfiguration -AuditSmb1Access $true

• Disable:

  Set-SmbServerConfiguration -AuditSmb1Access $false

• Detect:

  Get-SmbServerConfiguration | Select AuditSmb1Access

When SMBv1 auditing is enabled, event 3000 appears in the "Microsoft-Windows-SMBServer\Audit" event log, identifying each client that attempts to connect with SMBv1.

Summary

If all the settings are in the same GPO, Group Policy Management displays the following settings.

Testing and validation

After completing the configuration steps in this article, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMBv2 and SMBv3 are functioning for all other systems in the environment.