
Samba protocol and Windows 10. Disable SMB1 to protect your Windows computer from attacks. Forced establishment of a connection to a network folder from the STB side

In connection with the recent outbreak of the WannaCry ransomware, which exploits an SMB v1 vulnerability, advice to disable this protocol has once again appeared online. Moreover, Microsoft strongly recommended disabling the first version of SMB back in September 2016. But disabling it can lead to unexpected consequences, some of them curious: I personally came across a company where, after the fight against SMB, the Sonos wireless speakers stopped playing.


To minimize the likelihood of shooting yourself in the foot, I want to remind you of the features of SMB and consider in detail the risks of disabling its older versions without thinking it through.


SMB (Server Message Block) is a network protocol for remote access to files and printers. It is the protocol used when connecting resources via \\servername\sharename. The protocol initially worked on top of NetBIOS using UDP ports 137, 138 and TCP 137, 139. With the release of Windows 2000, it began to work directly over TCP port 445. SMB is also used to log into and work in an Active Directory domain.


In addition to remote access to resources, the protocol is also used for interprocess communication through named pipes. The process is addressed by the path \\.\pipe\name.

The first version of the protocol, also known as CIFS (Common Internet File System), was created back in the 1980s, but the second version appeared only with Windows Vista, in 2006. The third version of the protocol came out with Windows 8. In parallel with Microsoft, the protocol was implemented and kept up to date in its open source implementation, Samba.


Each new version added improvements to the protocol aimed at increasing performance, security and support for new functions. At the same time, support for the old protocol versions was kept for compatibility. Of course, older versions had and still have plenty of vulnerabilities, one of which is used by WannaCry.


Under the spoiler, you will find a summary table of changes in SMB versions.

Version (operating system): added compared to the previous version

SMB 2.0 (Windows Vista / 2008):

  • Changed the number of protocol commands from 100+ to 19

  • Possibility of "pipeline" work: sending additional requests before receiving a response to the previous one

  • Symbolic link support

  • HMAC SHA256 message signature instead of MD5

  • Increased cache and write / read blocks

SMB 2.1 (Windows 7 / 2008R2):

  • Performance improvement

  • Higher MTU support

  • BranchCache service support, a mechanism that caches WAN requests in the local network

SMB 3.0 (Windows 8 / 2012):

  • Ability to build a transparent failover cluster with load balancing

  • Support for direct memory access (RDMA)

  • PowerShell cmdlet management

  • VSS support

  • AES-CMAC signature

  • AES-CCM encryption

  • Ability to use network folders to store Hyper-V virtual machines

  • Ability to use network folders to store Microsoft SQL databases

SMB 3.02 (Windows 8.1 / 2012R2):

  • Improvements to security and performance

  • Automatic balancing in the cluster

SMB 3.1.1 (Windows 10 / 2016):

  • AES-GCM encryption support

  • Integrity check before authentication using a SHA512 hash

  • Mandatory secure "negotiation" when working with SMB 2.x and higher clients

Counting the likely casualties

It is quite simple to see which version of the protocol is currently in use; the Get-SmbConnection cmdlet shows it:



Cmdlet output with network resources open on servers running different versions of Windows.


The output shows that a client that supports all protocol versions connects using the highest version the server supports. Of course, if the client supports only an old version of the protocol and that version is disabled on the server, the connection will not be established. On modern Windows systems, legacy support is enabled or disabled with the Set-SmbServerConfiguration cmdlet, and its state can be checked like this:


Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol


Turn off SMBv1 on a server running Windows 2012 R2.



Result when connecting from Windows 2003.


Thus, if you disable the old, vulnerable protocol, you can lose network functionality with old clients. Besides Windows XP and 2003, SMB v1 is also used in a number of software and hardware solutions (for example, a NAS on GNU/Linux using an old version of Samba).


Under the spoiler, I will give a list of manufacturers and products that will completely or partially stop working when you disable SMB v1.

Manufacturer: product (comment)

  • Barracuda: SSL VPN; Web Security Gateway backups

  • Canon: Scan to network share

  • Cisco: WSA / WSAv; WAAS (versions 5.0 and older)

  • F5: RDP client gateway; Microsoft Exchange Proxy

  • Forcepoint (Raytheon): "Some products"

  • HPE: ArcSight Legacy Unified Connector (older versions)

  • IBM: NetServer (version V7R2 and older); QRadar Vulnerability Manager (versions 7.2.x and older)

  • Lexmark: Firmware eSF 2.x and eSF 3.x

  • Linux Kernel: CIFS client (from 2.5.42 to 3.5.x)

  • McAfee: Web gateway

  • Microsoft: Windows (XP / 2003 and older)

  • MYOB: Accountants

  • NetApp: ONTAP (versions prior to 9.1)

  • NetGear: ReadyNAS

  • Oracle: Solaris (11.3 and older)

  • Pulse Secure: PCS (8.1R9 / 8.2R4 and older); PPS (5.1R9 / 5.3R4 and older)

  • QNAP: All storage devices (firmware older than 4.1)

  • RedHat: RHEL (versions prior to 7.2)

  • Ricoh: MFP, scan to network resource (In addition to a number of models)

  • RSA: Authentication Manager Server

  • Samba: Samba (older than 3.5)

  • Sonos: Wireless speakers

  • Sophos: Sophos UTM; Sophos XG firewall; Sophos Web Appliance

  • SUSE: SLES (11 and older)

  • Synology: Diskstation Manager (control only)

  • Thomson Reuters: CS Professional Suite

  • Tintri: Tintri OS, Tintri Global Center

  • VMware: Vcenter; ESXi (older than 6.0)

  • Worldox: GX3 DMS

  • Xerox: MFP, scan to network resource (firmware without ConnectKey Firmware)

The list is taken from the Microsoft website, where it is regularly updated.


The list of products using the old version of the protocol is quite large - before disabling SMB v1, you must definitely think about the consequences.
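
One way to find out which clients still speak SMB v1 to a file server before the protocol is switched off, as an added example that is not part of the original article: it lists live sessions by negotiated dialect and summarizes SMB1 audit events per client. It assumes a Windows version whose SmbShare module has the AuditSmb1Access setting and the Microsoft-Windows-SMBServer/Audit log (event ID 3000), and that the event text carries a "Client Address:" line; the function name Get-Smb1Usage is hypothetical.

```powershell
# Added example (not from the original article): list who is still talking
# SMB v1 to this file server before the protocol is switched off.
# Get-Smb1Usage is a hypothetical helper name. Run in an elevated session.

function Get-Smb1Usage {
    [CmdletBinding()]
    param(
        [int]$Days = 7,        # how far back to read audit events
        [switch]$EnableAudit   # turn SMB1 access auditing on if it is off
    )

    # Auditing only writes events; it does not block any client.
    $config = Get-SmbServerConfiguration
    if (-not $config.AuditSmb1Access) {
        if ($EnableAudit) {
            Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        } else {
            Write-Warning 'SMB1 auditing is off; rerun with -EnableAudit to start collecting events.'
        }
    }

    # 1. Sessions open right now whose negotiated dialect starts with "1".
    #    A client that supports newer versions negotiates the highest common
    #    one, so anything listed here cannot (or is configured not to) do better.
    Get-SmbSession |
        Where-Object { "$($_.Dialect)" -like '1*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = 'LiveSession'
                Client   = $_.ClientComputerName
                User     = $_.ClientUserName
                Count    = 1
                LastSeen = Get-Date
            }
        }

    # 2. Audit history: one event 3000 per SMB1 access. Devices that connect
    #    only occasionally (scanners, backup jobs) show up here even when
    #    they have no session open at the moment.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events |
        Group-Object -Property {
            # Assumed message layout: a line of the form "Client Address: <address>".
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = 'AuditEvent3000'
                Client   = $_.Name
                User     = $null
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
            }
        }
}

# Collect for a week or more, then review the list before disabling SMB v1.
Get-Smb1Usage -Days 14 | Sort-Object Client | Format-Table -AutoSize
```

An empty result after a representative period, including month-end jobs and rarely used devices, is the signal that disabling SMB v1 on this server should not cut anyone off.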

Disable

If there are no programs and devices using SMB v1 on the network, then, of course, it is better to disable the old protocol. While on Windows 8/2012 the SMB server side is disabled with the PowerShell cmdlet, on Windows 7/2008 you will need to edit the registry. This can also be done using PowerShell:


Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Or in any other convenient way. However, a reboot is required to apply the changes.


To disable SMB v1 support on a client, it is enough to disable the service responsible for it and fix the dependencies of the lanmanworkstation service. This can be done with the following commands:


sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

To disable the protocol across the entire network, it is convenient to use group policies, in particular Group Policy Preferences, which make it easy to work with the registry.



Creating a registry entry through group policies.


To disable the protocol on the server, just create the following parameter:

  • path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters;

  • new parameter: REG_DWORD with the name SMB1;

  • value: 0.


Create a registry key to disable SMB v1 on the server through Group Policy.


To disable SMB v1 support on clients, you need to change the value of two parameters.


First, disable the SMB v1 protocol service:

  • path: HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb10;

  • parameter: REG_DWORD named Start;

  • value: 4.


We update one of the parameters.


Then we will fix the dependency of the LanmanWorkstation service so that it does not depend on SMB v1:

  • path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation;

  • parameter: REG_MULTI_SZ named DependOnService;

  • value: three lines - Bowser, MRxSmb20 and NSI.


And replace with another.


After applying Group Policy, you must restart your organization's computers. After reboot, SMB v1 will no longer be used.

If it works, don't touch it

Oddly enough, this old commandment is not always useful: ransomware and Trojans can take hold in rarely updated infrastructure. However, careless disabling and updating of services can paralyze an organization just as well as viruses can.


Tell us, have you already disabled SMB of the first version? Were there many victims?

SMB, or Server Message Block, is a network communication protocol for sharing files, printers, and various other devices. There are three versions of SMB: SMBv1, SMBv2, and SMBv3. For security reasons, Microsoft recommends disabling SMB version 1, as it is outdated and uses technology that is almost 30 years old. To avoid infection with ransomware such as WannaCrypt, you need to disable SMB1 and install updates for the operating system. This protocol is used by Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2, so network file access to these OS versions will no longer be available. The same applies to some NAS devices, scanners, etc.

Disable SMB1 from Control Panel

Start -> Control Panel -> Programs and Features -> Turn Windows features on or off

Disable ‘SMB 1.0 / CIFS File Sharing Support’

Disable SMB1 via Powershell

Open a Powershell console with administrator rights and enter the following command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Disable SMB1 using Windows Registry

You can also disable SMBv1 by running regedit.exe and navigating to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a DWORD value named SMB1 in this key with the value 0.

Values to enable and disable SMB1:

  • 0 = Disabled
  • 1 = Enabled

After that, you need to install the update MS17-010. The update was released for all versions of Windows, including no longer supported Windows XP and Windows Server 2003.

And in conclusion, I would like to say that, despite installed antivirus and regular updates of the operating system, if your data is dear to you, you need to think about backup first.

Why and how to disable SMB1 in Windows 10/8/7

Summary

This article describes procedures to enable and disable Server Message Block (SMB) version 1, SMB version 2 (SMBv2), and SMB version 3 (SMBv3) in SMB client and server components.

Warning. We do not recommend disabling SMB v2 or 3. Disabling SMB v2 or 3 should only be used as a temporary troubleshooting measure. Do not leave SMB version 2 or 3 disabled.

On Windows 7 and Windows Server 2008 R2, disabling SMB version 2 will disable the following functionality.


  • Combining requests, allowing multiple SMB 2 requests to be sent as a single network request.

  • High volumes of read and write operations to optimize the use of fast networks.

  • Caching the properties of files and folders in which clients save local copies of files and folders.

  • Long-term descriptors to transparently reconnect to the server in the event of a temporary disconnection.

  • Enhanced message signatures where the HMAC SHA-256 hashing algorithm replaces MD5.

  • Improved scaling for file sharing (significantly increased the number of users, shares and open files to the server).

  • Support for symbolic links.

  • A client-side soft-lock lease model that limits the amount of data transferred between the client and the server, which improves the performance of high-latency networks and improves the scalability of the SMB server.

  • Large MTU support for full use of 10 Gigabit Ethernet.

  • Reduced power consumption - Clients with files open to the server can be in sleep mode.

On Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2016, disabling SMB version 3 will disable the following functionality (as well as the SMB version 2 functionality described in the previous list).

  • Transparent failover, in which clients fail over to cluster nodes during maintenance or outage without disruption.

  • Scaling - providing concurrent access to shared data across all cluster nodes.

  • Multichannel provides network link bandwidth aggregation and network resiliency across the various links available between the client and server.

  • SMB Direct - Provides support for RDMA networks for very high performance, low latency, and low CPU utilization.

  • Encryption - Provides end-to-end encryption of data and protects it from eavesdropping on untrusted networks.

  • Directory leasing reduces application response times in branch offices through caching.

  • Optimizes the performance of small data random read and write operations.


Additional Information

How to enable and disable SMB protocols on an SMB server

Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Windows PowerShell cmdlet Set-SMBServerConfiguration. It allows you to enable or disable SMB versions 1, 2, and 3 on the server.
Note. Enabling or disabling SMB version 2 in Windows 8 or Windows Server 2012 also enables or disables SMB version 3. This is due to the common stack used for these protocols.
After running the cmdlet

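  • To get the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

  • To disable SMB version 1 protocol on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

  • To disable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB2Protocol $false

  • To enable SMB version 1 protocol on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB1Protocol $true

  • To enable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-SmbServerConfiguration -EnableSMB2Protocol $true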


Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB server running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

Windows PowerShell 2.0 or later


  • To disable SMB version 1 protocol on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force



  • To disable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force



  • To enable SMB version 1 protocol on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force



  • To enable SMB versions 2 and 3 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force


Note. After making these changes, the computer must be restarted.

Registry editor

Attention! This article contains information about modifying the registry. It is recommended that you back up the registry before making any changes and learn how to restore it in case a problem occurs. For more information about how to back up, restore, and modify the registry, see the following article in the Microsoft Knowledge Base.

To enable or disable SMB version 1 protocol on an SMB server, configure the following registry key:

Registry subkey: Registry entry: SMB1
REG_DWORD: 0 = disabled
REG_DWORD: 1 = enabled
Default: 1 = Enabled

To enable or disable SMB version 2 protocol on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = disabled
REG_DWORD: 1 = enabled
Default: 1 = Enabled


  • To disable SMB version 1 protocol on an SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  • To enable SMB version 1 protocol on an SMB client, run the following commands:


    sc.exe config mrxsmb10 start= auto



  • To disable SMB versions 2 and 3 protocols on an SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled



  • To enable SMB versions 2 and 3 protocols on an SMB client, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto


Notes.

  • These commands should be entered at a command prompt with elevated privileges.

  • After making these changes, the computer must be restarted.

Hey! For those who are not familiar with the subject, I'll start from afar. On computers and laptops running Windows, the explorer has a separate "Network" tab. This tab displays devices from Network Neighborhood. That is, by opening the "Network" tab, we can see computers, network attached storage (NAS), multimedia devices (DLNA), flash drives and external drives that are connected to the router and configured for sharing. Simply put, those devices that are connected through one router (are on the same network) and on which the network discovery function is enabled (devices that can be discovered on the local network). Our router can also be displayed there (section "Network Infrastructure"), as can other devices.

Now I will explain what happened and why I decided to write this article at all. I have an ASUS router to which I connected a USB stick, and I set up shared access to this flash drive for all devices on the network. And what do you think: in the "Network" section on all computers this network drive appeared (it appears there as "Computer"), but it didn't show up on my computer. That is, my computer did not see the USB flash drive connected to the router, or other computers on this network. But the DLNA server running on the same router was displayed. That doesn't change anything, though, since I need regular network access to the drive.

Also, I could not access the flash drive when I typed its address //192.168.1.1 in the explorer. This address was immediately opened in the browser. And I was unable to connect this drive as a network drive. It just wasn't on the list of available devices in the network environment.

Such a problem, when Windows 7, Windows 8, or Windows 10 does not see network devices, is not uncommon. It doesn't have to be a USB stick, or external HDD which you connected to your router like in my case. Most often, they configure shared access between computers on a local network. And in the same way, they face the problem when computers are connected to the same network. (to one router), the sharing settings are correct, but the "Network" tab is empty. Or, only the router and your computer are displayed.

Since there can be many reasons and, accordingly, solutions, I will probably start with the simplest (which didn't help me) and at the end of this article I will share the solution that helped in my case. As a result, my laptop still saw all the devices on the network. Including a network drive and another computer that is also connected to this network.

But this does not mean that you have the same case. Therefore, I advise you to check all the settings in order.

Checking the sharing settings

We will consider two cases:

  1. When computers do not see each other on the local network.
  2. Sharing the NAS. We can have a flash drive, or HDD which is connected to the router, or a separate drive (aka NAS).

First case

For computers to be able to see each other and appear in the explorer in the "Network" section, they must be connected through the same router, or directly connected (by cable, or via Wi-Fi). Simply put, they must be on the same local network.

Further, on all computers (I don't know how many you have there), it is desirable to assign the network status "Home" (private). How to do this in Windows 10, I wrote in the article. In Windows 7, just go to the "Network and Sharing Center" and change the status of the current connection there.

If after that the computer still does not detect other computers (or vice versa), then let's check the sharing settings.

To do this, in the "Network and Sharing Center" window (if you do not know how to open it in Windows 10, then see the article) click on the "Change advanced sharing settings" item.

And for the current profile (usually "Private"), set the parameters as in the screenshot below.

Do it on all computers on the local network.


As a rule, these tips solve all problems with detecting computers on the local network.

Second case

When you have problems accessing your NAS. As in my case. Windows 10 did not see the USB drive that was connected to the ASUS router. Many routers now have a USB port for connecting drives and other devices, so the topic is relevant.

You need to make sure that this drive is defined in the settings of the router, and public access to it is enabled. It is clear that this is done differently on different routers. On ASUS routers, for example, it looks like this:


Don't confuse sharing settings with FTP settings. In this case, the FTP server settings on the router have nothing to do with it.

Well, if other devices see the network drive and have access to it, but on a particular computer there is no access to it, then the problem is not on the side of the router. Go through the settings of the "problem" PC in this article.

Antivirus or firewall might block network devices

If the antivirus or firewall installed on your computer does not like something, it can easily make it so that you cannot see other devices in the network environment and no one can find you either.

True, after disabling the firewall built into the antivirus, the problem was not solved (which means that the problem is most likely not in it), but it still seems to me that in my case the antivirus was involved.

Therefore, try to completely stop the antivirus for a while, or at least disable its built-in firewall. In NOD 32 it is done like this:

This check needs to be done on all computers that will participate in the local network.

It is possible that you have installed some other programs that can monitor the network and manage network connections.

If it turns out that the problem is in the antivirus, then you need to add your network to the exceptions. Prevent the firewall from blocking the network itself, or network devices.

If you do not have antivirus, then you can experiment with disabling / enabling the Windows built-in firewall.

Workgroup

The workgroup should be the same on all devices. As a rule, it is. But it is advisable to check. To do this, open the computer properties "System" and go to "Advanced system settings".

The "Workgroup" will be listed there. To change it, you need to click on the "Change" button.

Once again, the workgroup name must be the same on all computers.

If you have a problem accessing your NAS (a USB flash drive through a router), then the workgroup is also specified in the sharing settings on the same ASUS router. You can see it in the screenshot above in the article. It should be the same as on the computer.

Problem with accessing a shared network folder over SMB1 on Windows 10 (my solution)

Let's go back specifically to my problem. Everything that I described above has been checked and rechecked 10 times already. I did it a couple of times, but Windows 10 never saw other computers on the network, and most importantly, the shared folder in the form of a flash drive connected to the router did not appear in the explorer. And on other devices on the network, everything was detected without problems. Including my laptop.

I read somewhere that you can try to open the shared folder through the Run window. Pressed the key combination Win + R, entered the address of the network folder //192.168.1.1 (aka the address of the router).

I did not get access to the drive, but an interesting error appeared:

You cannot connect to the shared folder because it is insecure. This shared folder uses the legacy SMB1 protocol, which is insecure and could put your system at risk of attack.

Your system must be using SMB2 or later.

This is already interesting. At least something.

SMB (Server Message Block) is a network protocol that is responsible for sharing files, printers and other network devices.

I started looking. And it turns out that Windows 10 has dropped the SMB1 protocol. For security. And the Samba software package installed on my router runs over the SMB1 protocol. Therefore, Windows 10 does not see it. But other computers that also work on Windows 10 were also not displayed on the "Network" tab for me.

Since I could not update the protocol to SMB2 in the router settings, I decided that I needed to somehow enable SMB1 support in Windows 10. And as it turned out, this can be done without any problems. As a result, after connecting the "Client SMB 1.0 / CIFS" component, everything worked for me. The system saw shared folders on computers on the network and a network folder configured on the router itself.

How to enable SMB1 in Windows 10?

Search for and open the old "Control Panel".

Switch to Small Icons and open Programs and Features.

Open "Turn Windows features on or off". We find the item "Support for sharing files SMB 1.0 / CIFS". Open it and put a tick next to "SMB 1.0 / CIFS Client". Click Ok.

If the computer is prompted to restart, then restart it. If there is no window with a proposal, then reboot manually.

After rebooting, all available devices on your network should appear on the "Network" - "Computer" tab.

I would be glad if this article is useful to someone and helps to solve the problem. Do not forget to write in the comments about the results. Or ask a question, where can we go without them 🙂


In the New Registry Properties dialog box, select the following:

  • Action: Create

  • Hive: HKEY_LOCAL_MACHINE

  • Key path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

  • Value name: SMB1

  • Value type: REG_DWORD

  • Value data: 0

This will disable the SMB version 1 server components. This Group Policy must be applied to all required workstations, servers, and domain controllers in the domain.

Note. WMI Filters can also be configured to exclude unsupported operating systems or selected exceptions such as Windows XP.

Attention! Be careful when making these changes on domain controllers where legacy systems such as Windows XP, or Linux and third-party systems (which do not support SMB version 2 or SMB version 3), require access to SYSVOL or other shared folders where SMB version 1 has been disabled.


Disable SMB version 1 client with Group Policy

To disable the SMB version 1 client, the service registry key must be updated to prevent MRxSMB10 from starting, and then the dependency on MRxSMB10 must be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to start first.

This update replaces the default values in the following two registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Parameter: Start REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Parameter: DependOnService REG_MULTI_SZ: "Bowser", "MRxSmb20", "NSI"

Note. By default this entry contains MRxSMB10, which is now deprecated as a dependency.

To configure using Group Policy:


  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, then click Edit.

  2. In the console tree under Computer Configuration, expand the Preferences folder, then expand the Windows Settings folder.

  3. Right-click the Registry node, click New and select Registry Item.

In the New Registry Properties dialog box, select the following:

  • Action: Update

  • Hive: HKEY_LOCAL_MACHINE

  • Key path: SYSTEM\CurrentControlSet\services\mrxsmb10

  • Value name: Start

  • Value type: REG_DWORD

  • Value data: 4

Then remove the dependency on MRxSMB10, which was just disabled.

In the New Registry Properties dialog box, select the following:

  • Action: Replace

  • Hive: HKEY_LOCAL_MACHINE

  • Key path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation

  • Value name: DependOnService

  • Value type: REG_MULTI_SZ

  • Value data:

    • Bowser

    • MRxSmb20

    • NSI

Note. These three lines will not have bullets (see below).

In many versions of Windows the default value includes MRxSMB10, so replacing it with this multi-value string removes MRxSMB10 as a dependency for LanmanServer and goes from the four default values to only the three described above.

Note. When using Group Policy Management Console, you do not need to use quotation marks or commas. Just enter each record on a separate line as above

Restart required:

After applying the policy and entering the registry settings, SMB version 1 will be disabled after a system reboot.

Summary

If all the settings are in the same Group Policy Object (GPO), then Group Policy Management will display the settings below.

Testing and validation

Once configured, allow the policy to replicate and update. Since this is necessary for testing, run gpupdate /force from a CMD.EXE prompt and then check the target machines to ensure the registry settings are applied correctly. Make sure SMB version 2 and SMB version 3 work for all systems in your environment.

Attention! Remember to reboot target systems.
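
One way to check a target machine after the policy has been applied, as an added example that is not part of the original article or of Microsoft's instructions: it reads the server setting, the mrxsmb10 Start value and the LanmanWorkstation dependency list described above and reports each as pass or fail, plus whether the driver is still loaded because the reboot has not happened yet. The helper names Get-RegValue and Test-Smb1Disabled are hypothetical; PowerShell 3.0 or later and an elevated session are assumed.

```powershell
# Added example (not from the original article): verify on one machine that
# the SMB v1 settings described on this page took effect.
# Get-RegValue and Test-Smb1Disabled are hypothetical helper names.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-Smb1Disabled {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server side. Prefer the cmdlet (Windows 8 / 2012 and later); fall back
    # to the SMB1 registry value, whose default when missing is 1 (enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $source  = 'Get-SmbServerConfiguration'
    } else {
        $value   = Get-RegValue "$services\LanmanServer\Parameters" 'SMB1'
        $enabled = ($null -eq $value) -or ($value -ne 0)
        $source  = 'LanmanServer\Parameters\SMB1'
    }
    [pscustomobject]@{
        Check = "Server SMB1 ($source)"; Expected = 'disabled'
        Actual = $(if ($enabled) { 'enabled' } else { 'disabled' }); Pass = -not $enabled
    }

    # Client driver: Start must be 4 (disabled). A missing key means the
    # SMB1 client component is not installed, which also passes.
    $start = Get-RegValue "$services\mrxsmb10" 'Start'
    [pscustomobject]@{
        Check = 'Client mrxsmb10 Start'; Expected = '4'
        Actual = $(if ($null -eq $start) { 'not installed' } else { "$start" })
        Pass = ($null -eq $start) -or ($start -eq 4)
    }

    # LanmanWorkstation must no longer depend on MRxSmb10 and must still
    # depend on MRxSmb20 (-contains compares case-insensitively).
    $deps = @(Get-RegValue "$services\LanmanWorkstation" 'DependOnService')
    [pscustomobject]@{
        Check = 'LanmanWorkstation DependOnService'; Expected = 'Bowser, MRxSmb20, NSI'
        Actual = ($deps -join ', ')
        Pass = ($deps -notcontains 'MRxSmb10') -and ($deps -contains 'MRxSmb20')
    }

    # The registry changes only take effect after a reboot: a driver that is
    # still running while Start is 4 means the restart is pending.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'" -ErrorAction SilentlyContinue
    $state  = if ($driver) { $driver.State } else { 'not installed' }
    [pscustomobject]@{
        Check = 'mrxsmb10 driver state'; Expected = 'not running'
        Actual = $state; Pass = ($state -ne 'Running')
    }
}

Test-Smb1Disabled | Format-Table -AutoSize
```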