The Server Message Block (SMB) protocol is a critical component of Windows networking, enabling file and printer sharing across devices on a network. While newer versions offer improved security and performance, the legacy SMB1 protocol remains available in Windows systems (despite serious security vulnerabilities that have led to devastating malware attacks like WannaCry).
This guide will walk you through the process of disabling SMB1 in Windows, as well as how to enable or disable SMB1 file sharing protocol for legacy devices, helping you balance necessary functionality with security.
Why disable SMB1?
The SMB1 protocol contains significant security vulnerabilities that have been exploited in major cyberattacks, most notably the WannaCry ransomware attack of 2017 which affected over 200,000 computers across 150 countries. This devastating attack specifically exploited the EternalBlue vulnerability in SMB1, enabling attackers to execute arbitrary code on targeted systems and rapidly spread across networks.
Microsoft has strongly recommended disabling SMB1 since 2016, formally deprecating it in Windows 10 and Windows Server 2016. Starting with Windows 10 Fall Creators Update and Windows Server 2019, the SMB1 client is no longer installed by default, and Microsoft has stated that “there is no scenario where SMB1 is still the right choice.”
In further reinforcement of this position, Microsoft now penalizes organizations using SMB1 through their secure score assessments, actively pushing businesses to eliminate this protocol from their environments.
Organizations that migrate away from SMB1 not only improve their security posture but also benefit from more efficient network operations, as newer SMB versions offer substantial performance and reliability upgrades. SMB2 delivers up to 30% faster performance in many file operations while reducing network packets by up to 40%. SMB3 further enhances these capabilities with features like multi channel connections for increased throughput, transparent failover for better reliability, and robust AES-based encryption to protect data in transit.
How to check if SMB1 is enabled in Windows
Using PowerShell
To check if SMB1 is enabled on your system, open PowerShell as Administrator and use these commands:
Check SMB1 Protocol status:
Get-SmbServerConfiguration | Select EnableSMB1Protocol
View all SMB versions installed:
Get-WindowsOptionalFeature -Online -FeatureName “SMB*”
Verifying in Control Panel
- Open Control Panel
- Navigate to Programs → Programs and Features
- Click “Turn Windows features on or off”
- Look for “SMB 1.0/CIFS File Sharing Support” in the list
- If the checkbox is selected, SMB1 is enabled
Registry Check
For a more thorough verification, especially on older systems:
- Open Registry Editor (Run → regedit)
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Look for the SMB1 entry
- If the value is 1, SMB1 is enabled; if 0, it’s disabled
- If the entry doesn’t exist, SMB1 is likely enabled by default on older systems
How to disable SMB1 in Windows 10/11
Via Windows Features (GUI method)
- Press Win + R, type control panel and press Enter
- Navigate to Programs → Programs and Features
- Click Turn Windows features on or off
- Locate and uncheck SMB 1.0/CIFS File Sharing Support
- Click OK to apply changes
How to disable SMB1 in Windows 10 using PowerShell
Run PowerShell as Administrator and use these commands:
Disable SMB1 Client:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disable SMB1 Server:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Via Group Policy (for system administrators)
- Open Group Policy Management Console
- Create or edit a GPO linked to your target OU
- Navigate to Computer Configuration → Administrative Templates → MS Network Client → Microsoft Network Client
- Set “Configure SMB v1 client driver” to “Disabled”
- Navigate to Computer Configuration → Administrative Templates → MS Network Server → Microsoft Network Server
- Set “Configure SMB v1 server” to “Disabled”
Reboot requirements and verification
- A system restart is required for changes to take effect
- After rebooting, verify SMB1 is disabled using:
Get-SmbServerConfiguration | Select EnableSMB1Protocol - The command should return “False” if SMB1 is successfully disabled
How to enable SMB1 in Windows 10/11 (Only if absolutely necessary!)
Enabling SMB1 introduces significant security risks to your network. Only enable this protocol as a last resort and with full understanding of the vulnerabilities.
Via Windows Features (GUI method):
- Press Win + R, type control panel and press Enter
- Navigate to Programs → Programs and Features
- Click Turn Windows features on or off
- Find SMB 1.0/CIFS File Sharing Support
- Check the box and click OK
Via PowerShell (Administrative):
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
To enable SMB1 Server:
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
Security considerations
- Enabling SMB1 exposes your system to known exploits including EternalBlue
- No security patches will be released for SMB1 as it’s deprecated
- Systems running SMB1 may violate compliance requirements (GDPR, HIPAA, PCI)
- Microsoft security assessments will penalize your organization
Isolation recommendations
If you must use SMB1:
- Place legacy systems on isolated network segments
- Implement strict firewall rules to limit SMB1 traffic
- Disable SMB1 on all internet-facing systems
- Use VLANs to separate SMB1 traffic from your main network
- Consider application-level alternatives or middleware to avoid SMB1 entirely
What is SMB1?
Server Message Block version 1 (SMB1) is the original implementation of Microsoft’s file sharing protocol that dates back to the 1980s. Initially developed as part of the Microsoft LAN Manager product, SMB1 became an integral part of Windows networking, enabling basic file sharing, printer access, and remote service requests between networked computers. This protocol laid the groundwork for networked Windows environments, but was designed in an era when network security concerns were vastly different than today.
SMB2 brought significant improvements over SMB1, including enhanced performance, reduced network traffic, better security through stronger encryption, and support for larger file sizes.
SMB3, released with Windows 8 in 2012, further improved the protocol with features like end-to-end encryption, performance optimizations for virtualized environments, and enhanced protection against man-in-the-middle attacks. While SMB1 uses a simple challenge-response authentication system that’s vulnerable to attacks, SMB3 implements AES-based encryption and more robust security measures.
SMB1 on Windows Server versions
Windows Server handles SMB1 differently across versions, reflecting Microsoft’s progressive efforts to eliminate this vulnerable protocol:
Windows Server 2012/2012 R2
- SMB1 enabled by default
- Can be disabled through Server Manager → Add Roles and Features
- PowerShell command:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Windows Server 2016
- SMB1 installed but not enabled by default
- First server version with formal SMB1 deprecation
- Server Manager shows SMB1 as a deprecated feature
- PowerShell verification:
Get-WindowsFeature FS-SMB1
Windows Server 2019
- SMB1 not installed by default
- Installation requires explicit action
- PowerShell installation (if absolutely necessary):
Install-WindowsFeature FS-SMB1 -IncludeAllSubFeature -IncludeManagementTools
Windows Server 2022
- SMB1 completely removed from installation media
- Requires workarounds to install
- Administrative options focused on ensuring SMB1 remains disabled
- Introduces SMB over QUIC as a more secure alternative to all SMB versions
All server versions support Group Policy management of SMB1 through:
- Computer Configuration → Administrative Templates → MS Network Server
- Setting: “Configure SMB v1 server”
Compatibility considerations
Devices and services that may still rely on SMB1
Legacy devices and systems that might still require SMB1 include older Network Attached Storage (NAS) devices manufactured before 2016, many of which lack firmware updates to support newer SMB versions. Multifunction printers and document scanners released before 2015 often rely exclusively on SMB1 for network file transfers.
Other systems that may require SMB1 include embedded industrial control systems, point-of-sale terminals running older Windows Embedded versions, and specialized medical equipment with long lifecycle requirements. Many organizations also still maintain legacy applications that were developed for Windows XP/Server 2003 environments and haven’t been updated to support newer protocols.
Workarounds and migration strategies
For NAS devices, check manufacturer websites for firmware updates that add SMB2/3 support, as many vendors have released these even for older models. If updates aren’t available, consider using alternative protocols like NFS, FTP, or WebDAV which are often supported alongside SMB1.
For printers and scanners, update to the latest firmware if available, or use alternative protocols such as IPP (Internet Printing Protocol) for printing and FTP/SFTP for scanning functions. In cases where hardware replacement isn’t feasible, network isolation is recommended — create a separate VLAN for legacy devices that strictly controls traffic to and from these systems.
For business-critical applications that require SMB1, consider implementing middleware solutions or virtualization technologies that can bridge between SMB1 and newer protocols. Application containerization can also help isolate SMB1 dependencies from the broader network environment while plans for modernization are developed.
Security best practices
Enforce SMB2/SMB3 wherever possible
Enforce the use of SMB2 or SMB3 protocols whenever possible by configuring minimum SMB security settings through Group Policy:
- Navigate to Group Policy Editor (gpedit.msc)
- Browse to Computer Configuration → Administrative Templates → Network → Lanman Workstation
- Set “Enable insecure guest logons” to Disabled
- Configure registry to enforce minimum SMB version:
- Open Registry Editor (regedit.exe)
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Create or modify DWORD value: SMB2
- Set value to 1 (to require SMB2 or higher)
Network segmentation and monitoring legacy systems
Implement proper network segmentation to isolate systems that still require SMB1, keeping them separated from critical infrastructure and data. Use VLANs, firewalls, and access control lists to restrict traffic flows between these segments and your primary network.
Additionally, deploy enhanced monitoring solutions that specifically watch for SMB1 traffic patterns and potential exploitation attempts. You can set up alerts for any unexpected SMB1 activity, particularly across network boundaries.
Regular audits of SMB usage across the environment
Conduct regular network-wide audits to identify systems still using SMB1 protocol. (Use tools like Microsoft’s Message Analyzer to capture and analyze network traffic for SMB protocol usage.) Create and maintain an inventory of systems requiring SMB1 and develop migration plans for each. Implement a scheduled validation process to ensure new systems aren’t introducing SMB1 dependencies into your environment, and include SMB protocol checking in your security assessment workflows.
Frequently Asked Questions (FAQ)
Q: Is SMB1 still safe to use in 2025?
A: No, SMB1 is not safe to use in 2025. The protocol contains fundamental security vulnerabilities that cannot be patched, and major exploits like EternalBlue remain a threat despite years of awareness. Using SMB1 may violate security compliance requirements in regulated industries.
Q: What breaks when you disable SMB1?
A: Legacy NAS devices manufactured before 2016 may become inaccessible, while older multifunction printers and scanners might lose functionality.
Windows XP and Windows Server 2003 machines cannot connect to file shares without SMB1, and some specialized industry applications with hardcoded SMB1 dependencies may fail. Older embedded systems (manufacturing, healthcare, etc.) may lose connectivity.
Q: Can you disable SMB1 remotely?
A: Yes, SMB1 can be disabled remotely using several methods:
- PowerShell remoting: Invoke-Command -ComputerName [hostname] -ScriptBlock {Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force}
- Group Policy deployment to targeted computers/OUs
- Windows Admin Center for managing multiple servers
- Configuration Manager (SCCM) using compliance settings
Q: Does disabling SMB1 affect file sharing in general?
A: No, disabling SMB1 does not affect modern file sharing capabilities. Windows automatically uses SMB2 or SMB3 for all file sharing operations between compatible systems.
In summary
Strong security requires a proactive approach to managing legacy protocols like SMB1. While complete removal might pose challenges for organizations with older systems, the security benefits far outweigh the compatibility concerns. By following the steps outlined in this guide, you can effectively disable SMB1 in Windows and implement proper isolation measures where keeping it active is a necessity.
Remember that Microsoft has been clear about SMB1’s status — it’s a deprecated protocol with no future support.
Taking action now to migrate to SMB2 or SMB3 will not only protect your Windows systems from known vulnerabilities but also improve performance and prepare your infrastructure for future security demands.
For more detailed guidance and official documentation on managing the SMB1 file sharing protocol in Windows, refer to the following Microsoft resources:
