Saturday 13 May 2017

Disable and Remove SMB1 via ConfigMgr Compliance Settings

In the wake of the recent WannaCry worm wreaking havoc across the globe, I thought I'd knock up a quick set of Configuration Manager compliance settings and a baseline to easily disable and remove SMB1 from devices within an environment.

Just as I started to gather the information I would need about the various settings, I noticed that Alex Pooley had already documented what I was about to do.

You can find his blog post with his methods here:
https://alexpooleyblog.wordpress.com/2017/03/09/disabling-smb1-via-configmgr-desired-state-configuration-dsc/

There's not much value in me repeating all of the steps in this post; refer to the excellent work that Alex has already done.
However, I've made some minor changes to some of the PowerShell, set names consistently, tested it and exported it as a cab file for easy import into other environments.

Download from the TechNet Gallery here

This baseline will perform the following:
  • Disable SMB1 on Windows 8 & Server 2012 or newer
  • Remove SMB1 on Windows 8.1 & Server 2012 R2 or newer
  • Disable SMB1 Client on Windows 7 & Server 2008 R2
  • Disable SMB1 Server on Windows 7 & Server 2008 R2

Importing the cab file should give you a new folder named Security with 4 CIs within it.

These CIs mainly use PowerShell scripts to discover and then remediate the various SMB1 configurations on the relevant operating systems. The exception is disabling SMB1 (Server) on Windows 7/Server 2008(R2), which uses a registry value check and set.

These 4 CIs are wrapped into a Baseline called "Disable SMB1" that you can find in the folder named Security. This baseline then needs targeting at a collection that you would like to disable/remove SMB1 from.

I've run it across my estate, but I do only have 2012 R2 and Windows 10 devices. A few devices are reporting script timeout errors and I still need to dig into those further, but overall it runs fine and successfully disables SMB1.
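
To spot-check a device outside of ConfigMgr, the four settings listed above can be read with one read-only audit script. This is an added example, not the scripts from the cab file or from Alex's post: it assumes the cmdlets, feature name and registry values Microsoft documents for SMB1, and `$results` and the check names are illustrative. Run it elevated.

```powershell
# Added example: read-only SMB1 audit. It changes nothing on the device.
# $results and the check names are illustrative, not taken from the baseline.
$os = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
$results = @{}
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

if ($os -ge [version]'6.2') {
    # Windows 8 / Server 2012 or newer: SMB1 server protocol setting
    $results['SMB1 server disabled'] = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
}

if ($os -ge [version]'6.3') {
    # Windows 8.1 / Server 2012 R2 or newer: SMB1 optional feature.
    # A pending state, or no answer at all, is reported as not compliant.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $results['SMB1 feature removed'] = "$($feature.State)" -like 'Disabled*'
}

if ($os.Major -eq 6 -and $os.Minor -eq 1) {
    # Windows 7 / Server 2008 R2, server side: registry value SMB1 = 0.
    # A missing value means the default (enabled), so it fails the check.
    $srv = Get-ItemProperty "$services\LanmanServer\Parameters"
    $results['SMB1 server disabled'] = $srv.SMB1 -eq 0

    # Client side: mrxsmb10 driver disabled (Start = 4) and no longer a
    # dependency of the Workstation service.
    $drv = Get-ItemProperty "$services\mrxsmb10"
    $wks = Get-ItemProperty "$services\LanmanWorkstation"
    $results['SMB1 client disabled'] = ($drv.Start -eq 4) -and
        ($wks.DependOnService -notcontains 'MRxSmb10')
}

# Single-string result, in the style of a script-based CI discovery value
$failed = @($results.GetEnumerator() |
    Where-Object { -not $_.Value } |
    ForEach-Object { $_.Key })

if ($failed.Count -eq 0) {
    'Compliant'
} else {
    'NonCompliant: ' + ($failed -join ', ')
}
```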