How To Disable SMBv1 on Windows Server Without Rebooting

SMBv1 was released almost 40 years ago, in 1984. You would think that by now most, if not nearly all, systems and services would no longer rely on such an ancient technology; however, if you thought that, you would be wrong. Although your Windows infrastructure may be current and up to date, other services, apps and systems may not always be as advanced as you might think.

In this tutorial I am going to show you how you can enable auditing for SMBv1 on your servers, then once you are happy, how to disable SMBv1 quickly using PowerShell, without having to reboot your server.

Page Contents 

  • Enable SMBv1 auditing to detect if it’s still in use
  • Find SMBv1 audit logs in the Windows event log
  • Disable SMBv1 with PowerShell
  • Re-enable SMBv1 with PowerShell
  • Uninstall SMBv1

Enable SMBv1 auditing to detect if it's still in use

Before you do anything, it is important to evaluate if disabling SMBv1 will have an impact on your environment and what that impact might be. 

Thankfully, there is a built-in property for the SMB server configuration where we can turn on auditing so SMBv1 events are captured in our Windows event log. To turn on SMB auditing, use the following command:

Set-SmbServerConfiguration -AuditSmb1Access $true

You can validate that SMBv1 auditing has been enabled with the Get-SmbServerConfiguration cmdlet.

Get-SmbServerConfiguration | Select AuditSmb1Access

If you have successfully enabled SMBv1 auditing, your output will look like the following and show True.

Audit SMBv1 Access Enabled

Find SMBv1 audit logs in the Windows event log

The audit logs for SMBv1 will help you identify whether the protocol is still being used by any clients accessing services on the server in question.

To find audit events, start by opening the Event Viewer within Windows. Then go to: Application and Services Logs > Microsoft > Windows > SMBServer > Audit

From there you will be able to see audit events with ID 3000. The General tab of these events shows the address of the client that is initiating the connection with this protocol.

Alternatively you can use PowerShell to view these events:

Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit

If no events are found after a period of time, you are likely safe to continue.
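
The audit review described above can be condensed into one row per client. The following is an added example, not code from the original post; the function name Get-Smb1ClientSummary, the sample records and the assumption that each event 3000 message contains a "Client Address:" line are assumptions of this example.

```powershell
# Added example: summarise SMBv1 audit events (ID 3000) per client address.
# Assumption: the event message contains a "Client Address: <address>" line.
function Get-Smb1ClientSummary {
    [CmdletBinding()]
    param(
        # Event records such as Get-WinEvent returns; only TimeCreated and Message are read.
        [Parameter(ValueFromPipeline)]
        [psobject]$Record
    )
    begin { $clients = @{} }
    process {
        # Skip records whose message has no client address (e.g. unrendered messages).
        if ($Record.Message -notmatch 'Client Address:\s*(\S+)') { return }
        $address = $Matches[1]
        if (-not $clients.ContainsKey($address)) {
            $clients[$address] = [pscustomobject]@{
                ClientAddress = $address
                Events        = 0
                FirstSeen     = $Record.TimeCreated
                LastSeen      = $Record.TimeCreated
            }
        }
        $entry = $clients[$address]
        $entry.Events++
        if ($Record.TimeCreated -lt $entry.FirstSeen) { $entry.FirstSeen = $Record.TimeCreated }
        if ($Record.TimeCreated -gt $entry.LastSeen)  { $entry.LastSeen  = $Record.TimeCreated }
    }
    # Busiest clients first; emits nothing when no SMBv1 client was seen.
    end { $clients.Values | Sort-Object Events -Descending }
}

# Constructed sample records (documentation addresses), so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:15:00'; Message = "SMB1 access`n`nClient Address: 192.0.2.10" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:20:00'; Message = "SMB1 access`n`nClient Address: 198.51.100.7" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-11T14:02:00'; Message = "SMB1 access`n`nClient Address: 192.0.2.10" }
)
$sample | Get-Smb1ClientSummary | Format-Table -AutoSize

# On a live server, read the audit log instead. Get-WinEvent raises an error when no
# event matches, which here is the outcome you want, so that error is silenced.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
#     -ErrorAction SilentlyContinue | Get-Smb1ClientSummary
```

Any address in the output is a client that still connects with SMBv1 and needs attention before the protocol is disabled.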


Disable SMBv1 with PowerShell

Disabling SMBv1 on Windows Server is fairly simple and no reboots will be required. However, if you are running Windows Server 2019 or above, SMBv1 will not be installed by default, so this is only necessary if you are running Windows Server 2016 or earlier.

Run the following command in an elevated PowerShell session to disable SMBv1:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

You can verify the command has run successfully by checking the configuration:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

If successful, your output should show a value of False.

SMBv1 Disabled

Re-enable SMBv1 with PowerShell

Once you have disabled SMBv1, if any issues arise it can be quickly enabled by running the Set-SmbServerConfiguration cmdlet with the value $True.

Set-SmbServerConfiguration -EnableSMB1Protocol $true

Use the Get-SmbServerConfiguration cmdlet to validate that it is enabled and check that the issue is resolved.

Uninstall SMBv1

Uninstalling the SMBv1 protocol requires a reboot, and the server will reboot instantly as soon as you run the command.

The following command will remove SMBv1 from your system.

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

If you need to re-enable SMBv1 on the server, you can run the following command (this will also instantly reboot your server).

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
