IRONSMITHINTEL
CRITICAL
Auth: none | Reboot: recommended | Est. 10 minutes (+ optional reboot if using Windows Features method) | ✓ Script

Disable SMBv1 to Remove the Attack Surface Exploited by EternalBlue and WannaCry

SMBv1 is the protocol that WannaCry, NotPetya, and EternalBlue exploit for worm-speed lateral movement — disabling it removes an entire class of attack from your environment.

✓ Tested on WS2022 · Rollback included

Published May 7, 2026 · Updated May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker or worm on the same network segment can scan for open port 445, probe for SMBv1 support, and exploit EternalBlue or related vulnerabilities for unauthenticated remote code execution as SYSTEM. WannaCry demonstrated this at global scale, spreading to over 200,000 systems in hours. Disabling SMBv1 provides complete protection against this entire class of attack.

How the attack works

SMBv1 is a 30-year-old file-sharing protocol with numerous well-documented security vulnerabilities. The NSA-developed EternalBlue exploit (CVE-2017-0144) targets SMBv1 and was used in the WannaCry and NotPetya ransomware outbreaks. Windows Server enables SMBv1 by default for backward compatibility. Any server with SMBv1 enabled is a potential hop point in lateral movement and vulnerable to unauthenticated exploitation by worm-type malware that traverses networks looking for the SMBv1 port.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers
Domain Controllers
File Servers
Any server reachable on port 445
Servers running with SMBv1 enabled (SMB1Protocol = $true)

Affected OS versions

Windows Server 2016
Windows Server 2019
Windows Server 2022

Fixed in: SMBv1 disabled (SMB1Protocol = $false)

Real-world incidents: what we've seen

During the WannaCry outbreak in May 2017, every organisation with SMBv1-enabled Windows servers that were reachable from an infected system was at risk of compromise. Hospitals, telecoms, and manufacturers lost entire networks within hours. Microsoft had released a patch (MS17-010) two months earlier, but organisations that had patched without disabling SMBv1 remained vulnerable to other SMBv1-based exploits.

How to patch
Recommended: PowerShell script

Script Package v1.0.0 · ✓ Tested WS2022

Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1 (4.2 KB)

Rollback-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1 (1.6 KB)

SHA-256: 770d14e97cd0a54c0a0516c6a26363800f7271ced82d5fefa7821536317ca4c5

Run interactively

.\Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1

Run silently (SCCM / Intune)

.\Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1 -Silent -OutputPath C:\Logs

Manual fallback (no script)

10 minutes (+ optional reboot if using Windows Features method)

Check SMBv1 Status

Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# EnableSMB1Protocol = True means vulnerable

Disable SMBv1

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Disable SMBv1 Client (Prevents Outbound SMBv1 Connections)

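sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi   # drop the Workstation service's dependency on the SMBv1 driver
sc.exe config mrxsmb10 start= disabled   # Set-SmbClientConfiguration has no SMBv1 switch, so disable the client driver itself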

Disable via Windows Features (Recommended)

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Verification

Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# Must return EnableSMB1Protocol = False
sc.exe qc mrxsmb10
# START_TYPE must show 4 DISABLED (the service is absent if the SMB1Protocol Windows feature was removed)

Notes

1. A reboot is required when disabling via Windows Features but not when using Set-SmbServerConfiguration
2. Verify no legacy devices (pre-Windows XP era, older NAS devices, old printers) require SMBv1 before disabling
3. SMBv2 and SMBv3 remain fully functional after disabling SMBv1
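
One way to carry out the legacy-device check in the notes above is to turn on SMBv1 access auditing and summarise which clients still connect with SMBv1. This is an added example, not part of the downloadable fix script; the function name Get-Smb1ClientSummary is hypothetical, and the "Client Address:" text matched in the event message is an assumption about the message layout.

```powershell
# Step 1 (run once, then leave auditing on for a representative period):
#   Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1ClientSummary {
    [CmdletBinding()]
    param(
        # Event message strings; defaults to the live SMB server audit log.
        [string[]]$Message
    )
    if (-not $PSBoundParameters.ContainsKey('Message')) {
        # Event ID 3000 is written when a client connects using SMBv1.
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
        } -ErrorAction SilentlyContinue
        $Message = @($events | ForEach-Object { $_.Message })
    }
    $Message |
        ForEach-Object {
            # Assumption: the message carries a "Client Address: <addr>" line.
            if ($_ -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{n='Client';e={$_.Name}}, @{n='Smb1Connections';e={$_.Count}}
}

# Constructed sample messages (not real log data) to show the output shape.
$sample = @(
    "SMB1 access`n`nClient Address: 10.0.5.21`n",
    "SMB1 access`n`nClient Address: 10.0.5.21`n",
    "SMB1 access`n`nClient Address: 10.0.7.40`n"
)
Get-Smb1ClientSummary -Message $sample

# On the server itself, after the audit period:
#   $clients = Get-Smb1ClientSummary
#   if (-not $clients) { 'No SMBv1 clients seen during the audit period.' }
```

Any client listed still depends on SMBv1 and needs to be upgraded or isolated before the disable steps are applied.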

Verify after patching

Confirm the patched version is running:

# Expect: SMBv1 disabled (SMB1Protocol = $false)

Script details · parameters · exit codes

Script Package v1.0.0 · Tested WS2022 · Rollback included
✓ Fully tested
Fix Script: Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1
Rollback Script: Rollback-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1
SHA-256 verified · Hashes confirmed on download

Tested On

Reboot: Reboot Recommended

SCCM: ✓ Compatible

Est. Time: 10 minutes (+ optional reboot if using Windows Features method)

Parameters

-Silent: Suppress all console output. Always used when called via API or SCCM.
-OutputPath: Directory for log files and downloaded installers. Defaults to script directory.

How to Run

Interactive — see output in console

.\Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1

Silent mode — for SCCM / automation

.\Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1 -Silent

With custom log path

.\Fix-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1 -OutputPath "C:\Logs"

Exit Codes

Code | Meaning
0 | Success — fix applied or already patched
1 | Failure — check log file
3010 | Success — reboot required to complete
✓ Fully tested

Fix, idempotency, and rollback verified on

⚠ Rollback available. If this fix causes issues, run Rollback-Windows-Server-Smbv1-Protocol-Disabled-Hardening.ps1 to restore the previous state.