How to verify SMBv1 is disabled in Windows and Windows Server

Since the WannaCry and Petya ransomware spread through Windows systems in 2017, the recommendation has been to disable Server Message Block version 1 (SMBv1) on Windows clients and Windows Server. SMBv1 is no longer installed by default in Windows 10 version 1709, Windows Server version 1709, and later, but how can you be sure it is disabled in older Windows versions? Easy, use PowerShell.

Sometimes you want the reassurance that you did something right in the past. Suppose you want to test whether Windows versions older than Windows 10 and Windows Server 2016 have SMBv1 disabled. In that case, you use PowerShell to verify that the following registry value is not present or set to 0:


In PowerShell, you can get all your computers and servers in your Active Directory Domain using Get-ADComputer, and you can query that list with Invoke-Command to verify SMBv1 is disabled.

For example:

# Requires the ActiveDirectory module and PowerShell remoting to each server.
Get-ADComputer -Filter {(Enabled -eq $True) -and (OperatingSystem -Like "Windows Server*")} | % {
	Invoke-Command -ComputerName $_.DNSHostName -ScriptBlock {
		# SMB1 = 1 means the SMBv1 server component is explicitly enabled.
		If ( (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters").SMB1 -eq 1 ) {
			Write-Output "SMBv1 is enabled on ${env:computername}"
		}
	}
}
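
The same audit as an added example (not code from the original post) that returns one result per server and reports unreachable hosts instead of skipping them. It lists a missing SMB1 value as NotSet rather than folding it into Disabled, because Microsoft's article gives Enabled as the default when the value has not been created on Windows versions that ship SMBv1. The variable names, the state labels and the final filter are assumptions made for this illustration.

```powershell
# Added example: audit the SMB1 registry value on every enabled Windows Server
# computer account and collect one result object per host.
Import-Module ActiveDirectory

# Registry key from the article; SMB1 is the value checked under it.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Runs on the remote host. It returns a plain string so that it also works
# on hosts that only have an old PowerShell version installed.
$check = {
    param($Path)
    # With SilentlyContinue, a missing SMB1 value yields $null instead of an error.
    $item = Get-ItemProperty -Path $Path -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'NotSet' } elseif ($item.SMB1 -eq 0) { 'Disabled' } else { 'Enabled' }
}

$servers = Get-ADComputer -Filter {(Enabled -eq $True) -and (OperatingSystem -Like "Windows Server*")}

$results = foreach ($server in $servers) {
    try {
        # -ErrorAction Stop turns a connection failure into a catchable error.
        $state = Invoke-Command -ComputerName $server.DNSHostName -ScriptBlock $check `
                                -ArgumentList $key -ErrorAction Stop
    }
    catch {
        # A host that could not be queried is not evidence that SMBv1 is off.
        $state = 'Unreachable'
    }
    [pscustomobject]@{ Computer = $server.DNSHostName; SMB1 = [string]$state }
}

# Full inventory, then only the hosts that still need attention.
$results | Sort-Object SMB1, Computer | Format-Table -AutoSize
$results | Where-Object { $_.SMB1 -ne 'Disabled' }
```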

This is one of those ways to increase Windows Server security in your environment. You may find more information in Microsoft’s Support article “How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server”.

