How to disable SMBv1 with Intune [deep dive analysis]

I recently got motivated to research the new MDM settings available in the latest Windows 10 Insider Build (17074) and how to configure them. Settings available in preview Windows 10 versions normally have little technical documentation, and at preview release time there is often no documentation at all for a particular feature and its corresponding setting.

In this post I would like to show how to get the right pieces of information to configure an ADMX-backed policy setting in Windows 10 via Intune OMA-URIs when there is no technical documentation for it. We need to work out all implementation details by ourselves. My goal is to show some of the inner workings of how MDM policies are implemented so that we gain a deeper understanding of them.

I’ll demonstrate my analysis with some new settings in the latest Windows 10 Insider build (build 17074 at the time of writing), derived from MSSecurityGuide, that control SMBv1 on the device. The two settings are:

  • ConfigureSMBV1ClientDriver
  • ConfigureSMBV1Server

These settings control the SMB 1.0/CIFS File Sharing Support optional feature.

[Screenshot: Optional Feature SMBv1]

How do we find out about these newly available settings?

First we have a look at the registry. There is a new place where you can find MDM Policy CSP settings. Group Policy settings are stored in the Policies registry key, and MDM Policy CSP settings can be found in the PolicyManager key:

HKLM\SOFTWARE\Microsoft\PolicyManager

As we see in the screenshot below, there are two different sub keys: a current key and a default key.

Within the current key we find all settings configured for this device by the Policy CSP via MDM (for example Intune). Within the default key we find all settings available in this particular Windows 10 release.

[Screenshot: RegistryPolicyManagerDefault]

As mentioned, the latest Windows 10 build (17074 at the time of writing) has a sub key MSSecurityGuide with further sub keys ConfigureSMBV1ClientDriver and ConfigureSMBV1Server.

[Screenshot: RegistryPolicyManagerSMBv1]

If we have a look at the details, for example of ConfigureSMBV1ClientDriver, we see the value name admxMetadataDevice. This is a hint that this particular policy is an ADMX-backed policy.

[Screenshot: SMBv1ADMXHint]

How do we configure it if we don’t know the input values for it?

The way Microsoft implemented ADMX-backed policies is as follows:

A defined set of default policies that ship with the OS in C:\Windows\PolicyDefinitions is parsed at OS build time and stored in the MDM store as converted MDM policies. The second way is to ingest custom ADMX files after the OS has shipped; these are then also parsed and stored in the MDM store as MDM policies. I wrote an ADMX file ingestion article for a custom OneDrive ADMX file here: Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive.

For a thorough understanding, everyone should read the Background section of the Microsoft Docs article Understanding ADMX-backed policies.

With all that in mind, we need to find the original ADMX file for the policy; from it we can derive the actual configuration values, because ADMX-backed policies are configured by a schema derived from the ADMX XML file structure.

Luckily I know that MSSecurityGuide is provided by Microsoft through the Microsoft Security Compliance Toolkit 1.0, and that package contains the Windows 10 Version 1709 Security Baseline.zip, which includes SecGuide.admx in the Templates subfolder.

[Screenshot: SecGuideAdmx]

Because it is publicly documented how ADMX-backed policies are configured, we can derive the configuration input values from the SecGuide.admx file. To derive them we need to study the article Understanding ADMX-backed policies, especially the sections ADMX-backed policy examples and Sample SyncML for various ADMX elements.

To create the OMA-URI we append the registry key MSSecurityGuide and the sub key ConfigureSMBV1ClientDriver to ./Vendor/MSFT/Policy/Config/:

./Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver

Now we follow the section Sample SyncML for various ADMX elements for proper enum usage to build the input value that disables the SMBv1 client driver:

  1. find the enum element of the policy
  2. take the name from its id attribute
  3. choose the item value for disable

[Screenshot: SecGuideAdmxXml]

Construct the XML data element with the derived values for id and value:

<data id="Pol_SecGuide_SMB1ClientDriver" value="4"/>

The result is the following custom OMA-URI setting:

Name: ConfigureSMBV1ClientDriver
OMA-URI: ./Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver
Data type: string
Value:
<enabled/>
<data id="Pol_SecGuide_SMB1ClientDriver" value="4"/>

According to the Microsoft support article How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, the SMBv1 server can be controlled by this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1 REG_DWORD: 0 = Disabled

To disable the SMBv1 server we need to set the registry value SMB1 to 0, and this is exactly the disabled value defined in the SecGuide.admx XML file.

[Screenshot: SecGuideAdmxXml2]

The result is the following custom OMA-URI setting:

Name: ConfigureSMBV1Server
OMA-URI: ./Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1Server
Data type: string 
Value: <disabled/>
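As an added example (not code from the original post), the following PowerShell automates the derivation above for both settings: it reads the policy's enum from an ADMX document, builds the OMA-URI and emits the SyncML value. The ADMX fragment is constructed to mirror the shape of SecGuide.admx; the ids and values are the ones shown in this post, but take the authoritative ones from the real SecGuide.admx in the baseline zip.

```powershell
# Added example, not from the original post: builds the OMA-URI and SyncML
# value of an ADMX-backed policy from the policy's <enum> in an ADMX file.
# The fragment below is CONSTRUCTED to mirror the shape of SecGuide.admx.
[xml]$admx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="ConfigureSMBV1ClientDriver" class="Machine" key="SYSTEM\CurrentControlSet\Services\MRXSMB10">
      <elements>
        <enum id="Pol_SecGuide_SMB1ClientDriver" valueName="Start" required="true">
          <item displayName="$(string.SMB1Drv_Disable)"><value><decimal value="4"/></value></item>
          <item displayName="$(string.SMB1Drv_Manual)"><value><decimal value="3"/></value></item>
          <item displayName="$(string.SMB1Drv_Auto)"><value><decimal value="2"/></value></item>
        </enum>
      </elements>
    </policy>
    <policy name="ConfigureSMBV1Server" class="Machine" key="SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" valueName="SMB1">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@
function Get-AdmxOmaUriSetting {
    param([xml]$Admx, [string]$Area, [string]$PolicyName, [int]$EnumValue, [switch]$Disabled)
    $ns = New-Object System.Xml.XmlNamespaceManager($Admx.NameTable)
    $ns.AddNamespace('p', 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions')
    $policy = $Admx.SelectSingleNode("//p:policy[@name='$PolicyName']", $ns)
    if (-not $policy) { throw "Policy '$PolicyName' not found in ADMX" }
    $value = if ($Disabled) { '<disabled/>' } else { '<enabled/>' }
    $enum = $policy.SelectSingleNode('p:elements/p:enum', $ns)
    if ($enum -and -not $Disabled) {
        # The enum id becomes the data id; the chosen item's decimal becomes the data value.
        $item = $enum.SelectSingleNode("p:item[p:value/p:decimal/@value='$EnumValue']", $ns)
        if (-not $item) {
            $choices = ($enum.item | ForEach-Object { $_.value.decimal.value }) -join ', '
            throw "Enum '$($enum.id)' has no item with value $EnumValue (choices: $choices)"
        }
        $value += "`n<data id=`"$($enum.id)`" value=`"$EnumValue`"/>"
    }
    [pscustomobject]@{
        Name     = $PolicyName
        OmaUri   = "./Vendor/MSFT/Policy/Config/$Area/$PolicyName"
        DataType = 'String'
        Value    = $value
    }
}
Get-AdmxOmaUriSetting -Admx $admx -Area MSSecurityGuide -PolicyName ConfigureSMBV1ClientDriver -EnumValue 4
Get-AdmxOmaUriSetting -Admx $admx -Area MSSecurityGuide -PolicyName ConfigureSMBV1Server -Disabled
```

The two objects printed at the end carry exactly the Name, OMA-URI, data type and value of the two custom settings shown above; passing an enum value that does not exist in the ADMX fails with the list of valid choices instead of producing a setting the device would reject.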

Now we configure this as a custom OMA-URI in Intune and target it to our user group with Windows 10 Insider builds:

[Screenshot: SMBv1MDMOMAURI]

How to verify if the settings are correctly deployed?

First of all we can generate an MDM Advanced Diagnostics Report:

Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”

[Screenshot: AdvancedDiagnosticsReport]

Open the report MDMDiagReport.html in Edge and look for:

[Screenshot: MDMReport]

Second we can check the registry for MDM applied settings:

[Screenshot: SMBv1MDMSetting]

Third we can verify in the registry that LanmanServer > Parameters > SMB1 = 0:

[Screenshot: SMBv1ServerSetting]

We can query via PowerShell whether the Windows feature is enabled:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

[Screenshot: SMBv1WindowsFeature]

We can verify the SMBv1 client and server components via PowerShell:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

[Screenshot: SMBv1ServerConfig]

sc.exe query MRXSMB10

[Screenshot: SMBv1ClientConfig]
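As an added example (not code from the original post), the following PowerShell combines the verification steps above into one function that returns a single object. It assumes the MDM-applied values live under PolicyManager\current\device\MSSecurityGuide (adjust that path to what your registry shows) and needs an elevated prompt for Get-WindowsOptionalFeature and Get-SmbServerConfiguration.

```powershell
# Added example, not from the original post: repeats the manual checks above
# and returns one object that can be compared against the intended result.
# ASSUMPTION: MDM-applied values live under PolicyManager\current\device\<Area>.
function Test-Smb1Disabled {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\MSSecurityGuide'
    $lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRXSMB10'

    # 1) What the MDM channel wrote (missing key = the policy was never applied)
    $mdm = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    # 2) Server side: SMB1 = 0 under LanmanServer\Parameters disables the SMBv1 server
    $smb1Server = (Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # 3) Client side: Start = 4 (SERVICE_DISABLED) on the MRXSMB10 redirector driver,
    #    the configured counterpart of what sc.exe query MRXSMB10 shows at runtime
    $driverStart = (Get-ItemProperty -Path $driverKey -Name Start -ErrorAction SilentlyContinue).Start
    # 4) Optional feature and live SMB server configuration (both need elevation)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $cfg     = Get-SmbServerConfiguration

    # A fresh install may report DisabledWithPayloadRemoved, so test for "not Enabled"
    $allGood = (($smb1Server -eq 0) -and ($driverStart -eq 4) -and
                ($feature.State -ne 'Enabled') -and (-not $cfg.EnableSMB1Protocol))

    [pscustomobject]@{
        MdmClientDriverPolicy = $mdm.ConfigureSMBV1ClientDriver   # value written by Intune
        MdmServerPolicy       = $mdm.ConfigureSMBV1Server
        LanmanServerSMB1      = $smb1Server                       # expect 0
        MRXSMB10Start         = $driverStart                      # expect 4
        OptionalFeatureState  = $feature.State                    # expect Disabled*
        EnableSMB1Protocol    = $cfg.EnableSMB1Protocol           # expect False
        EnableSMB2Protocol    = $cfg.EnableSMB2Protocol           # expect True
        Smb1FullyDisabled     = $allGood
    }
}

Test-Smb1Disabled | Format-List
```

Smb1FullyDisabled is only true when the registry, the optional feature and the live server configuration all agree, which catches the migrated-upgrade case described in the note below where the MDM value is present but the feature is still installed.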

Congratulations, you successfully disabled the SMBv1 protocol as recommended in the Security Baseline for Windows 10!

Important note

SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709
https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709

If a Windows 10 installation was upgraded from an earlier version like RS2 to RS3, SMBv1 is not deactivated; the install state is migrated. SMBv1 will not be installed on fresh RS3 installations. The settings above enforce the uninstall of SMBv1 for migrated devices.

Further information

3 thoughts on “How to disable SMBv1 with Intune [deep dive analysis]”

  1. Sorry, me again…
    Nice find, just being curious can we also use ADMX ingest to achieve the same, so ingest ADMX content with oma-uri and create an OMA-URI to set the policy?

    Second question, to disable an ADMX backed policy the value is always [disabled/] ?

    1. Yes you can! See my blog post “Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive” for an example:
      https://oliverkieselbach.com/2017/11/07/deep-dive-admx-ingestion-to-configure-silentaccountconfig-with-onedrive/
      There I ingest the custom OneDrive.admx file and configure it via OMA-URI in the end.

      Regarding the second question, if we follow the documentation then yes that’s true:
      https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies#a-href-idadmx-backed-policy-examplesaadmx-backed-policy-examples
      -> section “Disabling a policy” -> [disabled/]
