Exchange Server and SMBv1

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server.

There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. If you want to learn more about SMBv1 and why you should stop using it, I’d recommend reading this blog post published and updated by Ned Pyle.

Microsoft publicly deprecated the SMBv1 protocol in 2014 and so we stopped installing it by default when using Windows Server 2016 1709 (RS3). Please see this KB for more information.

What about Exchange 2010?

As announced earlier here, Exchange Server 2010 end of support is coming soon.

We have not validated, and will not validate, whether Exchange 2010 works properly with SMBv1 disabled. Please follow our recommendation and migrate from Exchange 2010 to Office 365, or to a newer version of Exchange Server if you want to stay on-premises.

What about DAG witness server?

Before disabling SMBv1 you should make sure that you use a correctly configured and supported DAG witness server which supports at least SMBv2.

You should make sure that the witness server is running a supported version of Windows Server which is Windows Server 2012/2012R2/2016 or 2019.

Please find more information about Exchange and DAG witness server here.

How can I check if SMBv1 is in use on my server?

It depends on your operating system!

The required steps for the most commonly used operating systems with SMBv1 enabled are:

  • Windows Server 2008 R2:


Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}


Default configuration = Enabled (no registry key is created), so no SMB1 value will be returned. If the query returns a value of 1, SMBv1 is enabled. A value of 0 means SMBv1 is disabled.

  • Windows Server 2012:


Get-SmbServerConfiguration | Select EnableSMB1Protocol


If you get a return of True it means SMBv1 is enabled and False means SMBv1 is not enabled.

  • Windows Server 2012 R2 or higher:


(Get-WindowsFeature FS-SMB1).Installed
Get-SmbServerConfiguration | Select EnableSMB1Protocol


If you get a return of True it means SMBv1 is enabled and False means SMBv1 is not enabled.
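The three per-OS checks above can be combined into one read-only function, shown here as an added example that is not part of the original post or of the HealthChecker script. The function name Get-Smb1Status and the NeedsAction rule (flag the server if either the protocol setting or the FS-SMB1 feature is still on) are assumptions of this example.

```powershell
# Added example: combines the registry, Get-SmbServerConfiguration and
# FS-SMB1 feature checks from the steps above. Read-only; changes nothing.
function Get-Smb1Status {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $registry     = 'NotSet'   # no SMB1 value means the OS default applies
    $serverConfig = $null      # stays $null where the cmdlet does not exist
    $feature      = $null      # stays $null where FS-SMB1 is not a known feature

    # Windows Server 2008 R2 style check: explicit SMB1 registry value, if any.
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $reg) { $registry = $reg.SMB1 }

    # Windows Server 2012 and later: SMB server configuration.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverConfig = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Windows Server 2012 R2 and later: is the SMBv1 feature still installed?
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f) { $feature = $f.Installed }
    }

    if ($null -ne $serverConfig) {
        # Assumption of this example: either indicator being True needs follow-up.
        $needsAction = ($serverConfig -eq $true) -or ($feature -eq $true)
    } else {
        # No SMB cmdlets (2008 R2): a missing value means enabled by default,
        # so only an explicit 0 counts as disabled.
        $needsAction = ($registry -ne 0)
    }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        RegistrySMB1       = $registry
        EnableSMB1Protocol = $serverConfig
        FeatureInstalled   = $feature
        NeedsAction        = $needsAction
    } | Select-Object ComputerName, RegistrySMB1, EnableSMB1Protocol,
                      FeatureInstalled, NeedsAction
}

Get-Smb1Status
```

Run it in an elevated PowerShell session on each Exchange server and on the DAG witness server; a NeedsAction value of True means at least one of the checks above still reports SMBv1 as enabled or installed.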

The latest version 2.39.1 of Exchange HealthChecker script may help you to detect if SMBv1 is enabled on your Exchange servers, so you can easily use it to just figure out what's going on.

How can I disable SMBv1 on my Exchange Server?

This will also differ based on the OS version in use:

  • Windows Server 2008 R2:


Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force


  • Windows Server 2012:


Set-SmbServerConfiguration -EnableSMB1Protocol $false -force


  • Windows Server 2012 R2 or higher:


Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false


It is also possible to disable SMBv1 on the server via Group Policy. You can find more information about this topic in the article How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows. Please check that document, because server restart needs might vary depending on the OS in question (SMB settings are OS settings, not Exchange).

Thanks for reading and stay safe!

Lukas Sassl
