Check for SMB1 and hotfixes

Regarding recent WannaCrypt’ incident:

  • is it possible to use SCOM to check if SMB1 is enabled? I can see SMB State as part of the File Services MP, but not version. I guess a PowerShell task would do it, but I imagine that pretty much all our servers with SMB enable will have version 1.
  • Is there any way to check for installed hotfixes – I’m assuming not, but we don’t have SCCM agent on our servers and they’re not all pointing at WSUS.
  • Will disabling SMB1 on SCOM Management Servers have any impact on SCOM?
1 Like

Looking at the MP guide, it does not discover the version of SMB. MP guide can be downloaded here:

A monitor to check SMB version would be wise. PowerShell to check SMB version:

You could also create a task to disable SMB1 in the event you find it enabled:,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Stop using SMB1:

1 Like

You could also create a monitor that checks the registry:

HLKM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0


1: Yes. you can create a simple MP with a discovery. Windows have default SMB1 enabled

2: Probably, but havent looked in to how. If you are worried about the WannaCrypt vulnerability, MSFT released a patch for this in March(?)

3: Not that i know of.

to disable SMB1 from powershell

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

You could also set this through GPO.



Thanks all. I’ve created a Task to check SMB version.

Using Kevin Holman’s ‘execute any PowerShell’ that’s part of his Agent Management MP, I can check for the following to see if the hotfix has been installed:

Windows 2012 R2

Get-WmiObject -class “win32_quickfixengineering” | where-object {$_.HotFixID -eq “KB4019215”}

Windows 2008 R2

Get-WmiObject -class “win32_quickfixengineering” | where-object {$_.HotFixID -eq “KB4012212”}

Windows 2008

Get-WmiObject -class “win32_quickfixengineering” | where-object {$_.HotFixID -eq “KB4012598”}

I’ve disabled SMB1 across my SCOM Management Group and everything is working so far! Checked for any connections first with Get-SmbConnnection and there was nothing on SMB1.

Awesome response :slight_smile:

Side note, OMS does updates now, so you could in use this for checking if the patch is installed - This can of course then be pulled into Squared Up :slight_smile: