Check for SMB1 and hotfixes

Regarding the recent ‘WannaCrypt’ incident:

  • Is it possible to use SCOM to check if SMB1 is enabled? I can see SMB State as part of the File Services MP, but not version. I guess a PowerShell task would do it, but I imagine that pretty much all our servers with SMB enabled will have version 1.
  • Is there any way to check for installed hotfixes – I’m assuming not, but we don’t have SCCM agent on our servers and they’re not all pointing at WSUS.
  • Will disabling SMB1 on SCOM Management Servers have any impact on SCOM?
1 Like

Looking at the MP guide, it does not discover the version of SMB. MP guide can be downloaded here:

https://www.microsoft.com/en-us/download/details.aspx?id=34970

A monitor to check SMB version would be wise. PowerShell to check SMB version:

http://windowsitpro.com/windows-server-2012/checking-your-smb-version

You could also create a task to disable SMB1 in the event you find it enabled:

https://support.microsoft.com/en-gb/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Stop using SMB1:

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

1 Like

You could also create a monitor that checks the registry:

HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0

2 Likes

1: Yes, you can create a simple MP with a discovery. Windows has SMB1 enabled by default.

2: Probably, but haven’t looked into how. If you are worried about the WannaCrypt vulnerability, MSFT released a patch for this in March(?)

3: Not that I know of.

To disable SMB1 from PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

You could also set this through GPO.

Martin

2 Likes

Thanks all. I’ve created a Task to check SMB version.

Using Kevin Holman’s ‘execute any PowerShell’ that’s part of his Agent Management MP, I can check for the following to see if the hotfix has been installed:

Windows 2012 R2

Get-WmiObject -class "win32_quickfixengineering" | where-object {$_.HotFixID -eq "KB4019215"}

Windows 2008 R2

Get-WmiObject -class "win32_quickfixengineering" | where-object {$_.HotFixID -eq "KB4012212"}

Windows 2008

Get-WmiObject -class "win32_quickfixengineering" | where-object {$_.HotFixID -eq "KB4012598"}

I’ve disabled SMB1 across my SCOM Management Group and everything is working so far! Checked for any connections first with Get-SmbConnection and there was nothing on SMB1.
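
The registry check and the per-OS hotfix checks from the posts above can be combined into one local audit that returns a single object per server; this is an added example, not code from any poster in the thread. The function name, the property names and the OS-version-to-KB lookup table are assumptions made for the example; the KB IDs and the registry value are the ones quoted in the thread.

```powershell
# Added example; run locally on the server (for instance as an agent task).
# KB IDs per OS are the ones quoted in the post above.
$KbByOsVersion = @{
    '6.3' = 'KB4019215'   # Windows 2012 R2
    '6.1' = 'KB4012212'   # Windows 2008 R2
    '6.0' = 'KB4012598'   # Windows 2008
}

function Get-Smb1AuditResult {   # hypothetical name
    # Reduce the OS version to major.minor, e.g. "6.3.9600" -> "6.3".
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $osKey = (($os.Version -split '\.')[0..1]) -join '.'
    $kb    = $KbByOsVersion[$osKey]   # $null for an OS not listed in the thread

    # SMB1 server setting. A missing value is reported as NotSet: the OS
    # default applies, so it must not be read as Disabled.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $path -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { $smb1 = 'NotSet' }
    elseif ($value -eq 0) { $smb1 = 'Disabled' }
    else                  { $smb1 = 'Enabled' }

    # Same WMI class the thread uses. A later cumulative rollup can supersede
    # these KBs, so a miss means "check further", not proof of a missing patch.
    $kbInstalled = $false
    if ($kb) {
        $hit = Get-WmiObject -Class Win32_QuickFixEngineering |
               Where-Object { $_.HotFixID -eq $kb }
        $kbInstalled = [bool]$hit
    }

    # Flag hosts where SMB1 is not explicitly disabled AND the KB was not found.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.Version
        Smb1Server   = $smb1
        ExpectedKB   = $kb
        KBInstalled  = $kbInstalled
        NeedsReview  = ($smb1 -ne 'Disabled') -and (-not $kbInstalled)
    } | Select-Object ComputerName, OSVersion, Smb1Server, ExpectedKB, KBInstalled, NeedsReview
}

Get-Smb1AuditResult
```

The code avoids PowerShell 3.0+ syntax so it also runs on the PowerShell 2.0 that ships with Windows 2008 R2.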

Awesome response :slight_smile:

Side note, OMS does updates now, so you could use this for checking if the patch is installed - This can of course then be pulled into Squared Up :slight_smile: