Information
This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled.
The recommended state for this setting is: Enabled: Disable driver (recommended).
Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems.
Rationale:
Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30-year-old design that is much more vulnerable to attacks than much newer designs such as SMBv2 and SMBv3.
More information on this can be found at the following links:
Stop using SMB1 | Storage at Microsoft
Disable SMB v1 in Managed Environments with Group Policy - 'Stay Safe' Cyber Security Blog
Disabling SMBv1 through Group Policy - Microsoft Security Guidance blog
Impact:
Some legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: SMB1 Product Clearinghouse | Storage at Microsoft
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled: Disable driver (recommended):
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration/MS Security Guide
Setting Name: Configure SMB v1 client driver
Configuration: Enabled: Disable driver (recommended)
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Windows 7 and Windows 8.0: Enabled: Manual start.
Windows 8.1 and Windows 10 (up to R1703): Enabled: Automatic start.
Windows 10 R1709 and newer: Enabled: Disable driver.
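To confirm on an endpoint that the profile took effect, the following PowerShell audit reads the MRxSmb10 start type and maps it to the option names used above. It is an added example, not part of the original benchmark text. It assumes the driver is configured under the standard Windows service key with the usual service start values (2 = automatic, 3 = manual, 4 = disabled); the function name is hypothetical.

```powershell
# Added example: audit the SMBv1 client driver (MRxSmb10) start type on this host.
# Assumption: standard Windows service key and service Start values (2/3/4).
$SmbV1ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-SmbV1ClientDriverState {   # hypothetical helper name
    param([string]$Path = $SmbV1ClientKey)

    # Read the Start value; leave it $null if the key or the value is absent.
    $start = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name Start -ErrorAction SilentlyContinue
        if ($item) { $start = $item.Start }
    }

    # Map the raw value to the option names shown in the policy setting.
    $names = @{ 2 = 'Automatic start'; 3 = 'Manual start'; 4 = 'Disable driver' }
    if ($null -eq $start) {
        # Covers an unapplied policy and the case where the setting was
        # configured as Disabled, which deletes the registry entry.
        $state = 'Start value missing (policy not applied, or entry deleted)'
    } elseif ($names.ContainsKey([int]$start)) {
        $state = $names[[int]$start]
    } else {
        $state = "Unexpected start type $start"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Start     = $start
        State     = $state
        Compliant = ($start -eq 4)   # only an explicit 'Disable driver' passes
    }
}

$result = Get-SmbV1ClientDriverState
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "MRxSmb10 is not set to 'Disable driver' on $($result.Computer)."
    exit 1   # non-zero exit code so a scheduler or management agent can flag the host
}
```

A missing Start value is reported as non-compliant rather than as a pass, since the recommended state is an explicit value.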