IBM BigFix Patch: Content Modification: Patches for Windows published 2017-05-23

Content in the Patches for Windows site has been modified:

New Fixlets:

[Major] 2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547 (ID: 269654705)
[Major] 2696547: Disable SMBv1 in Windows and Windows Server - Disable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547 (ID: 269654707)
[Major] 2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Disable SMB v1) - Windows 7 / Windows 8 / Windows Vista / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 - KB2696547 (ID: 269654701)
[Major] 2696547: Disable SMBv1 in Windows and Windows Server - Disable Workaround (Disable SMB v1) - Windows 7 / Windows 8 / Windows Vista / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 - KB2696547 (ID: 269654703)

Reason for Update:

Fixlets to disable SMBv1 have been released according to the instructions described in KB2696547.

Actions to Take:

None

Published site version:

Patches for Windows, version 2764.

Additional links:

None

Application Engineering Team
IBM BigFix

We have discovered a small problem with the removal of SMB1 from Windows 8.1.

We have a NAS system based on NetApp, and using the fixlet
2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547
breaks connectivity with the NAS…
The reason appears to be the LanmanWorkstation dependency, which depends on the start of MRxSMB10…
If you apply the following before the fixlet, connectivity is maintained.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

So I believe the fixlet should also include either the above OR
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,00,78,00,53,00,6d,00,62,00,32,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

Any thoughts?
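
The hex(7) value in the post above is a REG_MULTI_SZ blob, so it is not obvious at a glance which services it names. The following is an added example, not part of the original post or of the BigFix Fixlet: it decodes that registry fragment and checks that LanmanWorkstation no longer depends on MRxSmb10 and that the mrxsmb10 driver is disabled. The function names `parse_reg` and `check_smb1_decoupled` are hypothetical, and the parser assumes each value sits on a single line.

```python
import re

# Constructed sample: the .reg fragment from the post above, with plain ASCII quotes.
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,00,78,00,53,00,6d,00,62,00,32,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: decoded value}} for dword and hex(7) values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(dword|hex\(7\)):(.*)$', line)
        if not m or current is None:
            continue
        name, kind, data = m.groups()
        if kind == "dword":
            current[name] = int(data, 16)
        else:
            raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
            # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL
            current[name] = [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return keys

def check_smb1_decoupled(text):
    """List problems that would leave LanmanWorkstation tied to the SMBv1 driver."""
    keys = parse_reg(text)
    base = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
    problems = []
    deps = keys.get(base + "lanmanworkstation", {}).get("DependOnService")
    if deps is None:
        problems.append("LanmanWorkstation DependOnService not set")
    elif any(d.lower() == "mrxsmb10" for d in deps):
        problems.append("LanmanWorkstation still depends on MRxSmb10")
    if keys.get(base + "mrxsmb10", {}).get("Start") != 4:  # 4 = SERVICE_DISABLED
        problems.append("mrxsmb10 Start is not 4 (disabled)")
    return problems

if __name__ == "__main__":
    print(parse_reg(REG_FRAGMENT))
    print(check_smb1_decoupled(REG_FRAGMENT) or "OK")
```

The decoded dependency list is Bowser, MRxSmb20, NSI, which matches the `depend= bowser/mrxsmb20/nsi` argument in the sc.exe command from the same post.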

Thanks for the feedback! We are looking into this.

Do note that there may be other side-effects caused by removing SMBv1, thus the Fixlets were released without default action.

Thank you Pete!

Proposed change is published in IBM BigFix Patch: Content Modification: Patches for Windows published 2017-05-25.