Intune - Disable SMBv2
Author: Ram Apter
Introduction
While SMBv2 offers improved performance and security features over its predecessor SMBv1, its implementation has also been the subject of several high-profile security vulnerabilities, and any device that answers SMB on port 445 is exposing a network-listening service.
Disabling SMBv2 can be a proactive measure to enhance network security, particularly on endpoints that never need to serve files or printers (most Intune-managed workstations). Implementing this change involves configuring the SMB server settings so the device no longer accepts SMBv2 connections, thereby reducing the attack surface and enhancing the overall security posture. Two caveats before rolling this out: on Windows 8 / Windows Server 2012 and later, SMBv2 and SMBv3 share the same switch, so setting EnableSMB2Protocol to $False turns off both, and if SMBv1 is still enabled it would then be the only dialect the device serves, so make sure SMBv1 is removed first. The change affects only the server (inbound) role; the device can still connect to file shares elsewhere, and no reboot is required.
So, let's get to the script itself:
$ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so the catch block sees them
$smbv2log = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\SMBv2.log"

# Rotate the log once it passes 10 MB: zip it with today's date and start a fresh file.
if ((Test-Path $smbv2log) -and ((Get-Item $smbv2log).Length / 1MB -gt 10))
{
    $stamp = Get-Date -Format "dd.MM.yyyy"
    Compress-Archive -Path $smbv2log -DestinationPath "$smbv2log.$stamp.zip" -Force
    Remove-Item $smbv2log
}
Start-Transcript -Path $smbv2log -Append

try {
    $smbv2 = Get-SmbServerConfiguration
    # Log the protocol state as text rather than the object's type name.
    Write-Output ($smbv2 | Select-Object EnableSMB1Protocol, EnableSMB2Protocol | Format-List | Out-String)
    if ($smbv2.EnableSMB2Protocol -eq $True)
    {
        # This switch turns off SMBv3 as well; no reboot is needed.
        Set-SmbServerConfiguration -EnableSMB2Protocol $False -Force
        Write-Output "SMBv2 was successfully disabled"
        exit 0
    }
    else
    {
        Write-Output "No change: SMB2 protocol was already disabled"
        exit 0
    }
}
catch {
    Write-Output "An error occurred: $_"
    exit 1
}
finally {
    Stop-Transcript
}
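Before targeting devices with the script above, and to verify the result afterwards, it helps to see what the device is actually serving over SMB. The following is an added example, not part of the original post or of the deployment script; it assumes Windows 8 / Server 2012 or later with the built-in SmbShare module, and the SMB1Protocol optional-feature check applies to client SKUs (servers expose SMBv1 as the FS-SMB1 feature instead). Run it from an elevated PowerShell on a representative device.

```powershell
# Added example (not from the original post): pre-flight and verification checks
# to run before and after deploying the Intune script. Assumes the SmbShare
# module is present (Windows 8 / Server 2012 and later).

# 1. Current server-side protocol state. EnableSMB2Protocol governs both SMBv2
#    and SMBv3; there is no separate SMBv3 switch.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, EncryptData |
    Format-List

# 2. Who is using SMB on this device right now? Disabling SMBv2/v3 drops every
#    session listed here. Dialect is the negotiated version (e.g. 3.1.1).
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Format-Table -AutoSize

# 3. Non-administrative shares that would become unreachable once the server
#    side is off. Special shares (C$, ADMIN$, IPC$) are filtered out.
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, ScopeName |
    Format-Table -AutoSize

# 4. Guard: never end up with SMBv1 as the only enabled dialect.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is still enabled on the server side; disabling SMBv2/v3 would leave only SMBv1. Disable SMBv1 first."
}
# Client SKUs: SMBv1 ships as an optional feature. (Servers: Get-WindowsFeature FS-SMB1.)
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    Write-Warning "The SMB1Protocol optional feature is installed; remove it before disabling SMBv2/v3."
}

# 5. Post-deployment verification: exit 0 only when SMBv2/v3 is really off.
#    This shape also works as the detection script of an Intune remediation,
#    where a non-zero exit means "non-compliant, run the remediation".
if ((Get-SmbServerConfiguration).EnableSMB2Protocol) {
    Write-Output "SMBv2/v3 server protocol still enabled"
    exit 1
}
Write-Output "SMBv2/v3 server protocol disabled"
exit 0
```

Step 2 is the one that decides whether a device belongs in the target group at all: a workstation with no sessions and no custom shares loses nothing, while anything that shows up with active sessions (a departmental file share, a scanner dropping files, a backup agent) needs to be excluded or migrated first. Steps 1 and 5 run again after the Intune script has reported success to confirm the setting actually took effect.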
I'm deploying this script from Intune as a platform script (Devices > Scripts) with the following configuration. The script has to run in the system context rather than with the logged-on user's credentials, because Set-SmbServerConfiguration requires administrative rights:

To conclude:
- This script will get the SMB server configuration of the device.
- If EnableSMB2Protocol is enabled, it will disable it (and with it SMBv3, which shares the same switch).
- It will also save logs so you can diagnose raised issues if necessary.
- That way, you will harden your environment.