Issue Removing SMB1 from Windows with Ansible

As part of a large configuration script for Windows, and executed via Ansible, one step was to remove SMB1.

The official Microsoft Guidance on removing SMB1 states to use Disable-WindowsFeature - https://support.microsoft.com/en-gb/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server

I didn’t think too much more of this and simply added the step to the configuration script. However, upon executing it from Ansible I received the following error:

This got me questioning why is the recommendation to use Disable-WindowsOptionalFeature when the detect method is Get-WindowsFeature? It might seem more logical that Uninstall-WindowsFeature would be paired with Get-WindowsFeature.

I found this article which highlights some of the differences between the two different sets of commands that do pretty similar things: https://peter.hahndorf.eu/blog/WindowsFeatureViaCmd

I simply switched to Uninstall-WindowsFeature -Name ‘FS-SMB1’ and all was good.

Other alternatives are the native Ansible modules for configuring feature state:

• win_optional_feature_module https://docs.ansible.com/ansible/latest/modules/win_optional_feature_module.html#win-optional-feature-module .
• win_feature https://docs.ansible.com/ansible/latest/modules/win_feature_module.html#win-feature-module

We choose not to go down this route in this instance since there were many other items which needed to be configured in Windows which could not be done via Ansible modules and it was more practical to keep everything in a single PowerShell script.

We could of course take out SMB1 from the Windows template, but that’s another story……