When using GP to disable SMB, it's BOWSER, not BROWSER
I got this letter in the ol’ inbox. I got explicit permission to share it with you from it’s author, with name included. A true warrior is one who makes mistakes, takes ownership of those mistakes, and then shares those mistakes with the world to make it a better place.
Steven Stein, my hat is off to you. Here’s Steve’s letter to me, which I hope helps you out if you plan to kill SMB using GP using my previous post’s links.
To my fave GP guy who I try to avoid bothering with useless trivia: Here is major “How could I be so stupid” accident waiting to happen, and I made it happen re disabling SMB1 using GP. To myself. At a client. Sheesh.
In the instructions, it states to enter the following Value Data into the “DependendOnService” key – part of disabling (actually NOT enabling) SMB10: “Bowser”
I knew this was to “enable the Browser” service and though my eyes saw “Bowser” at least a dozen time, my brain read “Browser” a dozen times and my fingers rolled off “Browser” … all 12 times. That mental typo rolled out to a test group of four machines. And, all SMB was disabled on each target. No browser service, no contacting Sysvol, no mapped drives, no group policy to fix the mental typo. Not wonderful.
Knowing it would fail, I fixed the GPO and tried to run it. Anyway. . . . . Since sysvol was unreachable, the repaired GPO couldn’t be reached. So, had to manually edit the typo in each registry. Fortunately, there were only four.
You may want to perform your usual saintly magic and keep a few other folks from getting themselves into a real pickle – like manually editing 10,000 registry entries????
Regards – and keep up the good work.
Steven R. Stein – CCNA, MCSE, VCP
Sr. Systems Engineer