Click on the Category button to get more articles regarding that product.
PowerShell script to check if you SMB setup is 25H2 ready
Windows 11 25H2 – Small Update, Big Impact for SMB Environments
Windows 11 25H2 is now being offered on home and business systems as an Enablement Pack.
This means it’s not a full new installation — instead, it’s a small ~50 MB update that simply activates features already included in Windows 11 24H2.
Microsoft has been quietly pre-shipping most of the 25H2 components via cumulative updates over the past months.
For small business (SBS) or even enterprise environments, this makes upgrading technically simple — a real low-hanging fruit.
In fact, OEMs like HP or Dell might soon ship devices that already include Windows 11 25H2 or integrate seamlessly into Modern Workplace / Autopilot deployment workflows.
However, here’s the point we’ve always warned about:
While this type of update process can be convenient, it’s not always the right choice. There are scenarios where a traditional OS deployment (via Ivanti, SCCM, image or MDT) remains the safer and more controlled path.
If Dell or HP ships the next device with the next OS level and you are short on time you may get into real trouble. The time and cash you saved with modern OS Deployment like Autopilot > you may loose now and lewarn it the hard way.
Why It Can Go Wrong
The biggest potential issue we’ve seen among SBS customers is legacy SMB (Server Message Block) configurations — particularly SMBv1 still being active somewhere in the network.
This can happen due to:
- Old NAS devices or file servers still using SMBv1
- Scanners or copiers that rely on outdated SMB protocols
- External file appliances or even older Windows Server versions (like 2008 R2 / 2012)
Windows 11 25H2 and future releases are increasingly restrictive with SMBv1 and NetBIOS, meaning these older services may stop working or become inaccessible after the upgrade.
How to Check Your Environment
To help assess the situation, we’ve created a small PowerShell utility – “SMBCHECK”.
It queries all key SMB-related configurations on your local Windows 10/11 system or Windows Server and highlights potential risks in a clear color-coded output.
Running this script gives IT admins and service providers a quick health overview of SMB configuration and network readiness before enabling 25H2.
An overview Server side if you did not change too much to make legacy devices work:
| Server Version | SMBv1 Default | SMBv2/3 | NetBT | 25H2 Risk | Notes |
|---|---|---|---|---|---|
| 2016 | May be enabled | Yes | Often enabled | High [!!] |
Likely to break SMB1 over NetBT for 25H2 clients |
| 2019 | Disabled | Yes | Sometimes enabled | Moderate [!!] |
Only if SMBv1 manually re-enabled |
| 2025 | Removed | Yes | Disabled | Low [OK] |
Future-proof, minimal SMB1 issues |
Conclusion:
- Server 2016
is the
most likely to cause problems
for 25H2 clients because SMBv1 + NetBT can still be active by default or legacy upgrade paths.
- Server 2019
is generally safe unless someone has explicitly re-enabled SMBv1.
- Server 2025
should be "ready out of the box" — SMBv1 and risky transports are gone.
<#
.SYNOPSIS
V1.0, 02.10.2025, www.butsch.ch
Enterprise SMB audit for local Windows 11/Server host
.DESCRIPTION
- Detects SMBv1/v2/v3 client/server
- Checks NetBT (legacy transport)
- Checks SMB signing and encryption
- Lists shares and marks risky ones
- Evaluates 25H2 readiness
- Uses colors + ASCII markers for robust console output
#>
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
function Get-WindowsVersion {
$os = Get-CimInstance Win32_OperatingSystem
return "$($os.Caption) ($($os.Version))"
}
function Evaluate-25H2 {
param(
[bool]$SMBv1_Client,
[bool]$SMBv1_Server,
[bool]$NetBT_Enabled,
[array]$Shares
)
$reason = @()
$affectedShares = @()
if ($SMBv1_Client) { $reason += "SMBv1 client enabled → may fail in 25H2" }
if ($SMBv1_Server) { $reason += "SMBv1 server enabled → may fail in 25H2" }
# NetBT is risky only if SMB1 is active
$netbtRisk = ($NetBT_Enabled -and ($SMBv1_Client -or $SMBv1_Server))
if ($netbtRisk) { $reason += "NetBT enabled while SMB1 active → risky transport" }
if ($SMBv1_Client -or $SMBv1_Server) {
foreach ($s in $Shares) { $affectedShares += $s.Name }
}
if ($reason.Count -eq 0) {
return @{Status="GOOD";Reason="No SMB1 active, shares work normally";AffectedShares=@()}
} else {
return @{Status="RISKY";Reason=($reason -join "; ");AffectedShares=$affectedShares}
}
}
function Get-SMBStatus {
$result = [PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
WindowsVersion = Get-WindowsVersion
SMBv1_Client = $false
SMBv2_Client = $false
SMBv1_Server = $false
SMBv2_Server = $false
SMBv3_Server = $false
SMBSigningRequired = "Unknown"
SMBEncryptionRequired = "Unknown"
NetBT_Enabled = $false
SMBv1_GPOOverride = "None"
Readiness25H2_Status = "Unknown"
Readiness25H2_Reason = ""
Shares = @()
AffectedShares = @()
}
# SMB client/server
try {
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
$result.SMBv1_Client = if ($null -eq $client.EnableSMB1Protocol) { $false } else { $client.EnableSMB1Protocol }
$result.SMBv2_Client = if ($null -eq $client.EnableSMB2Protocol) { $false } else { $client.EnableSMB2Protocol }
$result.SMBv1_Server = if ($null -eq $server.EnableSMB1Protocol) { $false } else { $server.EnableSMB1Protocol }
$result.SMBv2_Server = if ($null -eq $server.EnableSMB2Protocol) { $false } else { $server.EnableSMB2Protocol }
$result.SMBv3_Server = $true
$result.SMBSigningRequired = $server.RequireSecuritySignature
$result.SMBEncryptionRequired = if ($server.EnableSMBEncryption -eq $true) { "Yes" } else { "No" }
} catch {}
# NetBT
try {
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE"
foreach ($a in $adapters) {
if ($a.TcpipNetbiosOptions -ne 2) { $result.NetBT_Enabled = $true; break }
}
} catch {}
# GPO SMBv1 override
try {
if (Get-Command Get-GPResultantSetOfPolicy -ErrorAction SilentlyContinue) {
$gpReport = "$env:TEMP\gpresult.html"
Get-GPResultantSetOfPolicy -ReportType Html -Scope Computer -Path $gpReport -ErrorAction SilentlyContinue
$content = Get-Content $gpReport -Raw
if ($content -match "EnableSMB1") { $result.SMBv1_GPOOverride = "Defined" }
}
} catch {}
# Shares
try {
$shares = Get-SmbShare -ErrorAction SilentlyContinue
foreach ($s in $shares) {
$result.Shares += [PSCustomObject]@{
Name = $s.Name
Path = $s.Path
Description = $s.Description
}
}
} catch {}
# Evaluate readiness
$eval = Evaluate-25H2 -SMBv1_Client $result.SMBv1_Client -SMBv1_Server $result.SMBv1_Server -NetBT_Enabled $result.NetBT_Enabled -Shares $result.Shares
$result.Readiness25H2_Status = $eval.Status
$result.Readiness25H2_Reason = $eval.Reason
$result.AffectedShares = $eval.AffectedShares
return $result
}
function Display-Status {
param([object]$sys)
function FlagColor($val, $risk=$false) {
if ($risk) { return @("[!!]","Red") }
elseif ($val -eq $true) { return @("[OK]","Green") }
else { return @("[?]","Yellow") }
}
Write-Host "********************************************************" -ForegroundColor Cyan
Write-Host "** SMBCHECK a helper tool for W11 25H2 pre-evaluation **" -ForegroundColor Cyan
Write-Host "********************************************************" -ForegroundColor Cyan
Write-Host "V1.0, 02.10.2025, www.butsch.ch" -ForegroundColor Cyan
Write-Host "********************************************************" -ForegroundColor Cyan
Write-Host "Computer: $($sys.ComputerName)" -ForegroundColor Cyan
Write-Host "Windows Version: $($sys.WindowsVersion)" -ForegroundColor Cyan
Write-Host "`n********************* SMB CONFIGURATION ****************" -ForegroundColor Cyan
$flag = FlagColor $sys.SMBv1_Client $sys.SMBv1_Client
Write-Host "SMBv1 Client: $($sys.SMBv1_Client) $($flag[0])" -ForegroundColor $flag[1]
$flag = FlagColor $sys.SMBv1_Server $sys.SMBv1_Server
Write-Host "SMBv1 Server: $($sys.SMBv1_Server) $($flag[0])" -ForegroundColor $flag[1]
$flag = FlagColor $sys.SMBv2_Client
Write-Host "SMBv2 Client: $($sys.SMBv2_Client) $($flag[0])" -ForegroundColor $flag[1]
$flag = FlagColor $sys.SMBv2_Server
Write-Host "SMBv2 Server: $($sys.SMBv2_Server) $($flag[0])" -ForegroundColor $flag[1]
$flag = FlagColor $sys.SMBv3_Server
Write-Host "SMBv3 Server: $($sys.SMBv3_Server) $($flag[0])" -ForegroundColor $flag[1]
Write-Host "SMB Signing Required: $($sys.SMBSigningRequired)"
Write-Host "SMB Encryption Required: $($sys.SMBEncryptionRequired)"
Write-Host "`n--------------------- NETWORK -----------------------" -ForegroundColor Cyan
$netRisk = ($sys.NetBT_Enabled -and ($sys.SMBv1_Client -or $sys.SMBv1_Server))
$flag = FlagColor $sys.NetBT_Enabled $netRisk
Write-Host "NetBT Enabled: $($sys.NetBT_Enabled) $($flag[0])" -ForegroundColor $flag[1]
Write-Host "`n--------------------- GPO ---------------------------" -ForegroundColor Cyan
Write-Host "SMB1 GPO Override: $($sys.SMBv1_GPOOverride)"
Write-Host "`n********************* SHARES ************************" -ForegroundColor Cyan
foreach ($s in $sys.Shares) {
$marker = if ($sys.AffectedShares -contains $s.Name) { "[!!]" } else { "[OK]" }
$color = if ($marker -eq "[!!]") { "Red" } else { "Green" }
Write-Host " - $($s.Name) : $($s.Path) ($($s.Description)) $marker" -ForegroundColor $color
}
Write-Host "`n********************* FINAL VERDICT *****************" -ForegroundColor Cyan
$finalFlag = if ($sys.Readiness25H2_Status -eq "GOOD") { "[OK]" } else { "[!!]" }
$finalColor = if ($finalFlag -eq "[OK]") { "Green" } else { "Red" }
Write-Host "Readiness for 25H2: $($sys.Readiness25H2_Status) $finalFlag" -ForegroundColor $finalColor
Write-Host "Reason: $($sys.Readiness25H2_Reason)"
Write-Host "*****************************************************" -ForegroundColor Cyan
}
# MAIN EXECUTION
$localSystem = Get-SMBStatus
Display-Status -sys $localSystem
# Export CSV/HTML
# Build file name with computer name and current date
$today = Get-Date -Format "dd_MM_yyyy"
$exportPath = $PWD.Path
$fileNamePrefix = "$($localSystem.ComputerName)_$today" # e.g., BUTSCHW10_04.11.2025
# Export CSV and HTML
$localSystem | Export-Csv -Path "$exportPath\$fileNamePrefix`_SMBcheck.csv" -NoTypeInformation
$localSystem | ConvertTo-Html -Property ComputerName,WindowsVersion,SMBv1_Client,SMBv1_Server,SMBv2_Client,SMBv2_Server,SMBv3_Server,SMBSigningRequired,SMBEncryptionRequired,NetBT_Enabled,SMBv1_GPOOverride,Readiness25H2_Status,Readiness25H2_Reason,Shares | Set-Content "$exportPath\$fileNamePrefix`_SMBcheck.html"
Write-Host "CSV & HTML reports exported to current folder: $exportPath" -ForegroundColor Cyan
Starting with updates released around
September 2025
(the same base build code in 24H2 and 25H2):
-
Microsoft confirmed that
SMB v1 over NetBIOS (NetBT)
fails to connect between systems if
either side
has the newer Windows update.
-
The failure specifically occurs
only when SMBv1 is using the legacy NetBIOS transport
— i.e., the 137–139 ports — not when it’s using direct TCP 445.
So:
| Scenario | Affected? | Notes |
|---|---|---|
| Win 11 25H2 client ↔ old NAS using SMBv1/NetBT (137-139) | ✅ Broken | The Windows client can’t connect to that NAS share. |
| Win 11 25H2 client ↔ old NAS using SMBv1 over direct TCP 445 | ⚠️ Works (if NAS supports direct TCP) | Many NAS boxes from 2010+ do; older ones may not. |
| Win 11 25H2 client ↔ Windows Server 2012/2008 with SMBv1 enabled via NetBT | ✅ Broken | Same cause. |
| Legacy Win 7 client ↔ Win 11 25H2 file server with SMBv1 enabled | ✅ Broken if NetBT used | Old clients often use NetBT automatically. |
| Modern SMBv2/3 clients ↔ any server (SMBv1 disabled) | 🟢 Unaffected | SMBv2/3 are normal and fully functional. |
So the “break” affects any combination where:
one side = Windows 11 24H2/25H2 (or a September 2025-patched Windows version)
AND the session = SMBv1 over NetBIOS/NetBT.
A Domain Joined W11 client looks OK
A Server 2022 Kombi Trellix EPO 5.1 and WSUS Server
A Server 2019 with a company with long update/migration history
Active Directory Domain Controller DC Server 2019
A Server 2016 Kombi EPO and WSUS
