Hi,
Thanks for posting in Q&A platform.
May I know if the content of Event 3000 is "This event indicates that a client attempted to access the server using SMB1." If yes, then this just indicates that there is a client tries to access the server via SMB1, if SMBv1 has been disabled from server side, then the server will not be affected by this.
We also run “disable-WindowsOptionalFeatue -online -FeatureName SMB1Protocol” but didn’t restart server. Does it need to restart server after running this command?
If you run this command from client side to disable SMBv1, it will need a reboot from client side.
Will ransomware attach the server if enabled SMBv1 from client side?
If the SMBv1 has been disabled from server side, then the client can only initiate the access request, but the server will not response this request, so the server will not be affected. However, Microsoft suggest you disable SMBv1 on both client and server side due to security consideration and support consideration. Always installing the latest patch should effectively help to prevent attacks.
Best Regards,
Sunny
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.