Summary
This knowledgebase article provides information regarding the risks of using SMBv1 feature which was deprecated and superseded by SMBv2 on Windows Server operating system starting with 2019 version. And how this bad-practice interacts with Continuity Engine File Server plugin functionality.
Description
How SMBv1 may get enabled on Windows Server 2019 (or higher)?
Windows Server 2019 no longer has enabled by default the SMBv1 client or server by default after a clean installation. However, SMBv1 can still be installed at a later time via Add Roles and Features. Also, SMBv1 configuration is preserved in case of an in-place upgrade to Windows Server 2019.
Continuity Engine interaction with SMBv1
The Computer Browser service relies on the SMBv1 protocol to populate the Windows Explorer Network node (also known as "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because the service cannot function without SMBv1, it is removed at the same time starting WS2019. But what happens on systems where this feature gets enabled?
Computer Browser service depends directly on Server service, which is protected by Continuity Engine via the File Server plugin. The target state of the Server service on active is Restarted whilst protected by the File Server plugin (i.e. Server service is bounced each time an Engine node is made active). Consequently, Computer Browser service is also bounced as dependent service. This behavior is by design and has no undesired impact on the operating systems supporting SMBv1. But, starting with WS2019, bouncing this deprecated service (if present) may lead to bowser.sys driver failing to unload properly. And this could lead to BSOD.
In other words Engine is nothing more than the "usual suspect" for system instability. Just because it triggers a regular operation which in a deprecated scenario misbehaves.
Recommendation
Using SMBv1 feature makes your system both unsecure and unstable disregarding if Engine is in the picture or not. So better leave it disabled.
Microsoft's official recommendation about SMBv1: We strongly recommend that you don't reinstall SMBv1. This is because this older protocol has known security issues regarding ransomware and other malware.
Workaround (only if recommendation is ignored)
Remove Server (lanmanserver) service from FileServer plugin's protected list: this will eliminate the risk of Computer Browser (browser) service being bounced at switchover, but creates a potential risk for newly added file shares not being visible on new active after the switchover (till lanmanserver is restarted).
- Attention: This workaround just prevents Engine from bouncing browser service. The BSOD may still happen in the case Computer Browser is bounced by any other component.
Applies to
Continuity Engine 9.x (or newer) protecting WS2019 (or newer) File Server with SMB1 and Computer Browser features installed