Heya folks, Ned here again. With the publication of Windows 11 24H2 Release Preview, customers are trying out the new OS prior to general availability. If you were in the Windows Insider Canary or Dev release program for the past few years, nothing I'm about to share is new. But if you weren't and you're now having issues mapping a drive to your third-party network attached storage (NAS) devices using SMB, this article is for you.
In Windows 11 24H2, we've made two major security changes that can affect mapping drives to third-party consumer NAS or routers with USB storage:
SMB signing has been available in Windows for 30 years but, for the first time, is now required by default on all connections. Guest has been disabled in Windows for 25 years and SMB guest fallback disabled since Windows 10 in Enterprise, Education, and Pro for Workstation editions. Both changes will make billions of devices - not just Windows, but everything running SMB that wants to talk to Windows - more secure. They've been in Windows Insider Dev and Canary builds for a year.
There's one unavoidable consequence, though: we don't know when someone intended to be unsafe.
If you have installed Windows 11 24H2 Release Preview and now see one of these errors when connecting to a third-party device that previously worked fine, you're in the right place.
If signing isn't supported by your third-party device, you may get error:
If guest access is required by your third-party device, you may get error:
To solve these issues, we recommend you do the following in this order. It's ordered from the safest to the least safe approach, and our goal is for your data to be protected, not to help third parties sell you unsafe products.
Now we're into the less recommended steps, as they will make your Windows device and your data much less safe. They will, however, let you access this unsafe NAS.
6. Disable the SMB client signing requirement:
a. On the Start Menu search, type gpedit and start the Edit Group Policy app (i.e. Local Group Policy Editor). If you are using Home edition, skip to step 8.
b. In the console tree, select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
c. Double-click Microsoft network client: Digitally sign communications (always).
d. Select Disabled > OK.
7. Disable the guest fallback protection:
a. On the Start Menu search, type gpedit and start the Edit Group Policy app (i.e. Local Group Policy Editor). If you are using Home edition, skip to step e.
b. In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.
c. Double-click Enable insecure guest logons.
d. Select Enabled > OK.
8. If you're running Windows 11 Home edition, the guest fallback option is still enabled by default, so you're probably not reading this blog post. But if for some reason it is on, or you need to turn off SMB signing due to some third-party NAS, you will need to use PowerShell to configure your machine because there is no gpedit tool by default. To do this:
a. On the Start Menu search, type powershell then under the Windows PowerShell app, click Run as administrator. Accept the elevation prompt.
b. To disable SMB signing requirement, type:
Set-SmbClientConfiguration -RequireSecuritySignature $false
c. Hit enter, then hit Y to accept.
d. To disable guest fallback, type:
Set-SmbClientConfiguration -EnableInsecureGuestLogons $true
e. Hit enter, then hit Y to accept.
At this point, your connection will work if signing or guest access was the real problem.
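To see which of the two protections from steps 6 to 8 are currently relaxed on a client, which live connections are running without signing, and to put the hardened values back later, a check like the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original post or Microsoft's tooling; the function name Test-SmbClientHardening and its -Restore switch are hypothetical, and it relies only on the Get-SmbClientConfiguration, Set-SmbClientConfiguration and Get-SmbConnection cmdlets.

```powershell
# Added example (not from the original post). Run elevated if using -Restore.
function Test-SmbClientHardening {
    param(
        # Hypothetical switch: write the hardened values back to the client.
        [switch]$Restore
    )

    # Hardened values for the two settings the steps above relax.
    $hardened = @{
        RequireSecuritySignature  = $true    # signing required on every connection
        EnableInsecureGuestLogons = $false   # no guest fallback
    }

    # Compare the live client configuration against the hardened values.
    $cfg = Get-SmbClientConfiguration
    $weakened = foreach ($name in $hardened.Keys) {
        if ($cfg.$name -ne $hardened[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Current  = $cfg.$name
                Hardened = $hardened[$name]
            }
        }
    }

    # Current connections that are neither signed nor encrypted.
    # Encrypted sessions are skipped because SMB encryption already
    # provides integrity protection for the traffic.
    $exposed = Get-SmbConnection |
        Where-Object { -not $_.Signed -and -not $_.Encrypted } |
        Select-Object ServerName, ShareName, Dialect, UserName

    if ($Restore -and $weakened) {
        # -Force suppresses the Y/N confirmation described in step 8.
        Set-SmbClientConfiguration @hardened -Force
    }

    # The report reflects the state found before any restore was applied.
    [pscustomobject]@{
        Weakened            = @($weakened)
        UnsignedConnections = @($exposed)
    }
}

# Report only:
Test-SmbClientHardening | Format-List
# Report, then re-apply the hardened values:
# Test-SmbClientHardening -Restore | Format-List
```

An empty Weakened list means both settings are at their hardened values; any server listed under UnsignedConnections is one the client is talking to without signing or encryption.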
Important: we have not removed your ability to enable SMB1. All editions of Windows 11 have SMB1 disabled by default - this has been the case for over a year now and, in some editions, going back to Windows 10 - but you are free to re-enable it if you have a third-party NAS that only supports SMB1. SMB1 supports signing but your NAS may not, so the steps above for disabling signing can still apply. SMB1 always allows guest fallback and it cannot be stopped, so the guest steps are not applicable. If your third-party NAS still requires SMB1, it's likely listed here https://aka.ms/stillneedssmb1. If you find that it also doesn't support SMB signing, please let us know with the email address below.
If you have a third-party NAS device that doesn't support SMB signing, we want to hear about it. Please email [email protected] with the make and model of your NAS device so we can share with the world and perhaps get the vendor to fix it with an update.
For more details on these technologies, what they do, and what the future holds, review blog posts:
For the official MS Learn docs, review:
Until next time,
Ned Pyle