Microsoft offers workaround for SMB authentication failing in Windows 11

SMB signing was enabled by default in Windows 11 Insider Enterprise editions recently, causing some failures. Microsoft now has a workaround.


Over a year ago, Microsoft announced that it would no longer ship Windows 11 Home with Server Message Block version 1 (SMB1), since it is a very old network protocol that has been considered insecure for some time and has been succeeded by newer iterations. That said, SMB is still present in Windows 11, and in fact, the company made SMB signing the default behavior in Windows Insider Enterprise builds earlier this month. However, Microsoft has learned that SMB authentication is failing in certain scenarios, and as such, it has now offered a workaround for the issue.

Essentially, SMB authentication in Windows 11 Insider builds is no longer working for guest logons because SMB signing fails when you are using guest authentication. The key used to generate a signature for a message that is being sent is derived from the user’s password. When you enable guest authentication, there is no password, which means that the two concepts are mutually exclusive: you can’t have both. Since there is no user password available to create a signature, Windows currently just fails the SMB connection for a guest client, because SMB signing – which requires a password – is now enabled by default in certain Windows Insider builds.

It is important to note that this isn’t exactly a radical change in behavior. Microsoft stopped allowing guest logons by default back in Windows 2000, stopped built-in Guest accounts from connecting remotely to Windows, and even disabled SMB2 and SMB3 guest access starting with Windows 10 version 1709. The aim is to stop malicious actors from remotely executing malicious code on your server without requiring credentials.

As such, if you rely on guest authentication on Windows, you’ll be treated to error messages about the network path not being found (error 0x80070035) or a message about your organization blocking unrestricted and unauthenticated guest access. While you can enable guest access in SMB2+ by following Microsoft’s guide here, it won’t help in the latest Windows 11 Insider builds – and presumably future editions of Windows once this change rolls out generally – and the connection will fail.


Microsoft’s recommended fix is to immediately stop accessing your third-party devices using guest credentials. The firm has cautioned that continuing with this behavior puts your data at risk, as anyone can use this technique to access your data without leaving an audit trail. It has emphasized that device manufacturers typically enable guest access by default because they don’t want to deal with customers regarding the complexity of setting up a more secure form of access. The Redmond firm has recommended that you consult your vendor’s documentation to enable password-based authentication, and if that is not supported, you should phase out the associated product completely.

However, if disabling SMB guest access is not possible for your organization, your only option is to disable SMB signing, which Microsoft does not recommend since it negatively affects your company’s security posture. Regardless, Microsoft has outlined three ways in which you can disable SMB signing, detailed below:

  • Graphical (local group policy on one device)
    1. Open the Local Group Policy Editor (gpedit.msc) on your Windows device.
    2. In the console tree, select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    3. Double-click Microsoft network client: Digitally sign communications (always).
    4. Select Disabled > OK.
  • Command-line (PowerShell on one device)
    1. Open an administrator-elevated PowerShell console.
    2. Run:
       Set-SmbClientConfiguration -RequireSecuritySignature $false
  • Domain-based group policy (on IT-managed fleets)
    1. Locate the security policy applying this setting to your Windows devices (you can run GPRESULT /H on a client to generate a Resultant Set of Policy report showing which group policy is requiring SMB signing).
    2. In GPMC.MSC, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    3. Set Microsoft network client: Digitally sign communications (always) to Disabled.
    4. Apply the updated policy to Windows devices needing guest access over SMB.
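Before touching policy, a practitioner would want to confirm which of these settings a given client actually has and which live connections would be affected. The following PowerShell is an added example, not code from Microsoft or the article: it queries the real Get-SmbClientConfiguration and Get-SmbConnection cmdlets and reports whether signing and guest access are in the conflicting combination described above (the function name is my own).

```powershell
# Added example (not from the article): audit whether this Windows client is in the
# conflicting state described above, i.e. SMB signing required AND insecure guest
# logons enabled, and list live SMB connections that are currently unsigned.
# Assumes Windows 10/11 with the built-in SmbShare module; run from an elevated console.
function Get-SmbGuestSigningStatus {
    [CmdletBinding()]
    param()

    $cfg = Get-SmbClientConfiguration

    # RequireSecuritySignature maps to "Microsoft network client: Digitally sign
    # communications (always)". EnableInsecureGuestLogons controls SMB2/SMB3 guest access.
    $requireSigning = [bool]$cfg.RequireSecuritySignature
    $guestAllowed   = [bool]$cfg.EnableInsecureGuestLogons

    $verdict = if ($requireSigning -and $guestAllowed) {
        'CONFLICT: signing is required but guest logons are enabled; guest connections will fail (0x80070035).'
    } elseif ($requireSigning) {
        'OK: signing required and guest logons disabled (recommended posture).'
    } elseif ($guestAllowed) {
        'WEAK: signing not required and guest logons enabled; unauthenticated, unsigned access is possible.'
    } else {
        'PARTIAL: guest logons disabled, but signing is not required on this client.'
    }

    # Connections that are not signed today are the ones that break once signing is enforced,
    # so they are the shares to move to password-based authentication first.
    $unsigned = Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted

    [pscustomobject]@{
        RequireSecuritySignature  = $requireSigning
        EnableInsecureGuestLogons = $guestAllowed
        Verdict                   = $verdict
        UnsignedConnections       = $unsigned
    }
}

Get-SmbGuestSigningStatus | Format-List
```

Re-run the function after applying any of the three workarounds above to confirm the client's effective setting, since a domain GPO will override a local change at the next policy refresh.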

In terms of next steps, Microsoft has noted that it will work on improving the error messaging and having a clearer description in group policy in future Windows Insider releases. The associated Microsoft documentation available online will also be updated to better explain this change and the corresponding workarounds. However, the company’s overall recommendation is still to disable guest access from third-party devices.