Storage at Microsoft

Accessing a third-party NAS with SMB in Windows 11 24H2 may fail

NedPyle
May 29, 2024

Heya folks, Ned here again. With the publication of Windows 11 24H2 Release Preview, customers are trying out the new OS prior to general availability. If you were in the Windows Insider Canary or Dev release program for the past few years, nothing I'm about to share is new. But if you weren't and you're now having issues mapping a drive to your third-party network attached storage (NAS) devices using SMB, this article is for you. 

 

What changed

In Windows 11 24H2, we've made two major security changes that can affect mapping drives to third-party consumer NAS or routers with USB storage:

 

  1. By default, SMB signing is required on all connections. This increases your security by preventing tampering on the network and stops relay attacks that send your credentials to malicious servers.
  2. Guest fallback is disabled on Windows 11 Pro edition. This increases your security when connecting to untrustworthy devices. Guest allows you to connect to an SMB server with no username or password. While convenient for the maker of your NAS, it means that your device can be tricked into connecting to a malicious server without prompting for credentials, then given ransomware or having your data stolen.

SMB signing has been available in Windows for 30 years but, for the first time, is now required by default on all connections. Guest has been disabled in Windows for 25 years and SMB guest fallback disabled since Windows 10 in Enterprise, Education, and Pro for Workstation editions. Both changes will make billions of devices - not just Windows, but everything running SMB that wants to talk to Windows - more secure. They've been in Windows Insider Dev and Canary builds for a year.

 

What happens with a third-party NAS

There's one unavoidable consequence, though: we don't know when someone intended to be unsafe.

 

  • We don't know the difference between a NAS that doesn't have SMB signing enabled and an evil server that doesn't want SMB signing enabled.
  • We also don't know the difference between a consumer NAS - where the manufacturer used guest access to simplify connecting to their storage at the expense of security - and an evil server that wants you to connect without any security prompts in order to steal all of your files and/or deliver malware. Furthermore, SMB signing cannot be used with guest credentials. So even if you have guest fallback enabled, SMB signing will prevent it from working.

If you installed Windows 11 24H2 Release Preview and now see one of the following errors when connecting to a third-party device that was working fine previously, you're in the right place.

 

If signing isn't supported by your third-party device, you may get one of these errors:

  • 0xc000a000
  • -1073700864
  • STATUS_INVALID_SIGNATURE
  • The cryptographic signature is invalid

If guest access is required by your third-party device, you may get one of these errors:

  • You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network
  • 0x80070035
  • 0x800704f8
  • The network path was not found
  • System error 3227320323 has occurred

 

How to solve the issues

To solve these issues, we recommend you do the following in this order. It's ordered from the safest to the least safe approach, and our goal is for your data to be protected, not to help third parties sell you unsafe products.

 

  1. Enable SMB signing in your third-party NAS. Your vendor will have steps to do this online if it's possible in the device's management software.
  2. Disable guest access in your third-party NAS. Your vendor will have steps to do this online if it's possible in the device's management software.
  3. Enable a username and password in your third-party NAS. Your vendor will have steps to do this online if it's possible in the device's management software.
  4. Upgrade your NAS if you cannot enable signing, cannot disable guest, or cannot use a username and password. The NAS will usually have an upgrade option in its management software, possibly labeled as "firmware update."
  5. Replace your NAS if you cannot upgrade your NAS software to support signing and credentials (you will need to use steps 6 and later to copy your data off of it to your new NAS first).

Now we're into the less recommended steps, as they will make your Windows device and your data much less safe. They will, however, let you access this unsafe NAS.

 

6. Disable the SMB client signing requirement:

a. On the Start Menu search, type gpedit and start the Edit Group Policy app (i.e. Local Group Policy Editor). If you are using Home edition, skip to step 8.

b. In the console tree, select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

c. Double-click Microsoft network client: Digitally sign communications (always).

d. Select Disabled, then click OK.

 

7. Disable the guest fallback protection:

a. On the Start Menu search, type gpedit and start the Edit Group Policy app (i.e. Local Group Policy Editor). If you are using Home edition, skip to step 8.

b. In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.

c. Double-click Enable insecure guest logons.

d. Select Enabled, then click OK.

 

8. If you're running Windows 11 Home edition, the guest fallback option is still enabled by default, so you're probably not reading this blog post. But if for some reason it is on, or you need to turn off SMB signing due to some third-party NAS, you will need to use PowerShell to configure your machine because there is no gpedit tool by default. To do this:

a. On the Start Menu search, type powershell then under the Windows PowerShell app, click Run as administrator. Accept the elevation prompt.

b. To disable the SMB signing requirement, type:

Set-SmbClientConfiguration -RequireSecuritySignature $false

c. Hit enter, then hit Y to accept.

d. To disable guest fallback, type:

Set-SmbClientConfiguration -EnableInsecureGuestLogons $true

e. Hit enter, then hit Y to accept.
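The following script is an added example and is not part of Ned's post or any Microsoft tooling. It wraps the two settings discussed above (steps 6 through 8) and the error symptoms listed earlier into a few audit functions: one reports whether the client is still in its hardened 24H2 state, one lists which active SMB connections are actually signed or encrypted and on which dialect, one pulls recent SMB client security events mentioning signing or guest logons, and one restores the secure defaults once the NAS has been fixed. It assumes the built-in SmbShare cmdlets (Get-/Set-SmbClientConfiguration, Get-SmbConnection), that Get-SmbConnection exposes Signed and Encrypted properties on this Windows build, that the 'Microsoft-Windows-SmbClient/Security' event log exists, and that matching on event message text is an acceptable heuristic; no event IDs are hard-coded.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: SmbShare module cmdlets are present; Get-SmbConnection exposes Signed and
# Encrypted on this build; the 'Microsoft-Windows-SmbClient/Security' log exists.

function Get-SmbClientHardeningState {
    # Report the two settings changed in Windows 11 24H2 and whether both are secure.
    $cfg = Get-SmbClientConfiguration
    [pscustomobject]@{
        RequireSecuritySignature  = $cfg.RequireSecuritySignature   # secure when $true
        EnableInsecureGuestLogons = $cfg.EnableInsecureGuestLogons  # secure when $false
        IsHardened = ($cfg.RequireSecuritySignature -and -not $cfg.EnableInsecureGuestLogons)
    }
}

function Get-SmbConnectionSecurity {
    # For each active SMB connection, show the negotiated dialect and whether the
    # session is signed/encrypted, so an unsigned server stands out immediately.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted, UserName
}

function Get-RecentSmbClientRejections {
    param([int]$Hours = 24)
    # Heuristic (assumption): filter the SMB client security log on message text
    # rather than hard-coding event IDs. -ErrorAction handles an empty log.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SmbClient/Security'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'guest|signature|signing' } |
        Select-Object TimeCreated, Id, Message
}

function Restore-SmbClientDefaults {
    # Undo steps 6-8 of the post once the NAS supports signing and real credentials.
    # -Force suppresses the confirmation prompt the interactive steps describe.
    Set-SmbClientConfiguration -RequireSecuritySignature $true  -Force
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    Get-SmbClientHardeningState
}

# Usage (elevated):
Get-SmbClientHardeningState
Get-SmbConnectionSecurity
Get-RecentSmbClientRejections -Hours 48
# Restore-SmbClientDefaults   # run this after the NAS has been upgraded or replaced
```

Running Get-SmbConnectionSecurity while a drive is mapped to the NAS shows whether the workaround is still in effect (an unsigned session on a low dialect), which is the quickest way to confirm the settings can be restored after the vendor fix.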

 

At this point you will be working if Signing or Guest were your real problems. 

 

Important: we have not removed your ability to enable SMB1. All editions of Windows 11 have SMB1 disabled by default - this has been the case for over a year now and, in some editions, going back to Windows 10 - but you are free to re-enable it if you have a third-party NAS that only supports SMB1. SMB1 supports signing but your NAS may not, so the steps above for disabling signing can still apply. SMB1 always allows guest fallback and it cannot be stopped, so the guest steps are not applicable. If your third-party NAS still requires SMB1, it's likely listed here: https://aka.ms/stillneedssmb1. If you find that it also doesn't support SMB signing, please let us know with the email address below.

 

Learning more & helping the community

If you have a third-party NAS device that doesn't support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share with the world and perhaps get the vendor to fix it with an update.

 

For more details on these technologies, what they do, and what the future holds, review blog posts:

 

For the official MS Learn docs, review:

 

 

Until next time,

 

Ned Pyle

 

Updated Jun 14, 2024
Version 10.0
  • tadeasjerecic
    Copper Contributor

    Hello. I want to ask you how I could solve this issue when we have security baselines in Intune above the GPOs. How can I enable the SMB connection to our Linux workstations?

     

    Thanks.

  • ghodyil
    Copper Contributor

    Hi! This solved my problem with the 0x80070035 code, but my file server is running on a PC with Win 10.

  • ColinAntes
    Copper Contributor

    "We also use local network sharing and none of the PCs that updated to 24H2 can connect to the other network shares. Mapped drives fail to connect. Reverting to 23H2 resolves the problem. Is this related to this NAS SMB1 issue or unrelated?"

     

    We are having pretty much the same issue as well. Connecting to our file shares gives us a credential error when the same process would give us no error on devices running builds prior to 24H2.

     

    We are also unable to update Computer Management on the domain joined device when logged in as regular user, even when attempting to passthrough credentials with a domain admin account when prompted. We get the same credential errors as we do with the shares. Issue still occurs even when logged in as local or domain admin.

     

    Our Autopilot also got new issues with provisioning a user account during the Autopilot sign-in, as it would time out with an error after about 90 minutes and not initiate BitLocker when signing in with a new user account that did not already have MFA set up.
    The device would still join the domain and allow us to log in to the desktop with our accounts, but I would then have to log in with an existing user account that already had MFA set up, and then sign into the Company Portal with that account to finish the device Intune enrollment join and BitLocker setup. Since most Autopilot runs are for new user accounts that do not already have MFA set up, this is a rather annoying workaround for the time being.

     

    Lastly, we are also unable to run gpupdate on the 24H2 devices, as that gives us an error as well stating a lack of network connectivity to the domain controller.
    All devices are Autopilot Hybrid Domain Joined devices. When trying to then run a gpreport, we get an error that the user does not have RSoP data.

     

    These are the current main issues we have discovered on devices that have been "upgraded" to 24H2. So far, it's been an aggravating mess.

  • I believe the connection issues could be SMB signing, which is mandatory and is crucial to avoid man-in-the-middle attacks that make it easy to spy on passwords.

  • DimkaLTC
    Copper Contributor

    I have a Surface Pro 11 with Windows 11 Pro 24H2. The home network has several computers, 1 NAS (SMB1) and a TV box with a flash drive for sharing. I have meticulously followed all of Ned's recommendations – especially points 6, 7 and even 8. In Network all Windows PCs are visible, but the NAS and TV box are not visible. I connected the NAS as a network drive. It became visible and works in the My Computer folder. I could not connect the TV box, although a Samba server is running there and the network name, login and password are specified (24H2 at the login/password input stage says: check the network name). As a result, I only see computers on the home network, and in Computer I see the NAS as a network drive. From a nearby PC on Windows 23H2 I can see the entire home network completely and easily – all PCs, NAS, TV box etc. What did I do wrong in 24H2?

    • Karl-WE
      MVP

      I am sad to hear that you need to rely on SMB 1 (NAS). Usually network neighbourhood will not show devices in 24H2 for security reasons; also, SMB 1 is normally off by default.

      If you don't care for security, check the following:

      Check if SMB 1 is installed and enabled.

      Click on systray > networking; in the Settings app change the network from public to private.

      Open legacy Control Panel > Network > Network Neighbourhood and enable discovery.

      Disable SMB signing as per this article.

      Mind that all of this means man-in-the-middle attacks are then possible; your password can be easily stolen and your data compromised (encrypted, modified or deleted). This is all a thing that happens in reality and hackers, depending on their targets, don't care whether it's business or home.

      The best thing is to try updating firmware and hope these devices like the TV and NAS can support setting up SMB 2 or, better, 3 and SMB signing. And abstain from network neighbourhood discovery.

  • DimkaLTC
    Copper Contributor

    Dear Karl-WE, of course I first followed these simple recommendations and studied the article in detail. But on the Network, I can see all the PCs on my home network perfectly, but I can't see the NAS and TV box. I see the NAS fine in the Computer folder - I connected it as a mapped network drive. I can't do anything with the TV box shared resource... It's amazing that in 23H2 on the Network, EVERYTHING is visible and works at once, without the debilitating witchcraft. Microsoft, of course, took care of network security, but created great difficulties for 24H2 users.