Window$ 11 and SMB fail after update

  • Synthohol
    Certified Konica Expert

    Site Contributor
    5,000+ Posts
    • Mar 2016
    • 5740

    #1

    Found this on ASUS's website and found it very interesting, and I hope the fixes help you all out there as M$ just makes the job harder.

    If you cannot use SMB in Windows 11, please refer to the following solutions and choose one of them to set up:

    Note: The following methods may reduce system security, so they are recommended only in trusted network environments.



    Method 1. Enable insecure guest logons:

    a. Using the Registry Editor:

    a1. Type and search [registry editor] in the Windows search bar, then click [Open].

    a2. Navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation].

    If [LanmanWorkstation] does not exist, right-click on [Microsoft], select [New] > [Key], and name it [LanmanWorkstation].

    a3. Right-click on [LanmanWorkstation], select [New] > [DWORD (32-bit) Value], and name it [AllowInsecureGuestAuth].

    a4. Right-click on [AllowInsecureGuestAuth], select [Modify], set the Value data to 1, then click [OK].



    b. Using the Local Group Policy Editor:

    b1. Press [Win] + [R] key on the keyboard, type [gpedit.msc], then click [OK].

    b2. Navigate to [Computer Configuration] > [Administrative Templates] > [Network] > [Lanman Workstation].

    b3. In the right pane, right-click on [Enable insecure guest logons], select [Edit].

    b4. Select Enabled, then click [OK].



    Method 2. Disable SMB Signing Requirement:

    a. Using the Registry Editor:

    a1. Type and search [registry editor] in the Windows search bar, then click [Open].

    a2. Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature].

    If [RequireSecuritySignature] does not exist, right-click on [Parameters], select [New] > [DWORD (32-bit) Value], and name it [RequireSecuritySignature].

    a3. Right-click on [RequireSecuritySignature], select [Modify], set the Value data to 0, then click [OK].



    b. Using Windows PowerShell:

    b1. Type and search [Windows PowerShell] in the Windows search bar, open [Windows PowerShell] as Administrator.

    b2. Enter the following command and press Enter on the keyboard.
    • Set-SmbClientConfiguration -RequireSecuritySignature $false



    Please refer to Microsoft Official Website Information

    Group Policy
    PowerShell
    We know a thing or two because we've seen a thing or two.
    The medication helps though...
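
Added example, not part of the post above or of the ASUS article it quotes: a read-only PowerShell check that reports whether the two values changed by Method 1 and Method 2 are currently in their weakened state, and saves what it found. The function name `Get-SmbClientWeakening` and the output file name are assumptions made for illustration.

```powershell
# Added example: read-only check of the two SMB client settings changed by
# Method 1 and Method 2 above. Function name and output shape are illustrative.
function Get-SmbClientWeakening {
    $checks = @(
        @{ Name = 'AllowInsecureGuestAuth'       # Method 1 sets this to 1
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
           WeakValue = 1 },
        @{ Name = 'RequireSecuritySignature'     # Method 2 sets this to 0
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           WeakValue = 0 }
    )
    foreach ($c in $checks) {
        # A missing key or value is reported as "<not set>", not as an error.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = if ($null -eq $value) { '<not set>' } else { $value }
            Weakened = ($null -ne $value) -and ($value -eq $c.WeakValue)
            Path     = $c.Path
        }
    }
}

$state = Get-SmbClientWeakening
$state | Format-Table -AutoSize

# Effective client configuration as the SMB client itself reports it.
Get-SmbClientConfiguration |
    Select-Object RequireSecuritySignature, EnableInsecureGuestLogons

# Keep a dated record of what was found before anyone changes anything.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$state | ConvertTo-Json |
    Set-Content -Path (Join-Path $env:TEMP "smb-client-state-$stamp.json")
```

Nothing in the block writes to the registry; a row with `Weakened = True` means the machine is currently running with the relaxed setting from the corresponding method.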
  • Slammers
    Trusted Tech

    100+ Posts
    • Feb 2019
    • 107

    #2
    I would be very careful when modifying these settings on a customer's infrastructure. I suggest having a read up on NTLMv2 auth.

    These settings are now being enforced for a reason and this is the sort of stuff that gives us copier techs a bad name.
    If the device does not support NTLMv2 and SMBv3 the client should be informed and alternative methods should be implemented.
    This could be a NAS box, USB or Scan To Email, but should really be an upgrade to a newer MFP.



    I am finding more and more that NTLMv2 is now enforced with the LmCompatibilityLevel set to Level 5. This is a requirement now for most cyber security insurance and if the customer finds out you have dropped their security level to enable SMB us copy techs will end up on the shit lists.

    On my latest boxes, the device connects via NTLMv2 with a key length of 128. This can be verified through an NTLM audit via Event Log on the DC handling AD. I have also found that if the Client IT has aggressive firewalls and blocks port 53054 the NTLMv2 handshake cannot complete and falls back to NTLMv1 which causes a failure in login when LmCompatLevel is set to 5.

    Example of a successful SMB login via NTLMv2 from a 2554ci with the Event Log from the DC handling domain auth:

    image.png

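
Added example, not part of the post above: one way to read the NTLM version and key length out of a logon event, which is what the NTLM audit described in #2 looks at. It assumes the audit uses Security event 4624 on the DC; the function name `ConvertFrom-NtlmLogonEvent` is hypothetical and the sample events (user, workstation, address) are constructed.

```powershell
# Added example. Field names are those of Security event 4624; that this is the
# log the post means is an assumption. Sample events below are constructed.
function ConvertFrom-NtlmLogonEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Flatten <Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Kerberos and other packages carry no NTLM version; skip them.
    if ($data['AuthenticationPackageName'] -ne 'NTLM') { return }

    [pscustomobject]@{
        User        = $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        NtlmVersion = $data['LmPackageName']      # 'NTLM V1' or 'NTLM V2'
        KeyLength   = [int]$data['KeyLength']
        IsNtlmV2    = ($data['LmPackageName'] -eq 'NTLM V2')
    }
}

$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">scanuser</Data>
    <Data Name="WorkstationName">MFP-01</Data>
    <Data Name="IpAddress">192.0.2.25</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">{0}</Data>
    <Data Name="KeyLength">{1}</Data>
  </EventData>
</Event>
'@
$samples = ($template -f 'NTLM V2', 128), ($template -f 'NTLM V1', 128)
$samples | ForEach-Object { ConvertFrom-NtlmLogonEvent -EventXml $_ } |
    Format-Table -AutoSize

# Against the live Security log on the DC (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-NtlmLogonEvent -EventXml $_.ToXml() } |
#     Where-Object { -not $_.IsNtlmV2 }
```

Rows with `IsNtlmV2 = False` are the devices that would be refused once only NTLMv2 is accepted, so they are the ones to upgrade or move to another scanning method.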

    • Synthohol
      Certified Konica Expert

      Site Contributor
      5,000+ Posts
      • Mar 2016
      • 5740

      #3
      I forgot about domains, yeah I wouldn't touch them at all but if a cust in a flowershop wanted to scan to their laptop running win 11 and as a last resort to try a registry change (after backing up the registry) then if the change worked I'd give them the option to leave it or restore the registry and pursue other scanning protocols.
      Domains and domain security totally slipped my mind, been a few years now, probably going stale little by little.
      thanks for the reminder!

      • Duplicator
        IT Manager

        100+ Posts
        • May 2022
        • 245

        #4
        The good news is as long as it's a 4 series machine (224, c364, etc.) or newer it will do SMBv2 as long as its firmware is updated.
        Last edited by Duplicator; 03-28-2025, 04:18 PM.
        Worked in IT for 12 years from Helpdesk up to System Administrator. Now working as the IT Manager at a copier company for the last 4 years.

        If I helped you out, please give me a thumbs up! It helps my reputation.
