Microsoft blocked some SMB shares on Windows, but here’s how you can fix it

With the rollout of Windows 11 version 24H2, Microsoft has significantly changed how SMB (Server Message Block) shares work on Windows systems. These changes are primarily aimed at improving security. Windows now requires SMB signing when connecting to SMB shares, and guest access is disabled on most editions of Windows 11, the Home edition excepted. This means that users must provide a username and password to connect to SMB shares.

While these security enhancements are undoubtedly beneficial, they may inadvertently restrict access for users with Network-Attached Storage (NAS) setups at home, even when no immediate security threat exists. Fortunately, there are methods to regain access to these shares, which we will explore further.

Why these changes were made

Addressing security risks

The impetus behind these changes is rooted in security concerns. Although accessing a home NAS may seem innocuous, the potential for cyber threats is ever-present. SMB signing ensures that communication between devices using the SMB protocol is authenticated and protected against tampering, so an attacker cannot intercept and alter data in transit without being detected. While this feature has been part of Windows for some time, its enforcement began with Windows 11 version 24H2, which could lead to accessibility issues for those who had not previously enabled SMB signing.

Moreover, the option for guest access to SMB shares introduces additional vulnerabilities. It allows users to connect without entering credentials, which can lead to accidental connections to malicious servers. Although guest access has been largely disabled in Windows for some time, a fallback feature previously allowed connections without credentials. This fallback has now been eliminated for most Windows 11 editions, with only the Home version retaining this capability. These adjustments are designed to bolster security and reduce the likelihood of unauthorized data access.

What you should do

Make your NAS secure

If you find yourself unable to access your NAS following the installation of Windows 11 version 24H2, the optimal solution is to enhance the security of your SMB share. This involves enabling SMB signing on your NAS and disabling guest access. The specific steps will depend on your NAS operating system; for instance, TrueNAS typically enables SMB signing by default in its latest versions. If you are using an older version, you can add the following line under Additional parameters in your SMB share settings:

server signing = required

By default, TrueNAS disables guest access when creating an SMB share, which simplifies the setup process. Your SMB shares are generally shared with the builtin_users group, which includes your default administrator account, allowing you to use those credentials for access from a Windows machine. If multiple users need access without sharing your administrator credentials, you can create new user accounts within TrueNAS that have the necessary permissions for the SMB share. Users in the builtin_users group will automatically gain access, enabling them to connect using their own credentials.
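
To check a Samba-based NAS for the two settings discussed above, the following added example (not from the original article or from TrueNAS) parses smb.conf text and flags signing that is not required and any guest access. The sample configuration is constructed, and `map to guest`, `guest ok` and `public` are standard Samba parameters that the article itself does not mention.

```python
# Added example: audit smb.conf text for the settings Windows 11 24H2 clients reject.
SIGNING_REQUIRED = {"required", "mandatory"}
TRUE_VALUES = {"yes", "true", "on", "1"}
# Constructed sample configuration, not taken from a real NAS.
SAMPLE_CONF = """
[global]
   server signing = auto
   map to guest = Bad User
[media]
   path = /mnt/tank/media
   guest ok = yes
[backups]
   path = /mnt/tank/backups
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, all lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current["".join(key.split()).lower()] = value.strip().lower()
    return sections

def audit_smb_conf(text):
    """Return a list of findings for signing and guest-access settings."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings = []
    if glob.get("serversigning") not in SIGNING_REQUIRED:
        findings.append("global: 'server signing' is not set to required")
    if glob.get("maptoguest", "never") != "never":
        findings.append("global: 'map to guest' permits guest fallback")
    # A guest setting in [global] acts as the default for every share.
    default_guest = glob.get("guestok", glob.get("public", "no"))
    for name, params in sections.items():
        guest = params.get("guestok", params.get("public", default_guest))
        if name != "global" and guest in TRUE_VALUES:
            findings.append(f"{name}: guest access is enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_smb_conf(SAMPLE_CONF)) or "no findings")
```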

What are your other options?

Proceed at your own risk

Should enforcing these security measures prove unfeasible, you still have the option to disable the security protections to maintain your usual SMB share functionality. However, this approach is not recommended. If you choose to proceed, you can use Windows PowerShell to disable the SMB signing requirement and enable guest fallback. To do this, run Windows PowerShell (or Terminal) as an administrator and enter the following command:

Set-SmbClientConfiguration -RequireSecuritySignature $false

When prompted, confirm the change by pressing Y. If you also need to re-enable guest fallback, you can enter this command:

Set-SmbClientConfiguration -EnableInsecureGuestLogons $true

Again, confirm the change by pressing Y. This step is typically unnecessary on Windows 11 Home, where guest fallback remains supported for SMB shares. Alternatively, users of Windows 11 Pro can utilize the Group Policy Editor for these adjustments, but the PowerShell method is universally applicable across all Windows editions.

Security is preferable

While it can be frustrating when familiar functionalities change, the rationale behind the adjustments to SMB shares is valid and rooted in a broader industry commitment to security. The adoption of SMB signing and the disabling of guest access by platforms like TrueNAS further emphasize this collective effort. Therefore, enabling the necessary security features is advisable to ensure smooth operation. Although disabling security measures remains an option, it should be viewed as a last resort.
