Can’t Access Shared Folders on NAS in Windows 11 24H2

Microsoft recently announced that mandatory SMB packet signing for access to shared network folders will be enabled by default in Windows 11 24H2. This may cause problems when accessing shared folders on NAS (Network Attached Storage) devices where SMB signing is not supported or disabled by default.

SMB Signing is one of the security features of the SMB/CIFS file-sharing protocol. If this option is enabled, a digital signature will be added to the header of each SMB message. This signature makes it possible to ensure that the content of the message has not been changed and provides authentication by verifying the identity of the server and client. This helps prevent SMB man-in-the-middle and NTLM relay attacks. Previously, SMB signing was only required to access SYSVOL and NETLOGON shares on AD domain controllers.

SMB signing is required for all outbound SMB connections starting with Windows 11 24H2 (Accessing a third-party NAS with SMB in Windows 11 24H2 may fail). If the SMB server doesn’t support this mode, the Windows client will reject the connection. Other supported versions of Windows will later receive this change.

Important! Implementing mandatory SMB signing will result in additional RAM and CPU usage on both the client and server. It also reduces the speed of file transfers over the network.

If the remote device does not support SMB signing, errors will occur when accessing a shared folder on that device:

  •  0xc000a000
  •  -1073700864
  •  STATUS_INVALID_SIGNATURE
  •  The cryptographic signature is invalid

The default Windows (and Samba) SMB server settings assume that SMB packet signing is only used when requested by one of the parties. Use PowerShell to list the current SMB signing settings on a Windows client:

Get-SmbClientconfiguration | fl EnableSecuritySignature,RequireSecuritySignature

get smbclientconfiguration check if smb signing ispng -

  • RequireSecuritySignature = False — mandatory use of the SMB signature is not enabled.
  • EnableSecuritySignature = True – the client only uses SMB signing when required by the server.

To disable (or enable) mandatory SMB signing, use the command

Set-SmbClientConfiguration -RequireSecuritySignature $false

Restart the computer after changing the settings.

In the same way, you can enable or disable SMB signing on the server side (host with shared folders):

Get-SmbServerConfiguration | fl *sign*
Set-SmbServerConfiguration -RequireSecuritySignature $true (or $false )

The EnableSecuritySignature option value is ignored if the legacy SMB1 protocol is disabled (this is the default behavior in Windows).

These SMB client and server options can be enabled via the registry. The next set of commands will turn off the mandatory use of SMB signing for both the client and the server:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f

The GPO editor can also be used to configure the SMB signing mode for a Windows client. The following options are available in the local Group Policy Editor (gpedit.msc) under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

  • Microsoft network client: Digitally sign communication (always)
  • Microsoft network client: Digitally sign communication (if server agrees)

gpo microsoft network client digitally sign smbpng -

Some NAS models and firmware versions support the SMB signing mode, but it is not enabled by default (for example in Synology, ASUStor, QNAP, and some other devices). For example, in Synology DSM 7+, this option can be found in the Control Panel -> File Services -> SMB -> Advanced Settings. Find the option Enable server signing. Signing is disabled by default. To enable SMB signing when requested by the client, select Client defined from the drop-down menu.

synology dsm nas enable smb signingpng -

Thus, if you experience problems when accessing NAS shares after upgrading to Windows 11 24H2, you will need to:

  • Enable SMB signing on the NAS device (recommended way)
  • Disable mandatory SMB signing on the Windows client (less secure option)

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir