Microsoft has released the latest Windows 11 build for Insiders on the Canary channel today. The new build 25381 brings a major change in SMB (Server Message Block) signing. Previously SMB singing was not mandatory but with the latest build, Windows 11, Windows 10 and Server will require SMB signing by default. This change has been made to improve the security, Microsoft says.
The changelog for build 25381 is given below:
What’s new in Build 25381
SMB signing requirement changes
Beginning with Windows 11 Insider Preview Build 25381 Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape.
All versions of Windows and Windows Server support SMB signing. But a third-party might disable or not support it. If you attempt to connect to a remote share on a third-party SMB server that that does not allow SMB signing, you may receive the one of following error messages:
- 0xc000a000
- -1073700864
- STATUS_INVALID_SIGNATURE
- The cryptographic signature is invalid.
To resolve this issue, configure your third-party SMB server to support SMB signing. This is Microsoft’s official recommended guidance. Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties.
SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs.
To see the current SMB signing settings, run the following PowerShell commands:
Get-SmbServerConfiguration | fl requiresecuritysignature Get-SmbClientConfiguration | fl requiresecuritysignatureTo disable the requirement for SMB signing in client (outbound to other device) connections, run the following PowerShell command as an elevated administrator:
Set-SmbClientConfiguration -RequireSecuritySignature $falseTo disable the requirement for SMB signing in server (on Windows 11 Insider Preview Build 25381 and higher with Enterprise edition devices), run the following PowerShell command as an elevated administrator:
Set-SmbServerConfiguration -RequireSecuritySignature $false
No reboot is required but existing SMB connections will still use signing until they are closed.
For more information on this change, visit https://aka.ms/SMBSigningOBD.
Changes and Improvements
[General]
- If a camera streaming issue is detected such as a camera failing to start or a closed camera shutter, a pop-up dialog will appear with the recommendation to launch the automated Get Help troubleshooter to resolve the issue.
You can find the official blog post here.