8

It's become clear that last night's (Tues Jan 8th 2019) patches to Windows 7 broke SMB2 networking in Lanman Server.

One or both of KB 4480970 and KB 4480960 results in any OS that uses SMB2 (such as Windows XP, some Windows 7, and same generation server OS' and Mac OS X machines (certainly 10.10, 10.11 not sure about others yet)) being unable to connect to Windows 7 Pro shares.

Client machines repeatedly prompt for login despite credentials being correct.

Andrew
  • 243
  • 2
  • 8

2 Answers2

6

EDIT 14Jan2019:- please see the new accepted answer instead, it contains the official fix instead of this work-around.

I'm posting an answer in the hope others find it easier to find here than I did on the original site:

Rolling back the updates solves the problem, however I can also confirm that the registry edit below resolved the problem in all cases that I've encountered so far today (7 calls and counting). (source: https://www.computerworld.com/article/3332202/microsoft-windows/patch-tuesday-updates-for-win7-kb-4480970-and-kb-4480960-knock-out-networking.html)

if the Windows 7 user accesses a share, and he is an administrator on the remote system, this should work on the W7 that hosts the share (elevated cmd):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

A reboot is required after making the change.

EDIT: Additional information for less technically minded people who may trip over this

Run REGEDIT.exe

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

and add a New DWORD named: LocalAccountTokenFilterPolicy

with a value of: 1

EDIT: Additional Information from El Reg as per comment.

The problem apparantly only manifests when attempting to connect to a Windows 7 or Windows 2008 R2 shares using local user accounts that are part of the Administrator group, though my experiance shows you also have to be using SMB2 as it does not affect Windows 10 clients.

Since we're unclear the implications of the registry edit described above a more prudent approach maybe to have remote clients use non-Administrator accounts and specifically give the account permissions on the required shares.. or roll back the update.

Community
  • 1
Andrew
  • 243
  • 2
  • 8
  • This worked for me also -- Thanks for sharing this fix. Occurred when attempting to connect to Windows 7 Pro from Windows 10, after KB4480970 was installed last night. So what exactly is being broken here? Is this part of UAC that prevents non-admins from accessing shares, or what? – Ryan Griggs Jan 09 '19 at 17:36
  • I can confirm that rolling back KB4480970 restores access to printer and file shares on one of my client's Windows 7 Pro machine. Customer call was that UPS Worldship didn't work but a deeper dive showed the target machine, while appearing on the network, wasn't sharing a printer or the files Worldship needs to function. – J. Michael Milner Jan 09 '19 at 21:37
2

Microsoft released the Update KB4487345 to fix the issue:

This update resolves the issue where local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows 7 SP1 and Windows Server 2008 R2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.

So download and install the update by doing a double click on the msu file.

magicandre1981
  • 1,110
  • 2
  • 10
  • 20
  • 1
    Changed accepted answer to this one as it's clerly the more sensible thing to do now there's a patch. – Andrew Jan 14 '19 at 14:21
  • After I installed the 2019-01 Preview of Monthly Quality Rollup for Windows 7 (KB4480955) as part of the normal Windows Update, I no longer encounter this error. (KB4480955 doesn't seem to explicitly mention including the KB4487345 patch though.) – jamesdlin Jan 27 '19 at 19:47
  • @jamesdlin next months update include the former updates, so I expect that the new one include januar sec fixes + non security related bugfixes. – magicandre1981 Jan 28 '19 at 15:14