How to fix SMB Signing error to access NAS on Windows 11 24H2

  • To disable the SMB Signing requirement on Windows 11, open the “Group Policy Editor” and disable the “Microsoft network client: Digitally sign communication (if server agrees)” policy.
  • Alternatively, you can complete this task through Command Prompt and PowerShell.

On Windows 11, after installing version 24H2 (2024 Update), you may no longer be able to access your network-attached storage (NAS), and in this guide, I’ll explain the reason and how to fix the issue.

Alongside the slew of new changes and the addition of new features available on Windows 11 24H2, Microsoft is making some security improvements to the system, which now makes Server Message Block (SMB) sign-in a required step for all communications. However, since many file server devices already in the market usually don’t use this configuration, upgrading to the next version of the operating system may cause a number of errors.

For example, you may see “The cryptographic signature is invalid,” “STATUS_INVALID_SIGNATURE,” or “0xc000a000,” and “1073700864” error messages.

You have at least two alternatives if you stumble upon one of these errors. The recommended approach is to enable SMB Signing in the NAS. For example, the popular NAS brand Synology offers this feature through the “Domain/LDAP” and “File Services” settings, depending on your model. Or you can turn off SMB Signing on the affected computer.

In this guide, I will explain the steps to check and enable SMB Signing on Windows 11 24H2 and affected versions of the operating system.

Disable SMB Signing to access NAS on Windows 11 from Group Policy

To turn off the SMB Signing feature from Group Policy on Windows 11 Pro, Enterprise, or Education, use these steps:

  1. Open Start on Windows 11.

  2. Search for gpedit and right-click the top result to open the Group Policy Editor.

  3. Open the following path:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  4. Right-click the “Microsoft network client: Digitally sign communication (if server agrees)” policy and choose the Properties option.

  5. Check the Disabled option.

  6. Click the Apply button.

  7. Click the OK button.

  8. Restart the computer.

Once you complete the steps, the feature will be disabled, and you should be able to access the NAS without errors.

Disable SMB Signing to access NAS on Windows 11 from Command Prompt

To disable the SMB Signing feature from Command Prompt, use these steps:

  1. Open Start.

  2. Search for Command Prompt (or Terminal), right-click the top result, and select the Run as administrator option.

  3. Type the following command to disable SMB Signing and press Enter:

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f

  4. Restart the computer.

After you complete the steps, you should no longer receive error messages trying to access the file server using SMB protocol.

If you want to revert the changes, you can use the same instructions, but in step 3, run the reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f command.

Disable SMB Signing to access NAS on Windows 11 from PowerShell

To disable the SMB Signing feature on Windows 11, use these steps:

  1. Open Start.

  2. Search for PowerShell (or Terminal), right-click the top result, and select the Run as administrator option.

  3. Type the following command to disable SMB Signing and press Enter:

    Set-SmbClientConfiguration -RequireSecuritySignature $false

  4. Type “Y” and press Enter to apply the changes.

  5. (Optional) Type the following command to confirm the SMB Signing status on Windows 11 and press Enter:

    Get-SmbClientconfiguration | Format-List EnableSecuritySignature,RequireSecuritySignature
  6. Restart the computer.

Once you complete the steps, you should now be able to access and browse and access the file server in the network without errors.

If you want to revert the changes, you can use the same instructions, but in step 3, run the Set-SmbClientConfiguration -RequireSecuritySignature $true command.

SMB Signing considerations

On networking, SMB Signing is part of the CIFS (Common Internet File System) and SMB file-sharing protocols used in Windows storage systems. If this feature is enabled, when the protocol sends a message, the header will include a signature that can then be verified to ensure that the packet’s contents have been altered along the way. In other words, this feature helps to prevent attacks, such as man-in-the-middle attacks.

The feature has been available for a long time, but the operating system didn’t enforce it until version 24H2.

Ultimately, the SMB Signing feature helps to improve security in the network and between server and client devices. However, since this feature will require extra processing, it will affect performance and transfer speeds between the server and connected devices.

Whenever possible, the best approach is to configure the NAS to accept the SMB Signing feature. However, if it’s not possible, or it negatively affects performance and speeds, you have multiple ways to turn off the feature on Windows 11.

You can also refer to these instructions if Microsoft decides to enforce this feature on older versions of the operating system, including Windows 10.


Source link
Exit mobile version