Microsoft has released Windows 11 Build 25951 to Insiders in the Canary channel. The company highlights several improvements made to SMB, including SMB NTLM blocking and SMB dialect management.
What's new in Windows 11 Build 25951 (Canary)
SMB NTLM blocking
Starting with this build (Build 25951), the SMB client supports NTLM blocking for remote outgoing connections. This changes the previous behavior, in which Windows SPNEGO would negotiate Kerberos, NTLM, and other mechanisms with the target server to determine which security package to use. In this case, NTLM refers to all versions of the LAN Manager security package: LM, NTLM, and NTLMv2.
With this option, an administrator can block Windows from offering NTLM over SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and will not be able to brute force, crack, or pass on the password, because it will never be sent over the network. This adds a new layer of security for businesses without requiring NTLM to be disabled completely in the OS. You can configure this option using Group Policy and PowerShell. You can also block the use of NTLM on SMB connections on demand using NET USE and PowerShell.
Detailed information can be found at this link: https://aka.ms/SmbNtlmBlock.
SMB Dialect Management
Starting with this build (Build 25951), the SMB server supports managing which SMB 2 and SMB 3 dialects it will negotiate. This changes the previous behavior, in which the Windows SMB server would always negotiate the most appropriate dialect with clients, anywhere from SMB 2.0.2 through 3.1.1. Windows 10 added support for managing SMB client dialects, but not server dialects.
With this option, an administrator can prevent the use of older SMB protocols in an organization, blocking connections to older, less secure, and less capable Windows-based devices and other systems.
You can configure this option using Group Policy and PowerShell. Both the SMB client and server now have full management support (previously client support only involved manually editing the registry).
Detailed information can be found at this link: https://aka.ms/SmbDialectManage.
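An added example (not from Microsoft's announcement or from this article) covering both the NTLM blocking and the dialect management sections: a PowerShell audit that reports the two settings and changes them only when run with -Enforce. The -BlockNTLM and -Smb2DialectMin parameter names follow Microsoft's documentation for these features; the -Enforce switch and the SMB300 floor are assumptions of this example.

```powershell
# Added example: audit, then optionally enforce, the two SMB settings described above.
# Run elevated on a build that ships these parameters (Build 25951 or later).
param(
    [switch]$Enforce,                 # assumption: without -Enforce the script only reports
    [string]$MinDialect = 'SMB300'    # assumed floor; pick what your oldest clients support
)

# Older builds lack these parameters, so check before touching anything.
$clientParams = (Get-Command Set-SmbClientConfiguration).Parameters
$serverParams = (Get-Command Set-SmbServerConfiguration).Parameters
$hasBlockNtlm = $clientParams.ContainsKey('BlockNTLM')
$hasDialects  = $serverParams.ContainsKey('Smb2DialectMin')

if ($hasBlockNtlm) {
    $blocked = (Get-SmbClientConfiguration).BlockNTLM
    "SMB client BlockNTLM: $blocked"
    if ($Enforce -and -not $blocked) {
        # Stops the SMB client from offering NTLM on outgoing connections.
        Set-SmbClientConfiguration -BlockNTLM $true -Confirm:$false
    }
} else {
    'BlockNTLM is not available on this build.'
}

if ($hasDialects) {
    $server = Get-SmbServerConfiguration
    "SMB server dialect range: $($server.Smb2DialectMin) .. $($server.Smb2DialectMax)"
    if ($Enforce) {
        # Refuses clients that cannot negotiate at least $MinDialect.
        Set-SmbServerConfiguration -Smb2DialectMin $MinDialect -Confirm:$false
    }
} else {
    'Server dialect management is not available on this build.'
}

# Review what is connected right now: the Dialect column shows which existing
# sessions would fall below the chosen floor if this machine were the server.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

Run it once without -Enforce on a test machine to see the current values before changing anything; outgoing connections that only worked through NTLM will fail once blocking is on.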
Changes and Improvements
Updated the Network flyout on the Lock screen to better match the design of the Network flyout from the Quick Actions menu on the taskbar.
- Some popular games may not work correctly in insider builds for the Canary channel. If you notice any problems, be sure to leave feedback in the Feedback Center app.
- [New] Investigate reports that the "Print Queue" is unavailable.
The official announcement is linked here.