Windows 11 now has SMB NTLM blocking, adding an extra layer of protection


Microsoft just released Windows 11 Build 25951 to the Canary Channel inside the Windows Insider Program, and the release brings an important feature that will greatly enhance protection in Windows 11 devices.

This feature is SMB NTLM blocking, which an IT admin can use to intentionally block Windows from offering NTLM via SMB.

Starting with this build (Build 25951), the SMB client now supports blocking NTLM for remote outbound connections. This changes legacy behavior, where Windows SPNEGO would negotiate Kerberos, NTLM, and other mechanisms with the destination server to decide on a supported security package. NTLM in this case refers to all versions of the LAN Manager security package: LM, NTLM, and NTLMv2.

This is a new feature that will add an extra layer of protection for Windows 11.

An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and cannot brute force, crack, or pass a password, as that data will never be sent over the network. This adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS.

An IT admin will be able to configure this option with Group Policy and PowerShell.

Windows 11 Build 25951: All the features

SMB Dialect Management

Starting with this build (Build 25951), the SMB server now supports controlling which SMB 2 and 3 dialects it will negotiate. This changes legacy behavior, where Windows SMB always negotiated the highest matched server dialect from SMB 2.0.2 to 3.1.1 clients. Beginning in Windows 10, support was added for controlling SMB client dialects, but not server dialects.

With this new option, an administrator can remove older SMB protocols from usage in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting.

You can configure this option with Group Policy and PowerShell. Both SMB client and server now include complete management support (previously the client support was only manual registry editing).

For more information on understanding and configuring SMB dialects, review https://aka.ms/SmbDialectManage.
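The following script is an added example, not code from this article or from Microsoft: it audits, and with `-Enforce` applies, both settings described above (outbound NTLM blocking on the SMB client and a minimum dialect on the SMB server). The parameter names `-BlockNTLM` and `-Smb2DialectMin` and the value `SMB300` do not appear on this page; they are taken from Microsoft's documentation for these features, and the script checks that the installed cmdlets expose them before using them.

```powershell
# Added example: report, and with -Enforce apply, the two SMB settings above.
# Run elevated. Parameter names come from Microsoft's docs, not from this page.
[CmdletBinding()]
param(
    [switch]$Enforce,                      # default is audit only
    [string]$MinServerDialect = 'SMB300'   # assumed floor; pick one your fleet supports
)

# Builds without these features do not expose the parameters, so probe first.
$canBlockNtlm  = (Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM')
$canSetDialect = (Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('Smb2DialectMin')

function Get-SmbHardeningState {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        Build            = [Environment]::OSVersion.Version.Build
        BlockNtlmSupport = $canBlockNtlm
        BlockNtlm        = if ($canBlockNtlm) { $client.BlockNTLM } else { 'n/a' }
        DialectSupport   = $canSetDialect
        ServerDialectMin = if ($canSetDialect) { $server.Smb2DialectMin } else { 'n/a' }
        ServerDialectMax = if ($canSetDialect) { $server.Smb2DialectMax } else { 'n/a' }
    }
}

$before = Get-SmbHardeningState
$before | Format-List

if (-not $Enforce) { return }

if ($canBlockNtlm -and -not $before.BlockNtlm) {
    # Outbound SMB connections that can only authenticate with NTLM will now fail.
    Set-SmbClientConfiguration -BlockNTLM $true -Force
} elseif (-not $canBlockNtlm) {
    Write-Warning 'This build does not expose -BlockNTLM; client left unchanged.'
}

if ($canSetDialect) {
    # Clients that cannot speak at least $MinServerDialect will be refused.
    Set-SmbServerConfiguration -Smb2DialectMin $MinServerDialect -Force
} else {
    Write-Warning 'This build does not expose -Smb2DialectMin; server left unchanged.'
}

Get-SmbHardeningState | Format-List   # confirm the resulting state
```

Run it without `-Enforce` first and review the reported state before changing anything on a machine that other systems depend on.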

Changes and Improvements

[Lock screen]

  • We’ve adjusted the network flyout on the Lock screen to better match the UI of the network flyout from quick settings in system tray on the taskbar.

Known issues

  • Some popular games may not work correctly on the most recent Insider Preview builds in the Canary Channel. Please be sure to submit feedback in Feedback Hub on any issues you see with playing games on these builds.
  • [NEW] We’re investigating reports that the print queue is no longer accessible.
