On Microsoft’s Patch Tuesday, January 8th, the company released new monthly rollup for Windows 7 and Windows Server 2008 R2 SP1, along with the security updates for these Operating systems versions. But, soon after the release, reports emerged that the updates, KB4480960 and KB4480970, seems to have caused serious network issues for some users. Network shares can no longer be achieved via SMBv2 in certain environments.
About KB4480960 and KB4480970
KB4480970 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) addresses several security vulnerabilities, like additional Spectre Variant 2 mitigations, a fix for a security vulnerability in session isolation hitting PowerShell remote endpoints, security patches for the Windows Kernel, the Windows storage and filesystem, the Windows wireless networking service, and the Microsoft JET database engine. While the security-only update KB4480960 comes just with the security improvements already taken care of by KB4480960.
KB4480960 and KB4480970 causing Network issues
Both KB4480960 and KB4480970 cause issues with network shares with several administrators complaining that post-install they were unable to reach the Shares. The reason is a STATUS_INVALID_HANDLE error when negotiating the SMBv2 connection.
Digging a little deeper, it is reported that the issue is triggered only if the user attempting to make the connection is an administrator on the machine that hosts the Share. Therefore, if the user is “just” a user on the device that hosts the share, the connection works fine.
The Workaround
Uninstalling the patch solves the problem but since it is a security update with remote execution vulnerability fix it is recommended to be kept. The suggested solution is to modify the Windows Registry around admin credentials, and it should run on the system that hosts the share. Note that you need to run from an elevated command prompt. You can try the following solutions from Microsoft-
Method 1: Use Audit mode to edit the registry before you use Sysprep on the image
- Start the computer in Audit mode. To do this, press Ctrl+Shift+F3 at the Windows Welcome screen.
- Follow these steps to manually edit the registry:
- Click Start, type regedit in the Start Search box, and then click exe in the Programs list.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- On the Edit menu, point to New, and then click DWORD Value.
- Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.
- Right-click LocalAccountTokenFilterPolicy, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor.
- After you configure the Windows installation, use sysprep /generalize /oobeto reseal the image for deployment.
Method 2: Edit the registry automatically during an unattended installation
Create an Unattended answer file (Unattend.xml) for unattended installation. This file uses the REG ADDcommand to edit the registry during the installation. Add the REG ADD command as a RunSynchronous command in the AuditUser pass or in the oobeSystem pass. Or, add the REG ADD command as a FirstLogonCommand in the oobeSystem pass.
You can read more about it all at Microsoft.
