The KB4480970 (Monthly Rollup) and KB4480960 (Security only) updates were released by Microsoft on January 8, 2018 for Windows 7 SP1 and Windows Server 2008 R2 SP1. The updates seem to cause serious network issues for some people. Network shares can no longer be reached via SMBv2 in certain environments. Here are details and probably a fix.
I thought I’d put the subject in a separate blog post. Maybe there will be a solution. Or Microsoft improves.
What is Update KB4480970 doing?
Last night Microsoft released the update KB4480970 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1). This fixes several security vulnerabilities, including a remote execution vulnerability in PowerShell. Furthermore, Windows is to be hardened against various side channel attacks.
Windows 7 SP1 and Windows Server 2008 R2 SP1 should therefore be patched quickly because of the vulnerabilities (especially PowerShell). I covered the update in Patchday: Updates for Windows 7/8.1/Server Jan. 8, 2019.
Microsoft mentioned that after installing this update, network controllers (NICs) stop working, and provided a workaround to fix this issue. See KB4480970 for details.
The security-only update KB4480960 also addresses the same vulnerabilities. For this update, however, Microsoft writes that there are no known issues, although this update also causes the share issue (see below).
Shares not accessible
After I released my German blog post Patchday: Updates für Windows 7/8.1/Server 8. Jan. 2019, I received several comments from administrators reporting that network shares could no longer be accessed after installing KB4480970.
#1: At one of our customers who does not yet participate in patch management (“save costs”), network shares on other clients could not be reached after the installation of KB4480970. Was/is this also the case for others?
#2: KB4480970 has caused us communication problems with SQL servers at various customers today (strangely, in some cases even the file share could not be reached if it was on a server with an SQL installation). Uninstallation fixed the problem.
#3: We use RDP to access RemotePC from our thin clients; after installing the update KB4480970 this was no longer possible. Only uninstalling it helped. Can anybody reproduce this, or has anybody found a way to fix the bug? We do not want to leave such a security update uninstalled.
So there seems to be an issue with KB4480970 and network shares (via SMBv2). You can uninstall the update, then the problem is gone. But a security update that fixes a remote execution vulnerability should be installed somehow. At first I thought that the security-only update didn’t cause this issue, but I have now received feedback that it shows the same behavior. So the ‘workaround’ of installing KB4480960 instead didn’t help. Reinstalling the NIC won’t cure the issue either.
Analysis: SMBv2 issue and Workaround
While I was writing the German edition of this blog post, German blog reader Andi left a comment (thanks for that) with a link to the German site administrator.de, where he posted some analysis. Here is the analysis for my English readers:
Andi wrote that the updates KB4480960 and KB4480970 are affected. According to his analysis, there is no SMB2 connection to a Windows 7/Server 2008 R2 SP2 share anymore. The reason is a STATUS_INVALID_HANDLE error when negotiating the SMBv2 connection.
Meanwhile Andi has published a workaround on administrator.de. The problem: these updates apply some restrictions known from administrative shares to all shares. Andi wrote:
If the Windows 7 user accesses a share, and he is an administrator on the remote system, this should work on the W7 that hosts the share (elevated cmd):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Afterwards you have to reboot the system
The registry entry set above is discussed in this article from Microsoft. Maybe you can give feedback on whether that helped.
Warning: The above registry ‘hack’ is just a quick fix. But keep in mind that this lowers security: your client has ‘admin credentials’ on shares (bad if malware is snooping around your network). So keep this registry change in mind, and after Microsoft has released a fix, reset LocalAccountTokenFilterPolicy to 0.
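To keep track of hosts where the quick fix was applied, the following PowerShell sketch reports the state of LocalAccountTokenFilterPolicy together with the two updates and can set the value back to 0. It is an added example, not part of the original post or of Andi's workaround; the -Reset switch and the output field names are assumptions made for illustration.

```powershell
# Added example: audit (and optionally revert) the LocalAccountTokenFilterPolicy workaround.
# Run in an elevated PowerShell on the Windows 7 / Server 2008 R2 host that serves the share.
param(
    [switch]$Reset   # hypothetical switch: write the value back to 0
)

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name  = 'LocalAccountTokenFilterPolicy'
$kbIds = 'KB4480970', 'KB4480960'

# Which of the two January updates named in the post are installed on this host?
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbIds -contains $_.HotFixID } |
    ForEach-Object { $_.HotFixID })

# Read the current value; a missing value is treated like 0 (workaround not set).
$prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$current = if ($prop) { [int]$prop.$name } else { 0 }

if ($current -eq 0) {
    $note = 'Workaround not active.'
} elseif ($installed.Count -eq 0) {
    $note = 'Workaround active although neither update is installed: revert it.'
} else {
    $note = 'Workaround active: revert it once the fix from Microsoft is installed.'
}

if ($Reset -and $current -ne 0) {
    # The value already exists as a DWORD here, so only its data is changed.
    Set-ItemProperty -Path $key -Name $name -Value 0
    $current = 0
    $note    = 'Value reset to 0. Reboot, as the post instructs after changing it.'
}

# New-Object is used instead of [pscustomobject] so the script also runs on
# PowerShell 2.0, the version shipped with Windows 7.
New-Object PSObject -Property @{
    Computer                      = $env:COMPUTERNAME
    InstalledUpdates              = ($installed -join ', ')
    LocalAccountTokenFilterPolicy = $current
    Note                          = $note
}
```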
Addendum: SMBv1 connections are also affected (used by scanners pushing scans to network shares, for instance). And it seems that those updates also affect KMS activation on Windows 7 clients, see Update KB971033/KB4480960/KB4480970 bricks Windows 7 Genuine (0xc004f200).
Addendum 2: Microsoft has now informed us that the KMS activation issue has nothing to do with KB4480960/KB4480970; it was just coincidence. And Microsoft has released a fix for the network issue (see my blog post Fix for the Windows 7 SMB network bug caused by Update KB4480970/KB4480960).