[German]Microsoft recently released Fix KB4487345 to fix the network bug in Windows 7 Service Pack 1 and Windows Server 2008 R2. Now there are users claiming, that this fix should not work on Windows Server 2008 R2.
What is the network bug about?
The KB4480970 (Monthly Rollup) and KB4480960 (Security only) updates released on January 8, 2018 for Windows 7 SP1 and Windows Server 2008 R2 SP1 caused collateral damage.
- Many users were unable to access (administrative) network shares after the update was installed.
- The network problem also affects SMBv1 shares used by scanners or fax machines.
- DATEV users also suffered from the fact that access to network shares no longer worked. And I've has some Feedback, about connection issues to Exchange Server.
I had described the problem regarding network access in more detail in the blog post Network issues with updates KB4480970 and KB4480960. A workaround was also posted there: Changing the LocalAccountTokenFilterPolicy in the registry allowed access network shares again.
Microsoft delivers the Fix KB4487345
Microsoft released the KB article Description of the update for Windows 7 SP1 and Windows Server 2008 R2: January 11, 2019 and provided a fix (KB4487345) for the issue in 2019.
This update resolves the issue where local users who are part of the local "Administrators" group may not be able to remotely access shares on Windows 7 SP1 and Windows Server 2008 R2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.
The fix can be downloaded as a standalone update from the Microsoft Update Catalog, but must be installed manually. I've covered this within the article Fix for the Windows 7 SMB network bug caused by Update KB4480970/KB4480960. I assumed that the fix would solve the problems of accessing shares of administrative accounts. In other words, the LocalAccountTokenFilterPolicy change in the registry mentioned above is no longer required. For security reasons you should disable this policy again.
At AskWoody a user mentioned, that update KB4487345 from Microsoft Update Catalog substitutes:
Also two readers gave me feedback, that KB4487345 solved the All-in-one device network issue (scan to SMBv1 shares) and also the Exchange Server access issues.
Isn't the fix working?
However, I have now received two feedback in the blog about the following comments that the Microsoft fix KB4487345 does not solve the problem of blocked access to network shares. In this comment blog reader Sebastian writes:
we have two computers in an external administration that had the problem.
Unfortunately the patch of MS didn't solve the problem?
It was installed, "Client" and "Server" were restarted but access was not possible. – has anyone else experienced this?
Only after setting the RegKey – we could access the shares.
As a 'single incident, I didn't discuss it any further at first. Now a second comment arrived a few hours ago:
KB4487345 doesn't fix the problem of the share access contrary to the KB article description. This requires the registry entry. Tested here on several 2008R2 servers.
This is the point where I put the topic up for discussion in a separate blog post here. I can't test it currently (and I don't have any servers running anyway). Did the fix (without changing the LocalAccountTokenFilterPolicy in the registry) fix your access problems to network shares? Or was the adjustment of the registration entry still necessary? In this case the fix is pretty useless.
Cookies helps to fund this blog: Cookie settings