Win10 2004 SMB1 issue

Forums › Microsoft Windows › Win10 2004 SMB1 issue

1101

3122 posts

Uber Geek

#272686 9-Jul-2020 13:01

Win10 2004 SMB1 mapped drive issue

Hi . Has anyone found a fix for the new 2004 build's SMB1 bug.
Its causing chaos at one site .
Im having to roll back to the previous 1909 build and pause updates as a temp fix .

Yes, they do need to keep using SMB1 :-)

mentalinc

3238 posts

Uber Geek

Trusted

#2520071 9-Jul-2020 13:17

Pretty sure it's been disabled it for security purposes.

refer here to re-enable (but look to see if you can move off SMB1 really!)

https://www.prajwaldesai.com/cant-connect-to-file-share-obsolete-smb1-protocol/

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

gehenna

8506 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2520079 9-Jul-2020 13:28

Don't know why people would be rolling out 2004 to production given all it's current issues.

Don't use SMB1. If you were to engage a security auditor it'd be one of the first things showing up in red on their report.

1101

3122 posts

Uber Geek

#2520095 9-Jul-2020 14:18

they do need to keep using SMB1 (CNC machines). Its internal only. Actual Security risk is pretty much zero .
Small businesses across the country do use old systems. Thats just a fact of life . I have 2 clients still using DOS :-)

SMB1 is enabled in Win10 and was working in previous Win10 builds .

Its the latest 2004 build thats made it unusable for these mapped drives , to the extent it will hang PCs if clicking on those now broken
mapped drives.
2004 was auto installed by Win10 . 2004 is being rolled out & auto installed across the planet regardless. (I do agree not to rush in with these
build updates where possible)

fe31nz

1232 posts

Uber Geek

#2520446 9-Jul-2020 23:41

Do they have a Linux box somewhere? I have a Ubuntu 18.04 box that I mount all sorts of network connections on, including my old OS/2 box (now running in a VM), which only supports SMB1. In fstab it is easy to add a "vers=1.0" option. Anything else on my network that needs access to those connections then does that by connecting to that Ubuntu 18.04 box, rather than directly. So if your client has an old PC that could run Linux, they could set up a similar arrangement.

1101

3122 posts

Uber Geek

#2520553 10-Jul-2020 09:06

fe31nz:

Do they have a Linux box somewhere?

Thanks for the suggestion , but Linux isnt a option for workstations in a Business environment .

The Win10 PC's still on 1909 or below dont have the issue. Its going to become more of an ongoing issues, as win10 build updates cant be
delayed indefinitely

MS havnt even acknowledged the issue (it seems) , googling I have found plenty of others with this issue, but no working fix
Only an issue when you need to map a drive on an old PC/server/NAS etc .
Its a CNC machine , so cant just upgrade it .

bagheera

539 posts

Ultimate Geek

#2520557 10-Jul-2020 09:19

1101:

MS havnt even acknowledged the issue (it seems) , googling I have found plenty of others with this issue, but no working fix
Only an issue when you need to map a drive on an old PC/server/NAS etc .
Its a CNC machine , so cant just upgrade it .

Personally I do not see this is a MS issue - you are trying to connect a new OS to a none supported protocol. SMB1 is over 30 years old, and MS has said they not going to support it for some time now, and why should they as it a security risk. If you need it, then you need to come up with a working solution, not MS.

mentalinc

3238 posts

Uber Geek

Trusted

#2520569 10-Jul-2020 09:35

Have you asked the CNC machine vendor if they have any updates available?

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

1101

3122 posts

Uber Geek

#2520619 10-Jul-2020 10:45

So an update breaks SMB1 , and its not a MS issue . Ok .
SMB1 WAS supported by Win10 , and still is (it broken thats all) . Win10 even has the option to enable it (off by default I think)
The security risk, in real life on this system , is ZERO. NADA. Zitlch .

I fully understand why MS doesnt seem to be bothered to fix it though.

And yes, systems should be upgraded when obselete. In NZ , thats not the way things are, in real life (in small/med businesses).
Im just trying to get things usable .

wratterus

1687 posts

Uber Geek

#2520622 10-Jul-2020 10:52

Is getting a NAS or something for file storage an option? At least that way it can be enabled & won't break every 6 months when MS release a feature update.

engedib

254 posts

Ultimate Geek

#2520626 10-Jul-2020 11:01

1101:

So an update breaks SMB1 , and its not a MS issue . Ok .
SMB1 WAS supported by Win10 , and still is (it broken thats all) . Win10 even has the option to enable it (off by default I think)
The security risk, in real life on this system , is ZERO. NADA. Zitlch .

I fully understand why MS doesnt seem to be bothered to fix it though.

And yes, systems should be upgraded when obselete. In NZ , thats not the way things are, in real life (in small/med businesses).
Im just trying to get things usable .

Other than the rant, can you provide some useful information so the others can help?

What is the destination system you are trying to connect to? What is the error message? Anything in the SMB client event log?

Is it working with a fresh 2004 install when SMB1 is enabled?

Have you done Wireshark network captures to identify which part is failing?

Oblivian

7300 posts

Uber Geek

ID Verified

#2520656 10-Jul-2020 11:41

Not quite. It was a legacy feature that is still present to keep working if systems using it are upgraded for negotiation detection and quasi use to stop hangs. But it's removed after 15 days if not manually changed to drive the point home.

But not supported. Their stance if it breaks under the 1709-1909 enable/disable errors, is still:

To work around this issue, contact the manufacturer of the product that supports only SMBv1, and request a software or firmware update that support SMBv2.02 or a later version. For a current list of known vendors and their SMBv1 requirements, see the following Windows and Windows Server Storage Engineering Team Blog article:

SMBv1 Product Clearinghouse

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-is-dead-long-live-smb/ba-p/1185401

"Not only does Microsoft not support these EOS operating systems (OS’s), we do not support interoperability with them. Meaning, if the latest version of Windows 10 does no work with an EOS version of Windows over SMB, Microsoft will not support you."

It's not about security - It's liability and ongoing cost risk. By offering continual workaround support because 1 part of the puzzle is kept up to date and 'seems' to work between patching, if not advising of the operational downtime risks (not security) in doing so or an action plan and budgeting is not drawn up and ready across the board. Puts liability back on the supporter. Not MS -Their stance is strong.

I've struck similar myself. But it was 'I told you so'. Had to appologise, point to the warnings I made some years before. Give the contact of the original hardware supplier and walk away.

Might not like spending money to keep up to date. But there's always someone higher up ready to jump on you when the production line comes to a halt and want's the answer as to why there was no continuity plan in place.

'no good deed goes unpunished'

fe31nz

1232 posts

Uber Geek

#2520973 10-Jul-2020 23:10

1101:

fe31nz:

Do they have a Linux box somewhere?

Thanks for the suggestion , but Linux isnt a option for workstations in a Business environment .

I was not suggesting Linux on your workstations - rather a Linux box as an intermediary between your workstations and the CNC machines, to translate from Windows 10 SMB to SMB1. It would be run like a server by your IT people and be tucked away with the servers. Any old PC with a gigabit lan card and 4 GiB of RAM can do a job like this, so if you are retiring PCs like that as they do not do Windows 10 very well, you might well have a surplus one somewhere.

And Linux is most certainly an option for workstations in business environments - there are plenty of companies doing just that, including Microsoft. But I would not suggest trying to convert your business to Linux just because of a small problem like this one. That would not work out well.

fearandloathing

504 posts

Ultimate Geek

ID Verified

Lifetime subscriber

#2521019 11-Jul-2020 10:16

@1101 you need to move on and accept that legacy protocols go, SMB1 has been out of Windows 10 for a while, you could add the module back. This should have been your first warning that it was on the way out. A solution should have been looked for when this SMB1 was first removed from WIndows 10.

@fe31nz is correct, you need to start earning your money as a solution provider in providing good solutions to a problem. You also need to get the company to accept this is an issue with running old hardware, and is not Microsoft's fault for removing support for insecure components regardless of the perception of the security risk.

There are a number of options available.

Running a legacy device to work with the legacy machinery
Running a legacy VM device to work with the legacy machinery
Using an interim device that provides a share

Personally I would look at a NAS device to act as interim. As I suspect the price of replacement/upgrade of the CNC machine is cost-prohibitive.

(I would choose a NAS device (Synology) as you will be able to load all the necessary components without any great knowledge of Linux)

To sit between the CNC machine and the users' desktops.

Users save the file to a new share on the NAS

The NAS has a cron job to move the file to the legacy CNC machine SMB1 share.

Only the NAS should be able to access the CNC machine.

Segregate the network for the CNC machine to be the only device that can communicate with the NAS.

Then provide good documentation on how it all works.

Most importantly not leave the company stuck on old hardware/software to support one old piece of hardware.

1101

3122 posts

Uber Geek

#2522695 14-Jul-2020 14:06

I can suggest best practice & recommend upgrade paths , but I cant demand it . Real world : many companies wont upgrade when obselete/end of life (not all) .

=================

Anyway , I have the fix , just in case anyone else has similar issues . This works, so far

create a bat file and start it when logging in (schedule to run on login):
timeout /t 30
net use w: "\\IP adress\folder" /persistent:no
be sure to put /persistent:no

So far , It looks like having a persistent smb1 mapped drive was the issue in v2004 .

Quinny

885 posts

Ultimate Geek

Trusted

#2522912 14-Jul-2020 18:36

We have a NAS that needs SMB1 for people to see the shares. Working fine with Windows 10 2004 but then it was set on in 1909 already