We return loaded with updates this time on the Canary channel. An update that offers us some improvements, although this week there have not been many improvements. Let’s see what they’ve been working on.
Back at it with two more builds! One for the Canary Channel (25951) and one for the Dev Channel (23545)!
Check the blog posts for all the details. 😃
Dev: https://t.co/MBXisdZ7w1 pic.twitter.com/gl5DM4KJd2
What’s new in Build 25951
SMB NTLM Lock
Starting with this build (build 25951), the SMB client now supports NTLM blocking for outgoing remote connections. This changes the legacy behavior, in which Windows SPNEGO negotiated Kerberos, NTLM, and other mechanisms with the target server to decide a compatible security package. NTLM in this case refers to all versions of the LAN Manager security package: LM, NTLM and NTLMv2.
With this new option, an administrator can intentionally block Windows from offering NTLM over SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and will not be able to brute force, crack, or pass a password as it will never be sent over the network. This adds a new level of protection for businesses without needing to completely disable the use of NTLM in the operating system. You can configure this setting using Group Policy and PowerShell. You can also block the use of NTLM on SMB connections on demand with NET USE and PowerShell.
For more information on how to configure and troubleshoot NTLM blocking, see https://aka.ms/SmbNtlmBlock.
SMB dialect management
Starting with this build (build 25951), the SMB server now supports control of the SMB dialects 2 and 3 that it will negotiate. This changes the legacy behavior, where Windows SMB always negotiated the highest-matching server dialect from SMB 2.0.2 to 3.1.1 clients. Starting with Windows 10, support was added to control SMB client dialects, but not server dialects.
With this new option, an administrator can remove older SMB protocols from use in the organization, blocking older, less secure and less capable Windows and third-party devices from connecting.
You can configure this setting using Group Policy and PowerShell. Both the SMB client and server now include full management support (previously, client support consisted of manual registry editing only).
For more information about understanding and configuring SMB dialects, see https://aka.ms/SmbDialectManage.
Changes and improvements in Build 25951
- They have adjusted the network drop-down menu on the lock screen to better match the user interface of the quick settings network drop-down menu in the system tray on the taskbar.
- Some popular games may not work correctly in the latest Insider Preview versions of the Canary Channel. Please be sure to post feedback in Feedback Hub about any issues you see with the games in these versions.
- [NUEVO] Reports that the print queue is no longer accessible are being investigated.