Last week Microsoft released the January 2019 Patch Tuesday updates and included in the release were two updates that caused problems connecting to ntework shares on Windows 7 and Windows Server 2008 R2. On January 11th, Microsoft has released a a stand-alone update that resolves this issue.
The two updates that caused this problem are KB4480960 and KB4480970 and when installed caused local users who are part of the local "Administrators" group to not be able to connect to remote shares on Windows Server 2008 R2 or Windows 7 Machines. Microsoft added the following information to the update's release notes:
Local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.
To resolve this issue, on January 11th, 2019 Microsoft released the stand-alone update KB4487345 which makes it so local users who are also in the Administrators group can access remote shares again.
The description of this update is:
This update resolves the issue where local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows 7 SP1 and Windows Server 2008 R2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.
If you have been unable to connect to remote shares since installing the January Patch Tuesday updates, then you should download and install the KB4487345 package.
When users first encountered this bug, it was suggested that they make the following registry changes in order to be able to connect to shares again.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
This key created an elevated, or administrator security token, which is no longer needed or wanted now that the fix has been released. Therefore, if you added these registry changes, please delete the LocalAccountTokenFilterPolicy or at least change it to 0 so it uses default behavior.
Comments
freon - 5 years ago
This bug also prevents that same group of users from connecting to the host computer with Remote Desktop, with an error saying that "The Local Security Authority cannot be contacted."
BobGruett - 5 years ago
Unless there's something unique to my environment which I have not yet discovered, this patch actually introduces a new problem (though it does correct the existing issue). The new problem has to do with local accounts on workgroup machines now requiring explicit membership in the share permissions and NTFS security ACLs. In other words, if you're granting share permissions and/or NTFS security via local groups (as I imagine most would in a workgroup setup), members of those local groups will continue to be unable to connect. Only by adding those local accounts explicitly into the ACLs does the problem go away.
I've never seen this before - not in this environment or any other - so I suspect this is the result of KB4487345 breaking something new (or possibly not fixing something that KB4480970 broke but was not obvious until now.
Eric_Thomas - 5 years ago
Couldn't apply KB4487345, gave me an error. Something along the lines that it wasn't applicable to my OS (Win 7 SP1). Did the registry edit and all is well once again. Guess I'll just leave it at that!