Patch Tuesday updates for Win7, KB 4480970 and KB 4480960 knock out networking

Reports are popping up all over that yesterday’s Win7 Monthly Rollup and Security-only patches are causing big problems with networks using SMBv2 shares. The known solution is to uninstall the patch. There’s also a registry fix that may or may not work.

putting on a band-aid patch with binary code
Thinkstock

It’s Reboot Wednesday (the day following Microsoft's Patch Tuesday) and, like roses unto spring, bugs are starting to crawl out of the woodwork. This time, if you have a network that uses SMBv2, this month’s Win7 patches may knock your network upside the head.

I first read about it on Günter Born’s site:

The KB4480970 (Monthly Rollup) and KB4480960 (Security only) updates were released by Microsoft on January 8, 2018 for Windows 7 SP1 and Windows Server 2008 R2 SP1. The updates seem to cause serious network issues for some people. Network shares can no longer be achieved via SMBv2 in certain environments.

He goes on to cite the German-language site administrator.de, which says (Google translation):

Update 01/2019 is no SMB2 connection to a W7 Share more, here the Wireshark Trace from the client who wants to access the W7 Share: always leads to the error message Invalid Handle!

On Reddit’s sysadmin forum, BenScobie posts:

We've ran into the same issue on a Windows 2008 R2 server. We also cannot authenticate with our TFS server hosted on the same box. ... Uninstalling the update fixed both issues for us.

After all of the SMBv1 controversy in June of last year, and WannaCry’s ugly appearance, many folks thought that SMBv2 was sacrosanct. Or at least functional. What fools these patching mortals be.

At this point, the best advice is to not install the patch. (Raise your hand if you’ve heard me say that before.)

There’s a possible registry fix. Andi on administrator.de says:

If the Windows 7 user accesses a share, and he is an administrator on the remote system, this should work on the W7 that hosts the share (elevated cmd):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Afterwards you have to reboot the system

I have no idea if that works in general, but as the U.S. wakes up to yet another Win7 bork, we’ll likely find out soon.

Go ahead. Make my day. Tell me that Microsoft tests this stuff, on the AskWoody Lounge.

Related:

Copyright © 2019 IDG Communications, Inc.

Where does this document go — OneDrive for Business or SharePoint?
  
Shop Tech Products at Amazon