Windows 11 24H2 and Insecure Guest Logins settings

Question

I updated a computer to Windows 11 24H2 in the Release Preview channel. My question is, is Microsoft going to default insecure guest logins to disabled in 24H2? Windows Enterprise already is set this way. After updating a computer to 24H2 from 23H2, I could not connect to shares on another machine that are set up to not require a login (everyone access in the security and shares screen, and password protected sharing turned off). If the shares have a password that is set up and everything, I could get them to work properly, also setting it in group policy to allow insecure guest logins worked too. Is it a bug or is it the new default?

***Moved from Windows Insider Program / Windows Insider Preview / Files, folders, and online storage***

Answer 1

Hello Logan,

Thank you for reaching out with your question regarding insecure guest logins in Windows 11 24H2.

Background:

Microsoft has been progressively increasing the security measures in Windows, and disabling insecure guest logins is one of those steps. Insecure guest logins can pose a significant security risk because they allow access to network shares without requiring a username or password. This change aligns with the security enhancements seen in Windows Enterprise editions.

Your Situation:

After updating to Windows 11 24H2, you found that connecting to network shares without requiring a login (everyone access, password protected sharing turned off) no longer works. Shares with a password and those configured in group policy to allow insecure guest logins function correctly.

Explanation:

Based on the behavior you described, it seems Microsoft is indeed defaulting insecure guest logins to disabled in Windows 11 24H2. This change would enhance security by preventing anonymous access to network shares.

Steps to Address the Issue:

1. Enable Insecure Guest Logins via Group Policy:

• Press **Win + R**, type gpedit.msc, and press Enter to open the Group Policy Editor.
• Navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Lanman Workstation**.
• Double-click **Enable insecure guest logons** and set it to **Enabled**.
• Apply the changes and restart your computer.

2. Enable Insecure Guest Logins via Registry Editor:

• Press **Win + R**, type regedit, and press Enter to open the Registry Editor.
• Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters.

• If the AllowInsecureGuestAuth entry does not exist, right-click and select **New** > **DWORD (32-bit) Value**, and name it AllowInsecureGuestAuth.
• Set the value of AllowInsecureGuestAuth to 1.
• Close the Registry Editor and restart your computer.

3. Consider Alternative Security Measures:

• Instead of enabling insecure guest logins, consider setting up password-protected sharing for better security.
• Ensure that all users have appropriate permissions to access the necessary shares.

Best regards,

Rosy

Answer 2

Well, my original intention of my question way back when was to ask if 24H2 would default this behavior as far as the insecure guest login setting, the answer is YES, and that would have been the most correct answer, I don't know how the conversation went where it did but ANYWAYS.

No, this should have nothing to do with insecure guest login setting, especially if it's not shared from a windows computer over USB (which was killed in windows a while ago, unless you are domain joined). If you are using it over the network normally that's not it. I have noticed that some AIO printers fall off because the scanner part is not compatible with 24H2 (brother mainly).

Not really the right place to ask either, you could post your question in a more appropriate forum (don't ask me what one)

For Brother scanning open in windows firewall

inbound/outbound 

Ports UDP -54925,137,161

Answer 3

Well, my original intention of my question way back when was to ask if 24H2 would default this behavior as far as the insecure guest login setting, the answer is YES, and that would have been the most correct answer, I don't know how the conversation went where it did but ANYWAYS.

No, this should have nothing to do with insecure guest login setting, especially if it's not shared from a windows computer over USB (which was killed in windows a while ago, unless you are domain joined). If you are using it over the network normally that's not it. I have noticed that some AIO printers fall off because the scanner part is not compatible with 24H2 (brother mainly).

Not really the right place to ask either, you could post your question in a more appropriate forum (don't ask me what one)

For Brother scanning open in windows firewall

inbound/outbound 

Ports UDP -54925,137,161

Interesting info. I'm not interested in doing that though. If the Brother software can't make the firewall rules properly, it's straight up not supported by Windows 11. I'd rather use the Microsoft Scan app, or scan to SMB instead as a workaround. Otherwise they can get a new one. Not my problem.

Edit
I've done some research, this appears to be the fix for brother (there are a few fixes here)

https://answers.microsoft.com/en-us/windows/forum/all/windows-version-24h2-will-not-allow-brother/c6ac6d53-0d79-4e1a-b3f5-8794bf0a648eI will try this next week. The first person that I set up with SMB scan to folder was scanning to a folder on the network anway, so he's better off doing that. The second person with the problem I'm going to try. It's not a firewall problem in my case, the installer creates the rules correctly.