How to enable insecure guest logons in SMB2 and SMB3

This article describes Server Message Block (SMB) insecure guest logon default behaviors, why you might enable guest access, and how to enable it for the SMB client using Group Policy and PowerShell.

Since Windows 2000, Windows disabled inbound guest access and prevented SMB2 and SMB3 client guest authentication since Windows 10. However, guest credentials may still be required when connecting to a third-party device that doesn't support a username and password. The recommendation is to upgrade or replace any third-party software or devices that only support guest authentication.

Default behaviors

Starting from Windows 10, version 1709 and Windows Server 2019, SMB2 and SMB3 clients no longer allow the following actions by default:

  • Guest account access to a remote server.
  • Fall back to the Guest account after invalid credentials are provided.

SMB2 and SMB3 have the following behavior for different versions of Windows:

  • By default, guest credentials can't be used to connect to a remote share in Windows 10 Enterprise, Windows 10 Pro for Workstations, and Windows 10 Education even if requested by the remote server.

  • The use of guest credentials to connect to a remote share is no longer allowed by default in Windows Server 2019 Datacenter and Standard editions, even if requested by the remote server.

  • Windows 10 Home and Pro editions still allow the use of guest authentication by default, as they did previously.

  • In Windows 11 Pro Insider Preview build 25267, and all subsequent builds, guest credentials can't be used to connect to a remote share by default, even if requested by the remote server.

  • SMB signing is required by default for Windows 11 Insiders, Windows Server 2025 (preview), and later builds which results in compatibility issues with guest authentication if signing doesn't succeed.

Note

This behavior is present in various versions of Windows 10, including 1709, 1803, 1903, 1909, 2004, 20H2, and 21H1, as long as KB5003173 is installed.

Reason for enabling guest logons

Enabling guest logons may be necessary where a user needs to access a resource on a server but the server doesn't provide user accounts, only guest access.

Caution

It's important to note that enabling guest logons can pose a security threat as it permits:

  • An attacker to deceive a user into connecting to a spoofed malicious server without producing credential errors or prompts.
  • Execution of malicious code such as ransomware through the guest logon.
  • Guest logons are vulnerable to adversary-in-the-middle attacks that can expose sensitive data on the network.

As a result, it's recommended to enable guest logons only in specific situations where they are required. Windows disables insecure guest logons by default. We recommend that you don't enable insecure guest logons.

Prerequisites

Before you can begin modifying insecure guest logons for the SMB client, you need the following.

  • An account that's a member of the Administrators group, or equivalent.

  • SMB client running on one of the following operating systems:

    • Windows 10 or later.

    • Windows Server 2019 or later.

If you're planning on to enable auditing for insecure guest logons, the SMB client must be running on one of the following operating systems.

  • Windows 11 Insider Preview Build 25267 or later.
  • Windows Server 2025.

Enable insecure guest logons

Enabling insecure guest logons can be performed through Group Policy or PowerShell.

Note

If you need to modify the Active Directory domain-based group policy, use Group Policy Management (gpmc.msc).

  1. Select Start, type gpedit.msc, and select Edit group policy.
  2. In the left pane under Local Computer Policy, navigate to Computer Configuration\Administrative Templates\Network\Lanman Workstation.
  3. Open Enable insecure guest logons, select Enabled, then select OK.

Both SMB signing, and SMB encryption policies must be disabled in Group Policy in order to use guest logons. Doing so can potentially compromise the security of the client and leave users open to credential theft and relay attacks.

Note

Guest logons don't support standard security features such as SMB signing and SMB encryption even if the SMB client is set to allow guest logons.

Audit insecure guest logons

Once the insecure guest logons policy is enabled, these events are captured in the Event Viewer. To review these logs, perform the following steps:

  1. Right-click on Start, select Event Viewer.
  2. In the left pane, navigate to Applications and Service Logs\Microsoft\Windows\SMBClient\Security.

In the middle pane, you can review the following information concerning these events:

Event ID Output
3023 Log Name: Microsoft-Windows-SmbServer/Security
Source: Microsoft-Windows-SMBServer
Logged: Date/Time
Task Category: InsecureGuestLogon
Level: Informational
Keywords: Authentication
User: SYSTEM
Computer:

Description: The SMB client was logged on as Guest account.
31017 Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Logged: Date/Time
Task Category: RejectedInsecureGuestAuth
Level: Error
Keywords: Authentication
User: NETWORK SERVICE
Computer:

Description: Rejected an insecure guest logon. The machine attempted to connect to the server using an insecure guest logon. The server denied the connection. Ensure that the guest account is enabled on the server and configured to allow access from the network.
31018 Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Logged: Date/Time
Task Category: InsecureGuestAuthEnabled
Level: Warning
Keywords: Authentication
User: NETWORK SERVICE
Computer:

Description: An administrator has enabled AllowInsecureGuestAuth. Clients using insecure guest logons are more vulnerable to attackers-in-the-middle, phishing, and malware.
31022 Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Logged: Date/Time
Task Category: AllowedInsecureGuestAuth
Level: Warning
Keywords: Authentication
User: SYSTEM
Computer:

Description: Allowed an insecure guest logon. This event indicates that the server attempted to log the user on as an unauthenticated guest and was allowed by the client.

Username: nonexistantaccount
Server name: