KB 4480970 and or KB 4480960 breaks SMB2 connections to Windows 7 shares

Solution 1:

Microsoft released the Update KB4487345 to fix the issue:

This update resolves the issue where local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows 7 SP1 and Windows Server 2008 R2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.

So download and install the update by doing a double click on the msu file.

Solution 2:

EDIT 14Jan2019:- please see the new accepted answer instead, it contains the official fix instead of this work-around.

I'm posting an answer in the hope others find it easier to find here than I did on the original site:

Rolling back the updates solves the problem, however I can also confirm that the registry edit below resolved the problem in all cases that I've encountered so far today (7 calls and counting). (source: https://www.computerworld.com/article/3332202/microsoft-windows/patch-tuesday-updates-for-win7-kb-4480970-and-kb-4480960-knock-out-networking.html)

if the Windows 7 user accesses a share, and he is an administrator on the remote system, this should work on the W7 that hosts the share (elevated cmd):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

A reboot is required after making the change.

EDIT: Additional information for less technically minded people who may trip over this

Run REGEDIT.exe

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

and add a New DWORD named: LocalAccountTokenFilterPolicy

with a value of: 1

EDIT: Additional Information from El Reg as per comment.

The problem apparantly only manifests when attempting to connect to a Windows 7 or Windows 2008 R2 shares using local user accounts that are part of the Administrator group, though my experiance shows you also have to be using SMB2 as it does not affect Windows 10 clients.

Since we're unclear the implications of the registry edit described above a more prudent approach maybe to have remote clients use non-Administrator accounts and specifically give the account permissions on the required shares.. or roll back the update.