[Samba] Windows 24H2 firewall rules
Anders Östling
anders.ostling at gmail.com
Wed Nov 19 18:27:15 UTC 2025
I have spent the better part of yesterday finding out why a Windows 11
client couldn't connect to a specific SMB2-configured Samba server
while other Windows 11 clients could.
After a lot of digging and checking the firewall rules on the Windows
side, I found out that Windows 11 had different rules for outbound SMB
depending on which updates had been applied. Applying an "Allow
Outbound SMB for Domain traffic" rule on the problematic client solved the
problem.
The two screenshots on my Gdrive show the difference in firewall rules,
in spite of both being 24H2. The one with no applied exceptions is
newly installed (no recent patches), while the second one has most
exceptions as default. Those systems have been up and running for
approx. 6 months, so quite a few Windows updates have been applied.
https://drive.google.com/drive/folders/1QaCBAnxY-zJAgYo1apMVK9hnVLi1fm6X?usp=sharing
I found this explanation on Google:
Windows 11 24H2 and Windows Server 2025 have different default
outbound SMB firewall rules,
requiring SMB signing by default for improved security, which can
break compatibility with older systems. Previous versions
automatically handled inbound NetBIOS ports 137-139, but 24H2 removes
this, only allowing the minimum ports required for modern SMB2+. You
must manually re-enable older ports like 137-139 or adjust SMB signing
settings if you need to connect to legacy systems.
Key changes in 24H2 for outbound SMB rules
- SMB signing is required by default: All outbound SMB connections now
  require signing by default, a change from older versions where it was
  only required for specific connections like SYSVOL and NETLOGON
  shares.
- NetBIOS ports removed: The default firewall rules no longer include
  ports 137-139, as modern SMB2+ does not use them.
- Insecure guest logons disabled: Anonymous or insecure guest access to
  shares is blocked by default, which can cause issues with older NAS
  devices or servers.
How to address these changes
- For legacy compatibility: If you need to connect to older systems that
  don't support SMB signing or guest access, you must manually create
  firewall rules to allow the necessary ports and adjust the SMB signing
  and guest access settings.
- Re-enable NetBIOS ports: You may need to manually create an inbound
  rule to allow SMB ports 137-139 if a legacy SMB1 server is required.
- Adjust SMB signing: The outbound rule exceptions for "Allow the
  connection if it is secure" may need to be adjusted in your security
  connection rules to accommodate older devices.
Is this "SMB signing" something that should be applied on the Samba
side or is it purely a Windows thing?
--
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)
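An added example, not part of the original post or of the Samba project: a PowerShell check, run on the Windows 11 client, of the settings the quoted explanation lists (client signing requirement, insecure guest logons, outbound firewall rules for TCP/445), followed by the explicit outbound allow rule the poster added and a verification that the resulting session to the Samba server is actually signed. The server name, share name and rule name are placeholders chosen for this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the Windows 11 24H2 client. $Server/$Share are hypothetical placeholders;
# the rule name 'Samba SMB-Out (Domain)' is our own choice.
#Requires -RunAsAdministrator
$Server   = 'samba01.example.internal'   # hypothetical Samba server
$Share    = 'share'                      # hypothetical share on that server
$RuleName = 'Samba SMB-Out (Domain)'

# 1. Client-side SMB policy: is signing required, and are insecure guest
#    logons allowed? These are the two settings the explanation above says
#    changed in 24H2, so compare them between the working and failing client.
Write-Host '== SMB client configuration =='
Get-SmbClientConfiguration |
    Select-Object RequireSecuritySignature, EnableSecuritySignature,
                  EnableInsecureGuestLogons | Format-List

# 2. Every enabled outbound firewall rule whose port filter names TCP/445.
#    This makes a Block rule (for example one pushed by policy) visible next
#    to any Allow rule, per profile, instead of hiding in the GUI.
Write-Host '== Enabled outbound rules touching TCP/445 =='
Get-NetFirewallRule -Direction Outbound -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445')) { $_ }
} | Select-Object DisplayName, Profile, Action | Format-Table -AutoSize

# 3. Recreate the fix from the post: an explicit outbound Allow for SMB on
#    the Domain profile, created only if it is not already present.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -Action Allow -Profile Domain | Out-Null
    Write-Host "Created outbound rule '$RuleName'"
}

# 4. Verify: TCP reachability on 445, then open the share and read back the
#    negotiated dialect and whether the connection is signed/encrypted.
Write-Host '== Verification =='
Test-NetConnection -ComputerName $Server -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded | Format-List
Get-ChildItem "\\$Server\$Share" -ErrorAction SilentlyContinue | Out-Null
Get-SmbConnection -ServerName $Server |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize
```

The `Signed` column of `Get-SmbConnection` is the quickest answer to the question the post ends with: signing is negotiated per session, so a client that requires it will sign against any SMB2+ Samba server that offers it, and nothing needs to change in smb.conf for that to work. The Samba-side knob is `server signing` (for example `server signing = mandatory`), which forces signing for every client regardless of what the client itself requires; it is a separate setting from, and not a substitute for, the Windows firewall rule.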