Windows 11 Insider Canary Channel build 25381 adds security requirements

Microsoft has released Windows 11 Insider build 25381 for the Canary Channel, with one “what’s new” item and one change. First up, the SMB signing requirement changes: Microsoft is going to now require SMB signing by default for all connections for Enterprise editions of the software.

Currently, SMB signing is off by default for all except connections to SYSVOL and NETLOGON shares, but this will change, as “part of a campaign to improve the security of Windows and Windows Server for the modern landscape.” Administrators will have to change 3rd party SMB servers to support SMB singing, although Microsoft apparently offers a workaround while at the same time discouraging it:

Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties.

SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs.

In addition, Canary Channel build 25381 includes a single item under “Changes and Improvements:”

• If a camera streaming issue is detected such as a camera failing to start or a closed camera shutter, a pop-up dialog will appear with the recommendation to launch the automated Get Help troubleshooter to resolve the issue.

You can learn a little more about SMB signing and the Windows Insider Canary Channel by checking out the Windows Insider blog post.