Why your network shares suddenly broke in Windows 11 24H2
Starting with Windows 11 24H2, Microsoft tightens SMB client defaults:
- Guest (anonymous) logons are disabled for SMB 2 and SMB 3.
- SMB signing and, when possible, encryption are required.
If a NAS, older Windows box, or embedded device only offers an “Everyone = Full Control” share with no username/password, the 24H2 client now refuses the connection and you see errors like 0x80070035 or “You can’t access this shared folder because your organization’s security policies block unauthenticated guest access.” Microsoft’s documentation calls these insecure guest logons and explains that blocking them protects against credential‑theft and relay attacks.
Run the command below in Command Prompt (and reboot) to bypass this new requirement:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v AllowInsecureGuestAuth /t REG_DWORD /d 1 /f
As soon as the value is in place (and after a reboot or gpupdate /force), the SMB client again accepts anonymous sessions, so legacy shares map successfully and existing drive letters reconnect. Group Policy provides the same switch at Computer Configuration ▸ Administrative Templates ▸ Network ▸ Lanman Workstation ▸ Enable insecure guest logons.
Why this is only a temporary band‑aid
- No authentication – Anyone on the local network can connect, browse, and modify the share’s contents.
- No integrity – Without signing, attackers can alter data in transit.
- No privacy – Traffic is clear‑text unless you add SMB encryption (which guest mode cannot negotiate).
Leaving guest access enabled exposes endpoints to the exact risks Microsoft is trying to reduce. Their guidance is explicit: enable guest logons only while you upgrade or reconfigure the file server.
Proper, permanent fixes
First, require credentials on every file server or NAS device. Create named user or group accounts, assign appropriate permissions, and stop advertising shares that allow “Everyone = Full Control.” This basic change blocks drive‑by access and lets you track who touched what and when.
Second, enforce integrity and privacy for the traffic itself. Keep the registry or Group Policy settings that require SMB signing (RequireSecuritySignature = 1 and EnableSecuritySignature = 1). Where the device supports SMB 3.1.1, enable per‑share encryption so data stays unreadable on the wire.
Third, phase out SMB 1 entirely. Remove the SMB 1 client and server features on Windows, and update or replace any firmware or appliances that cannot speak SMB 2 or SMB 3. SMB 1 is slow, insecure, and no longer patched.
Finally, audit before you turn guest logons back off. Use Get-SmbSession, server logs, or NAS monitoring to see which endpoints still connect anonymously. Fix each one, retest, then delete the AllowInsecureGuestAuth value or set it to 0. When every share requires credentials and uses modern SMB with signing (and ideally encryption), your network shares will work reliably and your clients will benefit from stronger security.
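An audit pass for this last step, as an added example that is not part of the original article: it checks the three registry values named above on a client, lists outbound connections that are unsigned or SMB 1, and, on a Windows file server, lists sessions that look like guest logons. The `$guestPattern` match is an assumption about how guest sessions are named on your server; adjust it to what your logs show.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# Registry path and value names are the ones the article names.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Value name -> end state the article recommends.
$expected = [ordered]@{
    AllowInsecureGuestAuth   = 0
    RequireSecuritySignature = 1
    EnableSecuritySignature  = 1
}

$props = Get-ItemProperty -Path $path
$clientReport = foreach ($name in $expected.Keys) {
    $actual = $props.$name                      # $null when the value is absent
    if ($null -eq $actual) {
        $shown  = '(not set)'
        $status = 'OS default applies'          # nothing overrides the built-in default
    } elseif ($actual -eq $expected[$name]) {
        $shown  = $actual
        $status = 'OK'
    } else {
        $shown  = $actual
        $status = 'Fix'
    }
    [pscustomobject]@{
        Value    = $name
        Actual   = $shown
        Expected = $expected[$name]
        Status   = $status
    }
}
$clientReport | Format-Table -AutoSize

# Client side: servers this machine is talking to without signing, or over SMB 1.
Get-SmbConnection |
    Where-Object { -not $_.Signed -or $_.Dialect -like '1.*' } |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize

# Server side (run on the Windows file server): sessions that look like guest
# or anonymous logons, plus any SMB 1 sessions.
# Assumption: this pattern; guest sessions may be labelled differently on your server.
$guestPattern = 'Guest|ANONYMOUS'
Get-SmbSession |
    Where-Object { $_.ClientUserName -match $guestPattern -or $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Format-Table -AutoSize
```

Empty output from the two connection and session queries, together with no `Fix` rows in the first table, is the state to reach before removing AllowInsecureGuestAuth.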
Allowing insecure guest auth gets your users working again, but it re‑opens the very hole 24H2 closed. Treat it as a short‑term compatibility switch, not a long‑term configuration. Plan a scheduled maintenance window to move all shares to password‑protected SMB 2/3 with signing and, ideally, encryption.