Hello Windows Insiders, today we are releasing Windows 11 Insider Preview Build 25381 to the Canary Channel.
REMINDER: As builds released to the Canary Channel are “hot off the presses,” we will offer limited documentation for builds flighted to the Canary Channel (no known issues for example), but we will not publish a blog post for every flight – only when new features are available in a build. And like the previous Canary Channel build, this build has a few new features and changes to document.
What’s new in Build 25381
SMB signing requirement changes
Beginning with Windows 11 Insider Preview Build 25381 Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape.
All versions of Windows and Windows Server support SMB signing. But a third-party might disable or not support it. If you attempt to connect to a remote share on a third-party SMB server that that does not allow SMB signing, you may receive the one of following error messages:
- The cryptographic signature is invalid.
To resolve this issue, configure your third-party SMB server to support SMB signing. This is Microsoft’s official recommended guidance. Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties.
SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs.
To see the current SMB signing settings, run the following PowerShell commands:
Get-SmbServerConfiguration | fl requiresecuritysignature Get-SmbClientConfiguration | fl requiresecuritysignature
To disable the requirement for SMB signing in client (outbound to other device) connections, run the following PowerShell command as an elevated administrator:
Set-SmbClientConfiguration -RequireSecuritySignature $false
To disable the requirement for SMB signing in server (on Windows 11 Insider Preview Build 25381 and higher with Enterprise edition devices), run the following PowerShell command as an elevated administrator:
Set-SmbServerConfiguration -RequireSecuritySignature $false
No reboot is required but existing SMB connections will still use signing until they are closed.
For more information on this change, visit https://aka.ms/SMBSigningOBD.
Changes and Improvements
- If a camera streaming issue is detected such as a camera failing to start or a closed camera shutter, a pop-up dialog will appear with the recommendation to launch the automated Get Help troubleshooter to resolve the issue.
You can download the latest Windows Insider SDK at aka.ms/windowsinsidersdk.
SDK NuGet packages are now also flighting at NuGet Gallery | WindowsSDK which include:
- .NET TFM packages for use in .NET apps as described at aka.ms/windowsinsidersdk
- C++ packages for Win32 headers and libs per architecture
- BuildTools package when you just need tools like MakeAppx.exe, MakePri.exe, and SignTool.exe
These NuGet packages provide more granular access to the SDK and better integration in CI/CD pipelines.
SDK flights are now published for both the Canary and Dev Channels, so be sure to choose the right version for your Insider Channel.
Remember to use adaptive code when targeting new APIs to make sure your app runs on all customer machines, particularly when building against the Dev Channel SDK. Feature detection is recommended over OS version checks, as OS version checks are unreliable and will not work as expected in all cases.
About the Canary Channel
The Canary Channel is the place to preview platform changes that require longer-lead time before getting released to customers. Some examples of this include major changes to the Windows kernel, new APIs, etc. Builds that we release to the Canary Channel should not be seen as matched to any specific release of Windows and some of the changes we try out in the Canary Channel will never ship, and others could show up in future Windows releases when they’re ready.
The builds that will be flighted to the Canary Channel are “hot off the presses,” flighting very soon after they are built, which means very little validation and documentation will be done before they are offered to Insiders. These builds could include major issues that could result in not being able to use your PC correctly or even in some rare cases require you to reinstall Windows. We will offer limited documentation for the Canary Channel, but we will not publish a blog post for every flight – only when new features are available in a build.
Our Canary Channel won’t receive daily builds; however, we may ramp up releasing builds more frequently in the future.
The desktop watermark you see at the lower right corner of your desktop is normal for these pre-release builds.
Important Insider Links
- You can check out our Windows Insider Program documentation here.
- Check out Flight Hub for a complete look at what build is in which Insider channel.
Amanda & Brandon