Hello Windows Insiders, today we are releasing Windows 11 Insider Preview Build 25951 to the Canary Channel. We are releasing ISOs for this build – they can be downloaded here.
REMINDER: As builds released to the Canary Channel are “hot off the presses,” we will offer limited documentation for builds flighted to the Canary Channel including documenting only the most significant and highly impactful known issues. Please note that we will not publish a blog post for every flight – only when new features are available in a build.
What’s new in Build 25951
SMB NTLM Blocking
Starting with this build (Build 25951), the SMB client now supports blocking NTLM for remote outbound connections. This changes legacy behavior, where Windows SPNEGO would negotiate Kerberos, NTLM, and other mechanisms with the destination server to decide on a supported security package. NTLM in this case refers to all versions of the LAN Manager security package: LM, NTLM, and NTLMv2.
With this new option, an administrator can intentionally block Windows from offering NTLM via SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and cannot brute force, crack, or pass a password, as they will never be sent over the network. This adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. You can configure this option with Group Policy and PowerShell. You can also block the use of NTLM in SMB connections on demand with NET USE and PowerShell.
For more information on configuring and troubleshooting NTLM blocking, review https://aka.ms/SmbNtlmBlock.
SMB Dialect Management
Starting with this build (Build 25951), the SMB server now supports controlling which SMB 2 and 3 dialects it will negotiate. This changes legacy behavior, where Windows SMB always negotiated the highest matched server dialect from SMB 2.0.2 to 3.1.1 clients. Beginning in Windows 10, support was added for controlling SMB client dialects, but not server dialects.
With this new option, an administrator can remove older SMB protocols from usage in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting.
You can configure this option with Group Policy and PowerShell. Both SMB client and server now include complete management support (previously the client support was only manual registry editing).
For more information on understanding and configuring SMB dialects, review https://aka.ms/SmbDialectManage.
Changes and Improvements
- We’ve adjusted the network flyout on the Lock screen to better match the UI of the network flyout from quick settings in system tray on the taskbar.
- Some popular games may not work correctly on the most recent Insider Preview builds in the Canary Channel. Please be sure to submit feedback in Feedback Hub on any issues you see with playing games on these builds.
- [NEW] We’re investigating reports that the print queue is no longer accessible.
You can download the latest Windows Insider SDK at aka.ms/windowsinsidersdk.
SDK NuGet packages are now also flighting at NuGet Gallery | WindowsSDK which include:
- .NET TFM packages for use in .NET apps as described at aka.ms/windowsinsidersdk
- C++ packages for Win32 headers and libs per architecture
- BuildTools package when you just need tools like MakeAppx.exe, MakePri.exe, and SignTool.exe
These NuGet packages provide more granular access to the SDK and better integration in CI/CD pipelines.
SDK flights are now published for both the Canary and Dev Channels, so be sure to choose the right version for your Insider Channel.
Remember to use adaptive code when targeting new APIs to make sure your app runs on all customer machines, particularly when building against the Dev Channel SDK. Feature detection is recommended over OS version checks, as OS version checks are unreliable and will not work as expected in all cases.
About the Canary Channel
The Canary Channel is the place to preview platform changes that require longer-lead time before getting released to customers. Some examples of this include major changes to the Windows kernel, new APIs, etc. Builds that we release to the Canary Channel should not be seen as matched to any specific release of Windows and some of the changes we try out in the Canary Channel will never ship, and others could show up in future Windows releases when they’re ready.
The builds that will be flighted to the Canary Channel are “hot off the presses,” flighting very soon after they are built, which means very little validation and documentation will be done before they are offered to Insiders. These builds could include major issues that could result in not being able to use your PC correctly or even in some rare cases require you to reinstall Windows. We will offer limited documentation for the Canary Channel, but we will not publish a blog post for every flight – only when new features are available in a build.
Our Canary Channel won’t receive daily builds; however, we may ramp up releasing builds more frequently in the future.
The desktop watermark you see at the lower right corner of your desktop is normal for these pre-release builds.
Important Insider Links
- You can check out our Windows Insider Program documentation here.
- Check out Flight Hub for a complete look at what build is in which Insider channel.
Amanda & Brandon