Go through the normal installation process until you get to the sign-in screen Press <Shift> + <F10> to open elevated command prompt
net user "YourUserName" */add
net localgroup administrators "YourUserName" / add
net user "YourUserName" /active:yes
net user "YourUserName" /expires:never
net user "Administrator" /active:no
net user "defaultUser0" /delete
Run net user to ensure that all was done properly. You should see the new user as admin account, and no default user.
Run regedit Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE Delete 3 values: DefaultAccountAction, DefaultAccountSAMName, DefaultAccountSID Rename value LaunceUserOOBE to SkipMachineOOBE and sure value is 1. Case is important. Exit regedit.
Welcome to the official documentation for Winutil, your go-to utility for optimizing and managing your Windows environment. Whether you’re an IT professional, power user, or regular user, Winutil provides a comprehensive set of tools to enhance your Windows experience.
Here’s yet another massively annoying thing about Win 11 – the stupid default behavior Microshit added to the taskbar – “Taskbar Corner Overflow Menu”.
Note: Might be easier to install the admx admin templates to Group Policy Editor. See this post for more info
Office 2019 annoyingly wants you to sign in to either a domain or the cloud. It shares the same registry space as Office 2016, so the procedure is:
Preparation:
1. Note that this must be done on a per-user basis, for anyone who logins into the machine. So 2 users on the same machine = do it twice. Or if that user signs into another machine, do it again.
2. Go into one of the Office apps, go to Account, and select “Sign out” & then click Yes when prompted.
First, close all Office applications:
Word
Excel
PowerPoint
Outlook
etc.
Second, open the Registry Editor: (may need to Run As Admin)
Start > Run > regedit
Third, navigate down the tree:
HKEY_CURRENT_USER
SOFTWARE
Microsoft
Office
16.0
Common
Third, add the SignIn folder:
Right-click on the Common folder
Go to New > Key
Name it “SignIn” (without the quotes)
Fourth, add the registry key to disable the sign-in option:
Right-click on the SignIn folder
Go to New > DWORD (32-bit) VALUE
Name it “SignInOptions” (without the quotes)
Set the value to 3
Fifth, verify that it worked:
Open up Word
It should no longer have the “Sign in” button in the top bar
Under File > Account, all of the sign-in verbage should be gone
If you ever need to add it back in, just delete the SignInOptions reg key!
Could not authenticate to SMB share with correct creds [solved]
I solved this issue but wanted to share the solution.
I had set SMB permissions correctly according to this forum post and this video, but I was never able to access my SMB share.
I was able to see the server and the list of shares, but no matter what I could not actually open a share. No matter what user or group I used, each login from W10 would fail with ‘Access is Denied’ or ‘Incorrect user name or password’ or ‘Check with system admin to verify permissions’.
The first thing I wish I had known off the bat was that samba activity is logged in FreeNAS at /var/log/samba4/log.smbd. Tailing that log, it was obvious there were authentication issues. On each login attempt, I saw:
[2018/04/15 02:10:51.243374, 2] ../source3/param/loadparm.c:2787(lp_do_section)
Processing section "[$fnstorage]"
[2018/04/15 02:10:51.245286, 2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser
[2018/04/15 02:10:51.245752, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [msUser] -> [msUser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/04/15 02:10:51.245837, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MicrosoftAccount]\[msUser] at [Sun, 15 Apr 2018 02:10:51.245799 PDT] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [win10-PC] remote host [remoteAddress] mapped to [MicrosoftAccount]\[msUser]. local host [hostAddress]
[2018/04/15 02:10:51.245934, 2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
Now at first glance, what jumps out is NT_STATUS_WRONG_PASSWORD, you might think you’re just typing your password wrong. But that’s not what’s really going on– the real culprit is
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser
You may remember that NTLMv2 is the standard for SMB security, and NTLMv1 authentication is disabled by default in FreeNAS SMB shares.
I figured my PC was using NTLMv1 for some reason. A little research led me to this GPO in Group Policy:
Set this to Send NTLMv2 Only instead of whatever else it is. Mine was set to Use NTLMv2 if negotiated. See Microsoft’s docs for the caveats here.
I’m not sure if the value my PC was using is default, and I’m not sure if FreeNAS should actually negotiate NTLMv2, but this resolved my issue with no impact to other SMB shares on my network.
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows
Article
10 minutes to read
Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.
While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities and we strongly encourage you not to use it.
In Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012, disabling SMBv3 deactivates the following functionality:
Transparent Failover – clients reconnect without interruption to cluster nodes during maintenance or failover
Scale Out – concurrent access to shared data on all file cluster nodes
Multichannel – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
SMB Direct – adds RDMA networking support for high performance, with low latency and low CPU use
Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
Directory Leasing – Improves application response times in branch offices through caching
Performance Optimizations – optimizations for small random read/write I/O
In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:
Request compounding – allows for sending multiple SMBv2 requests as a single network request
Larger reads and writes – better use of faster networks
Caching of folder and file properties – clients keep local copies of folders and files
Durable handles – allow for connection to transparently reconnect to the server if there’s a temporary disconnection
Improved scalability for file sharing – number of users, shares, and open files per server greatly increased
Support for symbolic links
Client oplock leasing model – limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
Large MTU support – for full use of 10 Gigabit Ethernet (GbE)
Improved energy efficiency – clients that have open files to a server can sleep
The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. For more information about SMBv2 and SMBv3 capabilities, see the following articles:
Windows Server 2012 Windows Server 2012 R2, Windows Server 2016, Windows Server 2019: Server Manager method
To remove SMBv1 from Windows Server:
On the Server Manager Dashboard of the server where you want to remove SMBv1, under Configure this local server, select Add roles and features.
On the Before you begin page, select Start the Remove Roles and Features Wizard, and then on the following page, select Next.
On the Select destination server page under Server Pool, ensure that the server you want to remove the feature from is selected, and then select Next.
On the Remove server roles page, select Next.
On the Remove features page, clear the check box for SMB 1.0/CIFS File Sharing Support and select Next.
On the Confirm removal selections page, confirm that the feature is listed, and then select Remove.
Windows 8.1 and Windows 10: Add or Remove Programs method
To disable SMBv1 on Windows 8.1 and Windows 10:
In Control Panel, select Programs and Features.
Under Control Panel Home, select Turn Windows features on or off to open the Windows Features box.
In the Windows Features box, scroll down the list, clear the check box for SMB 1.0/CIFS File Sharing Support and select OK.
After Windows applies the change, on the confirmation page, select Restart now.
How to detect status, enable, and disable SMB protocols on the SMB Server
For Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows Server 2019
Windows 8 and Windows Server 2012 introduced the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.
Note
When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.
You don’t have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.
For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.
PowerShell methods
Note
This method requires PowerShell 2.0 or later version of PowerShell.
You must restart the computer after you make these changes.
Registry Editor
Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)
Note
You must restart the computer after you make these changes.
How to detect status, enable, and disable SMB protocols on the SMB Client
Here is how to detect status, enable, and disable SMB protocols on the SMB Client that is running Windows 10, Windows Server 2019, Windows 8.1, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012.
Note
When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.
This procedure disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.
Note
WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.
Important
Be careful when you make these changes on domain controllers on which legacy Windows XP or older Linux and third-party systems (that don’t support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.
Disable SMBv1 client
To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.
This guidance updates and replaces the default values in the following two items in the registry:
These three strings will not have bullets (see the following screen shot).
The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanWorkstation and going from four default values down to just these three values above.
Note
When you use Group Policy Management Console, you don’t have to use quotation marks or commas. Just type each entry on individual lines.
Restart the targeted systems to finish disabling SMB v1.
Auditing SMBv1 usage
To determine which clients are attempting to connect to an SMB server with SMBv1, you can enable auditing on Windows Server 2016, Windows 10, and Windows Server 2019. You can also audit on Windows 7 and Windows Server 2008 R2 if the May 2018 monthly update is installed, and on Windows 8.1 and Windows Server 2012 R2 if the July 2017 monthly update is installed.
When SMBv1 auditing is enabled, event 3000 appears in the “Microsoft-Windows-SMBServer\Audit” event log, identifying each client that attempts to connect with SMBv1.
Summary
If all the settings are in the same GPO, Group Policy Management displays the following settings.
Testing and validation
After completing the configuration steps in this article, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMBv2 and SMBv3 are functioning for all other systems in the environment.
