Last week Microsoft released the January 2019 Patch Tuesday updates, and the release included two updates that caused problems connecting to network shares on Windows 7 and Windows Server 2008 R2. On January 11th, Microsoft released a stand-alone update that resolves this issue.
The two updates that caused this problem are KB4480960 and KB4480970. Once they were installed, local users who are part of the local “Administrators” group could no longer connect to remote shares on Windows Server 2008 R2 or Windows 7 machines. Microsoft added the following information to the updates' release notes:
Local users who are part of the local “Administrators” group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.
To resolve this issue, on January 11th, 2019 Microsoft released the stand-alone update KB4487345, which lets local users who are also in the Administrators group access remote shares again.
The description of this update is:
This update resolves the issue where local users who are part of the local “Administrators” group may not be able to remotely access shares on Windows 7 SP1 and Windows Server 2008 R2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.
If you have been unable to connect to remote shares since installing the January Patch Tuesday updates, then you should download and install the KB4487345 package.
When users first encountered this bug, it was suggested that they make the following registry changes in order to be able to connect to shares again.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
With a value of 1, this setting gives local administrator accounts an elevated (administrator) security token on remote connections, which is no longer needed or wanted now that the fix has been released. Therefore, if you added this registry change, delete the LocalAccountTokenFilterPolicy value, or at least set it to 0 so that the default behavior is used.
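The cleanup described above can be scripted. The following PowerShell is an added example, not code from Microsoft or from this article. It reports the current state of LocalAccountTokenFilterPolicy and removes the value only when Get-HotFix lists KB4487345; that condition is a design choice of this example.

```powershell
# Added example: audit and revert the LocalAccountTokenFilterPolicy workaround.
# Run from an elevated PowerShell prompt; add -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$FixId = 'KB4487345'   # stand-alone fix named in the article
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

# Read the value; $null means it is absent, which is the default behavior.
$prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$value = if ($prop) { $prop.$name } else { $null }

# Get-HotFix reads Win32_QuickFixEngineering; a missing entry leaves $fix empty.
$fix = Get-HotFix -Id $FixId -ErrorAction SilentlyContinue

if ($null -eq $value) {
    Write-Output "$name is not set; default behavior is in effect."
}
elseif ($value -eq 0) {
    Write-Output "$name is 0; default behavior is in effect."
}
elseif (-not $fix) {
    # Choice made by this example: keep the workaround until the fix is present,
    # so share access for local administrators is not broken again.
    Write-Warning "$name is $value but $FixId was not found; install it first."
}
elseif ($PSCmdlet.ShouldProcess("$key\$name", 'Remove workaround value')) {
    Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
    Write-Output "$name removed; $FixId is installed."
}
```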