File and Print Sharing Broken After Windows Update — Network Profile Switched to Public
After Windows 10/11 cumulative or feature updates, network adapters may silently switch from Private/Domain to Public profile, which disables file and print sharing by activating the restrictive Public firewall profile that blocks SMB (TCP 445). Affected machines cannot browse network shares, connect to shared printers, or be discovered via Network Discovery. Resolution involves correcting the network profile back to Private or Domain using PowerShell or GUI, then re-enabling sharing settings and firewall rules. This is a recurring L2 ticket pattern following Patch Tuesday deployments.
Indicators
- Unable to access network shares — connection refused or 'resource not found' errors when browsing UNC paths (\\hostname\sharename)
- Shared printers no longer accessible from other machines on the same subnet
- Network profile shown as 'Public' in Settings > Network & Internet despite being on a trusted LAN or domain network
- File and print sharing toggle disabled or greyed out in Network and Sharing Centre
- Other machines cannot ping or discover the affected host via Network Discovery
- Get-NetConnectionProfile returns NetworkCategory: Public for the primary adapter
- SMB connection errors vary by failure type: 'access denied' suggests auth/permission issue; 'network path not found' or timeout suggests firewall or discovery block — helps distinguish root cause
- Net use returns System error 53 (network path not found) or System error 67 (network name cannot be found)
- Event ID 7036 in System log: 'Server' service entered stopped state
- Event ID 7023 in System log: 'Workstation' service terminated with an error
- Event ID 4625 in Security log: logon failure — indicates authentication-level denial rather than firewall/discovery block
- Printer connections fail with 'Windows cannot connect to the printer' or error 0x0000007e / 0x00000709
- SMB negotiation fails with STATUS_NOT_SUPPORTED — client and server have no common SMB dialect
Likely causes
- Windows cumulative or feature update resets the network profile of existing connections to Public, triggering the restrictive Public firewall profile which blocks SMB (TCP 445) and related sharing traffic
- Network profile flipped to Public disables File and Printer Sharing firewall rules that are only active under Private or Domain profiles
- Sharing options (Network Discovery, File and Printer Sharing) disabled in Network and Sharing Centre as a side-effect of the profile change
- Non-domain-joined machines rely on manually set network profiles, making them more vulnerable to profile resets after updates as there is no GPO enforcement to restore the correct category
- SMB1 disabled on server (security hardening) while legacy clients only support SMB1 — connection silently fails
- LanmanServer ('Server') or LanmanWorkstation ('Workstation') service stopped or in a failed state
- Print Spooler service stopped or crashing, preventing printer share enumeration and connection
- Kerberos or NTLM authentication failure due to time skew (>5 min), SPN misconfiguration, or domain trust issues
- SMB signing mismatch — one endpoint requires signing while the other has it disabled
- Group Policy enforcing 'Network access: Restrict anonymous access to Named Pipes and Shares' or related hardening settings unexpectedly blocking access
- Ransomware or endpoint security software blocking SMB traffic as a protective or containment measure
- Incorrect NTFS or share permissions denying access independently of firewall/profile state
Diagnostic steps
-
Check the current network profile for all adapters using PowerShell: Get-NetConnectionProfileConfirms whether any network adapter is set to Public rather than Private or DomainAuthenticated — the root condition causing sharing to break
-
Navigate to Settings > Network & Internet > [Adapter] > Properties and check whether the profile is set to Public or Private. Alternatively, open Control Panel > Network and Sharing Centre and review the active network profile displayed.Provides UI-level confirmation of the network profile state and allows the technician to verify the user-facing symptom
-
Open Control Panel > Network and Sharing Centre > Change advanced sharing settings, and verify whether 'Turn on file and printer sharing' is enabled for the Private (and/or Domain) profile, and whether 'Turn on network discovery' is also enabled.Determines whether sharing options were disabled as a consequence of the profile flip or were separately disabled
-
Run PowerShell command: Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Select DisplayName, Enabled, ProfileConfirms whether the File and Printer Sharing firewall rules are enabled and which profiles they apply to — rules may be correct but the wrong profile is active
-
Check Windows Update history via Settings > Windows Update > Update History to identify any recent cumulative or feature update that preceded the onset of the issue.Establishes causal link between an update event and the profile/sharing change — useful for scoping the issue across the estate and for escalation to Microsoft if it is a known issue
-
Attempt to access the affected machine's shares from a remote host (e.g., via \\<hostname>\sharename) and note whether the error is 'access denied', 'network path not found', or a timeout.Characterises the failure mode and helps distinguish between a firewall block, a sharing configuration issue, or an authentication/permission problem
-
On domain-joined machines, run 'gpresult /h gpresult.html' in an elevated prompt and review applied GPO settings related to network profile and firewall.Determines if Group Policy is enforcing the Public profile or blocking sharing, which would require a GPO-level fix rather than a local settings change
-
Determine which SMB protocol versions are enabled on the server: Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2ProtocolIdentifies whether SMB1, SMB2, or SMB3 is available; SMB1 is commonly disabled by security policy and legacy clients may fail silently with no clear error
-
Enumerate active SMB shares and their share-level permissions on the server: Get-SmbShare | Select-Object Name, Path, Description; Get-SmbShareAccess -Name '<sharename>'Confirms shares exist as expected and reveals share-level permission misconfigurations causing access denials independent of firewall or profile issues
-
Check the state and startup type of LanmanServer and LanmanWorkstation on the server: Get-Service -Name LanmanServer, LanmanWorkstation | Select-Object Name, Status, StartTypeConfirms whether core SMB services are running; a stopped or failed service blocks all share access regardless of firewall and profile configuration
-
For printer sharing failures, verify the Print Spooler service is running and check for spooler crash events: Get-Service -Name Spooler | Select-Object Name, Status; Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 20 | Where-Object { $_.Message -match 'Spooler' }Print Spooler crashes prevent any printer share from being accessible; isolates whether the issue is spooler-specific rather than a general SMB problem
-
Review System and Security event logs on the server for SMB/auth errors: Get-EventLog -LogName System -EntryType Error -Newest 50 | Where-Object { $_.Source -match 'srv|mrxsmb|lanman|spooler' } | Select-Object TimeGenerated, EventID, Message | Format-ListSurfaces specific error events such as service failures (7023, 7036), Kerberos errors, or audit failures (4625) to pinpoint root cause
-
For authentication failures, verify time synchronisation between client and server (w32tm /query /status) and check SPN registration on the server (setspn -L <servername>)Kerberos fails silently when clock skew exceeds 5 minutes or when the server SPN is missing/duplicated — both produce 'access denied' symptoms that resemble permission issues
Resolution path
- 1. Set the network profile back to Private using PowerShell (replace InterfaceIndex as appropriate): Set-NetConnectionProfile -InterfaceIndex <index> -NetworkCategory Private
- 2. If the machine is domain-joined and the profile should be DomainAuthenticated, verify the machine can reach a domain controller (Test-NetConnection <DC> -Port 389) and then re-join or reconnect to the domain network to allow Windows to auto-assign the Domain profile.
- 3. Re-enable File and Printer Sharing in Control Panel > Network and Sharing Centre > Change advanced sharing settings: enable 'Turn on network discovery' and 'Turn on file and printer sharing' for the Private/Domain profile, then click 'Save changes'.
- 4. If firewall rules remain disabled, re-enable them via PowerShell: Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
- 5. Restart the affected services if sharing still does not work: Restart-Service -Name LanmanServer; Restart-Service -Name LanmanWorkstation
- 5a. If LanmanServer or LanmanWorkstation is stopped, start both and set to Automatic: Start-Service LanmanServer; Start-Service LanmanWorkstation; Set-Service LanmanServer -StartupType Automatic; Set-Service LanmanWorkstation -StartupType Automatic
- 5b. If SMB2 is disabled, re-enable it (do NOT re-enable SMB1 unless legacy requirement is accepted and risk documented): Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
- 5c. If share-level permissions are incorrect, grant access: Grant-SmbShareAccess -Name '<sharename>' -AccountName '<domain\user or group>' -AccessRight Full -Force — also verify NTFS permissions with icacls '<localpath>'
- 5d. For Kerberos/authentication failures, resync time (w32tm /resync /force) and verify SPN is registered (setspn -L <servername>)
- 5e. For Print Spooler failures, restart the spooler and clear the spool queue: Stop-Service Spooler; Remove-Item -Path 'C:\Windows\System32\spool\PRINTERS\*' -Force -Recurse; Start-Service Spooler
- Rollback — if switching to Private causes unexpected behaviour on a machine intentionally on an untrusted network, revert: Set-NetConnectionProfile -InterfaceAlias '<InterfaceAlias>' -NetworkCategory Public
- Rollback — if firewall rules were modified and a full config backup exists, restore defaults: netsh advfirewall reset (resets all custom rules — use with caution)
- Rollback — if GPO changes were deployed, revert the GPO and run 'gpupdate /force' on affected machines, confirm with 'gpresult /r'
- Rollback — if SMB2 was re-enabled and causes issues, disable again: Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force (this will break access for all modern clients — use with caution)
- Rollback — before modifying NTFS permissions, back up existing ACLs: icacls '<localpath>' /save aclbackup.txt /T — restore with: icacls '<localpath>' /restore aclbackup.txt
Prevention
- Deploy a Group Policy Object (GPO) to enforce the correct network profile on domain-joined machines: configure 'Network List Manager Policies' under Computer Configuration > Windows Settings > Security Settings to set the profile to Private or Domain and prevent users or updates from changing it.
- Monitor network profile changes at scale using a scheduled task or PowerShell script querying Get-NetConnectionProfile across the estate, alerting when any adapter is set to Public on a machine in a known-trusted subnet — run this check post-update as part of the patch deployment verification procedure.
- Include a file and print sharing smoke test (Test-NetConnection on port 445 to a known share host) in the post-update validation checklist run against a representative sample of machines after each Patch Tuesday deployment.
- Deploy a GPO that enforces the 'File and Printer Sharing' firewall rules as enabled on Private/Domain profiles across all client machines, ensuring updates do not disable the rules independently of the profile setting.
- Use Windows Update rings or staged deployment to roll out cumulative/feature updates to a pilot group first, allowing sharing breakage to be detected and remediated before wide estate impact.
- Enforce SMB signing via GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options: 'Microsoft network server: Digitally sign communications always') to prevent MITM attacks while maintaining SMB2/3 compatibility.
- Monitor LanmanServer, LanmanWorkstation, and Print Spooler services with alerting (SCOM, Datadog, or a custom scheduled task) so service failures are detected before users report outages.
- Regularly back up share and NTFS ACLs using 'icacls /save' as part of server configuration backups so permissions can be rapidly restored after accidental changes.
- Audit and phase out SMB1-dependent legacy systems; replace with SMB2/3-compatible alternatives to eliminate the insecure SMB1 protocol and the client-compatibility failures its removal causes.
Tools
- Get-NetConnectionProfile (PowerShell — check current network profile category)
- Set-NetConnectionProfile (PowerShell — change network profile category)
- Get-NetFirewallRule / Enable-NetFirewallRule (PowerShell — inspect and enable File and Printer Sharing firewall rules)
- Test-NetConnection (PowerShell — verify TCP port reachability for SMB on port 445)
- Network and Sharing Centre (Control Panel UI — change sharing and discovery settings)
- Restart-Service (PowerShell — restart LanmanServer and LanmanWorkstation services)
- gpresult (CLI — review applied Group Policy for network profile and firewall settings)
- gpupdate (CLI — force Group Policy refresh after GPO changes)
- Windows Defender Firewall with Advanced Security (GUI — review and edit inbound sharing rules)
- Get-SmbServerConfiguration / Set-SmbServerConfiguration (PowerShell — SMB dialect version management)
- Get-SmbShare / Get-SmbShareAccess / Grant-SmbShareAccess / Revoke-SmbShareAccess (PowerShell — share enumeration and permission management)
- Get-Service / Start-Service / Set-Service (PowerShell — service state and startup type management)
- Get-EventLog (PowerShell — programmatic event log querying)
- net use (cmd — map and test network share connectivity; exposes error codes 53 and 67)
- icacls (cmd — NTFS permission inspection, modification, save and restore)
- setspn (cmd — SPN registration verification for Kerberos troubleshooting)
- w32tm (cmd — time synchronisation verification and resync for Kerberos)