EC2 Windows Unable to Mount SMB: EDR Interception and Workgroup Authentication
Two EC2 Windows instances in the same VPC fail to access a shared folder via SMB. Security groups and NACLs are open and Windows Firewall is disabled, yet net use reports system error 1792 (ERROR_NETLOGON_NOT_STARTED), and a packet capture shows the server answering the SMB2 Session Setup with STATUS_NETLOGON_NOT_STARTED. The root cause is not VPC networking: security software on the instances is intercepting the SMB authentication flow.
Symptoms
Client access attempt from Explorer:
\\<server-private-ip>\share
The path cannot be opened, and no authentication prompt appears. From the command line:
net use Z: \\<server-private-ip>\share
Reports:
System error 1792 has occurred.
The attempt to logon to the network account failed because the network logon service is not started.
Afterward, connections to port 445 may start timing out, and even ping to the server may fail.
Troubleshooting Process
1. Rule Out AWS Network Issues First
Confirm:
- Both instances are in the same VPC or have routable connectivity.
- Security group allows TCP 445.
- NACL is not blocking.
- Route table has a local or correct route.
- Windows Defender Firewall is not blocking on the active profile of either instance (check the effective state, since Group Policy can re-enable a profile that was disabled locally).
2. Packet Capture on Both Ends
Packet capture shows that the SMB protocol has already begun negotiation:
SMB2 Negotiate Protocol Request
SMB2 Negotiate Protocol Response
SMB2 Session Setup Request
SMB2 Session Setup Response: STATUS_NETLOGON_NOT_STARTED
This indicates traffic has reached the server and the server has replied. It is not an AWS underlying network packet drop.
3. Understanding Netlogon
In a Workgroup environment, the Netlogon service is set to Manual and is not running by default; that is normal. SMB authentication with a local account is NTLM against the server's local SAM and does not need Netlogon, so a stopped Netlogon by itself should not produce this error. The server only needs Netlogon when it has to pass the authentication through to a domain controller, which is what happens when the domain part of the credential the client sent is not the server's own computer name. The Win32 error 1792 shown by net use is simply the mapping of the NTSTATUS code 0xC0000192 (STATUS_NETLOGON_NOT_STARTED) seen in the capture.
If STATUS_NETLOGON_NOT_STARTED is returned and then all traffic from the client (port 445 and ICMP) is blocked, suspect that security software or EDR on the server is intercepting the SMB authentication and then blocking the client's address.
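The three checks above, collected into one client-side triage script. This is an added example and not part of the original page; it assumes it runs with administrative rights on the client, that $Server and $Share are placeholders for the server's private IP and share name, and that pktmon (built into Windows Server 2019+/Windows 10 2004+) is available for the capture step.

```powershell
# Added example: triage for the EC2 Windows SMB failure described above (not the page's own code).
# Assumptions: runs on the client as an administrator; $Server / $Share are placeholders.
param(
    [Parameter(Mandatory)] [string]$Server,
    [string]$Share = 'share'
)

$unc = "\\$Server\$Share"

# 1. Is TCP 445 reachable at all? A failure here points at SG/NACL/route/firewall, not at authentication.
$tcp = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
"TCP 445 reachable: $($tcp.TcpTestSucceeded)"

# Effective firewall state on this client; verify it instead of trusting the 'disabled' note.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 2. Workgroup or domain? A stopped Netlogon is expected on a workgroup machine.
$cs = Get-CimInstance Win32_ComputerSystem
"PartOfDomain: $($cs.PartOfDomain)  Workgroup/Domain: $($cs.Domain)"
Get-Service Netlogon | Select-Object Status, StartType

# 3. Attempt the mapping and keep the error text; net use prints the Win32 code (1792 in the page's case).
$out = & net use Z: $unc 2>&1
"net use exit code: $LASTEXITCODE"
$out

# Re-test 445 and ICMP immediately after the failed attempt: if both were fine before and now fail,
# something on the server started blocking this client after the failed NTLM logon.
$again = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
"TCP 445 reachable after the failed logon: $($again.TcpTestSucceeded)  ping: $($again.PingSucceeded)"

# 4. Packet-level view without Wireshark on the box. Run these in a second session while repeating
#    the net use, then open the pcapng elsewhere and filter on 'smb2.nt_status == 0xc0000192'.
# pktmon filter add smb -p 445
# pktmon start --capture
# ... reproduce the net use ...
# pktmon stop
# pktmon etl2pcap PktMon.etl -o smb445.pcapng

# 5. On the server, after reproducing: did LSA record the failed logon, and with which status?
#    (Only present if the attempt reached the logon stage; an EDR drop earlier leaves no 4625.)
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 |
#     Where-Object { $_.Message -match '0xC0000192' } | Select-Object TimeCreated, Message
```

The decisive signal is the pair of results from step 3: a Session Setup Response carrying 0xC0000192 proves the SMB dialogue reached the server, and a 445/ping failure immediately afterwards points at something on the server acting on that failed logon rather than at the VPC.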
Solution
1. Temporarily Disable EDR to Verify
Temporarily disable the security software on the server during a change window, re-run the net use, and re-enable it as soon as the test is done. If port 445 and ping both recover after disabling, the root cause is essentially confirmed; record the product, version and active policy for the vendor ticket.
2. Use Explicit Local Account Authentication
In a Workgroup environment, do not rely on implicit credentials (the current client user, qualified by the client's computer name). Use an account that is local to the server, qualified by the server's computer name:
net use Z: \\<server-private-ip>\share /user:<server-computer-name>\Administrator
Note that <server-computer-name> must be the server's computer name, not the client's. If this explicit form succeeds while the implicit one fails, the problem was the name sent in the NTLM exchange rather than the EDR; if it still returns error 1792 and 445 then goes dark, the interception pattern above is confirmed.
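The same mapping done from PowerShell with a credential that is unambiguously a local account on the server, followed by a check of the session that resulted. This is an added example and not part of the original page; $Server, $ServerName, $Share and $LocalUser are placeholders, and the password is prompted for rather than placed on the command line.

```powershell
# Added example (not the page's own code): explicit server-local authentication for a workgroup share.
# Placeholders: $Server = server private IP, $ServerName = the server's computer name, $Share, $LocalUser.
param(
    [Parameter(Mandatory)] [string]$Server,
    [Parameter(Mandatory)] [string]$ServerName,
    [string]$Share = 'share',
    [string]$LocalUser = 'Administrator'
)

# Prompt for the password; a password typed after /user: on the net use line ends up in shell history
# and in process listings that an EDR (or an attacker) can read.
$cred = Get-Credential -UserName "$ServerName\$LocalUser" -Message "Local account on $ServerName"

# Drop any stale mapping or session that is still holding the implicit (client) identity,
# otherwise Windows may reuse it instead of authenticating again.
Remove-SmbMapping -LocalPath 'Z:' -Force -ErrorAction SilentlyContinue
& net use "\\$Server" /delete 2>$null | Out-Null

# What the page warns against: implicit credentials. The client sends CLIENTNAME\<user>, a name the
# server does not own, so it would need to pass the logon through Netlogon, which is not running.
# net use Z: \\$Server\$Share

# Correct form: the domain part of the user name is the server's own computer name, so the server
# resolves the account in its local SAM and authenticates with NTLM without touching Netlogon.
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$Server\$Share" `
    -UserName $cred.UserName `
    -Password $cred.GetNetworkCredential().Password `
    -Persistent $false

# Confirm which identity and dialect the server actually accepted, and that the share is usable.
Get-SmbConnection -ServerName $Server |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted
"Share readable: $(Test-Path 'Z:\')"
```

Get-SmbConnection shows the UserName the session was established with; if it reads as the server's computer name followed by the local account, the NTLM exchange was resolved locally as intended.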
3. Adjust EDR Policy
Contact the security software vendor or your security team to add an exception for NTLM authentication over SMB between the private IPs of these two instances, and to stop the automatic blocking of the client after the flagged logon. Ask for a scoped exception rather than a blanket exclusion of SMB or port 445, since lateral-movement detection over SMB is exactly what the product is there for.
4. Long-Term Recommendation: Join a Domain
If multiple Windows instances frequently share files, consider joining Active Directory and using domain accounts with group-based permissions to reduce the complexity of Workgroup + local account authentication. Accessing the share by its DNS name rather than its IP then lets the client use Kerberos, so the NTLM path that the EDR was flagging is no longer exercised.
Summary
When EC2 Windows SMB access fails, don't only look at security groups. If the packet capture already shows SMB protocol negotiation and an authentication-stage error, the problem has moved out of the VPC and into the OS or the security software layer.
STATUS_NETLOGON_NOT_STARTED in a Workgroup scenario does not necessarily mean Netlogon itself is the root cause: a workgroup server never needs it for a local-account logon. Combined with the client's traffic being blocked afterwards, EDR or security software interception should be the primary line of investigation.
