0X000009A6

Fix 0X000009A6: Down-level admin protocol error on Windows

Windows Errors Intermediate 👁 2 views 📅 May 28, 2026

This error pops up when Windows can't connect to a remote admin share over SMB. It's common in mixed environments with older servers. Here's how to fix it fast.

The 30-Second Fix: Enable insecure guest logins

I know this error is infuriating—especially when you're just trying to map a drive or run a remote admin tool. The 0X000009A6 error, also known as NERR_TryDownLevel, means Windows tried and failed to fall back to an older SMB protocol to connect to a remote admin share (like ADMIN$ or C$). This usually happens when the remote machine is running an older OS (Windows 7, Server 2008 R2, or a NAS device) that doesn't support SMB2/3 properly.

The quickest fix? Enable insecure guest logins. Yes, it's not ideal for security, but in a controlled lab or internal network, it works. Here's how:

  1. Press Win + R, type regedit, and hit Enter.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters.
  3. Create a new DWORD (32-bit) value named AllowInsecureGuestAuth.
  4. Set it to 1.
  5. Close regedit and restart your computer.

After the reboot, try your remote admin connection again. If it works? Great, you're done. If not, move to the next fix.

The 5-Minute Fix: Force SMB1 or adjust SMB settings

If the registry tweak didn't do it, the issue is likely that SMB2 or SMB3 is failing negotiation. The error message literally says “try the down-level admin protocol,” so we need to force Windows to use SMB1 (the down-level protocol) for that connection.

Step 1: Check if SMB1 is installed

Open PowerShell as admin and run:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

If it says State : Enabled, you're good. If it's disabled, enable it with:

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All

You'll need to reboot after this.

Step 2: Disable SMB2/3 temporarily

This is a blunt instrument, but it works. In PowerShell (admin):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB2" -Value 0 -Type DWord

Then restart the Server service:

Restart-Service -Name LanmanServer -Force

Now try your connection. If it works, the problem is SMB2/3 negotiation with that remote host. Important: Once you're done, re-enable SMB2/3 with:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB2" -Value 1 -Type DWord
Restart-Service -Name LanmanServer -Force

Leaving SMB2 disabled makes your system vulnerable to attacks like EternalBlue. Don't do it permanently.

The 15+ Minute Fix: Advanced SMB configuration and network troubleshooting

If you're still seeing the error, something deeper is going on. Here are three things to check:

1. Verify the remote server's SMB configuration

If you have admin access to the remote machine, check its SMB settings. On Windows Server 2008 R2 or older, SMB2 is optional. Make sure the remote server has SMB1 enabled for admin shares. On the remote server (as admin), run:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

If it's false, enable it with:

Set-SmbServerConfiguration -EnableSMB1Protocol $true

Again, only do this if you trust the network. SMB1 is ancient and insecure.

2. Check for firewall or RPC issues

The 0X000009A6 error can also mask a connectivity problem. The remote admin protocol uses RPC (port 135) and SMB (port 445). Run this from your local machine:

Test-NetConnection -ComputerName REMOTE_IP -Port 445
Test-NetConnection -ComputerName REMOTE_IP -Port 135

If either fails, you've got a firewall or network route issue. Check Windows Defender Firewall on both sides for the "File and Printer Sharing" rules.

3. Disable SMB signing on the client (last resort)

Some older servers don't support SMB signing, and Windows 10/11 enforces it by default for security. To disable it temporarily:

  1. Open Local Group Policy Editor (gpedit.msc).
  2. Go to Computer Configuration > Administrative Templates > Network > Lanman Workstation.
  3. Set Enable insecure guest logons to Enabled (yes, again—this is a different policy).
  4. Also set Digitally sign communications (always) to Disabled.
  5. Run gpupdate /force and reboot.

Once you're done, re-enable signing. Leaving it off exposes you to man-in-the-middle attacks.

When to give up and use a different approach

If none of this works, the remote host may simply not support the admin protocol at all. This is common with consumer NAS devices or Linux Samba servers configured without admin shares. In that case:

  • Use a regular SMB share (like \\server\share) instead of admin shares (\\server\C$).
  • Or use PowerShell Remoting (Enter-PSSession) if WinRM is enabled.
  • Or map a drive with explicit credentials in a batch script using net use with the /persistent:no flag.

The 0X000009A6 error is a relic of older Windows networking, but with these steps you can usually squash it in under 10 minutes. Start with the registry tweak, then move through the list. You'll get there.

Was this solution helpful?

0X000009A6 Windows error 0X000009A6 NERR_TryDownLevel down-level admin protocol SMB connection error remote admin API error Windows networking error fix SMB admin share Windows 11 error 0X000009A6 Windows 10 error 0X000009A6 SMB2 down-level fallback remote management error Windows admin share access denied network error 0X000009A6 fix NERR_TryDownLevel