Enable or Disable Require SMB Client Encryption in Windows 11



This tutorial will show you how to enable or disable whether the SMB client will require encryption for all users in Windows 11.

Starting with Windows 11 build 25982 (Canary), SMB now supports requiring encryption of all outbound SMB client connections. With this new option, administrators can mandate that all destination servers support SMB 3.x and encryption; if a server is missing those capabilities, the client won’t connect. This enforces the highest level of network security as well as bringing management parity to SMB signing, which allows both client and server requirements.

SMB Encryption supplies SMB data end-to-end protection from interception attacks and snooping. It first shipped in SMB 3.0 on Windows 8 and Windows Server 2012. Windows 10 and Windows Server 2019 added AES-GCM support for better hardware-accelerated encryption, then Windows 11 and Windows Server 2022 introduced AES-256-GCM cryptographic suites. You can configure SMB encryption on a per-share basis, for the entire file server, when mapping drives, or when using UNC Hardening.

You can now also configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or a mapped drive requires. This means an administrator can globally force a Windows machine to use SMB encryption – and therefore SMB 3.x – on all connections and refuse to connect if the SMB server does not support either.

SMB encryption has performance and compatibility overhead, and you should balance that against SMB signing, which has better performance and tamper protection but no snooping protection, or against no use of encryption or signing at all, which has the best performance but no security. SMB encryption supersedes SMB signing and supplies the same level of tamper protection, meaning that if your SMB client requires signing, SMB encryption turns it off; there is no point requiring both because encryption wins.


You must be signed in as an administrator to enable or disable require SMB client encryption.



Contents

  • Option One: Check if Require SMB Client Encryption is Currently Enabled or Disabled
  • Option Two: Turn On or Off Require SMB Client Encryption in PowerShell
  • Option Three: Turn On or Off Require SMB Client Encryption using REG file
  • Option Four: Enable or Disable Require SMB Client Encryption in Local Group Policy Editor
  • Option Five: Enable or Disable Require SMB Client Encryption using REG file




Option One

Check if Require SMB Client Encryption is Currently Enabled or Disabled


1 Open Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below into Windows Terminal, and press Enter. (see screenshots below)

Get-SmbClientConfiguration | FL RequireEncryption

3 You will now get the RequireEncryption output as either True (enabled/on) or False (disabled/off).

4 You can now close Windows Terminal if you like.

Get_require_SMB_Encryption_status_command-2.png
Get_require_SMB_Encryption_status_command-1.png





Option Two

Turn On or Off Require SMB Client Encryption in PowerShell


1 Open Windows Terminal (Admin), and select Windows PowerShell.

2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter. (see screenshots below)

(Turn on require SMB client encryption)
Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false

OR​

(Default - Turn off require SMB client encryption)
Set-SmbClientConfiguration -RequireEncryption $false -Confirm:$false

3 You can now close Windows Terminal (Admin) if you like.

Turn_ON_require_SMB_Encryption_command.png
Turn_OFF_require_SMB_Encryption_command.png





Option Three

Turn On or Off Require SMB Client Encryption using REG file


1 Do step 2 (on) or step 3 (off) below for what you want.

2 Turn On Require SMB Client Encryption

A) Click/tap on the Download button below to download the .reg file below, and go to step 4 below.​

Turn_ON_Require_SMB_Encryption_for_all_users.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireEncryption"=dword:00000001

3 Turn Off Require SMB Client Encryption

This is the default setting.


A) Click/tap on the Download button below to download the .reg file below, and go to step 4 below.​

Turn_OFF_Require_SMB_Encryption_for_all_users.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireEncryption"=dword:00000000

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 You can delete the downloaded .reg file if you like.




Option Four

Enable or Disable Require SMB Client Encryption in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Five to configure the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the location below in the left pane of Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > Network > Lanman Workstation

Require_SMB_Encryption_gpedit-1.png

3 In the right pane of Lanman Workstation, double click/tap on the Require Encryption policy to edit it. (see screenshot above)

4 Do step 5 (enable) or step 6 (disable) below for what you want.

5 Enable Require SMB Client Encryption

This will override Option Two and Option Three.


A) Select (dot) Enabled. (see screenshot below)​

B) Click/tap on OK, and go to step 7.​

Require_SMB_Encryption_gpedit-3.png

6 Disable Require SMB Client Encryption

This is the default setting to allow using Option Two and Option Three.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 7.​

Require_SMB_Encryption_gpedit-2.png

7 You can now close the Local Group Policy Editor if you like.




Option Five

Enable or Disable Require SMB Client Encryption using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you want.


2 Enable Require SMB Client Encryption

This will override Option Two and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Enable_Require_SMB_Encryption_for_all_users.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation]
"RequireEncryption"=dword:00000001


3 Disable Require SMB Client Encryption

This is the default setting to allow using Option Two and Option Three.

This also includes turning off require SMB client encryption from Option Two and Option Three.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Disable_Require_SMB_Encryption_for_all_users.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation]
"RequireEncryption"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireEncryption"=dword:00000000

4 Save the REG file to your desktop.

5 Double click/tap on the downloaded REG file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 You can now delete the downloaded REG file if you like.
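
The following is an added example, not part of the original tutorial. It reads both registry locations used above (the policy key from Options Four and Five, and the local key from Options Two and Three), shows which one decides the setting, and lists currently open SMB connections that are not SMB 3.x or not encrypted, since those are the servers the client would refuse once encryption is required. The function name Get-RequireEncryptionValue and the output field names are made up for this example.

```powershell
# Added example: show where RequireEncryption is set and which open
# SMB connections would be affected by turning it on. Read-only.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'          # Options Four/Five
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' # Options Two/Three

function Get-RequireEncryptionValue {
    param([string]$Path)
    # Returns the DWORD as an int, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'RequireEncryption' -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.RequireEncryption } else { $null }
}

$policy = Get-RequireEncryptionValue -Path $policyKey
$local  = Get-RequireEncryptionValue -Path $localKey

[pscustomobject]@{
    PolicyValue   = if ($null -eq $policy) { 'Not Configured' } else { $policy }
    LocalValue    = if ($null -eq $local)  { 'Not set (default off)' } else { $local }
    # Per the tutorial, the policy value overrides the local one when present.
    DecidedBy     = if ($null -ne $policy) { 'Policy' } else { 'Local setting' }
    # Same value Option One displays.
    CmdletReports = (Get-SmbClientConfiguration).RequireEncryption
} | Format-List

# Connections open right now that are not SMB 3.x or not encrypted.
# This only covers sessions that exist at the moment the command runs.
Get-SmbConnection |
    Where-Object { $_.Dialect -notlike '3.*' -or -not $_.Encrypted } |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Run it before enabling the setting, while the usual drives and shares are connected. An empty connection list means every open session already uses SMB 3.x with encryption.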


That's it,
Shawn Brink
 
