This tutorial will show you how to enable or disable requiring SMB client encryption for all users in Windows 11.
Starting with Windows 11 build 25982 (Canary), SMB now supports requiring encryption of all outbound SMB client connections. With this new option, administrators can mandate that all destination servers support SMB 3.x and encryption, and if missing those capabilities, the client won’t connect. This enforces the highest level of network security as well as bringing management parity to SMB signing, which allows both client and server requirements.
SMB Encryption supplies SMB data end-to-end protection from interception attacks and snooping. It first shipped in SMB 3.0 on Windows 8 and Windows Server 2012. Windows 10 and Windows Server 2019 added AES-GCM support for better hardware-accelerated encryption, then Windows 11 and Windows Server 2022 introduced AES-256-GCM cryptographic suites. You can configure SMB encryption on a per share basis, for the entire file server, when mapping drives, or when using UNC Hardening.
You can now also configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or a mapped drive requires. This means an administrator can globally force a Windows machine to use SMB encryption – and therefore SMB 3.x – on all connections and refuse to connect if the SMB server does not support either.
SMB encryption has performance overhead and compatibility overhead, and you should balance that against SMB signing (which has better performance and tamper protection but no snooping protection) or against no use of encryption or signing at all, which has best performance but no security. SMB encryption supersedes SMB signing and supplies the same level of tamper protection, meaning that if your SMB client requires signing, SMB encryption turns it off; there is no point requiring both because encryption wins.
References:
- SMB client encryption mandate now supported in Windows Insider (techcommunity.microsoft.com): SMB client global encryption option now available to ensure highest security.
- SMB security enhancements (learn.microsoft.com): Learn about SMB security enhancements, such as encryption and the new signing algorithm, in Windows Server and Azure Stack HCI, version 21H2.
You must be signed in as an administrator to enable or disable require SMB client encryption.
Contents
- Option One: Check if Require SMB Client Encryption is Currently Enabled or Disabled
- Option Two: Turn On or Off Require SMB Client Encryption in PowerShell
- Option Three: Turn On or Off Require SMB Client Encryption using REG file
- Option Four: Enable or Disable Require SMB Client Encryption in Local Group Policy Editor
- Option Five: Enable or Disable Require SMB Client Encryption using REG file
Option One: Check if Require SMB Client Encryption is Currently Enabled or Disabled
1 Open Windows Terminal, and select Windows PowerShell.
2 Copy and paste the command below into Windows Terminal, and press Enter. (see screenshots below)
Get-SmbClientConfiguration | FL RequireEncryption
3 You will now get RequireEncryption output as either True (enabled/on) or False (disabled/off)
4 You can now close Windows Terminal if you like.
Option Two: Turn On or Off Require SMB Client Encryption in PowerShell
1 Open Windows Terminal (Admin), and select Windows PowerShell.
2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter. (see screenshots below)
(Turn on require SMB client encryption)
Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false
OR
(Default - Turn off require SMB client encryption)
Set-SmbClientConfiguration -RequireEncryption $false -Confirm:$false
3 You can now close Windows Terminal (Admin) if you like.
Option Three: Turn On or Off Require SMB Client Encryption using REG file
1 Do step 2 (on) or step 3 (off) below for what you want.
2 Turn On Require SMB Client Encryption
A) Click/tap on the Download button below to download the .reg file below, and go to step 4 below.
Turn_ON_Require_SMB_Encryption_for_all_users.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireEncryption"=dword:00000001
3 Turn Off Require SMB Client Encryption
This is the default setting.
A) Click/tap on the Download button below to download the .reg file below, and go to step 4 below.
Turn_OFF_Require_SMB_Encryption_for_all_users.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireEncryption"=dword:00000000
4 Save the .reg file to your desktop.
5 Double click/tap on the downloaded .reg file to merge it.
6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
7 You can delete the downloaded .reg file if you like.
Option Four: Enable or Disable Require SMB Client Encryption in Local Group Policy Editor
The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.
All editions can use Option Five to configure the same policy.
1 Open the Local Group Policy Editor (gpedit.msc).
2 Navigate to the location below in the left pane of Local Group Policy Editor. (see screenshot below)
Computer Configuration > Administrative Templates > Network > Lanman Workstation
3 In the right pane of Lanman Workstation, double click/tap on the Require Encryption policy to edit it. (see screenshot above)
4 Do step 5 (enable) or step 6 (disable) below for what you want.
5 Enable Require SMB Client Encryption
This will override Option Two and Option Three.
A) Select (dot) Enabled. (see screenshot below)
B) Click/tap on OK, and go to step 7.
6 Disable Require SMB Client Encryption
This is the default setting to allow using Option Two and Option Three.
A) Select (dot) Not Configured. (see screenshot below)
B) Click/tap on OK, and go to step 7.
7 You can now close the Local Group Policy Editor if you like.
Option Five: Enable or Disable Require SMB Client Encryption using REG file
1 Do step 2 (enable) or step 3 (disable) below for what you want.
2 Enable Require SMB Client Encryption
This will override Option Two and Option Three.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Enable_Require_SMB_Encryption_for_all_users.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation]
"RequireEncryption"=dword:00000001
3 Disable Require SMB Client Encryption
This is the default setting to allow using Option Two and Option Three.
This also includes turning off require SMB client encryption from Option Two and Option Three.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Disable_Require_SMB_Encryption_for_all_users.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation]
"RequireEncryption"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireEncryption"=dword:00000000
4 Save the REG file to your desktop.
5 Double click/tap on the downloaded REG file to merge it.
6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
7 You can now delete the downloaded REG file if you like.
That's it,
Shawn Brink
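Added example (not part of the original tutorial): a read-only audit that shows which of the two registry locations from Options Three and Five carries RequireEncryption, what the SMB client reports, and which current connections negotiated a dialect below SMB 3.x and would therefore be refused once the mandate is on. The helper name Get-RequireEncryptionValue is hypothetical; the registry paths and value name are the ones shown in the REG files above.

```powershell
# Added example: audit the RequireEncryption setting before enforcing it.
# Run in an elevated PowerShell so connections of all users are listed.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-RequireEncryptionValue {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the key or the value does not exist (not configured).
    $item = Get-ItemProperty -Path $Path -Name 'RequireEncryption' -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.RequireEncryption } else { $null }
}

$policy = Get-RequireEncryptionValue -Path $policyKey   # Option Four / Five
$local  = Get-RequireEncryptionValue -Path $localKey    # Option Two / Three

# The RequireEncryption property is absent (null) on builds older than 25982.
$reported = (Get-SmbClientConfiguration).RequireEncryption

[pscustomobject]@{
    PolicyValue  = if ($null -eq $policy) { 'Not configured' } else { $policy }
    LocalValue   = if ($null -eq $local)  { 'Not set' } else { $local }
    Reported     = if ($null -eq $reported) { 'Property not available' } else { $reported }
    # Per the tutorial, the policy value overrides the local setting when present.
    ControlledBy = if ($null -ne $policy) { 'Policy' } else { 'Local setting' }
} | Format-List

# Classify existing SMB connections by what the mandate would do to them.
Get-SmbConnection | ForEach-Object {
    $major = [int]($_.Dialect.Split('.')[0])
    $impact = if ($major -lt 3) {
        'Refused: server negotiated a pre-3.x dialect'
    } elseif (-not $_.Encrypted) {
        'Verify: SMB 3.x but not encrypted now; server must support encryption'
    } else {
        'OK: already encrypted'
    }
    [pscustomobject]@{
        Server    = $_.ServerName
        Share     = $_.ShareName
        Dialect   = $_.Dialect
        Encrypted = $_.Encrypted
        Impact    = $impact
    }
} | Sort-Object Impact, Server | Format-Table -AutoSize
```

Only connections that are open when the script runs are listed, so run it while the usual mapped drives and shares are in use.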