Enable SMB Client Encryption in Windows 11


This article explains enabling or disabling “Require SMB client encryption” in Windows 11.

SMB encryption is a security feature that encrypts data sent over the Server Message Block (SMB) protocol, which is used for file and printer sharing on a network. It supplies SMB data end-to-end protection from interception attacks and snooping.

Beginning in Windows 11 Insider Preview Build 25982 (Canary Channel), the SMB client supports requiring encryption of all outbound SMB client connections. With this new option, administrators can mandate that all destination servers support SMB 3.x and encryption; if a server lacks those capabilities, the client won’t connect.

You can now configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or mapped drive requires.

You can configure this new option with both Group Policy and PowerShell.

Mandating SMB client encryption in Windows 11 is important because it provides your network an extra layer of security. Encrypting data sent over the Server Message Block (SMB) protocol protects you against interception attacks and snooping.

Because a client that requires encryption refuses to connect to servers that lack SMB 3.x and encryption, this helps prevent data breaches and unauthorized access to sensitive information.

Turn SMB client encryption mandate on or off

As mentioned above, beginning in Windows 11 Insider Preview Build 25982 (Canary Channel), you can mandate that Windows clients use SMB encryption to provide your network an extra layer of security.

Here’s how to do it.

First, open Windows Terminal as administrator and select the Windows PowerShell tab.

Then, run the command below to check whether the SMB client encryption requirement is currently enforced.

Get-SmbClientConfiguration | FL RequireEncryption

If the result matches the output below, SMB client encryption isn’t enforced.

RequireEncryption : False

To enforce the SMB client encryption mandate and enable it, run the command below.

Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false

Run the command below to disable the SMB client encryption requirement and turn it off.

Set-SmbClientConfiguration -RequireEncryption $false -Confirm:$false

Turn SMB client encryption mandate on or off using Windows Registry Editor

Another way to control SMB client encryption mandate is to use Windows Registry Editor.

First, open Windows Registry Editor.

Then, navigate to the registry key below.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Next, double-click the RequireEncryption (REG_DWORD) value in the right pane of the Parameters key to open it. Then, enter a value of 1 to enable SMB client encryption.

To disable it, enter a value of 0.

If you do not see the ‘RequireEncryption’ item, simply right-click a blank area and create a new DWORD (32-bit) Value. Then, enter the name ‘RequireEncryption’.

You may have to restart your computer to apply the changes.
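The PowerShell and Registry Editor procedures above both drive the same RequireEncryption setting, so an administrator typically wants to audit both views at once. The script below is an added example, not code from the original article or from Microsoft: it reads the effective setting from Get-SmbClientConfiguration, reads the persisted value from the LanmanWorkstation Parameters key shown above, flags any mismatch (for example a registry edit that is still waiting for a restart), and optionally enforces the mandate. It assumes an elevated PowerShell session on Windows 11 Insider Preview Build 25982 or later.

```powershell
# Added example (not the article's own code): audit and optionally enforce the
# "Require SMB client encryption" mandate. Run from an elevated PowerShell session.
param(
    [switch]$Enforce   # report-only by default; pass -Enforce to turn the mandate on
)

# Registry key from the article's Registry Editor procedure
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbClientEncryptionState {
    # Effective setting as reported by the SMB client (what Set-SmbClientConfiguration changes)
    $effective = [bool](Get-SmbClientConfiguration).RequireEncryption

    # Persisted registry value; a missing value means "not set", which behaves like 0
    $item = Get-ItemProperty -Path $RegPath -Name 'RequireEncryption' -ErrorAction SilentlyContinue
    $persisted = if ($null -eq $item) { $null } else { [int]$item.RequireEncryption }

    [pscustomobject]@{
        EffectiveRequireEncryption = $effective
        RegistryRequireEncryption  = $persisted
        # Treat an absent registry value as 0 when comparing with the effective setting
        Consistent                 = ([bool]$persisted -eq $effective)
    }
}

$state = Get-SmbClientEncryptionState
$state | Format-List

if (-not $state.Consistent) {
    Write-Warning 'Registry value and effective setting differ; a restart may be pending.'
}

if ($Enforce -and -not $state.EffectiveRequireEncryption) {
    # Same command the article uses to enable the mandate
    Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false
    Write-Output 'RequireEncryption is now True. Re-run without -Enforce to confirm.'
}
elseif ($state.EffectiveRequireEncryption) {
    Write-Output 'SMB client encryption is already required.'
}
```

Run it without parameters on a fleet of machines to find clients that still accept unencrypted SMB servers, and with -Enforce on the ones you want to remediate.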

Change SMB client encryption mandate using Local Group Policy Editor

Yet another way to manage SMB client encryption mandate is to use the Local Group Policy editor.

First, open the Local Group Policy Editor (search for ‘Edit group policy’ on the Start menu).

Then, navigate the folders below:

Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation

Then, in the Lanman Workstation details pane on the right, locate and double-click the setting “Require Encryption.”

On the Require Encryption window, set the option to Not Configured, Enabled, or Disabled:

  • Not Configured (default)
  • Enabled – The SMB client will require the SMB server to support encryption and will encrypt the data.
  • Disabled – Same as Not Configured; the SMB client will not require encryption.

Click OK to save your changes and restart.

Reference:

Microsoft

Conclusion:

  • Enabling or disabling the “Require SMB client encryption” feature in Windows 11 provides your network an extra layer of security by encrypting data sent over the Server Message Block (SMB) protocol.
  • This security feature protects against interception attacks and snooping, preventing data breaches and unauthorized access to sensitive information.
  • The SMB encryption mandate can be enforced through several methods, including Group Policy, PowerShell commands, Windows Registry Editor, and Local Group Policy Editor.
  • Administrators can now mandate that all destination servers support SMB 3.x and Encryption, ensuring that client connections are only established with servers that meet these encryption requirements.
  • Following the outlined procedures, users can configure the SMB client to always require encryption, regardless of the server, share, UNC hardening, or mapped drive requirements.
