How to Enable or Disable Require SMB Encryption in Windows 11

This article explains how to enable or disable “Require SMB client encryption” in Windows 11.

SMB encryption is a security feature that encrypts data sent over the Server Message Block (SMB) protocol, which is used for file and printer sharing on a network. It gives SMB data end-to-end protection from interception attacks and snooping.

Beginning in Windows 11 Insider Preview Build 25982 (Canary Channel), SMB supports requiring encryption of all outbound SMB client connections. With this new option, administrators can mandate that all destination servers support SMB 3.x and encryption; if a server lacks those capabilities, the client won’t connect.

You can now configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or mapped drive requires.

You can configure this new option with both Group Policy and PowerShell.

Mandating SMB client encryption in Windows 11 is important because it provides an extra layer of security to your network. By encrypting data sent over the Server Message Block (SMB) protocol, you can protect against interception attacks and snooping.

If the destination server does not support SMB 3.x and encryption, the client won’t connect. This helps to prevent data breaches and unauthorized access to sensitive information.

Turn SMB client encryption mandate on or off

As mentioned above, beginning in Windows 11 Insider Preview Build 25982 (Canary Channel), you can mandate that Windows clients use SMB encryption to provide an extra layer of security to your network.

Here’s how to do it.

First, open Windows Terminal as administrator and select the Windows PowerShell tab.

Then, run the command below to check whether the required SMB client encryption mandate is enforced.

Get-SmbClientConfiguration | FL RequireEncryption

If the result matches the output below, client SMB encryption isn’t enforced.

RequireEncryption : False

To enforce the SMB client encryption mandate and enable it, run the command below.

Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false

To disable the SMB client encryption requirement and turn it off, run the command below.

Set-SmbClientConfiguration -RequireEncryption $false -Confirm:$false
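Before turning the requirement on, it helps to see which current connections it would affect. The read-only script below is an added example, not part of the original article: it reports the setting as seen by the cmdlet and by the registry value covered in the next section, then lists active SMB connections with their dialect and encryption state. The variable names are illustrative, and it assumes the Dialect and Encrypted properties returned by Get-SmbConnection.

```powershell
# Added example: read-only audit of the SMB client encryption requirement.
# Run in an elevated PowerShell session; it changes nothing.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# 1. Value reported by the SMB client cmdlet. On builds that predate the
#    option, the property is absent and $cfgValue stays $null.
$cfg = Get-SmbClientConfiguration
$cfgValue = $null
if ($cfg.PSObject.Properties.Name -contains 'RequireEncryption') {
    $cfgValue = [bool]$cfg.RequireEncryption
}

# 2. Raw RequireEncryption DWORD, if it exists under the Parameters key.
$regValue = (Get-ItemProperty -Path $regPath -Name 'RequireEncryption' `
    -ErrorAction SilentlyContinue).RequireEncryption

[pscustomobject]@{
    CmdletRequireEncryption   = if ($null -eq $cfgValue) { 'not supported on this build' } else { $cfgValue }
    RegistryRequireEncryption = if ($null -eq $regValue) { 'value not present' } else { $regValue }
} | Format-List

# 3. Active outbound SMB connections. A dialect below 3.x cannot meet the
#    requirement, so those servers become unreachable once it is enabled.
$report = foreach ($c in Get-SmbConnection) {
    $major = [int](($c.Dialect -split '\.')[0])
    $note = if ($major -lt 3) {
        'below SMB 3.x: client will not connect once required'
    } elseif (-not $c.Encrypted) {
        'SMB 3.x, not encrypted now: retest after enabling'
    } else {
        'already encrypted'
    }
    [pscustomobject]@{
        Server    = $c.ServerName
        Share     = $c.ShareName
        Dialect   = $c.Dialect
        Encrypted = $c.Encrypted
        Note      = $note
    }
}

if ($report) { $report | Format-Table -AutoSize } else { 'No active SMB client connections.' }
```

Run it once before the change and again afterwards; any server flagged as below SMB 3.x needs to be upgraded or excluded from the rollout plan first.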

Turn SMB client encryption mandate on or off using Windows Registry Editor

Another way to control the SMB client encryption mandate is to use the Windows Registry Editor.

First, open Windows Registry Editor.

Then, navigate to the registry key below.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Next, double-click the RequireEncryption (REG_DWORD) name in the right pane of that key to open it. Then, enter a value of 1 to enable client SMB encryption.

To disable it, enter a value of 0.

If you do not see the ‘RequireEncryption’ item, right-click a blank area and create a new DWORD (32-bit) Value. Then, enter the name ‘RequireEncryption’.

You may have to restart your computer for the changes to apply.

Change SMB client encryption mandate using Local Group Policy Editor

Yet another way to manage the SMB client encryption mandate is to use the Local Group Policy Editor.

First, open the Local Group Policy Editor (search for ‘Edit group policy’ on the Start menu).

Then, navigate through the folders below:

Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation

Then, in the Lanman Workstation details pane on the right, locate and double-click the setting “Require Encryption.”

On the Require Encryption window, set the option to Not Configured, Enabled, or Disabled.

  • Not Configured (default)
  • Enabled – The SMB client will require the SMB server to support encryption and encrypt the data.
  • Disabled – Same as Not Configured – The SMB client will not require encryption.

Click OK to save your changes and restart.

Reference:

Microsoft

Conclusion:

This post showed you how to turn “Require SMB client encryption” on or off in Windows 11. If you find errors or have something to add, please use the comments form below.
