This article explains how to enable or disable “Require SMB client encryption” in Windows 11.
SMB encryption is a security feature that encrypts data sent over the Server Message Block (SMB) protocol, which is used for file and printer sharing on a network. It gives SMB data end-to-end protection from interception attacks and snooping.
Beginning in Windows 11 Insider Preview Build 25982 (Canary Channel), SMB supports requiring encryption of all outbound SMB client connections. With this new option, administrators can mandate that all destination servers support SMB 3.x and encryption; if a server lacks those capabilities, the client won’t connect.
You can now configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or mapped drive requires.
You can configure this new option with both Group Policy and PowerShell.
Mandating SMB client encryption in Windows 11 is important because it provides an extra layer of security to your network. By encrypting data sent over the Server Message Block (SMB) protocol, you can protect against interception attacks and snooping.
If a destination server lacks SMB 3.x or encryption support, the client won’t connect. This helps to prevent data breaches and unauthorized access to sensitive information.
Turn SMB client encryption mandate on or off
As mentioned above, beginning in Windows 11 Insider Preview Build 25982 (Canary Channel), you can mandate that Windows clients use SMB encryption to provide an extra layer of security to your network.
Here’s how to do it.
First, open Windows Terminal as administrator and select the Windows PowerShell tab.
Then, run the command below to check whether the SMB client encryption mandate is enforced.
Get-SmbClientConfiguration | Format-List RequireEncryption
If the result matches the output below, client SMB encryption isn’t enforced.
RequireEncryption : False
To enforce the SMB client encryption mandate and enable it, run the command below.
Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false
To disable the SMB client encryption requirement and turn it off, run the command below.
Set-SmbClientConfiguration -RequireEncryption $false -Confirm:$false
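Once the mandate is on, the client refuses servers that lack SMB 3.x and encryption, so it helps to know which servers would be affected before enabling it. The script below is an added example, not part of the original article: it confirms that this build exposes the -RequireEncryption parameter, lists the currently active connections with Get-SmbConnection, and enables the setting only if none of them negotiated a dialect below SMB 3.0. It assumes an elevated PowerShell session and only sees connections that are open when it runs.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check before requiring SMB client encryption.

# The article states the option begins with Insider Preview Build 25982.
$minBuild = 25982
$build    = [System.Environment]::OSVersion.Version.Build
$hasParam = (Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('RequireEncryption')
if ($build -lt $minBuild -or -not $hasParam) {
    Write-Warning "Build $build does not expose -RequireEncryption; nothing changed."
    return
}

# Active SMB sessions show which servers this client depends on right now.
# Servers that are not connected at this moment are not covered by the check.
$connections = @(Get-SmbConnection)

$connections | Sort-Object ServerName, ShareName |
    Format-Table ServerName, ShareName, Dialect, Encrypted -AutoSize

# Encryption needs SMB 3.x, so anything negotiated below 3.0 will be refused.
# Encrypted = False on a 3.x session only means encryption was not requested,
# so the dialect is the deciding field here.
$atRisk = @($connections | Where-Object { [version]$_.Dialect -lt [version]'3.0' })

if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) connection(s) use a pre-3.0 dialect and would fail:"
    $atRisk | Select-Object -Property ServerName, Dialect -Unique |
        Format-Table -AutoSize
    return
}

# No blocking connections found: apply the setting, then read it back.
Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false

if ((Get-SmbClientConfiguration).RequireEncryption) {
    Write-Output 'RequireEncryption is now True.'
} else {
    Write-Warning 'RequireEncryption is still False; check for a Group Policy override.'
}
```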
Turn SMB client encryption mandate on or off using Windows Registry Editor
Another way to control the SMB client encryption mandate is to use Windows Registry Editor.
First, open Windows Registry Editor.
Then, navigate to the registry key below.
Next, double-click the RequireEncryption (REG_DWORD) name on the Explorer key’s right pane to open it. Then, enter a value of 1 to enable client SMB encryption.
To disable it, enter a value of
If you do not see the ‘RequireEncryption’ item, simply right-click a blank area and create a new DWORD (32-bit) Value. Then, enter the name ‘RequireEncryption’.
You may have to restart your computer for the changes to apply.
Change SMB client encryption mandate using Local Group Policy Editor
Yet another way to manage the SMB client encryption mandate is to use the Local Group Policy Editor.
First, open the Local Group Policy Editor (search for ‘Edit group policy’ on the Start menu).
Then, navigate to the folders below:
Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation
Then, in the Lanman Workstation details pane on the right, locate and double-click the setting “Require Encryption.”
On the Require Encryption window, set the option to Not Configured, Enabled, or Disabled.
- Not Configured (default)
- Enabled – The SMB client will require the SMB server to support Encryption and encrypt the data.
- Disabled – Same as Not Configured – The SMB client will not require Encryption.
Click OK to save your changes and restart.
This post showed you how to turn “Require SMB client encryption” on or off in Windows 11. If you find errors or have something to add, please use the comments form below.