For most modern businesses, the exchange of files, data, and valuable resources is at the heart of efficient collaboration and seamless operations. To further ensure the security of these shared assets, Microsoft has integrated a robust safeguard in Windows 11 — support for SMB encryption mandates. Below, we’ll explore how requiring SMB encryption contributes to fortifying Windows security as well as bringing peace of mind to businesses relying on collaborative data exchange. Here’s what you should know!
What Is SMB (Server Message Block)?
Server Message Block (SMB) is a communication protocol that allows computers to share files, printers, and other resources on a network. It’s widely used in Windows operating systems and is essential for collaborative work environments. As with any other processes that involve file sharing, using SMB can pose security risks. There’s a chance of unauthorized access and data interception if the system isn’t set up securely.
One feature that boosts the security of Windows systems is SMB client encryption. It supplies SMB data with end-to-end protection from cyber threats like snooping and interception. SMB encryption debuted with SMB 3.0 on Windows 8 and Windows Server 2012. This encryption technique was further improved with the addition of cryptographic suites like AES-GCM and AES-256-GCM in Windows 11 and Windows Server 2022.
Mandatory SMB Client Encryption in Windows 11
Microsoft continuously reinforces advanced network security in Windows 11. That’s why this past year, the company has been busy with data encryption enhancements for SMB. SMB signing, or the process of requiring digital signatures for SMB communication, became a default function for Windows Enterprise earlier in May. About a month later, they provided updates on the SMB authentication methodology.
With the release of the Windows 11 Canary build 25982 just last October, Microsoft announced mandatory SMB client encryption for all outbound connections. This means that administrators can mandate that all destination servers support SMB 3.x and encryption. If the server does not support either, the client won’t connect. Admins can also configure the SMB client to always require encryption, no matter the server or specific requirements.
How SMB Encryption Enhances Security
First rolled out with Windows 11 Insider Preview Build 25982, the goal of SMB client encryption mandates is to enforce the highest level of network security and bring management parity to SMB signing. So how can this feature boost your overall cybersecurity strategy? Here are the key ways:
- Consistent Security Policies: Since an admin can globally force a Microsoft Windows machine to use SMB encryption, it ensures a uniform and robust security policy across the network. This consistency minimizes the risk of vulnerabilities and unauthorized access.
- Preventing Unintended Misconfigurations: Requiring destination servers to support SMB 3.x and encryption allows admins to reduce the risk of unintended misconfigurations that could leave sensitive data exposed. Supporting encrypted protocols also minimizes the chances of oversight by individual users.
- Flexibility in Prioritization: With the ability to set up encryption on a per-share basis, for the entire file server, when mapping drives, or when using UNC Hardening, your business gains granular control over where and how encryption is applied. This allows you to tailor SMB security measures based on specific needs and priorities within your network, enhancing security where it matters most.
- Supporting Data Governance: Mandating SMB encryption provides a way to uphold proper data management practices. By ensuring that data shared across the network is encrypted, you establish a protective measure that aligns with data governance principles. This contributes to a secure and well-managed data environment for your business.
- Protection Against Insider Threats: Requiring encryption of all outbound data serves as a valuable defense against insider threats. This helps ensure that even if someone with authorized access attempts to misuse or access sensitive information improperly, the encrypted nature of the data provides an additional barrier.
Steps to Enable or Disable Require SMB Encryption
You can configure SMB encryption using Windows Registry Editor, Group Policy or PowerShell. Here’s an overview of the steps:
A. Using PowerShell
- Open Windows Terminal as administrator, then select the Windows PowerShell tab.
- Check if the required SMB client encryption mandate is enabled. To do so, run this command: Get-SmbClientConfiguration | FL RequireEncryption
- The output shows the value of RequireEncryption. If it is True, the SMB client encryption mandate is enabled; if it is False, it is disabled.
- If you want to enable the SMB client encryption mandate, run this command: Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false
- If you want to disable the SMB client encryption requirement instead, run this command: Set-SmbClientConfiguration -RequireEncryption $false -Confirm:$false
B. Using Group Policy
- Open the Local Group Policy Editor.
- Navigate to the folder location below:
Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation
- In the Lanman Workstation pane on the right, find and choose ‘Require Encryption’.
- Choose between ‘Not Configured’, ‘Enabled’, or ‘Disabled’ on the Require Encryption Window.
- Click OK and restart.
C. Using Windows Registry Editor
- Open Windows Registry Editor.
- Navigate to this registry key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
- Open the ‘RequireEncryption’ (REG_DWORD) value in the right pane.
- Enter a value of ‘1’ to enable encryption. Enter a value of ‘0’ to disable it.
- Restart your computer to apply the changes.
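The PowerShell and registry steps above set the same value, and a rollout to a mixed fleet only goes smoothly if you know which servers still speak pre-SMB3 dialects. The following audit script is an added example, not code from the original article or from Microsoft: it reads both the effective client setting and the raw registry value, flags a pending mismatch, lists which live connections are actually encrypted, and only enforces the mandate when run with -Enforce. It assumes the Encrypted, Signed and Dialect properties of Get-SmbConnection and the registry path given in the article; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit the SMB client
# encryption mandate on a Windows 11 host. Read-only unless -Enforce is given.
[CmdletBinding()]
param(
    [switch]$Enforce   # set RequireEncryption = True instead of only reporting
)

# Registry path from the article; Group Policy and regedit write this value.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# 1. Effective setting as seen by the SMB client.
$client = Get-SmbClientConfiguration
Write-Host ("RequireEncryption (client config): {0}" -f $client.RequireEncryption)

# 2. Raw registry value. A missing value means the default (not required).
$regValue = (Get-ItemProperty -Path $regPath -Name RequireEncryption `
    -ErrorAction SilentlyContinue).RequireEncryption
if ($null -eq $regValue) {
    Write-Host "RequireEncryption (registry): not set (default: not required)"
} else {
    Write-Host ("RequireEncryption (registry): {0}" -f $regValue)
}

# 3. A GPO or regedit change that has not been picked up yet shows as a mismatch;
#    the article's steps call for a restart after editing the value.
if (($null -ne $regValue) -and ([bool]$regValue -ne $client.RequireEncryption)) {
    Write-Warning "Registry and effective client setting differ; a restart is pending."
}

# 4. Live connections: anything not encrypted (including every pre-SMB3 dialect)
#    will stop connecting once the mandate is enforced. Property names assumed.
$conns = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
if ($conns) {
    $conns | Format-Table -AutoSize
    $atRisk = @($conns | Where-Object { -not $_.Encrypted })
    if ($atRisk.Count -gt 0) {
        Write-Warning ("{0} connection(s) are unencrypted and would fail under the mandate:" -f $atRisk.Count)
        $atRisk | ForEach-Object {
            Write-Warning ("  \\{0}\{1} (dialect {2})" -f $_.ServerName, $_.ShareName, $_.Dialect)
        }
    }
} else {
    Write-Host "No active SMB connections to inspect."
}

# 5. Optional enforcement, identical to the article's Set-SmbClientConfiguration step.
if ($Enforce -and -not $client.RequireEncryption) {
    Set-SmbClientConfiguration -RequireEncryption $true -Confirm:$false
    Write-Host "RequireEncryption set to True."
}
```

Run it without -Enforce first on a representative set of clients; servers that appear only in the unencrypted list are the ones to fix or exempt before the policy goes fleet-wide.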
Does Requiring Encryption Affect System Performance?
SMB 3.0 encryption requires a server that supports SMB 3.x, so it won’t work with legacy SMB servers. While older versions of third-party SMB servers might support SMB 3.0, encryption might still not be possible. This means IT teams should be careful when deploying SMB encryption through Group Policy to a heterogeneous fleet. Should there be compatibility issues, SMB signing can serve as an alternative measure: it offers better performance and tamper protection, but no defense against snooping. The best choice between the two will depend on your needs and your specific network infrastructure. Just keep in mind that SMB encryption supersedes SMB signing, so you won’t need both.
Take Advantage of Data Encryption Measures
The introduction of mandatory SMB client encryption reflects Microsoft’s commitment to secure Windows and Windows Server for the modern digital landscape. This feature can help your business set up a strong defense against potential security threats. It also ensures that your sensitive data remains confidential and protected. As technology evolves, taking advantage of encryption measures is more than just a necessity. It’s a strategic step towards a safer operations environment that propels your business ahead of the competition.