SMB (Server Message Block) is a core protocol used by Windows systems to share files, printers, and serial ports over a network. Essentially, it’s a client-server protocol where you (the client) request access to files or other resources on a server, and the server responds by providing the requested access.
As you can imagine, this may be a security vulnerability, especially in managed IT environments. The SMB Encrypt Required setting in Windows 11 enforces encryption for all outbound SMB client connections. This feature allows IT admins to guarantee that sensitive data is protected from snooping and interception, particularly on untrusted or public networks.
📌 Recommended deployment strategies:
|
Click to Choose a Method |
💻 Best for Individual Users |
💻💻💻 Best for Enterprises |
| Method 1: Using PowerShell | ✓ | ✓ |
| Method 2: Using Group Policy | ✓ | |
| Method 3: Using Registry Editor | ✓ | ✓ |
| Method 4: .reg file example | ✓ | ✓ |
Methods on How to configure SMB encryption
Method 1: Using PowerShell (recommended)
📌 Use Cases: Ideal for scripted deployments, manual configurations, or remote administration
📌 Prerequisites:
- You must have admin privileges.
- This requires SMB v.3.0+ versions on both client and server.
- PowerShell execution policy must allow running commands/scripts.
- Restart is not typically required, but it is a good practice after a change.
- We recommend signing up for this free crash course, PowerShell for IT Ninjas.
Steps:
- Open an elevated PowerShell.
- Execute the following commands:
To enable required SMB client encryption:
Set-SmbClientConfiguration -RequireSecuritySignature $true -RequireEncryption $true
To disable required SMB client encryption:
Set-SmbClientConfiguration -RequireEncryption $false
To verify your current configuration:
Get-SmbClientConfiguration
Look for the RequireEncryption field in the output to confirm whether encryption is currently required.
Method 2: Using Group Policy (enterprise deployment)
📌 Use Cases: Best for enterprise-scale deployments across multiple domain-joined systems.
📌 Prerequisites:
- Domain-joined machine.
- Admin access to Group Policy Editor.
- Systems must support Group Policy enforcement.
- SMB v.3.0+ required.
Steps:
- Press Win + R, type gpedit.msc, and click Enter.
- Go to: Computer Configuration > Administrative Templates > Network > Lanman Workstation
- (Optional) Double-click Enable insecure guest logons and set it to Disabled to harden SMB security.
- Then, locate Encrypt all SMB client connections and double-click it.
- Set it to Enabled to enforce encryption for all client connections.
- Set it to Disabled or Not Configured to allow unencrypted connections.
- Click Ok and apply the changes.
- Open an elevated Command Prompt and run gpudate /force for the policy to take effect immediately. Alternatively, you can restart your computer.
Method 3: Using Registry Editor
📌 Use Cases: Suitable for manual overrides, offline environments, or environments without Group Policy access.
📌 Prerequisites:
- You must have admin privileges.
- It’s preferable if you have Registry Editing experience.
- SMB version 3.0+
- We recommend backing up your registry before proceeding. Incorrect configurations can lead to system instability.
Steps:
- Press Win + R, type regedit, and click Enter.
- Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
- Create or modify the RequireEncryption DWORD (32-bit) value:
- Set the value to 1 to require encryption.
- Set the value to 0 to disable the requirement (default).
- To apply the changes, restart your computer.
Method 4: .reg file example
📌 Use Cases: Ideal for simple deployments where scripting is not required but automation is still beneficial.
📌 Prerequisites:
- Requires admin privileges.
- The user must have permission to merge .reg files.
- Manula restart or sign-out/in is needed to apply changes.
- We recommend backing up your registry before proceeding. Incorrect configurations can lead to system instability.
Steps:
Enable encryption
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
“RequireEncryption”=dword:00000001
Disable encryption
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
“RequireEncryption”=dword:00000000
Additional consideration when modifying the SMB encryption required setting
- Compatibility: Enabling the RequireEncryption setting means that any SMB server without encryption support will be rejected. This may affect legacy systems.
- Performance: Encryption introduces some overhead, particularly in high-throughput environments. Test the impact in performance-critical scenarios before large-scale deployments.
- SMB signing: While SMB signing verifies data integrity, encryption also protects against eavesdropping. Enabling encryption effectively overrides the need for signing.
- SMB v1: This legacy protocol does not support encryption and is deprecated. It should be disabled in all modern environments for security reasons. (See How to Enable or Disable SMB1 File Sharing Protocol in Windows for more information. )
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| Enabling encryption on clients where the server doesn’t support it | Connection failures; inability to access SMB shares | Disable RequireEncryption via PowerShell, Group Policy, or Registry |
| Using Group Policy in mixed OS environments | The policy may not apply correctly or could even break connections with unsupported clients. | Revert GPO setting to Not Configured or Disabled and run gpudate /force in an elevated Command Prompt. |
| Modifying the Registry incorrectly | Could lead to system instability or break file sharing | Back up the registry before proceeding.
If this happens afterwards, try restoring the backup or resetting the DWORD to 0. |
| Enforcing encryption on legacy networks | May break compatibility with older NAS or Windows systems. | Consider staged rollouts or exceptions where needed. |
Improve data security with SMB encryption
Enforcing SMB client encryption is an effective way to secure network file sharing in Windows 11 environments. Whether you’re managing a single endpoint or deploying policies across an enterprise, requiring encryption strengthens data security and helps enforce compliance.
Related topics:
- What Is SMB (Server Message Block)?
- What Is File Encryption?
- How to Disable SMBv1 (Server Message Block Protocol) with PowerShell
Quick-Start Guide
In Windows 11, you can enable or disable SMB client encryption using Group Policy or Registry settings. Here’s how you can do it:
1. Via Group Policy:
– Open Group Policy Editor
– Navigate to: Computer Configuration > Administrative Templates > Network > Lanman Workstation
– Find and configure the “Enable insecure guest logons” and “Enable SMB encryption” policies
2. Via Registry (which could be done through a NinjaOne script):
REG ADD “HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” /v “RequireSmb2Encryption” /t REG_DWORD /d 1 (to enable)
REG ADD “HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” /v “RequireSmb2Encryption” /t REG_DWORD /d 0 (to disable)
For the most precise configuration, we recommend consulting your specific security requirements and testing in a controlled environment.
