How to Enable or Disable the SMB Client Encryption Requirement in Windows 11

SMB, short for Server Message Block, is a core protocol used by Windows systems to share files, printers, and serial ports over a network. Essentially, it’s a client–server protocol where you (the client) request access to files or other resources on a server, and the server responds by providing the requested access.

As you can imagine, this may be a security vulnerability, especially in managed IT environments. The SMB client encryption requirement setting in Windows 11 (version 24H2 or later) enforces encryption for all outbound SMB client connections. This feature allows IT admins to guarantee that sensitive data is protected from snooping and interception, particularly on untrusted or public networks.

📌 Recommended deployment strategies:

How to configure the SMB client encryption requirement in Windows 11

Method 1: Using PowerShell (recommended)

📌 Use Cases: Ideal for scripted deployments, manual configurations, or remote administration

📌 Prerequisites: 

• You must have admin privileges.
• This requires SMB v.3.0+ versions on both the client and the server.
• PowerShell execution policy must allow running commands/scripts.
• Restart isn’t typically required, but it’s a good practice after a change.
• We recommend signing up for this free crash course: PowerShell for IT Ninjas.

Steps: 

1. Open an elevated PowerShell.
2. Execute any of the following commands.

To enable required SMB client encryption:

Set-SmbClientConfiguration -RequireEncryption $true

To disable required SMB client encryption:

Set-SmbClientConfiguration -RequireEncryption $false

To verify your current configuration:

Get-SmbClientConfiguration

Look for the RequireEncryption field in the output to confirm whether encryption is currently required. Alternatively, you can run either of the following commands directly:

Get-SmbClientConfiguration | Format-List -Property RequireEncryption

Method 2: Using Group Policy (enterprise deployment)

📌 Use Cases: Best for enterprise-scale deployments across multiple domain-joined systems.

📌 Prerequisites: 

• You’ll need a domain-joined machine.
• Admin access to Group Policy Editor is required.
• Systems must support Group Policy enforcement.
• SMB v.3.0+ is also required.

Steps:

1. Press Win + R, type gpedit.msc, and click Enter.
2. Go to Computer Configuration > Administrative Templates > Network > Lanman Workstation.
3. Locate Encrypt all SMB client connections or Require Encryption (depending on your Windows 11 build) and double-click it.
   • Set it to Enabled to enforce encryption for all client connections.
   • Set it to Disabled or Not Configured to allow unencrypted connections.
4. Click OK and apply the changes.
5. Open an elevated Command Prompt and run gpupdate /force for the policy to take effect immediately. Alternatively, you can restart your computer.

Method 3: Using Registry Editor

📌 Use Cases: Suitable for manual overrides, offline environments, or environments without Group Policy access.

📌 Prerequisites: 

• You must have admin privileges.
• It’s preferable if you have registry editing experience.
• SMB version 3.0+ is needed.
• We recommend backing up your registry before proceeding. Incorrect configurations can lead to system instability.

Steps: 

1. Press Win + R, type regedit, and click Enter.
2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
3. Create or modify the RequireEncryption DWORD (32-bit) value:
   • Set the value to 1 to require encryption.
   • Set the value to 0 to disable the requirement (default).
4. To apply the changes, restart your computer.

Method 4: .reg file example

📌 Use Cases: Ideal for simple deployments where scripting is not required but automation is still beneficial.

📌 Prerequisites: 

• This method requires admin privileges.
• The user must have permission to merge .reg files.
• Manula restart or sign-out/in is needed to apply changes.
• We recommend backing up your registry before proceeding. Incorrect configurations can lead to system instability.

Steps:

To enable encryption:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]

“RequireEncryption”=dword:00000001

To disable encryption:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]

“RequireEncryption”=dword:00000000

Additional considerations when modifying the SMB encryption requirement setting

• Compatibility: Enabling the RequireEncryption setting means that any SMB server without encryption support will be rejected. This may affect legacy systems.
• Performance: Encryption introduces some overhead, particularly in high-throughput environments. Test the impact in performance-critical scenarios before large-scale deployments.
• SMB signing: While SMB signing verifies data integrity, encryption also protects against eavesdropping. Enabling encryption effectively overrides the need for signing. That said, it’s important to note that Windows 11 (version 24H2) Enterprise, Pro, and Education now require both outbound and inbound SMB signing by default.
• SMB v1: This legacy protocol doesn’t support encryption and is deprecated. It should be disabled in all modern environments for security reasons. (See How to Enable or Disable SMB1 File Sharing Protocol in Windows for more information.)

⚠️ Things to look out for

Improve data security with SMB client encryption

Enforcing SMB client encryption is an effective way to secure network file sharing in Windows 11 environments. Whether you’re managing a single endpoint or deploying policies across an enterprise, requiring encryption strengthens data security and helps enforce compliance.

Related topics:

• What Is SMB (Server Message Block)?
• What Is File Encryption?
• How to Disable SMBv1 (Server Message Block Protocol) with PowerShell