Microsoft is introducing new features in the next version of Windows 11 which should make it a lot more secure for some users.
In an update posted on the Microsoft blog, Microsoft Principal Program Manager Ned Pyle announced that Windows 11 will let admins mandate SMB client encryption for all outbound connections. That means admins can mandate that all destination servers support SMB 3.x and encryption, and if those are missing, the client won’t connect.
“This enforces the highest level of network security as well as bringing management parity to SMB signing, which allows both client and server requirements,” Pyle explained. SMB encryption encrypts data end-to-end, which prevents potential eavesdropping.
Caution is advised
The new feature is already rolling out with Windows 11 Insider Preview Build 25982 to Insiders in the Canary Channel.
“You can now also configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or a mapped drive requires,” Pyle added.
“This means an administrator can globally force a Windows machine to use SMB encryption – and therefore SMB 3.x – on all connections and refuse to connect if the SMB server does not support either.”
Admins can configure the new feature via PowerShell or the “Require encryption” group policy that can be found under Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation.
Obviously, disabling the policy removes the encryption requirement. Pyle also cautioned IT teams to take care when deploying SMB encryption through group policy to a heterogeneous fleet, as legacy SMB servers (think Windows Server 2008 R2) won’t support SMB 3.0. “Older third-party SMB servers might support SMB 3.0 but not encryption,” he added.
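A pre-deployment check for the caution above, as an added example that is not from Microsoft's post: it classifies a client's current SMB connections by whether they would survive a client-side encryption requirement. It assumes the Dialect and Encrypted properties that Get-SmbConnection returns and the -RequireEncryption parameter of Set-SmbClientConfiguration on builds that include the feature; the function name and server names are constructed for illustration.

```powershell
# Added example (not Microsoft's code). Classifies SMB connections by whether
# they would still work once the client requires encryption.
function Test-SmbEncryptionReadiness {
    [CmdletBinding()]
    param(
        # Objects exposing ServerName, ShareName, Dialect and Encrypted,
        # the shape Get-SmbConnection returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Connection
    )
    process {
        foreach ($c in $Connection) {
            # Dialect is a string such as "2.1" or "3.1.1"; only the major part matters.
            $major = [int](($c.Dialect -split '\.')[0])
            $status = if ($major -lt 3) {
                'Blocked: server did not negotiate SMB 3.x'
            } elseif ($c.Encrypted) {
                'Ready: SMB 3.x with encryption in use'
            } else {
                # SMB 3.x alone does not prove the server supports encryption.
                'Verify: SMB 3.x negotiated, encryption not in use'
            }
            [pscustomobject]@{
                ServerName = $c.ServerName
                ShareName  = $c.ShareName
                Dialect    = $c.Dialect
                Encrypted  = [bool]$c.Encrypted
                Status     = $status
            }
        }
    }
}

# Constructed sample data standing in for Get-SmbConnection output.
$sample = @(
    [pscustomobject]@{ ServerName = 'fs-new';    ShareName = 'finance'; Dialect = '3.1.1'; Encrypted = $true  }
    [pscustomobject]@{ ServerName = 'nas-3rdp';  ShareName = 'scans';   Dialect = '3.0';   Encrypted = $false }
    [pscustomobject]@{ ServerName = 'legacy-08'; ShareName = 'archive'; Dialect = '2.1';   Encrypted = $false }
)
$sample | Test-SmbEncryptionReadiness | Format-Table -AutoSize

# On a live client, audit the real connections instead:
#   Get-SmbConnection | Test-SmbEncryptionReadiness
# Once every server reports Ready, enforce the requirement:
#   Set-SmbClientConfiguration -RequireEncryption $true
```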
The changes are part of Microsoft’s campaign to boost the security of both Windows and Windows Server for the modern threat landscape, Pyle concluded.