windows 11

Enhanced Security Measures Coming to Windows 11: Admins Can Mandate SMB Client Encryption

Microsoft's Upcoming Windows 11 Update Introduces Stronger Network Security Through Mandatory SMB Encryption for Outbound Connections.

Microsoft is set to bolster the security of Windows 11 with new features in the upcoming version, providing enhanced protection for some users.

In a recent update shared on the official Microsoft blog, Ned Pyle, Principal Program Manager at Microsoft, unveiled a significant security enhancement for Windows 11. This upcoming version will empower administrators to enforce Server Message Block (SMB) client encryption for all outbound connections. This means administrators can require that all destination servers support SMB 3.x and encryption. If these criteria are not met, the client will be unable to establish a connection.

Ned Pyle highlighted the significance of this feature, stating, “This enforces the highest level of network security as well as bringing management parity to SMB signing, which allows both client and server requirements.” SMB encryption ensures that data is encrypted end-to-end, providing a vital defense against potential eavesdropping and unauthorized access.


The rollout of this new capability has already commenced with the introduction of Windows 11 Insider Preview Build 25982 for Insiders in the Canary Channel.

Pyle further noted that administrators can configure the SMB client to consistently demand encryption, regardless of the server, share, UNC hardening, or mapped drive requirements. This empowers administrators to enforce the use of SMB encryption, particularly SMB 3.x, across all connections, and to refuse connection if the SMB server does not support these encryption standards.

To enable the requirement, administrators can configure it either through PowerShell or through the “Require encryption” group policy, found under Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation.

However, it is essential to bear in mind that disabling this policy will remove the encryption requirement. Pyle offered a word of caution to IT teams deploying SMB encryption through group policy to a diverse fleet. Legacy SMB servers, such as Windows Server 2008 R2, may not support SMB 3.0. Additionally, certain older third-party SMB servers may support SMB 3.0 but not encryption.
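The following PowerShell session is an added example, not code from the article or from Microsoft. It puts the deployment caution above into practice: before turning the requirement on, it lists the SMB servers the client is currently talking to and flags any whose negotiated dialect is below 3.0 (those will be refused once encryption is mandatory), then previews the change. It assumes the `RequireEncryption` setting is exposed by `Get-SmbClientConfiguration`/`Set-SmbClientConfiguration` on the Canary build described; on older builds that parameter is not present.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft). Audits live SMB
# connections for servers that would break under mandatory client encryption,
# then previews enabling the requirement on a Windows 11 Canary build.

# 1. Audit: every current SMB connection with its negotiated dialect and
#    whether the session is already encrypted and signed.
$connections = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed

"Current SMB connections:"
$connections | Format-Table -AutoSize

# 2. Flag servers negotiating a dialect below 3.0. SMB 2.x cannot encrypt, so
#    these connections fail once RequireEncryption is turned on. A server that
#    negotiates 3.x but shows Encrypted = False may still lack encryption
#    support (the third-party case mentioned above); test those individually.
$atRisk = $connections | Where-Object {
    [version]$_.Dialect -lt [version]'3.0'
}

if ($atRisk) {
    "Servers that do not negotiate SMB 3.x (will be refused with encryption required):"
    $atRisk | Select-Object -Unique ServerName, Dialect | Format-Table -AutoSize
} else {
    "All current connections negotiate SMB 3.x."
}

# 3. Show the client's current requirement state (RequireEncryption is an
#    assumption: it is the setting the Insider build is described as adding).
Get-SmbClientConfiguration |
    Select-Object RequireEncryption, RequireSecuritySignature, EncryptionCiphers

# 4. Enforce: -WhatIf previews the change; drop it to apply. -Force suppresses
#    the confirmation prompt when run non-interactively.
Set-SmbClientConfiguration -RequireEncryption $true -Force -WhatIf
```

Run the audit on a representative set of clients before pushing the group policy fleet-wide: the `Dialect` column identifies the legacy servers (for example Windows Server 2008 R2, which tops out below SMB 3.0) that need to be upgraded or excluded first, and the same `Get-SmbConnection` output, checked after enforcement, confirms that `Encrypted` is `True` on every remaining connection.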

These changes align with Microsoft’s broader initiative to enhance the security of both Windows and Windows Server, addressing the evolving challenges posed by the modern threat landscape.