Require Encryption

Supported OS tags: Windows11, WindowsServer2022

This policy controls whether the SMB client will require encryption. If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data. If you disable or do not configure this policy setting, the SMB client will not require encryption. However, SMB encryption may still be required; see notes below. Note: This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption. Important: SMB encryption requires SMB 3.0 or later

This policy has no additional user input fields.

• Computer
  Alternative Port Mappings

  At least Windows Server 2025, Windows 11
• Computer
  Audit insecure guest logon

  At least Windows Server 2025, Windows 11
• Computer
  Audit server does not support encryption

  At least Windows Server 2025, Windows 11
• Computer
  Audit server does not support signing

  At least Windows Server 2025, Windows 11
• Computer
  Block NTLM (LM, NTLM, NTLMv2)

  At least Windows Server 2025, Windows 11
• Computer
  Block NTLM Server Exception List

  At least Windows Server 2025, Windows 11
• Computer
  Cipher suite order

  At least Windows Server 2016, Windows 10
• Computer
  Disable SMB compression

  At least Windows Server 2022, Windows 11
• Computer
  Disabled SMB over QUIC Server Exception List

  At least Windows Server 2025, Windows 11
• Computer
  Enable Alternative Ports

  At least Windows Server 2025, Windows 11
• Computer
  Enable insecure guest logons

  At least Windows Server 2016, Windows 10
• Computer
  Enable remote mailslots

  At least Windows Server 2025, Windows 11