Microsoft to Enable SMB Signing By Default to Boost Security on Windows 11


Microsoft has announced some important changes coming to Server Message Block (SMB) signing on Windows 11 Enterprise edition. Starting with the latest Windows 11 Insider Canary Build, SMB signing is now required by default for all connections.

Server Message Block is a client-server communication protocol that allows users to share access to resources such as files, printers, and serial ports on a network or remote servers. Meanwhile, SMB signing is a security feature in Windows that adds a digital signature to authenticate communication between the client and server.

Microsoft explained that the SMB signing requirement changes should help to protect Windows 11 users against NTLM relay attacks. The SMB signing feature is designed to prevent threat actors from tampering with SMB packets during data transmission.

“This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape,” explained Microsoft Principal Program Manager Ned Pyle.


SMB signing requirement changes could impact performance

Microsoft notes that the upcoming changes could potentially impact the performance of SMB copy operations on Windows 11 PCs. Users will be able to address the problem by buying a faster CPU or adding more CPU cores/virtual CPUs.

Additionally, Microsoft warned that users might encounter errors (such as 0xc000a000 and -1073700864) while connecting to a remote share on a third-party SMB server that lacks support for the SMB signing capability. The company recommends that customers configure the feature on the third-party SMB server.

IT Pros can disable SMB signing on Windows 11

However, it will be up to IT admins to turn off the SMB signing requirement for server and client connections. To do this, they will need to run the following PowerShell commands:

  • Set-SmbClientConfiguration -RequireSecuritySignature $false
  • Set-SmbServerConfiguration -RequireSecuritySignature $false
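
Before turning the requirement off machine-wide, an admin can check the current setting and see which connections are actually unsigned, so that only the third-party servers that need signing configured are addressed. The script below is an added example, not taken from Microsoft's announcement; the function names are hypothetical, and it assumes the Signed and Encrypted properties returned by Get-SmbConnection in the built-in SmbShare module.

```powershell
# Added example: audit SMB signing state on a Windows machine.
# Run in an elevated PowerShell session.

function Get-SmbSigningRequirement {
    # Report whether signing is required for outbound (client)
    # and inbound (server) SMB connections on this machine.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{ Role = 'Client'; RequireSecuritySignature = $client.RequireSecuritySignature }
    [pscustomobject]@{ Role = 'Server'; RequireSecuritySignature = $server.RequireSecuritySignature }
}

function Get-UnsignedSmbConnection {
    # List current outbound connections that are neither signed nor encrypted.
    # Encrypted sessions are skipped because SMB encryption already
    # protects packet integrity, so they may not report as signed.
    Get-SmbConnection |
        Where-Object { -not $_.Signed -and -not $_.Encrypted } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

function Enable-SmbSigningRequirement {
    # Put the requirement back in place, for example after troubleshooting.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

Get-SmbSigningRequirement | Format-Table -AutoSize

$unsigned = @(Get-UnsignedSmbConnection)
if ($unsigned.Count -gt 0) {
    Write-Warning 'Unsigned SMB connections found. Configure signing on these servers:'
    $unsigned | Sort-Object ServerName, ShareName | Format-Table -AutoSize
} else {
    Write-Output 'All current SMB connections are signed or encrypted.'
}
```

Enable-SmbSigningRequirement is defined but not called, so running the script only reports state and changes nothing.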

Microsoft plans to roll out the new default change for SMB signing to Windows 11 Education, Pro, and other editions as well as Windows Server later this year. “Depending on how things go in Insiders, it will then start to appear in major releases,” Pyle added. You can find more details about the change on Microsoft’s support page.