Windows 11 to let admins mandate SMB encryption for outbound connections
2023-10-25 18:34

Windows 11 will let admins mandate SMB client encryption for all outbound connections, starting with today's Windows 11 Insider Preview Build 25982 rolling out to Insiders in the Canary Channel.

SMB encryption provides end-to-end encryption of data and can be enabled on a per-share basis, for the entire file server, or when mapping drives, using Windows Admin Center, Windows PowerShell, or UNC Hardening.

This capability was first included with SMB 3.0 on Windows 8 and Windows Server 2012, and support for AES-256-GCM cryptographic suites was introduced with Windows 11 and Windows Server 2022.

"This means an administrator can globally force a Windows machine to use SMB encryption - and therefore SMB 3.x - on all connections and refuse to connect if the SMB server does not support either."
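The following PowerShell is an added example, not code from the article or from Microsoft's announcement. It reports the current SMB encryption posture of a machine and then applies encryption at the scopes described above. The share name `Finance` and server `fs01.example.test` are placeholders, the function names are hypothetical, and the article itself does not name the cmdlet parameters used here (`-EncryptData`, `-RequirePrivacy`, `-RequireEncryption`).

```powershell
# Added example. Run from an elevated prompt; nothing changes until Enable-SmbEncryption is called.

function Get-SmbEncryptionPosture {
    # Read-only report of the settings that decide whether SMB traffic is encrypted.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    # The outbound mandate is only present on builds that ship it; older builds lack the property.
    $hasMandate = $client.PSObject.Properties.Name -contains 'RequireEncryption'

    [pscustomobject]@{
        ClientMandateSupported  = $hasMandate
        ClientRequireEncryption = if ($hasMandate) { $client.RequireEncryption } else { $null }
        ServerEncryptData       = $server.EncryptData
        ServerRejectUnencrypted = $server.RejectUnencryptedAccess
        # Non-administrative shares that still accept unencrypted access.
        UnencryptedShares       = @(Get-SmbShare |
                                    Where-Object { -not $_.Special -and -not $_.EncryptData } |
                                    Select-Object -ExpandProperty Name)
    }
}

function Get-SmbUnencryptedConnection {
    # Outbound sessions that are not encrypted right now. Servers listed here with a
    # dialect below 3.0 cannot encrypt at all and will be refused once the mandate is on.
    Get-SmbConnection |
        Where-Object { -not $_.Encrypted } |
        Select-Object ServerName, ShareName, Dialect, Encrypted
}

function Enable-SmbEncryption {
    param(
        [string]$ShareName,          # placeholder, e.g. 'Finance'
        [switch]$WholeServer,
        [switch]$AllOutbound
    )
    if ($ShareName)   { Set-SmbShare -Name $ShareName -EncryptData $true -Force }   # one share
    if ($WholeServer) { Set-SmbServerConfiguration -EncryptData $true -Force }      # entire file server
    if ($AllOutbound) {
        if (-not (Get-SmbEncryptionPosture).ClientMandateSupported) {
            throw 'This build does not expose the outbound SMB encryption mandate.'
        }
        Set-SmbClientConfiguration -RequireEncryption $true -Force                  # all outbound connections
    }
}

# Encryption requested for a single mapped drive (placeholder server and share):
# New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs01.example.test\Finance' -RequirePrivacy $true
```

Review the output of `Get-SmbUnencryptedConnection` before calling `Enable-SmbEncryption -AllOutbound`, since the client will refuse to connect to any server that cannot negotiate SMB 3.x encryption.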

Starting with Windows 11 Insider Preview Build 25951, admins can configure Windows systems to automatically block sending NTLM data over SMB on remote outbound connections to fend off pass-the-hash, NTLM relay, or password-cracking attacks.

SMB signing, introduced in Windows 98 and 2000, has been updated in Windows 11 and Windows Server 2022 to enhance protection and performance by significantly increasing data encryption speeds.


News URL

https://www.bleepingcomputer.com/news/microsoft/windows-11-to-let-admins-mandate-smb-encryption-for-outbound-connections/