Jorge Bernhardt

How to enable SMB encryption on Windows Server


Since Windows Server 2012 and Windows 8, we have version 3.0 of the SMB protocol. This version includes several SMB security enhancements, one of which is encryption. Implementation of this enhancement enables us to encrypt data transferred over the network between the SMB file server and the client. In this post, I want to show you how to enable SMB encryption for the entire file server or only for specific file shares using PowerShell.

Important: If a client that does not support SMB 3.0 tries to access an encrypted share, the event is logged on the file server with event ID 1003 and the client receives an access denied error message.

PowerShell Workaround

First, we must check the current configuration of the SMB server by executing the following command.

Get-SmbServerConfiguration

Next, we must check the SMB protocol version used by the clients that connect to the file server. To obtain it, use the Get-SmbConnection cmdlet with the following syntax.

Get-SmbConnection

If you want to force encryption of all SMB sessions on a file server, you must use Set-SmbServerConfiguration with the following syntax.

Set-SmbServerConfiguration `
    -EncryptData $true

If, instead, you only want to enable SMB encryption on a specific file share, you must use the Set-SmbShare cmdlet with the following syntax.

Set-SmbShare `
    -Name MyShared `
    -EncryptData $true

Get-SmbShare `
    -Name MyShared `
    | Format-List -Property *

You can also enable SMB encryption at the moment you create the share. To do this, use the New-SmbShare cmdlet with the following syntax.

New-SmbShare `
    -Name MyShared `
    -Path c:\Shared `
    -EncryptData $true

Get-SmbShare `
    -Name MyShared `
    | Format-List -Property *

Once encryption is enabled, another SMB server configuration option that you should consider is to prevent clients that do not support SMB encryption from connecting to encrypted shares. To do this, use the following command.

Set-SmbServerConfiguration `
    -RejectUnencryptedAccess $true

However, in some circumstances, you may need to allow unencrypted access to clients that do not support SMB 3.0. To do this, use the following command.

Set-SmbServerConfiguration `
    -RejectUnencryptedAccess $false
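
The following read-only audit is an added example, not part of the original post. It reports the two server-wide settings used above, lists shares left unencrypted, and shows which connected clients would be refused by an encrypted share. It assumes an elevated session on the file server; Get-SmbSession (the server-side view of client dialects) and the Microsoft-Windows-SMBServer/Operational log name do not appear in the post.

```powershell
# Added example: read-only audit of SMB encryption state on a file server.
# Nothing here changes configuration.

# 1. Server-wide settings discussed in the post.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    EncryptData             = $cfg.EncryptData
    RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
} | Format-List

# 2. With server-wide encryption off, protection depends on each share's
#    own EncryptData flag, so list the shares that are still unencrypted.
if (-not $cfg.EncryptData) {
    Get-SmbShare |
        Where-Object { -not $_.EncryptData } |
        Select-Object -Property Name, Path, EncryptData |
        Format-Table -AutoSize
}

# 3. Sessions currently open against this server whose negotiated dialect
#    is older than SMB 3.0. These clients cannot encrypt and get
#    "access denied" on an encrypted share while RejectUnencryptedAccess
#    is $true.
$legacy = Get-SmbSession | Where-Object {
    $major = [int](($_.Dialect -split '\.')[0])
    $major -lt 3
}
$legacy |
    Select-Object -Property ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# 4. Recent event ID 1003 entries (clients refused by an encrypted share).
#    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$filter = @{
    LogName = 'Microsoft-Windows-SMBServer/Operational'
    Id      = 1003
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object -Property TimeCreated, Id, Message |
    Format-List

# 5. Flag the combination that lets pre-3.0 clients read encrypted shares
#    in clear text.
if (-not $cfg.RejectUnencryptedAccess) {
    Write-Warning 'RejectUnencryptedAccess is False: clients without SMB 3.0 can access encrypted shares unencrypted.'
}
```

Running it before and after the change shows which clients need upgrading and confirms that no share is left outside the policy.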

Thanks for reading my post. I hope you find it useful.

If you want to know more about SMB security enhancements, check out this link.