Windows 11 is introducing enhanced security measures for SMB (Server Message Block) encryption, providing end-to-end encryption of data for outbound connections. Administrators can now mandate SMB client encryption, regardless of server settings, share configurations, UNC hardening, or mapped drives.
Furthermore, this critical feature aims to safeguard data by ensuring that all destination servers support SMB 3.x and encryption, thus protecting against eavesdropping and interception attacks. Windows 11’s new option can be configured using PowerShell or group policy settings under Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation.
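An added example, not taken from the article: a PowerShell pre-flight check that lists the current outbound SMB connections a client-side encryption mandate would affect, then turns the mandate on. It assumes the `RequireEncryption` parameter of `Set-SmbClientConfiguration` (a name the article does not give) is present on the build, which the script verifies first; the two helper function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit outbound SMB connections, then mandate client encryption.

function Test-SmbClientEncryptionSupport {
    # The RequireEncryption parameter exists only on builds that ship the feature.
    $cmd = Get-Command -Name Set-SmbClientConfiguration -ErrorAction SilentlyContinue
    return [bool]($cmd -and $cmd.Parameters.ContainsKey('RequireEncryption'))
}

function Get-SmbConnectionAtRisk {
    # Flag connections negotiated below SMB 3.x (these cannot be encrypted)
    # and SMB 3.x connections that are not currently encrypted.
    Get-SmbConnection | ForEach-Object {
        $major = [int](($_.Dialect.ToString() -split '\.')[0])
        $finding = if ($major -lt 3) {
            'Below SMB 3.x: connection will be refused'
        } elseif (-not $_.Encrypted) {
            'SMB 3.x but unencrypted: confirm the server supports encryption'
        } else {
            $null
        }
        if ($finding) {
            [pscustomobject]@{
                Server  = $_.ServerName
                Share   = $_.ShareName
                Dialect = $_.Dialect
                Finding = $finding
            }
        }
    }
}

if (-not (Test-SmbClientEncryptionSupport)) {
    Write-Warning 'Set-SmbClientConfiguration has no -RequireEncryption on this build; nothing changed.'
    return
}

$atRisk = @(Get-SmbConnectionAtRisk)
$atRisk | Format-Table -AutoSize

# Stop if any server in use cannot negotiate SMB 3.x at all.
if (@($atRisk | Where-Object Finding -like 'Below*').Count -gt 0) {
    Write-Warning 'Upgrade or retire the servers listed above before mandating encryption.'
    return
}

Set-SmbClientConfiguration -RequireEncryption $true -Force
Get-SmbClientConfiguration | Format-List RequireEncryption
```

The audit only sees connections that are open when it runs, so run it on representative clients during normal working hours before rolling the setting out through group policy.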
Moreover, administrators can now automatically block the transmission of NTLM data over SMB for remote outbound connections to prevent pass-the-hash, NTLM relay, and password-cracking attacks. Doing so prevents attackers from intercepting a user’s hashed password sent to remote servers, reinforcing Windows 11’s security posture. In addition, Windows 11 has begun requiring SMB signing