SMB signing adds a digital signature to every Server Message Block packet exchanged between your Windows 11 computer and a remote file server. Without signing, an attacker on the same network can inject malicious packets into your SMB session, modify files as they travel, or steal credentials. This attack vector, known as an SMB relay attack, can compromise your entire network. This article explains how to enable SMB signing for all outbound connections on Windows 11, why it matters, and what to watch out for after you flip the setting.
Key Takeaways: Enforcing SMB Signing on Outbound Connections
- Group Policy > Computer Configuration > Administrative Templates > Network > Lanman Workstation > Enable insecure guest logons: Disabling this prevents unsigned guest access to file shares.
- Group Policy > Computer Configuration > Administrative Templates > Network > Lanman Workstation > Digitally sign communications (always): Enabling this requires SMB signing for every outbound connection, blocking non-signing servers.
- PowerShell command Set-SmbClientConfiguration -RequireSecuritySignature $true: Applies the same signing requirement without needing Group Policy, ideal for standalone PCs.
What SMB Signing Does and Why You Need It
SMB signing stamps each packet in an SMB session with a cryptographic signature generated using the session key. The receiving end validates this signature before accepting the packet. If the packet was tampered with during transit, the signature check fails and the connection drops.
Without signing, an attacker with access to the network can intercept an SMB connection, modify data in flight, or relay authentication to another server. This is the core of SMB relay attacks, which Microsoft has been hardening against for years. Enabling signing on the client side forces your Windows 11 PC to reject any server that does not support or require signing.
Prerequisites for Enforcing SMB Signing
Before you enable this setting, confirm the following:
- Your file servers must support SMB 2.0 or higher. SMB 1.0 is deprecated and should be disabled on all systems.
- Servers must have SMB signing enabled on their end. If a server does not support signing, your Windows 11 client will not be able to connect to it after you require signing.
- You need administrative privileges on the Windows 11 machine to change the policy or run the PowerShell command.
- Some older network appliances, such as NAS devices with outdated firmware, may not support SMB signing. Verify compatibility beforehand.
Two Methods to Require SMB Signing for Outbound Connections
You can enforce SMB signing via Group Policy on domain-joined computers or via PowerShell on any edition of Windows 11. Both methods achieve the same result. Choose the one that fits your environment.
Method 1: Using Group Policy for Domain-Joined PCs
If your Windows 11 computer is joined to an Active Directory domain, use the Local Group Policy Editor or configure a domain-wide Group Policy Object. The setting is under the Lanman Workstation node.
- Open Local Group Policy Editor
  Press Win + R, type gpedit.msc, and press Enter. If you manage multiple computers, open Group Policy Management Console on a domain controller instead.
- Navigate to the Lanman Workstation folder
  Go to Computer Configuration > Administrative Templates > Network > Lanman Workstation. This folder contains all SMB client settings.
- Enable the signing policy
  Double-click Digitally sign communications (always). Set it to Enabled. Click OK. This setting forces the SMB client to require signing on every outbound connection.
- Disable insecure guest logons
  Double-click Enable insecure guest logons. Set it to Disabled. Click OK. This prevents your PC from connecting to file servers that allow guest access without signing.
- Apply the policy
  Open a Command Prompt as administrator and run gpupdate /force. The new settings take effect immediately for new SMB connections.
Method 2: Using PowerShell for Standalone PCs
For computers not joined to a domain, use the Set-SmbClientConfiguration cmdlet to configure SMB signing directly. This method works on Windows 11 Pro, Enterprise, and even Home editions.
- Open PowerShell as administrator
  Right-click the Start button and select Windows Terminal (Admin) or PowerShell (Admin). Confirm the User Account Control prompt.
- Check the current signing configuration
  Run Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableInsecureGuestLogon. Note the current values. By default, RequireSecuritySignature is false on most systems.
- Require SMB signing for all outbound connections
  Run Set-SmbClientConfiguration -RequireSecuritySignature $true -Force. The -Force parameter suppresses the confirmation prompt.
- Disable insecure guest logons
  Run Set-SmbClientConfiguration -EnableInsecureGuestLogon $false -Force. This blocks connections to file servers that do not support signing.
- Verify the changes
  Run Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableInsecureGuestLogon again. Both values should now show True and False respectively.
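The Method 2 steps can be combined into one repeatable script. The following is an added example, not code from the original article: it changes only the settings that differ from the desired state and returns a before/after report. The function name Set-SmbClientSigningBaseline is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). The function name
# Set-SmbClientSigningBaseline is hypothetical; the cmdlets and the two
# setting names are the ones used in the steps above.
function Set-SmbClientSigningBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Desired client state from Method 2.
    $desired = [ordered]@{
        RequireSecuritySignature = $true
        EnableInsecureGuestLogon = $false
    }

    $before = Get-SmbClientConfiguration
    foreach ($name in $desired.Keys) {
        # Only touch a setting that differs, so reruns change nothing.
        if ($before.$name -ne $desired[$name] -and
            $PSCmdlet.ShouldProcess($name, "set to $($desired[$name])")) {
            $splat = @{ $name = $desired[$name] }
            Set-SmbClientConfiguration @splat -Force
        }
    }

    # Re-read the configuration so the report shows what is really in effect.
    $after = Get-SmbClientConfiguration
    foreach ($name in $desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Before    = $before.$name
            After     = $after.$name
            Compliant = ($after.$name -eq $desired[$name])
        }
    }
}

# Preview with -WhatIf first, then apply and show the before/after report.
Set-SmbClientSigningBaseline -WhatIf | Format-Table -AutoSize
Set-SmbClientSigningBaseline | Format-Table -AutoSize
```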
Common Issues After Enforcing SMB Signing
Cannot connect to a network share after enabling signing
If you suddenly cannot access a file server, the server likely does not support SMB signing or has it disabled. Check the server’s SMB signing configuration. On a Windows Server, navigate to Server Manager > Tools > Group Policy Management and look for the policy under Computer Configuration > Administrative Templates > Network > Lanman Server > Digitally sign communications (always). Enable it on the server side as well. For third-party NAS devices, consult the vendor documentation to enable SMB signing in the device’s web interface.
Error 0x80070035 when trying to map a drive
This error indicates a network path was not found. It often appears when the SMB signing requirement blocks the connection. Confirm that the target server is reachable by pinging its IP address. If the server is reachable but the connection fails, the server is rejecting signed connections or does not support them. Temporarily disable the signing requirement on the client to test: run Set-SmbClientConfiguration -RequireSecuritySignature $false -Force. If the connection works after disabling, the server needs signing enabled.
Performance degradation on high-latency links
SMB signing adds a small computational overhead because each packet must be signed and verified. On local area networks with low latency, the performance impact is negligible. On high-latency or low-bandwidth connections, such as VPNs or satellite links, you may notice slower file transfers. If performance becomes a problem, consider using SMB over QUIC or a dedicated VPN tunnel instead of disabling signing.
SMB Signing Settings: Client vs Server Comparison
| Item | Client Side (Outbound) | Server Side (Inbound) |
|---|---|---|
| Description | Requires signing for all outbound SMB connections | Requires signing for all inbound SMB connections |
| Default value | Disabled (RequireSecuritySignature = false) | Disabled on most editions |
| Configuration tool | Group Policy or Set-SmbClientConfiguration | Group Policy or Set-SmbServerConfiguration |
| PowerShell cmdlet | Set-SmbClientConfiguration | Set-SmbServerConfiguration |
| Effect on connection | Client rejects servers that do not sign | Server rejects clients that do not sign |
For the strongest security posture, enable signing on both client and server sides. This ensures that no SMB traffic can travel unsigned in either direction.
You now know how to require SMB signing for all outbound connections on Windows 11 using either Group Policy or PowerShell. Test the configuration by connecting to a file share and verifying that no unsigned traffic passes between your PC and the server. As a next step, enable SMB signing on your file servers using the Set-SmbServerConfiguration cmdlet with the -RequireSecuritySignature $true parameter. For advanced protection, combine this with SMB encryption, which encrypts the entire SMB payload in addition to signing each packet.
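To check which servers meet the prerequisites before you enforce signing, and to run the connection test described above afterwards, you can inspect the live SMB sessions. The following is an added example, not code from the original article; the function name Get-SmbConnectionSigningReport is hypothetical.

```powershell
# Added example (not from the original article). The function name
# Get-SmbConnectionSigningReport is hypothetical.
function Get-SmbConnectionSigningReport {
    [CmdletBinding()]
    param()

    # Get-SmbConnection lists only sessions that are open right now, so
    # browse or map the share you want to test before running this.
    $connections = @(Get-SmbConnection)
    if ($connections.Count -eq 0) {
        Write-Warning 'No active SMB connections. Open a share, then rerun.'
        return
    }

    foreach ($c in $connections) {
        $findings = @()
        # SMB 3.x encryption uses authenticated ciphers, so an encrypted
        # session is integrity-protected even when Signed reads False.
        if (-not ($c.Signed -or $c.Encrypted)) { $findings += 'unsigned' }

        # The prerequisites call for SMB 2.0 or higher on every server.
        $dialect = $c.Dialect -as [version]
        if ($null -eq $dialect) { $findings += 'unknown dialect' }
        elseif ($dialect.Major -lt 2) { $findings += 'SMB 1.x dialect' }

        [pscustomobject]@{
            ServerName = $c.ServerName
            ShareName  = $c.ShareName
            Dialect    = $c.Dialect
            Signed     = $c.Signed
            Encrypted  = $c.Encrypted
            Finding    = if ($findings) { $findings -join ', ' } else { 'ok' }
        }
    }
}

$report = Get-SmbConnectionSigningReport
$report | Format-Table -AutoSize
# Servers listed here need signing enabled (or SMB 1.x retired) on their side.
$report | Where-Object Finding -ne 'ok' | Select-Object -Unique ServerName
```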