Control SMB signing behavior

How SMB signing works

Server Message Block (SMB) signing is a security feature that uses the session key and cipher suite to add a signature to a message going across a connection. This signature contains a hash of the entire message in the SMB header. If someone tampers with the message in transit, the data in the tampered message doesn't match the hash in the signature. The hash also includes the identities of the original sender and the intended recipient. Signature mismatches alert users to possible foul play, helping them protect their deployments from relay and spoofing attacks.

SMB signing requirements can involve both outbound signing, which covers traffic from the SMB client, and inbound signing, which covers traffic to the server. Windows and Windows Server can require outbound signing only, inbound signing only, both, or neither. For example:

  • Windows 11, version 24H2 Enterprise, Pro, and Education require both outbound and inbound SMB signing.

  • Windows Server 2025 requires outbound SMB signing only.

  • Windows 11, version 24H2 Home edition doesn't require outbound or inbound SMB signing.

SMB signing behavior

Although all versions of Windows and Windows Server support SMB signing, a third-party may opt to disable or not support it. If you try to connect to a remote share on a third-party SMB server that doesn't allow SMB signing, you may encounter one of the following error messages:

0xc000a000
-1073700864
STATUS_INVALID_SIGNATURE                                      
The cryptographic signature is invalid.

To resolve this issue, adjust the settings on your third-party SMB server to allow (enable) SMB signing.

When you try to connect to third-party devices that use guest accounts to simplify access, you may receive one of these error messages:

You can't access this shared folder because your organization's security policies block
unauthenticated guest access. These policies help protect your PC from unsafe or malicious
devices on the network.
Error code: 0x80070035
The network path was not found.
System error 3227320323 has occurred.

Disabling SMB signing may be necessary if you're unable to disable guest usage for your third-party. However, this means that you're using guest access and preventing your client from ensuring signing to a trusted device.

Caution

We don't recommend disabling SMB signing as a workaround for third-party servers. We also don't recommend trying to sign with guest accounts.

Prerequisites

In order to control SMB signing behavior and maximize its capabilities, your system must be running one of the following two operating systems:

  • Windows 11, version 24H2 or later
  • Windows Server 2025 or later

You should also follow these recommendations to ensure your SMB signatures are effective at securing your data:

  • Use Kerberos instead of NTLMv2.
  • Don't connect to shares using IP addresses.
  • Don't use CNAME DNS records. Instead, assign alternate computer names with NETDOM.EXE.

Disable SMB signing

SMB signing is required by default on the latest Insider Preview builds of Windows 11 and Windows Server 2025. All Windows environments support SMB signing. However, if your environment uses third-party servers and the third-party server doesn't support SMB signing, you can't connect to the remote share.

Requiring SMB signing also disables guest access to shares. In these cases, you must disable SMB signing manually to restore access for guest accounts. You can manually disable SMB signing through Group Policy, PowerShell, and Windows Admin Center.

Note

If you need to modify the Active Directory domain-based group policy, use Group Policy Management (gpmc.msc).

To disable SMB signing in Group Policy, perform the following steps:

  1. Select Start, type gpedit.msc, then hit Enter.

  2. In the Local Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

  3. Open Microsoft network client: Digitally sign communications (always), select Disabled, then select OK.

Enable SMB signing

SMB signing ensures data integrity by verifying that data isn't tampered with during transmission. Additionally, SMB signing provides authentication by verifying the identity of the server and client, which helps prevent adversary-in-the-middle attacks.

To enable SMB signing in Group Policy, perform the following steps:

  1. Select Start, type gpedit.msc, then hit Enter.

  2. In the Local Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

  3. Open Microsoft network client: Digitally sign communications (always), select Enabled, then select OK.

Verify SMB signing status

To check if SMB signing is enabled or disabled on your SMB client or SMB server, run the following command:

Get-SmbClientConfiguration | FL RequireSecuritySignature
Get-SmbServerConfiguration | FL RequireSecuritySignature

If the returned information is True, then SMB signing is enabled, otherwise, if the returned information is False, then SMB signing is disabled.