Windows Insider build 26090 brings small changes for SMB

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Heya folks, Ned here again. We continue to make SMB changes to Windows vNext and Windows Server 2025 based on customer feedback and last mile work. With the release of Windows 11 Insider Preview Build 26090 (Canary and Dev Channels), we have a few more small ones. Some of these were based on Insider feedback from customers - your opinions really do matter to us! 

 

SMB over QUIC client disable: Administrators can now disable the SMB over QUIC client with Group Policy and PowerShell. To disable SMB over QUIC using PowerShell, run the following command in an elevated console:

 

Set-SmbClientConfiguration -EnableSMBQUIC $false

 

To disable SMB over QUIC using Group Policy, use GPMC.MSC or GPEDIT.MSC to configure the following setting:

 

  • Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Enable SMB over QUIC

This option already exists for the SMB over QUIC server in two ways: either you can actively disable it with group policy and PowerShell, or you can simply not configure SMB over QUIC with a certificate, which accomplishes the same thing and is the out of box experience, obviously.

 

SMB over QUIC client connection auditing: Successful SMB over QUIC client connection events are now written to the event log to include the QUIC transport. You can view these events using EVENTVWR.MSC under the following path:

 

  • Applications and Services Logs \ Microsoft \ Windows \ SMBClient \ Connectivity (Event ID: 30832)

 

SMB signing and encryption auditing: Administrators can now enable auditing of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn’t support SMB encryption or signing. If your third-party device or software claims to support SMB 3.1.1 but doesn't support SMB signing, you need to get your money back, as that breaks the strict pre-authentication integrity protocol requirement, and they are only using SMB 3.0.2 or older!

 

You can configure these settings with PowerShell and Group Policy.

 

To configure SMB client or server signing or encryption auditing using Group Policy, use GPMC.MSC or GPEDIT.MSC to configure the following settings:

 

  • Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Audit server does not support encryption
  • Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Audit server does not support signing
  • Computer Configuration \ Administrative Templates \ Network \ Lanman Server \ Audit client does not support encryption
  • Computer Configuration \ Administrative Templates \ Network \ Lanman Server \ Audit client does not support signing

 

To configure SMB client or server signing or encryption auditing using PowerShell, run the following commands in an elevated console:

 

Set-SmbClientConfiguration -AuditServerDoesNotSupportEncryption $true
Set-SmbClientConfiguration -AuditServerDoesNotSupportSigning $true
Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true
Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true

 

You can view these events using EVENTVWR.MSC under the following paths:

 

  • Applications and Services Logs \ Microsoft \ Windows \ SMBClient \ Audit (Event ID: 31998 and Event ID: 31999)
  • Applications and Services Logs \ Microsoft \ Windows \ SMBServer \ Audit (Event ID: 3021 and Event ID: 3022)
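
To review these events across a machine without clicking through Event Viewer, the following PowerShell sketch summarizes them per event ID. It is an added example, not code from the original post. It assumes the Event Viewer paths above map to the channel names shown in `$sources` and that the Get- cmdlets expose properties named like the Set- parameters; `Get-SmbAuditSummary` is a hypothetical helper name.

```powershell
# Added example (not from the original post): summarize the SMB audit and
# connectivity events listed above. Channel names are assumed from the
# Event Viewer paths; event IDs are the ones the post gives.
$sources = @(
    @{ LogName = 'Microsoft-Windows-SMBClient/Audit';        Id = 31998, 31999 }
    @{ LogName = 'Microsoft-Windows-SMBServer/Audit';        Id = 3021, 3022 }
    @{ LogName = 'Microsoft-Windows-SMBClient/Connectivity'; Id = 30832 }
)

function Get-SmbAuditSummary {
    param([int]$Days = 7)   # look-back window, hypothetical default
    $since = (Get-Date).AddDays(-$Days)
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.LogName; Id = $s.Id; StartTime = $since }
        # Get-WinEvent raises an error when nothing matches or the channel
        # is absent (older builds); treat both cases as "no events".
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        if (-not $events) { continue }
        $events | Group-Object Id | ForEach-Object {
            $ordered = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                Log       = $s.LogName
                EventId   = [int]$_.Name
                Count     = $_.Count
                FirstSeen = @($ordered)[0].TimeCreated
                LastSeen  = @($ordered)[-1].TimeCreated
                # First line of the rendered message, for quick triage
                Sample    = ("$(@($ordered)[-1].Message)" -split "`r?`n")[0]
            }
        }
    }
}

# Show the current audit and QUIC settings (property names assumed to
# mirror the Set- parameters), then the event summary.
Get-SmbClientConfiguration |
    Select-Object EnableSMBQUIC, AuditServerDoesNotSupportEncryption, AuditServerDoesNotSupportSigning
Get-SmbServerConfiguration |
    Select-Object AuditClientDoesNotSupportEncryption, AuditClientDoesNotSupportSigning
Get-SmbAuditSummary -Days 7 | Sort-Object Log, EventId | Format-Table -AutoSize
```

An empty summary means no matching events were logged in the window, which is the expected result when auditing is off or every peer supports signing and encryption.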

 

For more information on SMB over QUIC in Windows and Windows Server Insider Preview builds, review https://aka.ms/SMBoverQUICServer and https://aka.ms/SmbOverQuicCAC.

 

For more information on SMB signing and encryption in Windows and Windows Server Insider Preview builds, review https://aka.ms/SmbSigningRequired and https://aka.ms/SmbClientEncrypt.

 

The changes will keep coming; our work is never done. Keep checking back here for news and new things to try out in Windows and Windows Server Insider.

 

Until next time,

 

Ned Pyle
