How to Require SMB Encryption on Windows Devices with Microsoft Intune
SMB (Server Message Block) encryption protects file-sharing traffic between Windows devices and servers from eavesdropping and tampering. When Require Encryption is enforced on the client, the client connects only to servers that support SMB encryption, which closes off unencrypted sessions as a path for unauthorized access and data leaks.
This guide explains, in detail, how to configure and verify SMB encryption using Microsoft Intune, including prerequisites, deployment steps, and validation.
Why SMB Encryption Matters
SMB encryption is crucial for organizations handling sensitive data such as financial records, HR documents, or confidential projects.
It helps:
- Prevent data interception on local or remote networks.
- Ensure compliance with internal and external security standards (like ISO or NIST).
- Protect devices connecting across untrusted networks, such as VPNs or remote branches.
By enforcing this setting through Intune, administrators can apply encryption rules consistently across all managed Windows devices without manual intervention.
Before You Begin
Check these prerequisites before creating the policy:
- Microsoft Intune setup: Ensure your Intune tenant is active and devices are enrolled (MDM-managed).
- Supported OS: Windows 10 (version 22H2 and later) or Windows 11 (24H2 and later).
- Permissions: You need Intune Administrator or Policy and Profile Manager role.
- Device type: Works for both Azure AD joined and Hybrid joined Windows devices.
Step-by-Step Configuration Guide
1. Sign In
Go to the Microsoft Intune Admin Center and sign in with your admin credentials.
2. Create a New Policy
- Go to Devices → Configuration profiles.
- Click + Create profile → New Policy.
3. Choose the Platform
- Platform: Windows 10 and later
- Profile Type: Settings catalog
Click Create to continue.
4. Name the Policy
Enter a descriptive name, for example:
SMB Encryption Enforcement – Windows 11 Devices
Add a short description if needed. Click Next.
5. Add the Encryption Setting
- Select + Add settings.
- In the Category dropdown, expand Lanman Workstation.
- Find Require Encryption and check it.
This setting enforces SMB-level encryption for all outgoing SMB client connections from the device.
6. Configure the Setting
Under Require Encryption, choose:
- Enabled: Enforces SMB encryption. The client will not connect to unencrypted servers.
- Disabled: Turns off encryption enforcement (use only for testing or performance-sensitive networks).
Click Next to proceed.
7. Scope Tags (Optional)
You can use scope tags to limit who manages or views this policy, typically by department or region. Skip this if you’re managing all devices globally.
8. Assign to Groups
- Under Assignments, select Add groups.
- Choose the Azure AD device or user groups that should receive the policy.
- Examples: Finance Devices, Remote Workers, Windows 11 Fleet.
Click Next when done.
9. Review & Create
Double-check all settings:
- Platform and profile type
- Setting status (Enabled)
- Assigned groups
If everything is correct, click Create. Intune will push this configuration to assigned devices during the next sync.
Monitoring and Verification
10. Monitor Deployment
- Go to Devices → Configuration profiles → [Your SMB Encryption Policy] → Device Status.
- Confirm that the Status is Succeeded for all targeted devices.
- If some show Error or Pending, trigger a manual sync from the device or review logs.
11. Verify on Windows Device
On a managed Windows device:
- Open Event Viewer.
- Navigate to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
- Look for entries referencing RequireEncryption to confirm enforcement.
You can also verify via PowerShell:
```powershell
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation" | Select-Object RequireEncryption
```
If the value is 1, encryption is required.
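The following script is an added verification example, not part of the original guide. It checks the same policy value the guide describes, then goes further: it reads the effective SMB client configuration, pulls the matching MDM diagnostic log entries, and lists any open SMB connection that is not encrypted. It assumes a managed Windows 11 24H2 or later client on which the policy has already synced; the RequireEncryption property of Get-SmbClientConfiguration is only present on builds that support the feature, so the script tests for it before reading it.

```powershell
# Added verification script (not from the original guide). Assumes a Windows 11 24H2+
# client that has already received the Intune policy. Run in an elevated PowerShell.
$policyPath = 'HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation'

# 1. Policy registry value written by the Intune Settings Catalog (1 = required).
$policy = Get-ItemProperty -Path $policyPath -Name RequireEncryption -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning "RequireEncryption is not set under $policyPath; the policy has not applied yet."
} elseif ($policy.RequireEncryption -eq 1) {
    Write-Host "Policy: SMB client encryption is REQUIRED (RequireEncryption = 1)."
} else {
    Write-Host "Policy: RequireEncryption = $($policy.RequireEncryption) (not enforced)."
}

# 2. Effective SMB client setting. Assumption: the RequireEncryption property exists only
#    on builds that support the feature, so check for it before reading it.
$client = Get-SmbClientConfiguration
if ($client.PSObject.Properties.Name -contains 'RequireEncryption') {
    Write-Host "Effective client setting: RequireEncryption = $($client.RequireEncryption)"
} else {
    Write-Warning "This build's SMB client does not expose RequireEncryption."
}

# 3. MDM diagnostic log entries that mention the setting (confirms Intune processed it).
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RequireEncryption' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize

# 4. Active SMB sessions: with the policy enforced, none should report Encrypted = False.
$unencrypted = Get-SmbConnection | Where-Object { -not $_.Encrypted }
if ($unencrypted) {
    Write-Warning "Unencrypted SMB connections are still present:"
    $unencrypted | Select-Object ServerName, ShareName, Dialect, Encrypted | Format-Table -AutoSize
} else {
    Write-Host "All current SMB connections are encrypted (or no SMB connections are open)."
}
```

Step 4 is the useful check during a pilot: an unencrypted connection appearing after the policy shows Succeeded usually means the session was established before the policy applied, and reconnecting the share (or rebooting) clears it.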
Removing or Deleting the Policy
- To unassign groups: open the policy in Intune → Assignments → Remove assigned groups.
- To delete the policy entirely: go to Devices → Configuration profiles, select your policy, and choose Delete.
After deletion, affected devices revert to their default SMB encryption behavior.
Technical Details
| Item | Description |
|---|---|
| Registry Path | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value | RequireEncryption |
| Value Type | DWORD (1 = Enabled, 0 = Disabled) |
| Policy Area | Lanman Workstation |
| Introduced In | Windows 11 version 24H2 |
| Managed By | Microsoft Intune (Settings Catalog) |
Best Practices and Notes
- Test first: Apply the policy to a pilot group before wide rollout to ensure compatibility.
- Server support: SMB encryption requires both client and server support. Verify that your file servers (Windows Server 2012 or later) have SMB encryption enabled.
- Performance: Encryption adds overhead, so assess impact on older or low-powered hardware.
- Compliance alignment: This setting supports data protection requirements for regulations like GDPR and HIPAA.
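The "Server support" note above is the one that causes pilot failures in practice, so here is an added server-side audit, not part of the original guide, that you can run on a file server before pointing clients with Require Encryption at it. It assumes Windows Server 2012 or later with the SmbShare module and an elevated session; it reports whether encryption is enabled server-wide or per share, lists the non-administrative shares that are still served unencrypted, and shows the two remediation commands as comments.

```powershell
# Added server-side audit (not from the original guide). Assumes Windows Server 2012+
# with the SmbShare module; run in an elevated PowerShell on the file server.
$server = Get-SmbServerConfiguration

# EncryptData = $true encrypts every share on this server; RejectUnencryptedAccess = $true
# refuses clients that cannot negotiate SMB 3.x encryption (the server-side counterpart
# of the client policy this guide deploys).
[pscustomobject]@{
    ServerWideEncryption    = $server.EncryptData
    RejectUnencryptedAccess = $server.RejectUnencryptedAccess
} | Format-List

# Shares that are still served in the clear: not encrypted at share level while the
# server is not encrypting globally either. Special = $true filters out C$, ADMIN$, IPC$.
$clearText = Get-SmbShare |
    Where-Object { -not $_.Special -and -not $_.EncryptData -and -not $server.EncryptData }

if ($clearText) {
    Write-Warning "Shares without SMB encryption on this server:"
    $clearText | Select-Object Name, Path, EncryptData | Format-Table -AutoSize
} else {
    Write-Host "Every non-administrative share on this server is served encrypted."
}

# Remediation (uncomment the option that fits; 'Finance' is a placeholder share name):
# Per share:
# Set-SmbShare -Name 'Finance' -EncryptData $true -Force
# Whole server:
# Set-SmbServerConfiguration -EncryptData $true -Force
```

Enabling EncryptData server-wide is the simpler choice for a dedicated file server; per-share encryption lets you stage the change one share at a time when older clients that cannot speak SMB 3.x still need access to some shares.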
Summary
Requiring SMB encryption through Microsoft Intune is a straightforward way to keep your organization’s data protected in transit. Once enforced, devices communicate only with servers that support encrypted SMB sessions, and insecure connections are refused automatically.
It’s a simple but effective policy that strengthens your organization’s security baseline and aligns with Zero Trust principles.