In the recently released Windows Server 2025 and Windows 11 24H2, several network protocols have been reconfigured to be more secure by default. One of the affected protocols is Server Message Block (SMB), for which message signing is now required under most circumstances. These changes eliminate some NTLM relay attack vectors, but do not mitigate this hacking technique completely.

The following table summarizes the old and new SMB signing enforcement defaults:

Operating System SMB Client SMB Server
Windows Server 2022 DC ❌*
Windows Server 2022 Member ❌*
Windows 11 23H2 ❌*
Windows Server 2025 DC
Windows Server 2025 Member
Windows 11 24H2

Legend:

✅ SMB signing is required.

❌ SMB signing is not required.

❌* SMB signing is only mandated when connecting to SYSVOL and NETLOGON shares that contain Group Policy Objects (GPOs) and logon scripts.
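
To see where a given host falls in the table above, the following added example (not part of the original article) reads the effective SMB client and server signing requirement and lists any explicitly configured hardened UNC paths, the policy that governs SYSVOL and NETLOGON connections. It assumes an elevated PowerShell session on a machine with the built-in SmbShare module.

```powershell
# Added example: report the SMB signing enforcement of the local host.
# Run from an elevated PowerShell session; uses only built-in cmdlets.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$roleName = switch ($os.ProductType) {
    1 { 'Workstation' }
    2 { 'Domain controller' }
    3 { 'Member or standalone server' }
    default { 'Unknown' }
}

$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration

# RequireSecuritySignature is the "signing is required" switch on each side.
$report = @(
    [pscustomobject]@{ Component = 'SMB Client'; SigningRequired = [bool]$client.RequireSecuritySignature }
    [pscustomobject]@{ Component = 'SMB Server'; SigningRequired = [bool]$server.RequireSecuritySignature }
)

'{0} (build {1}), role: {2}' -f $os.Caption, $os.BuildNumber, $roleName
$report | Format-Table -AutoSize

# Hardened UNC paths policy: per-path client requirements such as
# RequireIntegrity=1 for \\*\SYSVOL and \\*\NETLOGON.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
if (Test-Path -Path $key) {
    $item = Get-Item -Path $key
    $item.Property |
        ForEach-Object { [pscustomobject]@{ UncPath = $_; Requirements = $item.GetValue($_) } } |
        Format-Table -AutoSize
} else {
    'No explicit hardened UNC path policy is set on this host (OS defaults apply).'
}

# Flag each side that still accepts unsigned SMB sessions.
$report | Where-Object { -not $_.SigningRequired } | ForEach-Object {
    Write-Warning ('{0} does not require SMB signing.' -f $_.Component)
}
```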