Changes to SMB Signing Enforcement Defaults in Windows 24H2
In the recently released Windows Server 2025 and Windows 11 24H2, several network protocols have been reconfigured to be more secure by default. One of the affected protocols is Server Message Block (SMB), where message signing is now required under most circumstances. These changes eliminate some NTLM relay attack vectors, but they do not mitigate the technique completely.
The following table summarizes the old and new SMB signing enforcement defaults:
Operating System | SMB Client | SMB Server |
---|---|---|
Windows Server 2022 DC | ❌* | ✅ |
Windows Server 2022 Member | ❌* | ❌ |
Windows 11 23H2 | ❌* | ❌ |
Windows Server 2025 DC | ✅ | ✅ |
Windows Server 2025 Member | ✅ | ❌ |
Windows 11 24H2 | ✅ | ✅ |
Legend:
✅ SMB signing is required.
❌ SMB signing is not required.
❌* SMB signing is only mandated when connecting to SYSVOL and NETLOGON shares that contain Group Policy Objects (GPOs) and logon scripts.
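
To check where a given host stands against the table, the following PowerShell sketch (an added example, not part of the original article) reads the effective `RequireSecuritySignature` setting on both the SMB client and SMB server side and compares it with the documented default for the host's role. It assumes that build 26100 or later identifies Windows 11 24H2 and Windows Server 2025, and it applies the "old" rows to every earlier build; the `$defaults` table and the variable names are illustrative.

```powershell
# Added example: audit local SMB signing enforcement against the defaults table.
# Run from an elevated PowerShell session.

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$role = switch ($os.ProductType) { 1 { 'Workstation' } 2 { 'DC' } 3 { 'Member' } }

# Assumption: build 26100+ means Windows 11 24H2 / Windows Server 2025.
$generation = if ($build -ge 26100) { 'New' } else { 'Old' }

# Defaults transcribed from the table. The "SYSVOL and NETLOGON only" client case
# is recorded as $false, because signing is not required for other shares.
$defaults = @{
    'Old/DC'          = @{ Client = $false; Server = $true  }
    'Old/Member'      = @{ Client = $false; Server = $false }
    'Old/Workstation' = @{ Client = $false; Server = $false }
    'New/DC'          = @{ Client = $true;  Server = $true  }
    'New/Member'      = @{ Client = $true;  Server = $false }
    'New/Workstation' = @{ Client = $true;  Server = $true  }
}
$expected = $defaults["$generation/$role"]

# Effective settings as reported by the SMB cmdlets.
$actual = @{
    Client = [bool](Get-SmbClientConfiguration).RequireSecuritySignature
    Server = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
}

foreach ($side in 'Client', 'Server') {
    $verdict = if ($actual[$side] -eq $expected[$side]) {
        'matches default'
    } elseif ($actual[$side]) {
        'stricter than default'
    } else {
        'weaker than default'
    }

    [pscustomobject]@{
        Role            = $role
        Build           = $build
        Side            = "SMB $side"
        SigningRequired = $actual[$side]
        DefaultRequired = $expected[$side]
        Verdict         = $verdict
    }
}
```

A host that reports `SigningRequired = False` on either side remains a candidate for hardening regardless of the verdict, since an old default is not a secure one.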