Important
This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.
AuditInsecureGuestLogon
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditInsecureGuestLogon
This policy controls whether the SMB client logs an audit event when the client is logged on with the guest account.
If you enable this policy setting, the SMB client will log the event when the client is logged on with the guest account.
If you disable or don't configure this policy setting, the SMB client won't log the event.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_AuditInsecureGuestLogon |
Friendly Name | Audit insecure guest logon |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
Registry Value Name | AuditInsecureGuestLogon |
ADMX File Name | LanmanWorkstation.admx |
AuditServerDoesNotSupportEncryption
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportEncryption
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support encryption.
If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support encryption.
If you disable or don't configure this policy setting, the SMB client won't log the event.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_AuditServerDoesNotSupportEncryption |
Friendly Name | Audit server does not support encryption |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
Registry Value Name | AuditServerDoesNotSupportEncryption |
ADMX File Name | LanmanWorkstation.admx |
AuditServerDoesNotSupportSigning
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportSigning
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support signing.
If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support signing.
If you disable or don't configure this policy setting, the SMB client won't log the event.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_AuditServerDoesNotSupportSigning |
Friendly Name | Audit server does not support signing |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
Registry Value Name | AuditServerDoesNotSupportSigning |
ADMX File Name | LanmanWorkstation.admx |
EnableInsecureGuestLogons
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest logons.
If you disable this policy setting, the SMB client will reject insecure guest logons.
If you enable signing, the SMB client will reject insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_EnableInsecureGuestLogons |
Friendly Name | Enable insecure guest logons |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
Registry Value Name | AllowInsecureGuestAuth |
ADMX File Name | LanmanWorkstation.admx |
EnableMailslots
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableMailslots
This policy controls whether the SMB client will enable or disable remote mailslots over MUP.
If you disable this policy setting, remote mailslots won't function over MUP, hence they won't go through the SMB client redirector.
If you don't configure this policy setting, remote mailslots may be allowed through MUP.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_EnableMailslots |
Friendly Name | Enable remote mailslots |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider |
Registry Value Name | EnableMailslots |
ADMX File Name | LanmanWorkstation.admx |
MaxSmb2Dialect
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MaxSmb2Dialect
This policy controls the maximum version of the SMB protocol.
Note
This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 785 |
Allowed values:
Value | Description |
---|---|
514 | SMB 2.0.2. |
528 | SMB 2.1.0. |
768 | SMB 3.0.0. |
770 | SMB 3.0.2. |
785 (Default) | SMB 3.1.1. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_MaxSmb2Dialect |
Friendly Name | Mandate the maximum version of SMB |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
ADMX File Name | LanmanWorkstation.admx |
MinSmb2Dialect
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MinSmb2Dialect
This policy controls the minimum version of the SMB protocol.
Note
This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 514 |
Allowed values:
Value | Description |
---|---|
514 (Default) | SMB 2.0.2. |
528 | SMB 2.1.0. |
768 | SMB 3.0.0. |
770 | SMB 3.0.2. |
785 | SMB 3.1.1. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_MinSmb2Dialect |
Friendly Name | Mandate the minimum version of SMB |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
ADMX File Name | LanmanWorkstation.admx |
RequireEncryption
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/RequireEncryption
This policy controls whether the SMB client will require encryption.
If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data.
If you disable or don't configure this policy setting, the SMB client won't require encryption. However, SMB encryption may still be required; see notes below.
Note
This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption.
Important
SMB encryption requires SMB 3.0 or later.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Pol_RequireEncryption |
Friendly Name | Require Encryption |
Location | Computer Configuration |
Path | Network > Lanman Workstation |
Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
Registry Value Name | RequireEncryption |
ADMX File Name | LanmanWorkstation.admx |
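The registry keys and value names in the group policy mapping tables above can be read back to check which SMB client policies are actually applied on a device. The following PowerShell is an added example, not part of the original documentation: `Get-SmbClientPolicyState` is a hypothetical helper name, the `HKLM:` hive is assumed from the device scope of these policies, and the `Wanted` values are an assumed hardening baseline (this page itself only recommends disabling insecure guest logons).

```powershell
# Added example: read back the SMB client policy values documented on this page.
# Key and value names come from the "Group policy mapping" tables; HKLM is assumed
# because every policy here is device-scoped (Computer Configuration).
$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows'

# 'Wanted' is an assumed hardening baseline, not something this page mandates.
# MinSmb2Dialect and MaxSmb2Dialect are left out: the mapping tables list no
# registry value name for them.
$Checks = @(
    [pscustomobject]@{ Key = 'LanmanWorkstation'; Name = 'AllowInsecureGuestAuth';              Wanted = 0 }
    [pscustomobject]@{ Key = 'LanmanWorkstation'; Name = 'AuditInsecureGuestLogon';             Wanted = 1 }
    [pscustomobject]@{ Key = 'LanmanWorkstation'; Name = 'AuditServerDoesNotSupportEncryption'; Wanted = 1 }
    [pscustomobject]@{ Key = 'LanmanWorkstation'; Name = 'AuditServerDoesNotSupportSigning';    Wanted = 1 }
    [pscustomobject]@{ Key = 'LanmanWorkstation'; Name = 'RequireEncryption';                   Wanted = 1 }
    [pscustomobject]@{ Key = 'NetworkProvider';   Name = 'EnableMailslots';                     Wanted = 0 }
)

function Get-SmbClientPolicyState {
    param(
        [Parameter(Mandatory)] [object[]] $Checks,
        [Parameter(Mandatory)] [string]   $Root
    )
    foreach ($c in $Checks) {
        $path = '{0}\{1}' -f $Root, $c.Key
        # A missing key or value means the policy is not configured, so that
        # error is suppressed and reported as a state instead.
        $item = Get-ItemProperty -LiteralPath $path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

        $state = if ($null -eq $actual) { 'NotConfigured' } elseif ($actual -eq $c.Wanted) { 'Matches' } else { 'Deviates' }

        [pscustomobject]@{
            Policy = $c.Name
            Key    = $path
            Actual = $actual
            Wanted = $c.Wanted
            State  = $state
        }
    }
}

Get-SmbClientPolicyState -Checks $Checks -Root $PolicyRoot | Format-Table -AutoSize
```

A `NotConfigured` result means the value is absent from the policy key, so the behaviour described above for an unconfigured policy applies.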