Hi
Here is a blog article about using PowerShell to configure encryption in SMB3
Encryption configuration is offered at two levels: global (session) and share. Global level encryption is for all the shares that are accessed under an encrypted session. On the other hand, it is possible to enable encryption at a share level and encryption will be enforced when the encrypted share is accessed, when the session is not encrypted.
To configure global level encryption, set the following parameter using PowerShell cmdlets that are specifically written for this new version of SMB.
http://blogs.msdn.com/b/openspecification/archive/2012/06/08/encryption-in-smb3.aspx
For the group policy, we have 3 relevant policies for the SMB client/server
Digitally sign communications (always)
Digitally sign communications (if server agrees)
Send unencrypted password to third-party SMB servers
Windows operating systems include both a server SMB component and a client SMB component, and these are configured separately. Thus a computer can be configured to require packet signing when acting as an SMB server but not when acting as an SMB client.
Navigate in the left pane's tree to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
If you prefer to make changes via the registry, in your registry editor navigate to the following keys:
For the SMB client:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters
For the SMB server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Regards,
D. Wu
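The two encryption levels and the separately configured client/server signing settings described in the reply above can be read back in one pass. This is an added example, not part of the original post or the linked article; the function name `Get-SmbHardeningReport` is hypothetical, and it assumes Windows 8 / Server 2012 or later with the built-in SmbShare module, run from an elevated prompt.

```powershell
# Added example: read-only audit of SMB encryption and signing settings.
function Get-SmbHardeningReport {
    # Global (session) level: applies to every share on this SMB server.
    $server = Get-SmbServerConfiguration
    # The client component is configured separately from the server component.
    $client = Get-SmbClientConfiguration

    # Share level: shares that enforce encryption regardless of the global setting.
    $shares = Get-SmbShare | Where-Object { -not $_.Special } |
        Select-Object Name, EncryptData

    # The signing policies are stored as values under the two Parameters keys.
    # A missing value shows up as $null, meaning the OS default is in effect.
    $base = 'HKLM:\System\CurrentControlSet\Services'
    $registry = foreach ($svc in 'LanmanWorkstation', 'LanmanServer') {
        $p = Get-ItemProperty -Path "$base\$svc\Parameters"
        [pscustomobject]@{
            Component                = $svc
            RequireSecuritySignature = $p.RequireSecuritySignature  # "always"
            EnableSecuritySignature  = $p.EnableSecuritySignature   # "if agreed"
            EnablePlainTextPassword  = $p.EnablePlainTextPassword   # client only
        }
    }

    [pscustomobject]@{
        ServerEncryptData        = $server.EncryptData
        # When $true, clients that cannot encrypt are refused instead of
        # being allowed to fall back to an unencrypted session.
        RejectUnencryptedAccess  = $server.RejectUnencryptedAccess
        ServerRequireSigning     = $server.RequireSecuritySignature
        ClientRequireSigning     = $client.RequireSecuritySignature
        Shares                   = $shares
        Registry                 = $registry
    }
}

$report = Get-SmbHardeningReport
$report | Format-List ServerEncryptData, RejectUnencryptedAccess,
                      ServerRequireSigning, ClientRequireSigning
$report.Shares   | Format-Table -AutoSize
$report.Registry | Format-Table -AutoSize

# To change the settings (share name below is a placeholder):
#   Set-SmbServerConfiguration -EncryptData $true            # global level
#   Set-SmbShare -Name '<ShareName>' -EncryptData $true      # share level
```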
Windows operating systems include both a server SMB component and a client SMB component, and these are configured separately. Thus a computer can be configured to require packet signing when acting as an SMB server but not when acting as an SMB client.
Thanks for the reply (didn't get notified and forgot about it). That's what I thought, it is not possible. I have since upgraded to a Windows 10 client, and will guess Microsoft has not changed anything regarding this. Is there a flaw in the SMB protocol that encryption can only be used when all clients support it? I don't understand why the server has the apparently useless 'Auto' encryption mode, since as you say only the server can turn this on (i.e. 'Force'). That said, the server in question is not running Windows OS, maybe the other OS has a better SMB implementation than Microsoft, where a client indeed can enable encrypted communications when for the server it is optional.