Stop using SMB1

NedPyle I've done all the hard work and SMB1 is dead to me. Now I want to kill off SMB2 and force SMB3 with the goal of blocking man-in-the-middle attacks (stupid auditors and their poisoned ARP tables). Is there a way I can force my Windows 10 clients to only use SMB3 and not give up hashed creds? My pen testers keep poisoning the ARP table and tricking my workstations to try to attach to them with SMB2. So far they haven't guessed the passwords yet but they keep telling me I need to block this activity. My passwords are secured using Azure Password Protection and I know I can enable Dynamic ARP inspection on the switches but I would prefer to do this from the clients instead of at the switch level. Any suggestion would be helpful.