
Storage at Microsoft

SMB dialect management now supported in Windows Insider

NedPyle
Sep 13, 2023

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25951 (Canary) and Windows Server Insider Preview Build 25951, the SMB server now supports controlling which SMB 2 and 3 dialects it will negotiate. This changes legacy behavior, where Windows SMB server always negotiated the highest matched server dialect from SMB 2.0.2 to 3.1.1 clients. Beginning in Windows 10, support was added for controlling SMB client dialects, but not server dialects.

 

With this new option, an administrator can remove specific SMB protocols from usage in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, they can specify only the use of SMB 3.1.1, the most secure dialect of the protocol. 

 

Configuring SMB dialect min and max

You can configure this option with Group Policy and PowerShell. Both SMB client and server now include complete management support (previously the client support was only manual registry editing). 

 

Group Policy (SMB Server)

To configure the SMB dialect minimum and maximum for the SMB server (i.e. for inbound connections), enable the group policies under:

 

Computer Configuration \ Administrative Templates \ Network \ Lanman Server \ Mandate the minimum version of SMB

 

Computer Configuration \ Administrative Templates \ Network \ Lanman Server \ Mandate the Maximum version of SMB

 

gpedit view of the policy

 

Select the minimum and maximum version of the dialects using a dropdown menu when the policy is enabled.

 

gpedit view of the policy dropdown

 

Group Policy (SMB client)

To configure the SMB dialect minimum and maximum for the SMB client (i.e. for outbound connections), enable the group policies under:

 

Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Mandate the minimum version of SMB

 

Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Mandate the Maximum version of SMB

 

Select the minimum and maximum version of the dialects using a dropdown menu when the policy is enabled.

 

PowerShell (SMB server)

To configure the SMB dialect minimum and maximum for the SMB server service (i.e. for inbound connections) with PowerShell, use the following syntax:

 

Set-SmbServerConfiguration -Smb2DialectMax {SMB202 | SMB210 | SMB300 | SMB302 | SMB311 | None} -Smb2DialectMin {None | SMB202 | SMB210 | SMB300 | SMB302 | SMB311}
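
A pre-check an administrator might run before restricting the server to SMB 3.1.1, as an added example that is not from the original post: it reports which dialects the currently connected clients negotiated and applies the setting only when `-Enforce` is passed and no older-dialect session is present. The `-Enforce` switch is defined by this script, and the `'3.1.1'` dialect string and the `Smb2DialectMin`/`Smb2DialectMax` properties on `Get-SmbServerConfiguration` are assumptions about builds that include this feature.

```powershell
# Added example (not from the original post): audit inbound SMB sessions before
# restricting the server to SMB 3.1.1. Run elevated on the SMB server.
param(
    [switch]$Enforce   # hypothetical switch defined by this script, not a cmdlet parameter
)

# Get-SmbSession lists only sessions connected right now. Clients that connect
# occasionally will be missed, so repeat the audit over a representative period.
$sessions = @(Get-SmbSession)

# How many current sessions negotiated each dialect.
$sessions | Group-Object -Property Dialect | Sort-Object -Property Name |
    Select-Object @{ Name = 'Dialect'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# Assumption: Dialect is reported as the string '3.1.1' for SMB 3.1.1 sessions.
# Anything else could not negotiate once minimum and maximum are both SMB311.
$legacy = @($sessions | Where-Object { $_.Dialect -ne '3.1.1' })

if ($legacy.Count -gt 0) {
    Write-Warning "$($legacy.Count) session(s) would be refused by an SMB 3.1.1-only server:"
    $legacy | Sort-Object -Property ClientComputerName, ClientUserName -Unique |
        Select-Object ClientComputerName, ClientUserName, Dialect |
        Format-Table -AutoSize
}

if ($Enforce) {
    if ($legacy.Count -gt 0) {
        throw 'Older-dialect clients are still connected; upgrade them first.'
    }
    # Parameters and values as given in the syntax above.
    Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Smb2DialectMax SMB311 -Force
}

# Read the setting back. Assumption: builds with this feature expose these two
# properties on Get-SmbServerConfiguration.
Get-SmbServerConfiguration | Select-Object -Property Smb2DialectMin, Smb2DialectMax
```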

 

PowerShell (SMB client)

To configure the SMB dialect minimum and maximum for the SMB client service (i.e. for outbound connections) with PowerShell, use the following syntax:

 

Set-SmbClientConfiguration -Smb2DialectMax {SMB202 | SMB210 | SMB300 | SMB302 | SMB311 | None} -Smb2DialectMin {None | SMB202 | SMB210 | SMB300 | SMB302 | SMB311}

 

Final notes

To see this new behavior in action, use a network capture tool like Wireshark and examine the client and server responses for the SMB2 Negotiate Protocol. For instance, here the client requests only SMB 3.1.1 because it's been configured with a minimum and maximum dialect of 3.1.1:

 

Wireshark capture showing an SMB session creation


This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

 

 

For more information on securing SMB on Windows in-market, check out:

 

 

Until next time,

 

Ned Pyle

Updated Jul 02, 2024
Version 6.0
  • AMateos91
    Iron Contributor

    Quite interesting.

    Please, I would just like to know if there will be some changes at the time of assigning several administrator roles inside the Group Policy for SMB servers.

     

    Thanks for sharing! Best.

  • AMateos91
    Iron Contributor

    NedaS yes, sure. No problem.

    I mean; for instance, for the Windows-Linux OS, may it be possible to set up, through the Linux administrator management service, other default administrator role in order to carry out the configuration of the SMB dialect minimum and maximum?

  • AMateos91 I'm still confused or dumb :). Do you mean having these options in the Linux version of SMB (client kernel and KSMBD)? Or in the Microsoft version of Linux CBL-Mariner? Or something else? 

     

    Samba and Linux SMB kernel client already support controlling dialect via CONF files afaik.  

  • Paul-Blenderman
    Copper Contributor

    There is a bug in Set-SmbServerConfiguration and Set-SmbClientConfiguration. -Smb2DialectMax None should reset Smb2DialectMax to 65535, as Reset-SmbServerConfiguration does. But it sets the value to 65536. With that value, all negotiations fail.