Is my share not encrypted with Set-SmbServerConfiguration -EncryptData $True?

Arthur Quenneville 41 Reputation points
2024-05-16T17:41:00.1233333+00:00

I'm working to ensure that all shares on my servers are encrypted. Each server provisioned in Azure now includes a custom_data script that sets Set-SmbServerConfiguration -EncryptData $True -Force.

I've observed that when I run Get-SmbServerConfiguration | select-object EncryptData, it returns True, indicating that encryption is enabled at the server level. However, when I specifically check the share named 'Share' using the command Get-SmbShare -Name Share | select-object EncryptData, it returns False, suggesting encryption is not enabled at the share level.

Upon further investigation, I noticed that Wireshark indicates the use of SMB3 Encryption, and in Server Manager, the 'Encrypt Data Access' checkbox is checked and greyed out for the share. Despite this, it's concerning that Get-SmbShare returns False.

My question is whether this discrepancy is a bug with the command or if I should individually run Set-SmbShare -Name "ShareName" -EncryptData $True -Force for each share to ensure encryption is properly configured.

Additionally, I've been tasked with creating a report to scan all of our shares to ensure they are encrypted. However, the report doesn't seem accurate given that EncryptData is returning False for each share.

Windows Server

Accepted answer
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 31,501 Reputation points Microsoft Vendor
    2024-05-17T02:10:09.0633333+00:00

    Hi Arthur Quenneville,

    Thanks for your post.

    The EncryptData property of MSFT_SmbServerConfiguration and that of MSFT_SmbServer are different and modifying the former will not cause the latter to be modified. Per my test on Windows Server 2022, the EncryptData property of MSFT_SmbServerConfiguration which is the global setting takes precedence. SMB Encryption will be enabled if you run Set-SmbServerConfiguration -EncryptData $True -Force so there is need to run Set-SmbShare -Name "ShareName" -EncryptData $True -Force for every share. Setting EncryptData of MSFT_SmbServerConfiguration to false allows the SMB encryption settings on individual shares to take effect.

    You can check this in the Server Manager. After running Set-SmbShare -Name "ShareName" -EncryptData $True -Force, the "Encrypt data access" option is checked.

    If I run Set-SmbServerConfiguration -EncryptData $True -Force, the option is checked and greyed out. It cannot be modified even if EncryptData is set to false on the share by running Set-SmbShare -Name "ShareName" -EncryptData $False -Force.

    Best Regards,

    Ian Xue
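
For the encryption report mentioned in the question, here is an added example (not code from the original poster or from the answer) that reports the effective state per share by combining the server-wide EncryptData value with the per-share one, following the precedence described in the accepted answer. The function name, the output column names and the server names in the usage comment are hypothetical, and it assumes CIM/WinRM access to each server.

```powershell
# Added example: effective SMB encryption per share.
# Logic follows the accepted answer: the server-wide EncryptData setting
# takes precedence; the per-share flag only matters when it is $false.
function Get-SmbShareEncryptionReport {
    [CmdletBinding()]
    param(
        # Servers to scan; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop

            # Global setting (what Set-SmbServerConfiguration -EncryptData changes).
            $serverEncrypt = (Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop).EncryptData

            foreach ($share in Get-SmbShare -CimSession $session -ErrorAction Stop) {
                # Record which setting is responsible for encryption on this share.
                $source = if ($serverEncrypt) { 'ServerConfiguration' }
                          elseif ($share.EncryptData) { 'Share' }
                          else { 'None' }

                [pscustomobject]@{
                    ComputerName        = $computer
                    ShareName           = $share.Name
                    Path                = $share.Path
                    ServerEncryptData   = [bool]$serverEncrypt
                    ShareEncryptData    = [bool]$share.EncryptData
                    EffectiveEncryption = [bool]($serverEncrypt -or $share.EncryptData)
                    EncryptionSource    = $source
                }
            }
        }
        catch {
            # An unreachable server is reported, not silently counted as compliant.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Usage (hypothetical server names): list shares that are not encrypted either way.
# Get-SmbShareEncryptionReport -ComputerName fs01, fs02 |
#     Where-Object { -not $_.EffectiveEncryption }
```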

