Q: We are in the process of migrating our file servers to Windows Server 2012. On the migrated file shares we want to enable the new SMB Encryption feature. How can we make sure that our legacy Windows clients (before Windows 8) – that do not support SMB Encryption and SMB version 3 - can still access these shares?

A: First of all, you can postpone enabling SMB Encryption on your migrated shares until all your clients have been upgraded to Windows 8 or later. SMB Encryption is disabled by default and can be enabled on the file server for all shares or for each individual share.

If you have already enabled SMB Encryption, you can still allow unencrypted access from legacy Windows clients by running the following PowerShell command:

Set-SmbServerConfiguration -RejectUnencryptedAccess $false

Note that disabling this setting can allow malicious SMB version 3 clients to bypass SMB encryption by downgrading the SMB dialect to version 1 during the SMB dialect negotiation between the SMB client and server. To prevent this, you could disable the SMB version 1.0 protocol using the PowerShell command below, but that would also block unencrypted access from your legacy clients. Because this additional risk is unavoidable, limit how long you allow unencrypted access during the migration period.

Set-SmbServerConfiguration -EnableSMB1Protocol $false
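
To decide when the unencrypted-access window can be closed again, it helps to see which clients still connect with a dialect older than SMB 3. The following audit script is an added example, not part of the original answer; it uses only the built-in SMB cmdlets on the file server and changes nothing.

```powershell
# Added example: read-only audit, run in an elevated PowerShell session
# on the Windows Server 2012 file server.

# 1. Server-wide settings discussed in the answer.
$cfg = Get-SmbServerConfiguration
$cfg | Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol |
    Format-List

# 2. Shares that have SMB Encryption enabled individually.
$encryptedShares = @(Get-SmbShare | Where-Object { $_.EncryptData })
Write-Output ("Shares with encryption enabled: {0}" -f $encryptedShares.Count)
$encryptedShares | Select-Object Name, Path | Format-Table -AutoSize

# 3. Current sessions negotiated with a dialect below 3.x. These clients
#    cannot encrypt and lose access to encrypted shares once
#    RejectUnencryptedAccess is set back to $true.
$legacy = @(Get-SmbSession | Where-Object {
    $major = [int](("$($_.Dialect)" -split '\.')[0])
    $major -lt 3
})
Write-Output ("Sessions below SMB 3: {0}" -f $legacy.Count)
$legacy | Sort-Object Dialect, ClientComputerName |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# 4. Summarize the exposure described in the answer.
$encryptionInUse = $cfg.EncryptData -or ($encryptedShares.Count -gt 0)
if ($encryptionInUse -and -not $cfg.RejectUnencryptedAccess) {
    Write-Warning "Unencrypted access to encrypted shares is currently allowed."
    if ($cfg.EnableSMB1Protocol) {
        Write-Warning "SMB 1.0 is enabled, so the dialect downgrade remains possible."
    }
    if ($legacy.Count -eq 0) {
        Write-Output "No legacy sessions right now; repeat over several days before setting RejectUnencryptedAccess back to `$true."
    }
}
```

Get-SmbSession only shows clients connected at the moment the script runs, so run it repeatedly (for example as a scheduled task) during the migration period before concluding that no legacy clients remain.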