Configuring Samba Share Access in Windows - Hyper-V Host for IR



KB: Enabling SMB Dialect Management and Securing SMB Configuration in Windows (SMB202 / Guest Logon / Signing Settings)
Document ID
KB-SMB-2026-001
Applies To

  • Windows 11 Insider (Build 25951 and later)
  • Windows Server Insider (Build 25951 and later)
  • Windows environments using SMB 2.x / 3.x file sharing
  • SMB file servers and Hyper-V over SMB storage environments

1. Overview
Microsoft introduced SMB dialect management in Windows Insider builds starting with Windows 11 Insider Preview Build 25951 and Windows Server Insider builds.
This enhancement allows administrators to explicitly control which SMB dialects (SMB 2.x and SMB 3.x versions) are negotiated between client and server. Previously, Windows automatically negotiated the highest mutually supported SMB dialect without administrative control over server-side dialect restrictions.
This change improves security by allowing organizations to:

  • Disable legacy SMB dialects
  • Enforce modern SMB versions (e.g., SMB 3.1.1)
  • Reduce exposure to older, less secure SMB implementations

2. Security Context
SMB is frequently targeted in enterprise environments for:

  • Relay attacks
  • Man-in-the-middle interception
  • Legacy guest access exploitation
  • Downgrade attacks to older SMB dialects

To mitigate these risks, Microsoft has progressively enforced:

  • SMB signing by default
  • Disabled insecure guest logons in newer builds
  • SMB dialect control (latest feature)

3. SMB Dialect Management Feature
3.1 What it does
SMB dialect management allows administrators to define:

  • Minimum SMB dialect version
  • Maximum SMB dialect version

This ensures only approved SMB protocol versions are used during negotiation.
Example:

  • Allow only SMB 3.1.1
  • Block SMB 2.0.2 / SMB 2.1 / SMB 3.0 legacy variants

4. Configuration Requirements
4.1 Enable SMB dialect control (Windows Insider builds)
Server-side (Inbound SMB)
Group Policy Path:

Computer Configuration
 → Administrative Templates
 → Network
 → Lanman Server

Policies in this folder:

  • Mandate the minimum version of SMB
  • Mandate the maximum version of SMB

Client-side (Outbound SMB)
Group Policy Path:

Computer Configuration
 → Administrative Templates
 → Network
 → Lanman Workstation

Policies in this folder:

  • Mandate the minimum version of SMB
  • Mandate the maximum version of SMB

4.2 PowerShell Configuration (Recommended)
Set SMB Dialect Minimum / Maximum (Server)

Set-SmbServerConfiguration -Smb2DialectMin SMB202 -Smb2DialectMax SMB311

Example enforcing modern-only SMB:

Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Smb2DialectMax SMB311

Set SMB Dialect Minimum / Maximum (Client)

Set-SmbClientConfiguration -Smb2DialectMin SMB202 -Smb2DialectMax SMB311

5. Required SMB Security Settings
In addition to SMB dialect management, the following settings are required for the legacy-compatibility scenario covered in section 6. Both relax secure defaults; section 7 lists the risks.


5.1 AllowGuestLogon = 1
Purpose
Enables legacy or guest-based SMB access where authentication is not required.
Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Value

AllowInsecureGuestAuth = 1 (DWORD)

PowerShell equivalent (recommended validation):

Set-SmbClientConfiguration -EnableInsecureGuestLogons $true

5.2 RequireSecuritySignature = 0
Purpose
Controls SMB signing requirement.

  • 1 = SMB signing required (secure default in modern Windows)
  • 0 = SMB signing not required (legacy compatibility mode)

Client configuration:

Set-SmbClientConfiguration -RequireSecuritySignature $false

Server configuration:

Set-SmbServerConfiguration -RequireSecuritySignature $false

6. Recommended Enterprise Configuration (Balanced Compatibility)
For environments requiring legacy SMB compatibility (e.g., older NAS, Linux Samba, appliances, or Hyper-V SMB storage issues):
Recommended baseline:

# Allow the full SMB 2.0.2 to 3.1.1 dialect range for legacy peers; raise the minimum where possible to limit downgrade exposure
Set-SmbServerConfiguration -Smb2DialectMin SMB202 -Smb2DialectMax SMB311

# Allow guest access if required by legacy devices
Set-SmbClientConfiguration -EnableInsecureGuestLogons $true

# Disable strict signing only if required for interoperability
Set-SmbServerConfiguration -RequireSecuritySignature $false
Set-SmbClientConfiguration -RequireSecuritySignature $false

7. Security Implications (IMPORTANT)
Disabling or relaxing SMB security controls introduces risk:

| Setting | Risk |
|---|---|
| AllowGuestLogon = 1 | No authentication, vulnerable to spoofing |
| RequireSecuritySignature = 0 | Vulnerable to MITM and relay attacks |
| Allow SMB2 legacy dialects | Enables downgrade attack surface |

Best practice:

  • Prefer SMB 3.1.1 only where possible
  • Avoid guest authentication
  • Require signing in production environments

8. Verification Commands
Check SMB dialect configuration:

Get-SmbServerConfiguration | Select Smb2DialectMin, Smb2DialectMax
Get-SmbClientConfiguration | Select Smb2DialectMin, Smb2DialectMax

Check signing:

Get-SmbServerConfiguration | Select RequireSecuritySignature
Get-SmbClientConfiguration | Select RequireSecuritySignature

9. Operational Notes

  • Changes to SMB configuration take effect immediately for new SMB sessions only
  • Existing SMB sessions must be disconnected and re-established for changes to apply

⚠️ Important: Get-Smb* Cmdlet Reporting Delay

After applying SMB policy changes (via Group Policy or PowerShell), the output of Get-SmbServerConfiguration and Get-SmbClientConfiguration may not immediately reflect the updated policy values.

This is expected behavior due to internal caching and policy propagation timing.

Key points:

  • The system may continue to display previous configuration values temporarily
  • This does not mean the change failed
  • You should assume the configuration is applied once the command completes successfully without error
  • Verification should be based on:
    • Successful execution of Set-Smb*Configuration commands
    • Testing with a new SMB session connection
    • Observed behavior (dialect negotiation / guest access / signing behavior)

Practical guidance:

  • Do not rely solely on Get-Smb*Configuration immediately after changes
  • Always validate via:
    • New client connection tests (net use, mapped drive, or SMB mount)
    • Event logs (SMBClient / SMBServer operational logs)
    • Network negotiation behavior (dialect and signing status)
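
To record how far a host deviates from the best-practice list in section 7, and to check live sessions as advised above, the following read-only PowerShell can be used. It is an added example, not part of the original KB; the helper name Test-SmbSetting and the baseline values (taken from the section 7 best-practice bullets) are assumptions.

```powershell
# Added example (read-only): compare SMB settings with the section 7 best-practice
# list, then inspect live sessions. Run from an elevated PowerShell prompt.
function Test-SmbSetting {   # hypothetical helper name
    param([string]$Scope, [object]$Config, [string]$Name, [object]$Expected)
    # Smb2DialectMin only exists on builds that support dialect management.
    $prop = $Config.PSObject.Properties[$Name]
    $status = if (-not $prop) {
        'N/A on this build'
    } elseif ("$($prop.Value)" -eq "$Expected") {
        'OK'
    } else {
        'RELAXED'
    }
    [pscustomobject]@{
        Scope = $Scope; Setting = $Name; Expected = "$Expected"
        Actual = if ($prop) { "$($prop.Value)" } else { '' }
        Status = $status
    }
}

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# Baseline assumed from section 7: SMB 3.1.1 only, signing required, no guest logons.
$report = @(
    Test-SmbSetting Server $server Smb2DialectMin 'SMB311'
    Test-SmbSetting Server $server RequireSecuritySignature $true
    Test-SmbSetting Client $client Smb2DialectMin 'SMB311'
    Test-SmbSetting Client $client RequireSecuritySignature $true
    Test-SmbSetting Client $client EnableInsecureGuestLogons $false
)
$report | Format-Table -AutoSize

# Stored configuration can lag (see the reporting-delay note above), so also check
# what live outbound sessions negotiated. Reconnect the share first for a new session.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted,
        @{ Name = 'Flag'; Expression = {
            if ($_.Dialect -ne '3.1.1' -or -not $_.Signed) { 'REVIEW' } else { 'OK' } } } |
    Format-Table -AutoSize
```

Rows marked RELAXED or REVIEW show where the host currently differs from the section 7 best practice, which is useful to capture before and after temporarily applying the section 6 compatibility settings.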

10. Summary
SMB dialect management provides granular control over SMB negotiation behavior in Windows Insider builds. When combined with guest access and signing configuration controls, administrators can balance:

  • Security hardening
  • Legacy compatibility
  • Hyper-V / Linux SMB interoperability

External Link - SMB dialect management now supported in Windows Insider
