|
Server : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 System : Windows NT SERVER-PC 10.0 build 26200 (Windows 11) AMD64 User : ServerPC ( 0) PHP Version : 8.2.12 Disable Function : NONE Directory : C:/Windows/PolicyDefinitions/en-US/ |
Upload File : |
<?xml version="1.0" encoding="utf-8"?>
<!-- (c) 2006 Microsoft Corporation -->
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
<displayName>enter display name here</displayName>
<description>enter description here</description>
<resources>
<stringTable>
<string id="Cat_LanmanWorkstation">Lanman Workstation</string>
<string id="Pol_CipherSuiteOrder_Name">Cipher suite order</string>
<string id="Pol_CipherSuiteOrder_Help">This policy setting determines the cipher suites used by the SMB client.
If you enable this policy setting, cipher suites are prioritized in the order specified.
If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used.
SMB 3.11 cipher suites:
AES_128_GCM
AES_128_CCM
AES_256_GCM
AES_256_CCM
SMB 3.0 and 3.02 cipher suites:
AES_128_CCM
How to modify this setting:
Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use.
Note: When configuring this security setting, changes will not take effect until you restart Windows.</string>
<string id="Pol_EnableInsecureGuestLogons_Name">Enable insecure guest logons</string>
<string id="Pol_EnableInsecureGuestLogons_Help">This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
If you disable this policy setting, the SMB client will reject insecure guest logons.
If you enable signing, the SMB client will reject insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access."
</string>
<string id="Pol_EnableCSCforCAShares_Name">Offline Files Availability on Continuous Availability Shares</string>
<string id="Pol_EnableCSCforCAShares_Help">
This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled.
If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible.
If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares.
Note: Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states.
</string>
<string id="Pol_EnableHandleCachingForCAFiles_Name">Handle Caching on Continuous Availability Shares</string>
<string id="Pol_EnableHandleCachingForCAFiles_Help">
This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled.
If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files.
If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares.
Note: This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage.
</string>
<string id="SUPPORTED_Windows_Server_2022_Windows_11_0">At least Windows Server 2022, Windows 11</string>
<string id="SUPPORTED_Windows_Server_2025_Windows_11_0">At least Windows Server 2025, Windows 11</string>
<string id="Pol_EnableCompressedTraffic_Name">Use SMB compression by default</string>
<string id="Pol_EnableCompressedTraffic_Help">This policy controls whether the SMB client uses traffic compression by default.
If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled.
If you disable or do not configure this policy setting, the SMB client will not by default attempt to compress traffic. However traffic compression may be requested by other means. See notes below.
Note: This policy is combined with per-share and per-file handle properties, through which traffic compression may be requested. As well, the SMB server must support and enable compression. For example, should this policy be disabled (or not configured), the SMB client may still perform compression if an SMB server share has compression requested. If this is undesired, and one wishes to completely disable compression, configure the accompanying 'Disable SMB compression' policy instead.
</string>
<string id="Pol_DisableCompression_Name">Disable SMB compression</string>
<string id="Pol_DisableCompression_Help">This policy controls whether the SMB client will disable (completely prevent) traffic compression.
If you enable this policy setting, the SMB client will never compress data, irrespective of other policies (such as the 'Use SMB compression by default' policy or per-share property).
If you disable or do not configure this policy setting, the SMB client may compress traffic (depending on a combination of other policies and conditions).
</string>
<string id="Pol_MaxSmb2Dialect_Name">Mandate the maximum version of SMB</string>
<string id="Pol_MaxSmb2Dialect_Help">This policy controls the maximum version of SMB protocol
Note: This group policy does not prevent use of SMB 1 if that component is still installed and enabled.
</string>
<string id="Pol_MinSmb2Dialect_Name">Mandate the minimum version of SMB</string>
<string id="Pol_MinSmb2Dialect_Help">This policy controls the minimum version of SMB protocol
Note: This group policy does not prevent use of SMB 1 if that component is still installed and enabled.
</string>
<string id="Dialect_0x202">SMB 2.0.2</string>
<string id="Dialect_0x210">SMB 2.1.0</string>
<string id="Dialect_0x300">SMB 3.0.0</string>
<string id="Dialect_0x302">SMB 3.0.2</string>
<string id="Dialect_0x311">SMB 3.1.1</string>
<string id="Pol_BlockNTLM_Name">Block NTLM (LM, NTLM, NTLMv2)</string>
<string id="Pol_BlockNTLM_Help">This policy controls if the SMB client will block NTLM for remote connection authentication.
If you enable this policy setting, the SMB client won't use NTLM for remote connection authentication.
If you disable or do not configure this policy setting, the SMB client can still use NTLM.
</string>
<string id="Pol_BlockNTLMServerExceptionList_Name">Block NTLM Server Exception List</string>
<string id="Pol_BlockNTLMServerExceptionList_Help">This policy setting determines if NTLM can be used to access specified servers.
If you enable this policy setting (valid only if NTLM (LM, NTLM, NTLMv2) is blocked), NTLM can be used to access servers specified. Please enter the desired servers (DNS name, IP address or NetBIOS name) in the edit box, one server name per line.
If you disable or do not configure this policy setting, the NTLM access to servers will be determined by other settings.
</string>
<string id="Pol_EnableRemoteMailslots_Name">Enable remote mailslots</string>
<string id="Pol_EnableRemoteMailslots_Help">This policy controls whether the SMB client will enable or disable remote mailslots over MUP.
If you disable this policy setting, remote mailslots will not function over MUP, hence they will not go through the SMB client redirector.
If you do not configure this policy setting, remote mailslots may be allowed through MUP.
</string>
<string id="Pol_RequireEncryption_Name">Require Encryption</string>
<string id="Pol_RequireEncryption_Help">This policy controls whether the SMB client will require encryption.
If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data.
If you disable or do not configure this policy setting, the SMB client will not require encryption. However, SMB encryption may still be required; see notes below.
Note: This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption.
Important: SMB encryption requires SMB 3.0 or later
</string>
<string id="Pol_EnableAlternativePorts_Name">Enable Alternative Ports</string>
<string id="Pol_EnableAlternativePorts_Help">This policy controls whether the SMB client will enable or disable alternative ports.
If you disable this policy setting, alternative ports will not be used by the SMB client.
If you do not configure this policy setting, alternative ports may be used by the SMB client.
</string>
<string id="Pol_AuditServerDoesNotSupportEncryption_Name">Audit server does not support encryption</string>
<string id="Pol_AuditServerDoesNotSupportEncryption_Help">This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support encryption.
If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support encryption.
If you disable or do not configure this policy setting, the SMB client will not log the event.
</string>
<string id="Pol_AuditServerDoesNotSupportSigning_Name">Audit server does not support signing</string>
<string id="Pol_AuditServerDoesNotSupportSigning_Help">This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support signing.
If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support signing.
If you disable or do not configure this policy setting, the SMB client will not log the event.
</string>
<string id="Pol_AuditInsecureGuestLogon_Name">Audit insecure guest logon</string>
<string id="Pol_AuditInsecureGuestLogon_Help">This policy controls whether the SMB client will enable the audit event when the client is logged on as guest account.
If you enable this policy setting, the SMB client will log the event when the client is logged on as guest account.
If you disable or do not configure this policy setting, the SMB client will not log the event.
</string>
<string id="Pol_AlternativePortMappings_Name">Alternative Port Mappings</string>
<string id="Pol_AlternativePortMappings_Help">This policy setting determines the alternative port registry mappings used by the SMB client.
If you enable this policy setting, the first valid mapping will be used if the mapping's server name matches the targeted server name for connectivity.
If you enable this policy setting and do not specify at least one valid mapping, or if you disable or do not configure this policy setting, then the SMB client will refer to other methods of determining alternative port usage such as with the NET USE or New-SmbMapping commands.
Examples:
contososa.file.core.windows.net:tcp:448
edgesrv1.corp.contoso.com:quic:450
How to modify this setting:
Arrange the desired alternative port mappings in the edit box with one mapping entry per line.
The format of each mapping entry specifies a server name, transport type, and port number separated by colons as done so in the example above.
Note: This policy does not require a Windows reboot to take effect.
</string>
<string id="Pol_EnableSMBQUIC_Name">Enable SMB over QUIC</string>
<string id="Pol_EnableSMBQUIC_Help">This policy setting controls whether the SMB client will enable SMB over QUIC.
If you disable this policy setting, the SMB client will not allow initiating connections over QUIC. In this case, if the user attempts to connect over QUIC, SMB client will attempt to connect over TCP.
If you do not configure this policy setting, the SMB client may allow initiating connections over QUIC.
</string>
<string id="Pol_DisabledSMBQUICServerExceptionList_Name">Disabled SMB over QUIC Server Exception List</string>
<string id="Pol_DisabledSMBQUICServerExceptionList_Help">This policy setting specifies the servers the SMB client can connect to over QUIC.
If you enable this policy setting (valid only if SMB over QUIC is disabled), the SMB client can connect to the specified servers over QUIC. Please enter the desired servers (DNS name, IP address or NetBIOS name) in the edit box, one server name per line.
If you disable or do not configure this policy setting, the SMB client's ability to connect to servers over QUIC will be determined by other settings.
</string>
</stringTable>
<presentationTable>
<presentation id="Pol_CipherSuiteOrder">
<text>Cipher suites:</text>
<multiTextBox refId="MultiText_CipherSuiteOrder"/>
</presentation>
<presentation id="Pol_MaxSmb2Dialect">
<text>Select SMB version:</text>
<dropdownList refId="MaxSmb2Dialect" defaultItem="0">Version:</dropdownList>
</presentation>
<presentation id="Pol_MinSmb2Dialect">
<text>Select SMB version:</text>
<dropdownList refId="MinSmb2Dialect" defaultItem="0">Version:</dropdownList>
</presentation>
<presentation id="Pol_BlockNTLMServerExceptionList">
<text>Block NTLM Server Exception List:</text>
<multiTextBox refId="MultiText_BlockNTLMServerExceptionList"/>
</presentation>
<presentation id="Pol_AlternativePortMappings">
<text>Alternative Port Registry Mappings:</text>
<multiTextBox refId="MultiText_AlternativePortMappings"/>
</presentation>
<presentation id="Pol_DisabledSMBQUICServerExceptionList">
<text>Disabled SMB over QUIC Server Exception List:</text>
<multiTextBox refId="MultiText_DisabledSMBQUICServerExceptionList"/>
</presentation>
</presentationTable>
</resources>
</policyDefinitionResources>