How to disable SMB signing via a Group Policy Object

If you have a scanner, copier, or other device that no longer authenticates after upgrading to 2003 R2 or 2008 Server (Active Directory), chances are it is due to a new SMB signing method that Microsoft has enabled by default. Currently, if you attempt to authenticate you must use SMB 2.0. This is great if you have a lot of brand new Windows PCs, but it unfortunately left nearly all copiers and similar equipment in the dust for authentication. Luckily, you can create a GPO and disable the REQUIREMENT of this setting. It does not change how anything authenticates, as some believe; it only allows the Domain Controller to listen for and accept older SMB 1.0 requests, which is what most scanners and copiers tend to send.

Create a new GPO at either the Domain level or on the Domain Controllers OU.
Set the following:

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options

Set the following two settings to DISABLED. Note that the policy itself only covers the ALWAYS case, so it does not change how anything authenticates natively.

Microsoft Network Client: Digitally sign communications (always)
Microsoft Network Server: Digitally sign communications (always)
 

Do a gpupdate.exe on the involved servers and give it a shot!
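
To confirm the GPO took effect after gpupdate, the effective values can be read back from the registry on each server; the two "(always)" rows should report Disabled. This is an added example, not part of the original post, and it assumes the standard LanmanWorkstation and LanmanServer registry values that back these policies.

```powershell
# Added example: report the effective SMB signing settings on this machine.
# Assumption: the policies are backed by the RequireSecuritySignature and
# EnableSecuritySignature values under the Lanman* service Parameters keys.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$checks = @(
    @{ Policy  = 'Microsoft Network Client: Digitally sign communications (always)'
       Service = 'LanmanWorkstation'; Value = 'RequireSecuritySignature' },
    @{ Policy  = 'Microsoft Network Server: Digitally sign communications (always)'
       Service = 'LanmanServer';      Value = 'RequireSecuritySignature' },
    # The "if agrees" settings are shown for context only; the GPO above
    # does not touch them, so signing can still be negotiated.
    @{ Policy  = 'Microsoft Network Client: Digitally sign communications (if server agrees)'
       Service = 'LanmanWorkstation'; Value = 'EnableSecuritySignature' },
    @{ Policy  = 'Microsoft Network Server: Digitally sign communications (if client agrees)'
       Service = 'LanmanServer';      Value = 'EnableSecuritySignature' }
)

$results = foreach ($c in $checks) {
    $path = Join-Path $base (Join-Path $c.Service 'Parameters')
    $name = $c.Value
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: no explicit setting, the OS default is in effect.
        $state = 'Not set (OS default)'
    } elseif ($item.$name -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    New-Object PSObject -Property @{
        Policy   = $c.Policy
        Registry = "$($c.Service)\Parameters\$name"
        Setting  = $state
    }
}

$results | Select-Object Policy, Registry, Setting | Format-Table -AutoSize -Wrap
```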
