SMB signing is only on by default for servers. I've done quite a few pentests where that's been leveraged to dump the SAM hashes of workstations that happen to have the Domain admin stored.
Microsoft azhci will drop data and corrupt file systems if the servers attached have smb signing enforced. Good trap to keep in mind when a pentester says "just turn it on everywhere".