SMB over QUIC is a new feature in Windows Server 2025 that enables users to securely access Windows file shares over the internet without needing a VPN. This functionality, previously available only in the Windows Server 2022 Azure Edition, allows for direct access to SMB file servers from untrusted public networks.
The protocol enhances security through TLS 1.3 encryption with certificates, and it operates over UDP port 443 instead of the traditional TCP port 445. QUIC offers better performance and resilience under poor network conditions, and a new compression method helps reduce bandwidth usage. Moreover, QUIC Client Access Control lets administrators restrict access based on client certificates.
To set up SMB over QUIC on Windows Server 2025, follow these steps:
-
Configuring the File Server: While an Active Directory domain is preferred, SMB over QUIC can be set up in workgroup scenarios. You’ll need an SSL certificate for your file server’s FQDN, with the Subject Alternative Name (SAN) field filled out.
-
Creating a Self-Signed Certificate (if not using a commercial CA):
$todaydate = Get-Date$add3year = $todaydate.AddYears(3)New-SelfSignedCertificate -dnsname "mfs01.woshub.com" -notafter $add3year -CertStoreLocation cert:LocalMachineMy -
Mapping the Certificate to the SMB Server:
$cert = Get-ChildItem -Path "Cert:LocalMachineMy" | Where-Object Thumbprint -eq "D4CB32344D21EB9E38168EA04540DBE509BBD650"New-SmbServerCertificateMapping -Name "mfs01.woshub.com" -Thumbprint $cert.Thumbprint -StoreName My -
Enabling SMB over QUIC:
Set-SmbServerConfiguration -EnableSMBQUIC $true -
Checking Firewall Settings: Ensure that the appropriate rules are enabled in the Windows Defender Firewall to allow access on UDP port 443.
-
Client Configuration: To connect to the SMB share from a client device, ensure that the client trusts the certificate installed on the server. For organizations using corporate CAs, distribute the necessary root and intermediate certificates.
To map the shared folder, you can use the following command:
New-SmbMapping -LocalPath W: -RemotePath "\mfs01.woshub.comDocs" -TransportType QUICAlternatively:
net use W: "\mfs01.woshub.comDocs" /TRANSPORT:QUICWhen checking the Event Viewer, look for Event ID 30832 to confirm a successful QUIC connection. If you encounter Event ID 30803, it indicates a trust issue with the server certificate.
To further enhance security, you can enable certificate-based client authentication. This requires clients to present approved certificates before accessing the file server:
Set-SmbServerCertificateMapping -Name "mfs01.woshub.com" -RequireClientAuthentication $trueAlthough SMB over QUIC provides enhanced encryption for all traffic, it does not support legacy SMB clients including Windows 10 and earlier versions, as well as Samba versions prior to 4.23.
For more detailed information, you can refer to the official documentation on SMB over QUIC.