A major advantage of QUIC is its mandatory certificate-based encryption. SMB over QUIC is like an SMB VPN for users working remotely. The server certificate creates a TLS 1.3 encrypted tunnel via UDP port 443. SMB traffic, including authentication, is not exposed to the underlying network.
Transport options for Server Message Block (SMB)
Within the QUIC tunnel, SMB behaves as usual from the user’s point of view, and features such as multi-channel and compression are still available.
SMB over QUIC as the preferred protocol in the future
Due to these characteristics, Microsoft has positioned SMB over QUIC as a feature for edge servers, i.e., file servers running in the cloud or DMZ accessible over the internet. This was the reason for restricting QUIC support to the Azure Edition, which runs in the Microsoft Cloud or on-premises on Azure Stack HCI.
The announcement of SMB over QUIC for Windows Server 2025 aligns with the overall repositioning of the feature as a secure alternative to SMB over TCP. It hardens file servers even for internal use, and protects NTLM credentials against leakage. As a result, QUIC will become the preferred transport mechanism for SMB.
QUIC Client Access Control
New functionality in Windows Server 2022 allows administrators to restrict access to file servers through QUIC to specific clients. Traditionally, servers accepted all clients that held a certificate tracing back to the same root certificate as the one being used for QUIC on the server.
This recently introduced restriction also relies on certificates. Administrators can add client certificate fingerprints to a trusted device list on the server. Using the certificate data that the client transmits, the server can then determine whether that client is authorized for access.
Manually maintaining the thumbprints of every client certificate on a large-scale server might be challenging. For this reason, QUIC Client Access Control can now support SAN certificates, which can contain the names of several hosts.
Activating SMB over QUIC
The Windows Server Insider Preview Build 25997 includes SMB over QUIC for all editions, including Standard and Datacenter. By default, the feature is disabled and must be enabled by the server admin. Clients cannot enforce the use of the protocol.
The tools for activating SMB over QUIC remain the Windows Admin Center (WAC) and PowerShell. The current version of WAC is still limited to the Azure Edition for this task and denies QUIC configuration for other OS editions.
In PowerShell, the cmdlets responsible for this task are New-SmbServerCertificateMapping and Set-SmbServerConfiguration (see also: How to use SMB over QUIC in Windows Server 2022).
Checking the status of SMB over QUIC in PowerShell
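The two cmdlets named above, combined with a certificate pre-flight check and the status query, as an added example that is not part of the original article. The server name and thumbprint are placeholders, and the script assumes the server certificate is already installed in the local machine's personal store.

```powershell
# Added example (not from the original article). Run in an elevated session
# on the file server. Both values below are placeholders, not real data.
$Fqdn       = 'fs1.example.com'            # name clients use to reach the server
$Thumbprint = '<SERVER-CERT-THUMBPRINT>'   # certificate in Cert:\LocalMachine\My

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My."
}

# Pre-flight checks. The TLS 1.3 tunnel depends entirely on this certificate,
# so refuse to map one that clients would reject.
$now      = Get-Date
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }
if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
if ($cert.NotAfter  -lt $now) { $problems += "expired on $($cert.NotAfter)" }
# 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU. A certificate without
# any EKU list is also flagged here, which is deliberately conservative.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    $problems += 'Server Authentication EKU is missing'
}
# Exact-match test against the certificate's DNS names; wildcard entries
# are not evaluated by this check.
if ($cert.DnsNameList.Unicode -notcontains $Fqdn) {
    $problems += "$Fqdn is not among the certificate's DNS names"
}
if ($problems) { throw "Certificate rejected: $($problems -join '; ')" }

# Bind the certificate to the server name, unless a mapping already exists.
if (-not (Get-SmbServerCertificateMapping | Where-Object Name -eq $Fqdn)) {
    New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $cert.Thumbprint -StoreName My
}

# The feature is disabled by default and has to be switched on server-side.
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force

# Check the resulting status and the active certificate mapping.
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC
Get-SmbServerCertificateMapping | Format-List Name, Thumbprint, StoreName
```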
Summary
Microsoft initially positioned SMB over QUIC, introduced with Windows Server 2022, exclusively for accessing file servers via the internet. It was therefore only available in the Azure Edition. However, the enhanced security of the QUIC protocol also benefits purely on-prem environments.