All Editions of Windows Server 2025 to Support SMB over QUIC: A Comprehensive Guide

One of the main new features of Windows Server 2022 is SMB over QUIC. QUIC serves as an alternative to TCP and RDMA, providing a secure connection to a file server over untrusted networks. This protocol is based on UDP and TLS 1.3, enhancing the security and performance of file shares. Windows Server 2025 will include it in all editions, along with the new QUIC Client Access Control. QUIC has been exclusive to the Azure Edition until now.

A major advantage of QUIC is its mandatory certificate-based encryption. SMB over QUIC is like an SMB VPN for users working remotely. The server certificate creates a TLS 1.3 encrypted tunnel via UDP port 443. SMB traffic, including authentication, is not exposed to the underlying network.

Transport options for Server Message Block (SMB)

Within the QUIC tunnel, SMB behaves as usual from the user’s point of view, and features such as multi-channel and compression are still available.

SMB over QUIC as the preferred protocol in the future

Due to these characteristics, Microsoft has positioned SMB over QUIC as a feature for edge servers, i.e., file servers running in the cloud or DMZ accessible over the internet. This was the reason for restricting QUIC support to the Azure Edition, which runs in the Microsoft Cloud or on-premises on Azure Stack HCI.

The announcement of SMB over QUIC for Windows Server 2025 aligns with the overall repositioning of the feature as a secure alternative to SMB over TCP. It hardens file servers even for internal use, and protects NTLM credentials against leakage. As a result, QUIC will become the preferred transport mechanism for SMB.

QUIC Client Access Control

New functionality in Windows Server 2022 allows administrators to restrict access to file servers over QUIC to specific clients. Until now, a server accepted any client whose certificate chained to the same root certificate as the one the server itself uses for QUIC.

This new restriction is also certificate-based. Administrators add the thumbprints of client certificates to a trusted-device list on the server; the server then compares the certificate presented by a connecting client against that list to decide whether the client is authorized.

Maintaining the thumbprint of every client certificate by hand does not scale to a large number of clients. For that reason, QUIC Client Access Control can now also use SAN certificates, which can carry the names of several hosts.
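The following PowerShell sequence is an added example, not part of the original article, showing how the allow-list described above is maintained on the server. The cmdlet names Set-SmbServerCertificateMapping (with -RequireClientAuthentication), Grant-SmbClientAccessToServer, Get-SmbClientAccessToServer and Revoke-SmbClientAccessToServer are those Microsoft documents for QUIC Client Access Control and are assumed here; the server name, device names, thumbprints and the issuer DN are placeholders.

```powershell
# Added example (not from the article): allow-list clients for SMB over QUIC.
# Assumes the server certificate mapping for $ServerName already exists.
#Requires -RunAsAdministrator

$ServerName = 'fs01.corp.example'   # placeholder: name clients use in the UNC path

# 1. Make a client certificate mandatory on the QUIC mapping. Without this,
#    any client that merely chains to a trusted root is still accepted.
Set-SmbServerCertificateMapping -Name $ServerName -RequireClientAuthentication $true

# 2. Grant access per device by the SHA256 thumbprint of its client certificate.
#    Keeping the list in a data structure makes it reviewable and re-runnable.
$AllowedClients = @(
    @{ Device = 'laptop-01'; Thumbprint = '<client-cert-thumbprint-1>' },  # placeholder
    @{ Device = 'laptop-02'; Thumbprint = '<client-cert-thumbprint-2>' }   # placeholder
)
foreach ($client in $AllowedClients) {
    Write-Verbose "Granting QUIC access to $($client.Device)" -Verbose
    Grant-SmbClientAccessToServer -Name $ServerName `
        -IdentifierType SHA256 -Identifier $client.Thumbprint
}

# 3. For large fleets, trusting an issuing CA avoids per-device thumbprints.
#    The ISSUER identifier type is assumed from Microsoft's documentation.
# Grant-SmbClientAccessToServer -Name $ServerName `
#     -IdentifierType ISSUER -Identifier 'CN=Corp Issuing CA,DC=corp,DC=example'

# 4. Review the current allow-list; remove an entry when a device is retired.
Get-SmbClientAccessToServer -Name $ServerName
# Revoke-SmbClientAccessToServer -Name $ServerName `
#     -IdentifierType SHA256 -Identifier '<client-cert-thumbprint-2>'
```

Step 1 is the part that is easy to forget: granting thumbprints has no effect until the mapping actually demands a client certificate, so the status of the mapping should be checked together with the grant list.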

Activating SMB over QUIC

The Windows Server Insider Preview Build 25997 includes SMB over QUIC for all editions, including Standard and Datacenter. By default, the feature is disabled and must be enabled by the server admin. Clients cannot enforce the use of the protocol.

The tools for activating SMB over QUIC remain the Windows Admin Center (WAC) and PowerShell. The current version of WAC is still limited to the Azure Edition for this task and denies QUIC configuration for other OS editions.

In PowerShell, the cmdlets responsible for this task are New-SmbServerCertificateMapping and Set-SmbServerConfiguration (see also: How to use SMB over QUIC in Windows Server 2022).

Checking the status of SMB over QUIC in PowerShell

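As an added example (not code from the article or from Microsoft), the following PowerShell session enables SMB over QUIC with the two cmdlets named above and then performs the status check. It assumes a server certificate is already installed in the local machine "My" store; the server name and thumbprint are placeholders.

```powershell
# Added example (not from the article): enable SMB over QUIC and verify it.
#Requires -RunAsAdministrator

$ServerName = 'fs01.corp.example'        # placeholder: DNS name clients will connect to
$Thumbprint = '<server-cert-thumbprint>'  # placeholder: from Get-ChildItem Cert:\LocalMachine\My

# 1. Validate the certificate before binding it: present, not expired, and
#    issued for Server Authentication (EKU OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has expired" }
if (-not ($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $Thumbprint lacks the Server Authentication EKU"
}

# 2. Bind the certificate to the SMB server name. The name must match what
#    clients put in the UNC path, because that is the TLS SNI they send.
New-SmbServerCertificateMapping -Name $ServerName -Thumbprint $Thumbprint -StoreName My

# 3. Turn the QUIC listener on; it is disabled by default in every edition.
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force

# 4. Status check: listener enabled and mapping present.
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC
Get-SmbServerCertificateMapping | Select-Object Name, Subject, Thumbprint

# 5. From a client, force the QUIC transport for a mapping to confirm it works.
#    (run on the client, not the server; share name is a placeholder)
# New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$ServerName\data" -TransportType QUIC
```

The certificate checks in step 1 catch the most common reason a freshly configured server refuses QUIC connections: a certificate that was issued for the wrong purpose or under a different name than the one clients use.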

Summary

Microsoft initially positioned SMB over QUIC, introduced with Windows Server 2022, exclusively for accessing file servers via the internet. It was therefore only available in the Azure Edition. However, the enhanced security of the QUIC protocol also benefits purely on-prem environments.
