Introduction
As part of Microsoft’s ongoing security enhancements for SMB over QUIC, client access control introduces an additional layer of security. By restricting which clients can connect to an SMB over QUIC server, organizations can prevent unauthorized access while maintaining the benefits of VPN-less, encrypted file sharing.
By default, any client that trusts the server’s certificate can connect. However, with client access control, administrators can define allow- and block-lists based on client certificates, providing stricter access control without changing the existing authentication model.
This tutorial walks through the PowerShell commands used to configure and enforce SMB over QUIC client access control.
SMB over QUIC Client – Before the Change
Previously, any client with a trusted server certificate could connect to an SMB over QUIC server. While this ensured secure, encrypted communication, it did not allow granular control over which specific devices could access the server.
SMB over QUIC Client – After the Change
With the introduction of SMB over QUIC client access control, administrators can now:
✅ Restrict access to specific devices using certificate-based authentication
✅ Define allow- and block-lists for client connections
✅ Apply access control policies per server without affecting SMB authentication
Configuring SMB over QUIC Client Access Control
To enforce client access control, follow these steps using PowerShell.
1. Identify the Client Certificate
First, list the certificates available on the client device:
> Get-ChildItem -Path Cert:\LocalMachine\My
This displays a list of certificates, including thumbprints and subject names.
Next, retrieve the specific client certificate needed for SMB over QUIC access:
> $clientCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Match "<subject name>"}
Verify the output to ensure the correct certificate is selected.
2. Generate and Register the Certificate Hash
Extract the SHA-256 certificate hash:
> $clientCert.GetCertHashString("SHA256")
Then, register the certificate with the SMB server:
> New-SmbClientCertificateMapping -Namespace <namespace> -Thumbprint $clientCert.Thumbprint -StoreName My
3. Grant Access to the Client
Once the certificate is mapped, grant access by specifying either the certificate hash or issuer name:
> Grant-SmbClientAccessToServer -Name <server_name> -IdentifierType SHA256 -Identifier <hash>
or
> Grant-SmbClientAccessToServer -Name <server_name> -IdentifierType ISSUER -Identifier "<subject name>"
This ensures that only clients with approved certificates can establish a connection.
4. Test the Connection
To test connectivity, use the following command on the client device:
> New-SmbMapping -RemotePath \\<server DNS name>\<share name> -TransportType QUIC
If necessary, disable SMB over QUIC temporarily to confirm the policy’s effectiveness:
> Set-SmbClientConfiguration -EnableSMBQUIC $false
Confirm the action by selecting Y when prompted.
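The four steps above, combined into one script as an added example (not code from the original post or from Microsoft): it selects the client certificate by subject, refuses to register a certificate that is expired or close to expiry, derives the SHA-256 identifier, and shows the server-side grant. The subject, namespace and server name are placeholders; the cmdlet names are the ones used in the steps above plus Get-SmbClientCertificateMapping and Get-SmbClientAccessToServer, which are assumed to exist alongside them.

```powershell
# Added example, not part of the original post. Placeholder values below must be
# replaced with your own; cmdlets other than those shown in the tutorial are assumed.
param(
    [string]$Subject      = 'CN=client01.example.test',   # placeholder subject
    [string]$Namespace    = 'fs1.example.test',            # placeholder SMB over QUIC namespace
    [string]$ServerName   = 'fs1',                         # placeholder server name
    [int]   $MinDaysValid = 30                             # refuse certs expiring sooner than this
)

# Step 1: select exactly one usable client certificate. More than one match is a
# configuration error, so fail instead of silently picking the first.
$matches = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($Subject) -and $_.HasPrivateKey })
if ($matches.Count -ne 1) {
    throw "Expected one certificate with subject '$Subject' and a private key, found $($matches.Count)."
}
$clientCert = $matches[0]

# Guard against the renewal pitfall: an expired or nearly expired certificate
# will stop working and should be renewed before it is allow-listed.
$daysLeft = [int]($clientCert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $MinDaysValid) {
    throw "Certificate $($clientCert.Thumbprint) expires in $daysLeft day(s); renew it first."
}

# Step 2 (client side): derive the SHA-256 identifier and map the certificate to
# the namespace. The mapping is only created if one does not already exist.
$sha256 = $clientCert.GetCertHashString('SHA256')
$existing = Get-SmbClientCertificateMapping | Where-Object { $_.Namespace -eq $Namespace }
if (-not $existing) {
    New-SmbClientCertificateMapping -Namespace $Namespace -Thumbprint $clientCert.Thumbprint -StoreName My
}
Write-Host "Client identifier for $Subject (SHA256): $sha256"

# Step 3 (run on the SMB server): allow this specific certificate hash and read
# back the resulting access list so the change can be verified before testing.
Invoke-Command -ComputerName $ServerName -ArgumentList $ServerName, $sha256 -ScriptBlock {
    param($Name, $Hash)
    Grant-SmbClientAccessToServer -Name $Name -IdentifierType SHA256 -Identifier $Hash
    Get-SmbClientAccessToServer -Name $Name
}
```

Step 4 (the connection test) is then the same New-SmbMapping command shown above, run from the client whose certificate was just allow-listed.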
Best Practices & Pitfalls
✅ Do
- Implement strict client access control using certificate-based authentication to ensure only authorized devices can access SMB over QUIC.
- Test your settings in a non-production environment before deploying them into production.
❌ Don’t
- Rely solely on firewall rules—certificate-based client control provides end-to-end protection.
- Ignore certificate renewal—expired certificates can cause access disruptions or introduce security vulnerabilities.
Conclusion
With SMB over QUIC client access control, administrators can enforce stricter security policies while maintaining seamless remote file access. By leveraging certificate-based authentication, organizations gain fine-grained control over which devices can connect without modifying existing authentication methods.
Raphael Barki, Head of Marketing, Visuality Systems