Introduction
As part of Microsoft’s ongoing security initiative, SMB over QUIC was initially introduced in Windows Server 2022 but was restricted to the Azure Edition. With the release of Windows Server 2025, SMB over QUIC is now available in Datacenter and Standard editions, in addition to Azure Edition. This expansion provides enterprises with a secure, VPN-less alternative for remote file access, leveraging TLS 1.3 encryption over QUIC instead of traditional TCP.
This tutorial explains how to set up an SMB over QUIC server, configure the necessary TLS certificate, and connect from a Windows 11 client. A step-by-step video tutorial is embedded below.
What is SMB over QUIC?
SMB over QUIC is a modern alternative to TCP-based SMB, designed for secure file sharing over untrusted networks such as the Internet. It replaces TCP/445 with UDP/443 and carries the SMB session inside a TLS 1.3 tunnel established by QUIC. The server proves its identity to the client with an X.509 certificate, so a client will not exchange SMB traffic with a host it cannot verify; user authentication still happens inside the tunnel with the normal SMB mechanisms (Kerberos, or NTLM as a fallback), so user credentials are not replaced by certificates, only hidden from the network. All SMB traffic, including authentication, multichannel, and compression, is therefore encrypted, and because the transport is UDP/443 it passes through edge firewalls that block TCP/445. The user experience remains unchanged.
Learn more about SMB over QUIC Use Cases and Applications.
SMB over QUIC Server – Before the Change
Prior to Windows Server 2025, SMB over QUIC was only available in Windows Server 2022 Azure Edition. Organizations using standard or datacenter editions had to rely on traditional SMB over TCP/445, requiring VPNs for secure remote access.
SMB over QUIC Server – After the Change
With Windows Server 2025, SMB over QUIC is now available in Datacenter and Standard editions. This allows more enterprises to deploy a secure, VPN-less SMB solution, protecting SMB traffic with end-to-end encryption over TLS 1.3.
Configuring SMB over QUIC on the Server
To enable SMB over QUIC, the server needs a server-authentication X.509 certificate (an ordinary TLS server certificate; TLS 1.3 is the protocol version QUIC negotiates, not a property of the certificate) installed together with its private key in the local machine's Personal store, and the certificate's thumbprint is used to bind it to the SMB server. Microsoft requires the certificate to carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a SAN DNS entry for the name clients will use to connect.
Run the following PowerShell command to create the necessary SMB Server Certificate Mapping:
> New-SmbServerCertificateMapping -Name <server FQDN> -Thumbprint <certificate thumbprint> -StoreName My
Where:
- FQDN = Fully Qualified Domain Name (e.g., hostname.domain.com)
- Thumbprint = The thumbprint of that certificate, which must be installed with its private key in the local machine's Personal store (Cert:\LocalMachine\My, which is what -StoreName My refers to)
Important: The certificate must chain to a CA the client trusts and include a Subject Alternative Name (SAN) DNS entry matching the FQDN clients use to reach the server; a name mismatch or an untrusted issuer makes the TLS handshake, and therefore the connection, fail.
Connecting from a Windows 11 Client
Once the server is configured, a Windows 11 client can map a share over QUIC with net use. /transport:QUIC selects QUIC explicitly instead of letting the client choose the transport, and /p:n (persistent:no) keeps the mapping from being recreated at the next logon. The example maps the administrative c$ share, which requires administrator rights on the server; an ordinary share name works the same way:
> net use * \\<server FQDN>\c$ /p:n /transport:QUIC
If successful, the output confirms that the drive is connected:
Drive Z: is now connected to \\<server FQDN>\c$.
The command completed successfully.
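The server-side and client-side steps above, carried through as one PowerShell script. This is an added example, not code from the original post or from Visuality Systems; it assumes a hypothetical server FQDN of fs01.corp.example.com and a share named data, and it adds the checks a practitioner wants before binding a certificate: private key present, not expired, Server Authentication EKU, a SAN DNS entry for the FQDN, and no IP-address SAN.

```powershell
# Added example, not code from the original post: certificate check, server binding
# and client mapping for SMB over QUIC. Hypothetical names: fs01.corp.example.com
# (server FQDN) and "data" (share); substitute your own.
#Requires -RunAsAdministrator

# ============ Server side: run on the Windows Server 2025 file server ============
$Fqdn = 'fs01.corp.example.com'

# Parse the Subject Alternative Name extension (OID 2.5.29.17) into Type/Value pairs.
# Format($true) emits one entry per line, e.g. "DNS Name=fs01.corp.example.com"
# or "IP Address=203.0.113.10" (labels are English on an en-US system).
function Get-SanEntry {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $san) { return @() }
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line.Trim()) {
            $type, $value = $line.Trim() -split '=', 2
            [pscustomobject]@{
                Type  = $type.Trim()
                Value = if ($value) { $value.Trim() } else { '' }
            }
        }
    }
}

# Return the reasons a certificate is NOT usable for SMB over QUIC; nothing returned = OK.
function Test-SmbQuicCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Fqdn
    )
    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key not present' }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'missing Server Authentication EKU' }
    $san = @(Get-SanEntry -Certificate $Certificate)
    if (-not ($san | Where-Object { $_.Type -eq 'DNS Name' -and $_.Value -eq $Fqdn })) {
        $problems += "SAN has no DNS Name entry for $Fqdn"
    }
    if ($san | Where-Object { $_.Type -eq 'IP Address' }) {
        $problems += 'SAN contains an IP address (clients that connect by IP fall back to NTLM)'
    }
    return $problems
}

# Pick the newest certificate in the machine Personal store (-StoreName My) that passes every check.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Sort-Object NotAfter -Descending |
    Where-Object { -not (Test-SmbQuicCertificate -Certificate $_ -Fqdn $Fqdn) } |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $Fqdn in Cert:\LocalMachine\My" }

# Make sure the QUIC listener is on (it is by default), bind the certificate, and show the mapping.
Set-SmbServerConfiguration -EnableSMBQUIC $true -Confirm:$false
New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $cert.Thumbprint -StoreName My -Confirm:$false
Get-SmbServerCertificateMapping | Format-Table Name, Thumbprint, StoreName -AutoSize

# ============ Client side: run on the Windows 11 client ============
$Fqdn = 'fs01.corp.example.com'
# -TransportType QUIC pins the transport to UDP/443 instead of letting the client choose;
# this is the PowerShell form of:  net use Z: \\fs01.corp.example.com\data /transport:QUIC
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$Fqdn\data" -TransportType QUIC
Get-SmbMapping -LocalPath 'Z:'
# Kerberos needs a name-based SPN; if this ticket request fails, the session is
# almost certainly falling back to NTLM.
klist get "cifs/$Fqdn"
```

The certificate selection deliberately refuses a certificate with an IP-address SAN rather than merely warning, because once such a certificate is bound, clients can connect by address and silently downgrade to NTLM.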
Best Practices & Pitfalls
✅ Dos
- Use Active Directory domains for SMB over QUIC.
- Keep the default UDP/443 inbound setting unless a change is necessary.
- Use read-only domain controllers where applicable.
❌ Don’ts
- Do not allow TCP/445 inbound to the file server from the Internet or any other untrusted network; exposing only UDP/443 is what makes the VPN-less design safe.
- Avoid putting IP addresses in the certificate's SANs. An IP SAN lets clients connect by address, and a connection by IP address cannot use Kerberos (which needs a name-based SPN), so it falls back to NTLM instead of the stronger Kerberos authentication.
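The firewall side of the Dos and Don'ts above, as an added example that is not part of the original post: it keeps UDP/443 open, adds an explicit block for TCP/445 on the Public and Private profiles, and then audits every enabled inbound allow rule for one that still covers TCP/445. The rule display names are hypothetical.

```powershell
# Added example, not code from the original post: firewall rules that implement the
# Dos/Don'ts above on the file server, plus an audit that reports any enabled inbound
# rule still allowing TCP/445. Rule display names are hypothetical.
#Requires -RunAsAdministrator

function Set-SmbQuicFirewallPosture {
    # SMB over QUIC listens on UDP/443 only; no TCP/443 rule is needed.
    if (-not (Get-NetFirewallRule -DisplayName 'SMB over QUIC inbound (UDP 443)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SMB over QUIC inbound (UDP 443)' -Direction Inbound `
            -Protocol UDP -LocalPort 443 -Action Allow -Profile Any | Out-Null
    }
    # Explicit block rules take precedence over allow rules in Windows Defender Firewall,
    # so this overrides the built-in "File and Printer Sharing (SMB-In)" allow on the
    # Public and Private profiles while leaving TCP/445 available on the Domain profile (LAN).
    if (-not (Get-NetFirewallRule -DisplayName 'Block SMB TCP 445 inbound (non-domain)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block SMB TCP 445 inbound (non-domain)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Public, Private | Out-Null
    }
}

# List enabled inbound allow rules whose port filter covers TCP/445 (explicit port,
# a range containing 445, or "Any"), so leftover exposure is visible per profile.
function Get-Tcp445AllowRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'TCP') { return }
        $covers = foreach ($p in @($filter.LocalPort)) {
            if ($p -eq 'Any' -or $p -eq '445') { $true }
            elseif ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 445 -and [int]$Matches[2] -ge 445) { $true }
        }
        if ($covers) { $rule | Select-Object DisplayName, Profile, Enabled }
    }
}

Set-SmbQuicFirewallPosture
# The rules only matter if the firewall is on for each profile.
Get-NetFirewallProfile | Format-Table Name, Enabled -AutoSize
# Anything listed here still admits TCP/445; review the Profile column before exposing the server.
Get-Tcp445AllowRule | Format-Table -AutoSize
```

The audit is intentionally separate from the rule creation: the built-in SMB-In allow rules remain in place and are simply overridden by the block, so the report is what shows you whether an administrator later removed the block or widened a rule to Any.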
Conclusion
With Windows Server 2025, SMB over QUIC is no longer limited to Azure Edition, enabling broader adoption of secure, VPN-less SMB access. Organizations should configure TLS 1.3 certificates properly and follow best practices to maximize security.
Learn more: Visuality Systems’ QUIC Add-on – Enabling SMB over QUIC for YNQ and jNQ.
For any SMB-related needs, contact us. Visuality Systems—The SMB Protocol Experts.
Raphael Barki, Head of Marketing, Visuality Systems