One of the main new features of Windows Server 2022 is SMB over QUIC. QUIC serves as an alternative to TCP and RDMA, providing a secure connection to a file server over untrusted networks. This protocol is based on UDP and TLS 1.3, enhancing the security and performance of file shares. Windows Server 2025 will include it in all editions, along with the new QUIC Client Access Control. QUIC has been exclusive to the Azure Edition until now.

A major advantage of QUIC is its mandatory certificate-based encryption. SMB over QUIC is like an SMB VPN for users working remotely. The server certificate creates a TLS 1.3 encrypted tunnel via UDP port 443. SMB traffic, including authentication, is not exposed to the underlying network.

Transport options for Server Message Block (SMB)

Within the QUIC tunnel, SMB behaves as usual from the user's point of view, and features such as multi-channel and compression are still available.

SMB over QUIC as the preferred protocol in the future

Due to these characteristics, Microsoft has positioned SMB over QUIC as a feature for edge servers, i.e., file servers running in the cloud or DMZ accessible over the internet. This was the reason for restricting QUIC support to the Azure Edition, which runs in the Microsoft Cloud or on-premises on Azure Stack HCI.

The announcement of SMB over QUIC for Windows Server 2025 aligns with the overall repositioning of the feature as a secure alternative to SMB over TCP. It hardens file servers even for internal use, and protects NTLM credentials against leakage. As a result, QUIC will become the preferred transport mechanism for SMB.

QUIC Client Access Control

Compared to the implementation in Windows Server 2022, there is a new feature that allows restricting access to file servers via QUIC to certain clients. Currently, a server accepts all clients whose certificate chains up to the same root certificate as the one used for QUIC on the server.

The new restriction is also based on certificates. Admins add the thumbprints of client certificates to a list of trusted devices on the server. When a computer connects, the server decides, based on the certificate the client presents, whether that client is authorized for access.

In large environments, maintaining the thumbprints of all client certificates on the server could be tedious. Therefore, QUIC Client Access Control also supports SAN certificates, which can include the names of multiple hosts.

Activating SMB over QUIC

The Windows Server Insider Preview Build 25997 includes SMB over QUIC for all editions, including Standard and Datacenter. By default, the feature is disabled and must be enabled by the server admin. Clients cannot enforce the use of the protocol.

The tools for activating SMB over QUIC remain the Windows Admin Center (WAC) and PowerShell. The current version of WAC is still limited to the Azure Edition for this task and denies QUIC configuration for other OS editions.

Enabling SMB over QUIC in the Windows Admin Center

In PowerShell, the cmdlets responsible for this task are New-SmbServerCertificateMapping and Set-SmbServerConfiguration (see also: How to use SMB over QUIC in Windows Server 2022).
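The server-side steps described above, as an added PowerShell example that is not taken from the article or from Microsoft's documentation: it binds the server certificate, enables QUIC, and then applies the Client Access Control described in the previous section. The host name, share name and thumbprint are placeholders; Grant-SmbClientAccessToServer, Get-SmbClientAccessToServer and the -RequireClientAuthentication parameter are the cmdlets Microsoft documents for the Windows Server 2025 preview and are assumed to exist in the build you run this on.

```powershell
# Added example (not from the article): enable SMB over QUIC on a file server
# and restrict QUIC access to known client certificates. All names and
# thumbprints below are placeholders. Run in an elevated PowerShell session.

$ServerName = 'fs01.corp.example'   # FQDN the clients will use; must match the certificate

# Pick a server certificate with a private key whose subject matches the server name.
$ServerCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($ServerName) } |
    Select-Object -First 1
if (-not $ServerCert) { throw "No certificate with a private key for $ServerName in LocalMachine\My" }

# 1. Bind the certificate to the server name. This is what creates the TLS 1.3 listener on UDP/443.
New-SmbServerCertificateMapping -Name $ServerName -Thumbprint $ServerCert.Thumbprint -StoreName My

# 2. Turn on QUIC on the SMB server. TCP stays enabled; disable it separately only once
#    every client can reach the server via QUIC.
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force

# 3. Client Access Control (Windows Server 2025 preview): allow only listed client
#    certificates. The thumbprint placeholder comes from the client's own certificate
#    (Cert:\LocalMachine\My on that client); repeat for each trusted device.
$ClientThumbprint = '0000000000000000000000000000000000000000'   # placeholder
Grant-SmbClientAccessToServer -Name $ServerName -IdentifierType SHA256 -Identifier $ClientThumbprint

# Enforce the list: without this flag the server still accepts any certificate that chains
# to the same root.
Set-SmbServerCertificateMapping -Name $ServerName -RequireClientAuthentication $true -Force

# 4. Verify the result: QUIC enabled, mapping present, access list populated.
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC
Get-SmbServerCertificateMapping | Format-Table Name, Thumbprint, RequireClientAuthentication
Get-SmbClientAccessToServer -Name $ServerName

# Client-side check (run on a client that holds a granted certificate): force the QUIC
# transport explicitly so a silent fallback to TCP does not mask a broken QUIC setup.
# New-SmbMapping -LocalPath 'Q:' -RemotePath "\\$ServerName\share" -TransportType QUIC
```

If the client-side mapping fails while a plain TCP mapping succeeds, check the certificate mapping and the UDP/443 firewall rule on the server before touching the access list.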

Checking the status of SMB over QUIC in PowerShell

Summary

Microsoft initially positioned SMB over QUIC, introduced with Windows Server 2022, exclusively for accessing file servers via the internet. It was therefore only available in the Azure Edition. However, the enhanced security of the QUIC protocol also benefits purely on-prem environments.

For this reason, all editions of Windows Server 2025 support the QUIC tunnel for SMB. The company hinted that this will be the preferred transport for SMB in the future.

In addition to making SMB over QUIC available in all Windows Server 2025 editions, Microsoft ships Client Access Control, which allows access to a file server to be restricted to specific devices.

2 Comments

  1. SMB over the Internet is a huge security risk, so the SMB over QUIC will be significantly helpful, I think.
     Thank you for sharing the update.

  2. Scott- Mark2.tech, 1 week ago

    Agreed. This is a move in the right direction. I think our security filtering on both endpoint and edge firewalls will need to be updated to filter QUIC protocols. Good to be moving forward on ‘secure by design’ instead of features that don’t matter.

© 4sysops 2006 - 2023