- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
- Windows Server 2025 will support SMB over QUIC in all editions - Fri, Nov 17 2023
- Switch between Windows Terminal and the legacy console - Thu, Nov 16 2023
A major advantage of QUIC is its mandatory certificate-based encryption. SMB over QUIC is like an SMB VPN for users working remotely. The server certificate creates a TLS 1.3 encrypted tunnel via UDP port 443. SMB traffic, including authentication, is not exposed to the underlying network.
Within the QUIC tunnel, SMB behaves as usual from the user's point of view, and features such as multi-channel and compression are still available.
SMB over QUIC as the preferred protocol in the future
Due to these characteristics, Microsoft has positioned SMB over QUIC as a feature for edge servers, i.e., file servers running in the cloud or DMZ accessible over the internet. This was the reason for restricting QUIC support to the Azure Edition, which runs in the Microsoft Cloud or on-premises on Azure Stack HCI.
The announcement of SMB over QUIC for Windows Server 2025 aligns with the overall repositioning of the feature as a secure alternative to SMB over TCP. It hardens file servers even for internal use, and protects NTLM credentials against leakage. As a result, QUIC will become the preferred transport mechanism for SMB.
QUIC Client Access Control
Compared to the implementation in Windows Server 2022, there is new a feature that allows restricting access to file servers via QUIC to certain clients. Currently, a server accepts all clients whose certificate chains up to the same root certificate as the one used for QUIC on the server.
The new restriction is also based on certificates. Admins add the fingerprints of client certificates to a list of trusted devices on the server. When a computer connects to the server, it can decide, based on the transmitted certificate information, whether the client is authorized for access.
In large environments, maintaining the thumbprints of all client certificates on the server could be tedious. Therefore, QUIC Client Access Control also supports SAN certificates, which can include the names of multiple hosts.
Activating SMB over QUIC
The Windows Server Insider Preview Build 25997 includes SMB over QUIC for all editions, including Standard and Datacenter. By default, the feature is disabled and must be enabled by the server admin. Clients cannot enforce the use of the protocol.
The tools for activating SMB over QUIC remain the Windows Admin Center (WAC) and PowerShell. The current version of WAC is still limited to the Azure Edition for this task and denies QUIC configuration for other OS editions.
In PowerShell, the cmdlets responsible for this task are New-SmbServerCertificateMapping and Set-SmbServerConfiguration (see also: How to use SMB over QUIC in Windows Server 2022).
Microsoft initially positioned SMB over QUIC, introduced with Windows Server 2022, exclusively for accessing file servers via the internet. It was therefore only available in the Azure Edition. However, the enhanced security of the QUIC protocol also benefits purely on-prem environments.
For this reason, all editions of Windows Server 2025 support the QUIC tunnel for SMB. The company hinted that this will be the preferred transport for SMB in the future.
Subscribe to 4sysops newsletter!
In addition to making SMB over QUIC available for all Windows Server 2025 editions, they ship with Client Access Control, allowing access to a file server to be restricted to specific devices.