SMB over QUIC: Comprehensive Guide to Setup and Configuration in Windows Server

Introduction to SMB over QUIC

In hybrid work environments, file sharing needs to be fast, secure, and reliable, even over an unpredictable internet connection. SMB over QUIC offers all three by combining the file sharing features of SMB with the QUIC transport protocol. The result is a more modern, secure, and VPN-free method of accessing file shares.

 

What is SMB over QUIC?

SMB over QUIC allows secure, VPN-less access to file shares over the internet using UDP port 443 (QUIC protocol) instead of traditional TCP 445. It’s encrypted using TLS 1.3 and is ideal for remote workers or hybrid environments.

 

How SMB over QUIC is Different from Traditional SMB

| Feature | Traditional SMB | SMB over QUIC |
|---|---|---|
| Transport Protocol | TCP/UDP | QUIC (UDP-based) |
| Encryption | Optional (via SMB Encryption) | Mandatory (TLS 1.3) |
| NAT Traversal | Limited | Excellent (works behind firewalls) |
| VPN Requirement | Often Yes | No VPN Needed |
 

Prerequisites 

  1. Windows Server 2025 (all editions) or Windows Server 2022 Datacenter: Azure Edition.
  2. The SMB server and client must be joined to an Active Directory domain, or the client must have a local user account on the SMB server. The SMB server must have access to at least one domain controller for authentication, but no domain controller requires any internet access. We recommend using SMB over QUIC with Active Directory domains; however, it isn’t required. You can also use SMB over QUIC on a workgroup-joined server with local user credentials and NTLM.
  3. Your server must be accessible to clients on its public interface by adding a firewall allow rule to allow SMB over QUIC. By default, SMB over QUIC uses UDP/443 inbound. Do not allow TCP/445 inbound to the file server.
  4. The file server must have access to at least one domain controller for authentication.
  5. DNS record for the server’s FQDN.
  6. A valid TLS certificate trusted by clients (issued by internal CA or public CA).
  7. Administrative privileges or equivalent for the SMB server you’re configuring.
  8. Windows 11 or later is required for client access.

How to Deploy SMB over QUIC 

 

Step 1: Install the SSL & root Certificates on the server

 
SMB over QUIC requires TLS 1.3 and will not function unless the client fully trusts the server’s certificate. QUIC client computers must trust the full certificate chain.

Install the root certificate if it is not already installed.

Install the certificate file with the .p7b (PKCS #7) extension that you received from the CA. It contains the public certificate and the intermediate chain, which the client may need to validate the server’s identity. The .p7b file is not used directly for QUIC, but installing it is an important step in setting up a valid and trusted certificate chain on the server.

Follow the screenshots to install the certificates. Double-click both files and install them one by one:

  • Root certificate
  • PKCS #7 certificate (.p7b)

Install all three certificates one by one (original server certificate + chain): double-click each certificate and install it. While installing, select “Automatically select the certificate store based on the type of certificate” in the import wizard.

Verify the installed certificate chain.

Open Run, type “certlm.msc” and press Enter, then go to Certificates - Local Computer > Personal > Certificates. Double-click the server’s own certificate (server FQDN, Servername.vlookuphub.com) and go to the Certification Path tab.

Check the certificate chain: no certificate in it should show a cross mark. All certificates should show as valid and OK.
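The same chain check can be scripted so it is repeatable before the certificate is mapped. The following is an added example, not part of the original article: it reports, for every certificate in the local computer's Personal store, whether it has a private key, is inside its validity period, lists the Server Authentication EKU, and passes chain and name validation for the server's FQDN. The name `fileserver.example.com` is a placeholder.

```powershell
# Added example: scripted version of the certlm.msc chain check in Step 1.
# $Fqdn is a placeholder (assumption); use the name clients will connect to.
$Fqdn          = 'fileserver.example.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$now           = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Test-Certificate builds the chain and matches the DNS name against the
    # SSL policy, as a TLS client would. It returns $false on failure.
    $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        DnsNames      = $cert.DnsNameList.Unicode -join ', '
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ServerAuthEku = $cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
        ChainAndName  = [bool]$chainOk
    }
}

$report | Format-Table -AutoSize

# A certificate is only worth mapping if every check passes.
$usable = $report | Where-Object {
    $_.HasPrivateKey -and $_.InValidity -and $_.ServerAuthEku -and $_.ChainAndName
}
if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My is usable for $Fqdn"
}
```

This validates trust from the server's point of view only; each client must also have the root and intermediate certificates in its own trust stores.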

 

Step 2: Install the “File Server Role”

Go to Server Manager and install the role as shown in the following screenshot.

Reboot the server if required to finish the installation.

 

Step 3: Configure SMB over QUIC 

 
List the certificates in the local computer’s certificate store by running the following PowerShell command:

Get-ChildItem -Path Cert:\LocalMachine\My

To view the details of each certificate, including its hash (thumbprint), run:

Get-ChildItem -Path Cert:\LocalMachine\My | fl *

Run the following command to store the certificate in a variable. Replace <subject name> with the subject name of the certificate you want to use.

$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Match "<subject name>"}

Verify the certificate matches the one you want to use by running the following command:

$serverCert

Enable SMB over QUIC and map the certificate. To enable SMB over QUIC using the certificate thumbprint of the matched certificate, run the following command. Make sure to replace <server FQDN> with the fully qualified domain name of the SMB over QUIC server.

New-SmbServerCertificateMapping -Name <server FQDN> -ThumbPrint $serverCert.Thumbprint -StoreName My

The output of the commands above should match this screenshot.
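Once the mapping is created, it is worth confirming both the mapping and the firewall posture described in prerequisite 3 (UDP/443 allowed, TCP/445 not exposed). The following audit is an added example, not part of the original article; `fileserver.example.com` is a placeholder and the 30-day expiry threshold is an arbitrary assumption.

```powershell
# Added example: audit the server after Step 3. $Fqdn is a placeholder.
$Fqdn = 'fileserver.example.com'

# 1. The mapping must exist and point at a usable certificate.
$mapping = Get-SmbServerCertificateMapping | Where-Object Name -eq $Fqdn
if (-not $mapping) {
    Write-Warning "No SMB over QUIC certificate mapping found for $Fqdn"
} else {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $mapping.Thumbprint
    if (-not $cert) {
        Write-Warning 'Mapped thumbprint is not present in LocalMachine\My'
    } elseif (-not $cert.HasPrivateKey) {
        Write-Warning 'Mapped certificate has no private key'
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Mapped certificate expires on $($cert.NotAfter)"
    }
}

# 2. Collect the port filter of every enabled inbound allow rule.
$inbound = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$byPort = foreach ($rule in $inbound) {
    $pf = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Profile   = $rule.Profile
        Protocol  = $pf.Protocol
        LocalPort = $pf.LocalPort
    }
}

# UDP/443 must be allowed for QUIC clients to reach the server.
$quicRules = $byPort | Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -contains '443' }
if (-not $quicRules) {
    Write-Warning 'No enabled inbound allow rule for UDP/443 was found'
}

# TCP/445 should not be reachable from the internet: review every rule listed
# here and make sure none applies to the public-facing interface or profile.
$byPort | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
    Format-Table Rule, Profile, LocalPort -AutoSize
```

The script only reports; it checks the Windows host firewall and says nothing about rules on a perimeter firewall or cloud network security group in front of the server.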

Step 4: Test mapping connectivity

 
On a non-OS drive of the server, create a temporary shared folder with permissions for testing.

Test mapping a network drive using the QUIC transport.

Using an elevated command prompt:

NET USE \\<server FQDN>\<sharefolder name> /TRANSPORT:QUIC

Using elevated PowerShell:

New-SmbMapping -RemotePath \\<server FQDN>\<sharefolder name> -TransportType QUIC

Example: New-SmbMapping -LocalPath 'Z:' -RemotePath '\\vlookuphubcomp.contoso.com\sales' -TransportType QUIC

Execute the above command in elevated PowerShell.

If the output matches the screenshot above, the share is successfully mapped and SMB over QUIC is working.
 
For more detailed insights, visit the official Microsoft documentation on this topic.