SMB over QUIC Configuration in Windows Server 2022 and later

What is SMB over QUIC?

SMB over QUIC allows secure, VPN-less access to file shares over the internet using UDP port 443 (QUIC protocol) instead of traditional TCP 445. It’s encrypted using TLS 1.3 and is ideal for remote workers or hybrid environments.


Prerequisites:

  1. Windows Server 2022 Datacenter: Azure Edition (Standard edition does not support QUIC)

  2. Any edition of Windows Server 2025 or later

  3. The SMB server and client must be joined to an Active Directory domain, or the client must have a local user account on the SMB server. The SMB server must have access to at least one domain controller for authentication, but no domain controller requires any internet access. We recommend using SMB over QUIC with Active Directory domains, but it isn't required. You can also use SMB over QUIC on a workgroup-joined server with local user credentials and NTLM.

  4. Your server must be accessible to clients on its public interface by adding a firewall allow rule to allow SMB over QUIC. By default, SMB over QUIC uses UDP/443 inbound. Do not allow TCP/445 inbound to the file server.

  5. The file server must have access to at least one domain controller for authentication.

  6. A DNS record for the server's FQDN that clients can resolve.

  7. A valid TLS certificate trusted by clients (issued by internal CA or public CA).

  8. Administrative privileges or equivalent for the SMB server you're configuring.

Deploy SMB over QUIC:

Step 1: Install the certificates on the server:

SMB over QUIC requires TLS 1.3 and will not function unless the client fully trusts the server's certificate. QUIC client computers must trust the full certificate chain.

Install the Root certificate if it is not already installed.

Install the certificate with the .p7b (PKCS #7) file extension that you received from the CA; it contains the public certificate plus the intermediate chain.

A .p7b includes the intermediate certificates that the client may need to validate the server's identity.

It is not used directly by QUIC, but installing it is an important step in setting up a valid and trusted certificate chain on the server.

Follow the screenshot to install the certificates:

Double click on both files and install them one by one.

  • Root Certificate:

  • PKCS #7 Certificate (.p7b)

Install all three certificates one by one (original server certificate + chain): double click on each certificate and install it. While installing, select "Automatically select the certificate store based on the type of certificate" in the import wizard.

Verify the installed certificate chain.

Open Run, type "certlm.msc" and press Enter, then go to Certificates - Local Computer > Personal > Certificates. Double click the server's original certificate (the one issued to the server FQDN, e.g. Servername.vlookuphub.com) and open the Certification Path tab.

Check the certificate chain: it should not show a cross mark on any certificate in the chain. All certificates should show as valid and OK.

Step 2: Install the "File Server Role":

Go to Server Manager and install the File Server role as shown in the following screenshot.

Reboot the server if required to finish the installation.


Step 3: Configure SMB over QUIC:

List the certificates in the server's certificate store by running the following PowerShell command on the file server:

Get-ChildItem -Path Cert:\LocalMachine\My

To see the details of each certificate, including its thumbprint, run:

Get-ChildItem -Path Cert:\LocalMachine\My | fl *

Run the following command to store the certificate in a variable. Replace <subject name> with the subject name of the certificate you want to use.

$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match "<subject name>" }

Verify that the certificate matches the one you want to use by running the following command:

$serverCert

Map the certificate to the SMB server.

To enable SMB over QUIC using the thumbprint of the matched certificate, run the following command. Make sure to replace <server FQDN> with the fully qualified domain name of the SMB over QUIC server.

New-SmbServerCertificateMapping -Name <server FQDN> -Thumbprint $serverCert.Thumbprint -StoreName My

The output of the above commands should look like the following screenshot.



Step 4: Test mapping connectivity.

On a non-OS drive of the server, create a temporary shared folder with share and NTFS permissions for the test user.

Test mapping a network drive using the QUIC transport.

Using an elevated command prompt:

NET USE \\<server FQDN>\<sharefolder name> /TRANSPORT:QUIC

Using elevated PowerShell:

New-SmbMapping -RemotePath \\<server FQDN>\<sharefolder name> -TransportType QUIC

Example: New-SmbMapping -LocalPath 'Z:' -RemotePath '\\vlookuphubcomp.contoso.com\sales' -TransportType QUIC

Execute the above command in elevated PowerShell.

If your output matches the screenshot above, the share is mapped successfully and SMB over QUIC is working.
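The server-side checks of Steps 1 and 3 combined into one script, as an added example that is not part of the original post: it selects the certificate issued for the server FQDN, verifies the chain and the Server Authentication EKU before anything is mapped, creates the mapping, opens only UDP/443 inbound and confirms that QUIC is enabled. The FQDN value and the firewall rule name are placeholders; run it in elevated PowerShell on the file server.

```powershell
# Added example (not from the original post): select, validate and map the
# server certificate for SMB over QUIC in one pass. Run in elevated PowerShell
# on the file server. $Fqdn is a placeholder for the name clients will use.
$Fqdn = 'servername.vlookuphub.com'

# 1. Pick a certificate from the machine Personal store whose subject or SAN
#    matches the FQDN and that has its private key (TLS 1.3 needs it).
$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
        ($_.Subject -like "*CN=$Fqdn*" -or $_.DnsNameList.Unicode -contains $Fqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) { throw "No certificate with a private key found for $Fqdn" }

# 2. Require the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); a client-auth
#    or code-signing certificate will not work for SMB over QUIC.
$eku = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $($serverCert.Thumbprint) lacks the Server Authentication EKU"
}

# 3. Build the chain the way certlm.msc does (Step 1, "no cross marks"): every
#    issuer must be present in the machine Root/Intermediate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; no CRL fetch
if (-not $chain.Build($serverCert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
    throw "Chain validation failed: $reasons"
}
if ($serverCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($serverCert.NotAfter); plan renewal"
}

# 4. Map the certificate to the SMB server and allow only UDP/443 inbound
#    (TCP/445 stays closed to the internet, as the prerequisites require).
New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $serverCert.Thumbprint -StoreName My
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow | Out-Null

# 5. Verify the mapping exists and that QUIC is enabled on the server.
Get-SmbServerCertificateMapping | Where-Object { $_.Name -eq $Fqdn } |
    Format-Table Name, Thumbprint, StoreName
if (-not (Get-SmbServerConfiguration).EnableSMBQUIC) {
    throw 'EnableSMBQUIC is false; run Set-SmbServerConfiguration -EnableSMBQUIC $true'
}
```

After it completes without throwing, run the Step 4 client test from a remote machine to confirm the QUIC transport end to end.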

1 Comment

  1. Does SMB over QUIC support the legacy method to connect to a share?