Blog Post

Storage at Microsoft

SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions

NedPyle
Nov 15, 2023

Heya folks, Ned here again. Starting with Windows Server Insider Preview Build 25997, the SMB over QUIC server feature is now available in Datacenter and Standard editions. This changes the previous behavior where it was only available in Windows Server Azure Edition.


SMB over QUIC

SMB over QUIC introduced an alternative to TCP and RDMA, supplying secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords.


SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and highest-security internal networks. The server certificate creates a TLS 1.3-encrypted tunnel over a UDP port instead of the legacy TCP/445. No SMB traffic - including authentication and authorization - is exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change and capabilities like multichannel and compression continue to work.


A file server administrator must opt in to enable SMB over QUIC; it isn't on by default, and a client can't force a file server to enable it. We recently added an additional option called Client Access Control that lets you further secure the file server through an allow-list for clients.


What changed

In Windows Server 2022, the SMB over QUIC server is limited to Azure Edition machines. Now in Windows Server Insider Preview servers, you can configure SMB over QUIC on all editions, including Datacenter and Standard. There are no additional requirements; it is now just available everywhere. Azure Edition is designed to be a cutting-edge platform for new features and for organizations who want state-of-the-art technology, but it is not a final destination for all of them. Windows 11, Windows Server 2022, Windows Insider clients, and third parties can connect to the server like usual.


Because Windows Admin Center still checks that you're on Azure Edition for now, you'll need to use PowerShell to configure the feature. Follow the configuration steps at https://aka.ms/smboverquic to get your certificate, but skip the WAC steps and use the New-SmbServerCertificateMapping command to set up the server for now:


New-SmbServerCertificateMapping -Name <server FQDN> -Thumbprint <certificate thumbprint> -StoreName My


[Screenshot: PowerShell output of New-SmbServerCertificateMapping]

You can also now specify the SMB over QUIC listening ports, as mentioned in the SMB alternative ports blog post recently. The default is UDP/443 but you can now change it using:


Set-SmbServerAlternativePort -TransportType QUIC -Port <a number between 0 and 65536> -EnableInstances Default


You can then connect to it using that port from a recent Windows 11 Insider client using NET USE /QUICPORT or New-SmbMapping -QuicPort:


[Screenshot: net use /QUICPORT command]
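As an added example (not code from this post, from Microsoft's documentation, or from the SmbShare module itself), here are the server-side steps above and the matching client mapping wrapped in two PowerShell functions, with a certificate sanity check in front of the mapping. All names, the thumbprint, the port and the client-certificate hash are placeholders; the Set-SmbServerCertificateMapping -RequireClientAuthentication and Grant-SmbClientAccessToServer calls are assumed to be the cmdlets behind the Client Access Control option mentioned earlier, and -TransportType QUIC on New-SmbMapping is assumed to request the QUIC transport explicitly.

```powershell
# Added example, not from the original post. Every name, thumbprint, port and
# hash below is a placeholder to replace with your own values.
#Requires -Modules SmbShare

function Initialize-SmbOverQuicServer {
    # Run on the file server as an administrator.
    param(
        [Parameter(Mandatory)][string]$ServerFqdn,   # name clients will type, e.g. fs01.contoso.example (placeholder)
        [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the server cert in Cert:\LocalMachine\My
        [int]$QuicPort = 443,                        # UDP/443 is the default; anything else uses the alternative-port cmdlet
        [string]$AllowedClientCertSha256 = ''        # optional: SHA-256 hash of one client cert to allow-list (placeholder)
    )

    # 1. Validate the certificate before mapping it. A cert without a private
    #    key, without the Server Authentication EKU, or with a SAN that does not
    #    match $ServerFqdn only shows up later as a TLS 1.3 handshake failure on
    #    the client, which is much harder to diagnose than a clear error here.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        throw "Certificate $Thumbprint lacks the Server Authentication EKU"
    }
    # Exact SAN match; a wildcard certificate would need a looser comparison.
    if ($cert.DnsNameList.Unicode -notcontains $ServerFqdn) {
        throw "Certificate SAN does not include $ServerFqdn; clients would reject it"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now"
    }

    # 2. The mapping step shown in the post.
    New-SmbServerCertificateMapping -Name $ServerFqdn -Thumbprint $Thumbprint -StoreName My

    # 3. Optional alternative UDP port, also shown in the post.
    if ($QuicPort -ne 443) {
        Set-SmbServerAlternativePort -TransportType QUIC -Port $QuicPort -EnableInstances Default
    }

    # 4. Optional Client Access Control: require a client certificate and
    #    allow-list one by its SHA-256 hash (assumed cmdlets for the feature
    #    the post mentions; the hash value is a placeholder).
    if ($AllowedClientCertSha256) {
        Set-SmbServerCertificateMapping -Name $ServerFqdn -RequireClientAuthentication $true
        Grant-SmbClientAccessToServer -Name $ServerFqdn -IdentifierType SHA256 -Identifier $AllowedClientCertSha256
    }

    # 5. Return the resulting mapping so the caller can inspect it.
    Get-SmbServerCertificateMapping | Where-Object Name -eq $ServerFqdn
}

function Connect-SmbOverQuicShare {
    # Run on a Windows 11 client. -TransportType QUIC (assumed) asks for QUIC
    # explicitly, so a mapping that quietly came up over TCP/445 is not mistaken
    # for a QUIC one. Deliberately no -SkipCertificateCheck: that switch removes
    # the server identity check the whole design rests on.
    param(
        [Parameter(Mandatory)][string]$ServerFqdn,
        [Parameter(Mandatory)][string]$ShareName,
        [string]$LocalPath = 'Z:',
        [int]$QuicPort = 443
    )
    New-SmbMapping -LocalPath $LocalPath -RemotePath "\\$ServerFqdn\$ShareName" `
        -TransportType QUIC -QuicPort $QuicPort
}

# Usage (placeholder values):
# Initialize-SmbOverQuicServer -ServerFqdn 'fs01.contoso.example' -Thumbprint '<thumbprint>' -QuicPort 4433
# Connect-SmbOverQuicShare -ServerFqdn 'fs01.contoso.example' -ShareName 'share$' -QuicPort 4433
```

The certificate checks are the part worth keeping even if you run the mapping command by hand: the post's model is that the server certificate, not a password, is what the client trusts, so a certificate the client cannot validate is the most common reason an otherwise correct configuration fails.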

Final Notes

As mentioned in the SMB alternative ports blog post recently, you will also be able to configure SMB over QUIC to listen on a UDP port other than the default 443. Look for this option in a coming Windows Server Insiders release.


This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:


For more information on securing SMB on Windows in-market, check out:


Until next time,


Ned Pyle

Updated Jul 02, 2024
Version 3.0
  •
    Wes808
    Brass Contributor

    Howdy Ned, hope you're doing well.


    I have been testing SMB over QUIC on Server 2025 for some time now. Haven't had any real issues. My main test has been from my own machine, which is native Entra-joined, so AD isn't aware of it of course. My user account is hybrid, however.


    This has worked fine, I can connect via UNC or drive mapping to \\server.externaldomain.com\share$ without issue. A couple days ago I configured WHFB on my machine - previously was just using password auth to log in. I've now noticed that if I sign into the machine using Hello, the SMB over QUIC share cannot be accessed. If I sign out and back in via password, it works fine again.


    When it fails (after using Hello) I get "The system cannot contact a domain controller to service the authentication request. Please try again later."


    Any thoughts on what (if there's anything) I can do to alleviate this? I'm guessing it's something to do with password auth working with hybrid password hash auth, but maybe Hello doesn't have something compatible to pass on-prem? (over my head!)

    Thanks!

  • Wes808 that is very interesting (in a bad way). Do you mind emailing me or DMing me about this, I'd like to collect some data from you and don't want that shared here. My email is nedpyle at microsoft dot com, or send me a message here in Tech Community.

  •
    krasiaa123
    Copper Contributor

    Pretty great, but... SMB over QUIC behind Web Application Proxy?

    The idea behind the question is multiple SMB servers with QUIC enabled behind NAT, using single public IPv4 address, with multiple different subdomains with SNI.

    Using SMB alternative ports will not be a feasible solution in the current situation.

    Any possibility to implement that without third-party tools?