How to Configure SMB over QUIC for Secure Windows File Sharing Without VPN

Start by installing the File Server role on your Windows Server 2025. This provides the foundation for SMB services and includes the necessary management tools.

Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools

This command installs the File Server role with all management tools. The installation typically takes 2-3 minutes and may require a restart depending on your server configuration.

Get-WindowsFeature -Name FS-FileServer

You should see Install State: Installed in the output.

SMB over QUIC requires a valid TLS certificate with a Subject Alternative Name (SAN) that matches your public FQDN. You can use certificates from public CAs like Let's Encrypt, DigiCert, or your internal CA.

If using a public CA, request a certificate for your server's public hostname (e.g., fileserver.example.com). For this tutorial, we'll assume you have a certificate file ready to import.

Import the certificate into the Local Machine certificate store:

# Import certificate from PFX file
$certPassword = ConvertTo-SecureString "YourCertPassword" -AsPlainText -Force
Import-PfxCertificate -FilePath "C:\Certificates\fileserver.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $certPassword

After importing, get the certificate thumbprint which you'll need for the next steps:

Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*fileserver.example.com*"} | Select-Object Thumbprint, Subject

Create a public DNS record that resolves your chosen hostname to your server's public IP address or load balancer. This hostname must match the SAN in your TLS certificate.

For example, if your server's public IP is 203.0.113.45 and your certificate is for fileserver.example.com, create an A record:

fileserver.example.com.    IN    A    203.0.113.45

Test DNS resolution from a client machine:

nslookup fileserver.example.com

Configure Windows Firewall to allow UDP 443 inbound and block TCP 445 on the public interface:

# Allow UDP 443 for SMB over QUIC
New-NetFirewallRule -DisplayName "SMB over QUIC" -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow

# Block TCP 445 on public interface (replace "Public" with your public interface name)
New-NetFirewallRule -DisplayName "Block SMB TCP 445 Public" -Direction Inbound -Protocol TCP -LocalPort 445 -InterfaceType Public -Action Block

Get-NetFirewallRule -DisplayName "SMB over QUIC" | Select-Object DisplayName, Enabled, Direction, Action

The rule should show as Enabled: True and Action: Allow.

Now you'll bind your TLS certificate to the SMB server service. This tells Windows which certificate to use for SMB over QUIC connections.

Use the certificate thumbprint you obtained in step 2:

# Replace with your actual certificate thumbprint
$thumbprint = "1234567890ABCDEF1234567890ABCDEF12345678"
Set-SmbServerCertificateMapping -Thumbprint $thumbprint -StoreName My

Verify the certificate mapping is configured correctly:

Get-SmbServerCertificateMapping

This should display your certificate thumbprint and store name. If you see an error about the certificate not being found, double-check that:

• The certificate is in the Local Machine\My store
• The thumbprint is correct (no extra spaces or characters)
• The certificate has not expired

Enable the SMB over QUIC feature on your Windows Server 2025. This is the core configuration that allows SMB traffic to use the QUIC protocol over UDP 443.

Set-SmbServerConfiguration -EnableSMBQUIC $true

When prompted, confirm the change by typing Y and pressing Enter. This setting takes effect immediately without requiring a restart.

Verify that SMB over QUIC is enabled:

Get-SmbServerConfiguration | Select-Object EnableSMBQUIC

You should see EnableSMBQUIC : True in the output.

Check that the SMB server is listening on UDP 443:

Get-NetUDPEndpoint | Where-Object {$_.LocalPort -eq 443}

Restart-Service -Name "Server" -Force

Create the directory structure and SMB shares that will be accessible over QUIC. For this example, we'll create a "Projects" share.

First, create the directory:

New-Item -Path "C:\Shares\Projects" -ItemType Directory -Force

Create the SMB share with appropriate permissions:

New-SmbShare -Name "Projects" -Path "C:\Shares\Projects" -FullAccess "BUILTIN\Administrators" -ChangeAccess "BUILTIN\Users"

Configure additional share-level permissions if needed. For domain environments, you might want to grant access to specific domain groups:

# Example for domain environment
# Grant-SmbShareAccess -Name "Projects" -AccountName "CORP\FileServer-Projects-Modify" -AccessRight Change -Force

Set NTFS permissions on the folder for additional security:

# Grant modify permissions to Users group on the folder
icacls "C:\Shares\Projects" /grant "Users:(OI)(CI)M"

Get-SmbShare -Name "Projects" | Select-Object Name, Path, Description

Test local access to ensure the share works:

Test-Path "\\localhost\Projects"

This should return True if the share is accessible locally.

On your Windows 11 client (version 24H2 or later), enable SMB over QUIC support. This must be done on each client that will access the shares.

Open PowerShell as Administrator on the client machine and enable SMB over QUIC:

Set-SmbClientConfiguration -EnableSMBQUIC $true

Confirm the change when prompted. Verify the setting is enabled:

Get-SmbClientConfiguration | Select-Object EnableSMBQUIC

Ensure the client trusts your server's certificate. If you're using a public CA, this should work automatically. For internal CAs, import the root certificate:

# Only needed for internal CAs
# Import-Certificate -FilePath "C:\Certificates\RootCA.crt" -CertStoreLocation Cert:\LocalMachine\Root

Test connectivity to your server's FQDN:

Test-NetConnection -ComputerName "fileserver.example.com" -Port 443 -InformationLevel Detailed

Now connect to your SMB shares from the Windows 11 client using the QUIC protocol. This is where you'll see the magic happen - secure file sharing over the internet without a VPN.

Map a network drive using the -UseQUIC parameter:

New-SmbMapping -RemotePath "\\fileserver.example.com\Projects" -LocalPath "Z:" -UseQUIC

If prompted for credentials, enter your domain credentials or local account credentials that have access to the share.

Alternatively, you can connect without mapping a drive letter:

New-SmbMapping -RemotePath "\\fileserver.example.com\Projects" -UseQUIC

Verify that the connection is using QUIC protocol:

Get-SmbConnection | Where-Object {$_.ServerName -eq "fileserver.example.com"} | Select-Object ServerName, ShareName, Dialect, Transport, Encrypted

You should see output showing:

• Transport: QUIC
• Encrypted: True
• Dialect: 3.1.1 (SMB 3.1.1)

Test file operations by creating a test file:

"Test content" | Out-File -FilePath "Z:\test.txt"

Perform comprehensive testing to ensure your SMB over QUIC configuration is working correctly and securely. This step validates that you have truly secure, VPN-free file sharing.

Test file operations from the client to ensure full functionality:

# Create a test directory
New-Item -Path "Z:\TestFolder" -ItemType Directory

# Copy a file to test upload performance
Copy-Item -Path "C:\Windows\System32\notepad.exe" -Destination "Z:\TestFolder\notepad_copy.exe"

# Test file download
Copy-Item -Path "Z:\TestFolder\notepad_copy.exe" -Destination "C:\Temp\downloaded_notepad.exe"

Monitor the connection to ensure it remains stable:

Get-SmbConnection | Where-Object {$_.Transport -eq "QUIC"} | Format-Table ServerName, ShareName, Transport, Encrypted, Dialect

Check SMB server statistics to see QUIC connections:

# Run this on the server
Get-SmbConnection | Where-Object {$_.Transport -eq "QUIC"} | Measure-Object

Test from different network locations to ensure internet accessibility. Try connecting from:

• A different internet connection (mobile hotspot)
• A remote office location
• A cloud VM in a different region

Verify encryption is working by checking the connection properties:

Get-SmbConnection | Where-Object {$_.ServerName -eq "fileserver.example.com"} | Select-Object EncryptionMethod, SigningMethod