How to Set Up Windows Server 2019 SMB over QUIC
SMB over QUIC is a feature introduced in Windows Server 2022 that allows SMB 3 file sharing over the QUIC transport protocol (UDP port 443) instead of TCP port 445. While Windows Server 2019 itself does not support the SMB over QUIC server role, Windows Server 2019 clients can connect to Windows Server 2022 or Azure File Sync gateway servers running SMB over QUIC. This guide covers understanding the architecture, configuring Windows Server 2019 as an SMB over QUIC client, and transitional strategies for organizations moving toward SMB over QUIC.
Understanding SMB over QUIC Architecture
QUIC (Quick UDP Internet Connections) is a modern transport protocol built by Google and standardized by the IETF (RFC 9000). QUIC provides multiplexing, connection migration, built-in TLS 1.3 encryption, and zero-RTT connection resumption. When SMB 3 runs over QUIC, all file sharing traffic is encrypted using TLS 1.3, travels over UDP port 443, and bypasses traditional firewall restrictions that block TCP 445.
The primary use case is secure remote access to SMB file shares over the internet or untrusted networks without requiring a VPN. A Windows Server 2022 SMB over QUIC gateway publishes a certificate, and clients authenticate using that certificate to establish the encrypted QUIC connection.
Windows Server 2019 as an SMB over QUIC Client
Windows Server 2019 includes the SMB over QUIC client capability. The client uses the existing SMB stack but transports over QUIC when connecting to a server that advertises QUIC support. Verify the client capability:
# Check SMB client configuration on Windows Server 2019
Get-SmbClientConfiguration | Select-Object EnableSMBQUIC, RequireSecuritySignature, EnableSecuritySignature
# Enable SMB over QUIC on the client (if not already enabled)
Set-SmbClientConfiguration -EnableSMBQUIC $true -Confirm:$false
# Verify the change
Get-SmbClientConfiguration | Select-Object EnableSMBQUICConnecting Windows Server 2019 to an SMB over QUIC Server
When an SMB over QUIC server (Windows Server 2022) is available, Windows Server 2019 clients connect using the standard UNC path. The client automatically negotiates QUIC if the server supports it and the connection traverses a network where UDP 443 is available:
# Map a drive to an SMB over QUIC server
# The server must have a valid TLS certificate for the QUIC endpoint
net use Z: \smb-quic-server.company.comDataShare /user:DOMAINusername
# Or via PowerShell
New-SmbMapping -LocalPath Z: `
-RemotePath "\smb-quic-server.company.comDataShare" `
-UserName "DOMAINusername" `
-Password "SecureP@ss"
# Verify the connection and check transport protocol used
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, TransportName
# If TransportName shows "QUIC" the connection is using SMB over QUIC
# If it shows "TCP" it's using standard SMBPreparing TLS Certificates for SMB over QUIC
The SMB over QUIC server (Windows Server 2022) requires a valid TLS certificate. For Windows Server 2019 clients, configure them to trust the issuing CA. If using an internal PKI:
# On Windows Server 2019 client, add internal CA certificate to trusted roots
# Download the CA certificate from your internal PKI
Invoke-WebRequest -Uri "http://pki.domain.local/ca/InternalRootCA.crt" `
-OutFile "C:CertsInternalRootCA.crt"
# Install the CA certificate to the Trusted Root Certification Authorities store
Import-Certificate -FilePath "C:CertsInternalRootCA.crt" `
-CertStoreLocation "Cert:LocalMachineRoot"
# Verify it was installed
Get-ChildItem -Path "Cert:LocalMachineRoot" |
Where-Object { $_.Subject -like "*InternalRootCA*" }Configuring Windows Firewall on Windows Server 2019 for QUIC
# Allow outbound SMB over QUIC (UDP 443) from Windows Server 2019
New-NetFirewallRule `
-Name "SMB-QUIC-Outbound" `
-DisplayName "SMB over QUIC - Outbound" `
-Direction Outbound `
-Protocol UDP `
-RemotePort 443 `
-Action Allow `
-Profile Domain,Private,Public
# If acting as a relay server, also allow inbound
New-NetFirewallRule `
-Name "SMB-QUIC-Inbound" `
-DisplayName "SMB over QUIC - Inbound" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 443 `
-Action Allow
# Verify rules
Get-NetFirewallRule -Name "SMB-QUIC-*" | Select-Object Name, Enabled, Direction, ActionSetting Up Azure File Sync as an SMB over QUIC Gateway
Azure File Sync with Windows Server 2022 as a cloud endpoint allows Windows Server 2019 to access Azure Files over SMB over QUIC. Configure Azure File Sync gateway:
# Install Azure File Sync agent on the Windows Server 2022 gateway
$afsUrl = "https://aka.ms/afs/agent/Server2022"
Invoke-WebRequest -Uri $afsUrl -OutFile "C:TempStorageSyncAgent.msi"
Start-Process msiexec -ArgumentList "/i C:TempStorageSyncAgent.msi /quiet" -Wait
# Register the sync server with Azure (run interactively for auth)
Register-AzStorageSyncServer `
-ResourceGroupName "FSyncRG" `
-StorageSyncServiceName "MySyncService"
# On Windows Server 2019 client, after the gateway is set up,
# connect to the gateway's SMB over QUIC endpoint
net use M: \ws2022-gateway.company.comAzureFilesShare /user:DOMAINuserMonitoring SMB over QUIC Connections
# Monitor active SMB connections and their transport
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, TransportName, NumOpens
# Check Event Log for SMB over QUIC events
Get-WinEvent -LogName "Microsoft-Windows-SMBClient/Operational" |
Where-Object { $_.Message -like "*QUIC*" } |
Select-Object TimeCreated, Id, Message |
Select-Object -First 20
# Performance counters for SMB client
Get-Counter -Counter "SMB Client Shares(*)*" -SampleInterval 2 -MaxSamples 5Organizations running Windows Server 2019 should plan their migration path to Windows Server 2022 or later to take full advantage of SMB over QUIC server capabilities. In the interim, ensure that Windows Server 2019 clients have the latest cumulative updates applied, as Microsoft has backported some SMB improvements to Windows Server 2019. For remote access scenarios, use VPN or Azure AD Application Proxy until SMB over QUIC server support is available in your environment.
