In short
SMB over QUIC lets you publish a Windows file share directly to the internet on UDP port 443, wrapped in TLS 1.3, with no VPN. In Windows Server 2025 this feature is available in the Standard, Datacenter, and Azure editions, not just Azure Edition like it was in Server 2022. The setup takes seven steps: install the File Server role, open UDP 443, issue a free Let's Encrypt certificate with win-acme, bind it to SMB, create a share, connect from a Windows 11 client with /TRANSPORT:QUIC, and verify the transport. Whole flow runs in about 30 minutes on a fresh Server 2025 install. We tested it live on a Raff Windows Server in Vint Hill, Virginia and have the QuicConnectionCount=1, TcpConnectionCount=0 output to prove it.
Who this guide is for
You want remote workers, branch offices, or contractors to mount a Windows file share over the open internet without standing up a VPN. Common scenarios:
- A 5 to 50 person SMB whose remote employees need a shared drive and you don't want to manage Wireguard or OpenVPN configs
- An MSP serving small businesses with distributed teams, where each client gets its own SMB-over-QUIC file server instead of a VPN appliance
- A digital agency or studio whose contractors need access to project folders but you don't want to issue VPN credentials and revoke them every contract end
- A small dev team that needs a network drive accessible from coffee shops, home offices, and on-the-road laptops with the same UNC path everywhere
If you have strong identity infrastructure already (Entra ID joined laptops, Conditional Access, Intune-managed devices), SMB over QUIC slots in cleanly. If you have none of that, the security boundary is your share permissions plus the strength of the local user passwords on the file server, so think about that before going to production.
This guide does not cover Active Directory Domain Services. We run a workgroup scenario with local Windows user accounts because that matches how most small Raff Server tenants deploy. AD-joined SMB over QUIC works the same way at the protocol level, just with Kerberos inside the QUIC tunnel instead of NTLM.
What you'll need
- A Raff Windows Server 2025 with a public IP. This guide tested on the Production plan ($35.99, 4 vCPU / 8 GB RAM / 120 GB NVMe), which is the right size for a file server with up to 50 active users and a few hundred GB of shared data. Smaller workloads run fine on the Small Business plan ($19.99). Heavy multi-share deployments with large datasets step up to Heavy Workload ($63.99) or Enterprise ($127.99) for the extra storage and RAM.
- Local administrator access to the Raff Server via RDP.
- A registered DNS A record pointing to your server's public IP. Examples in this article use
quic-test.raffusercloud.com. You'll use your own FQDN likefiles.example.com. The Let's Encrypt certificate is issued against this FQDN, so it must resolve publicly before you run win-acme. - Port 80 inbound temporarily to your server's public IP (for the Let's Encrypt HTTP-01 challenge during cert issuance). You can close it again after.
- Port UDP 443 inbound permanently to your server's public IP (this is the SMB over QUIC transport).
- A Windows 11 client (any edition, 24H2 or newer) to test the connection from. We'll come back to this in the "Common misconception" section because it's the single biggest source of bad information online.
- Estimated time: 30 to 45 minutes end-to-end on a fresh VM.
What changed in Windows Server 2025
Three things that matter, if you're coming from older guides written for Server 2022:
- SMB over QUIC is no longer Azure-only. In Server 2022 you needed Azure Edition (which only ran on Azure Stack HCI or in Azure), so for most self-hosters this feature didn't exist. Server 2025 Standard and Datacenter both ship with it. You can run it on any commodity VPS like a Raff Windows Server.
EnableSMBQUICdefaults toTrueon a fresh Server 2025 install. You don't need to enable an optional feature, install a role module specifically for QUIC, or flip any global setting. The File Server role plus a bound certificate is the only configuration needed.- Windows Admin Center (WAC) configuration for SMB over QUIC is not supported on Server 2025 at the time of writing. PowerShell is the only way to configure it. Microsoft's docs confirm this; if you find an older WAC walkthrough, ignore it and use the PowerShell commands in this guide.
About the examples
We tested every command in this guide on a live Raff Windows Server. Specifics:
- Hostname: us-host-723754
- Public IP: 23.26.4.223
- FQDN for the cert: quic-test.raffusercloud.com
- Edition shown in outputs: Windows Server 2025 Standard Evaluation
- Build: 26100 (Server 2025 RTM)
[!NOTE] Why our screenshots show "Evaluation" Our test VM shows
Windows Server 2025 Standard Evaluationin command outputs because we provisioned with the eval image for documentation work. When you order Windows Server 2025 from your Raff dashboard, you have two options. Licensed image: VM ships fully activated, no expiry, ready for production. Evaluation image: free 180-day trial, useful for testing and lab. Activates with a real key any time. SMB over QUIC works identically on both. Pick eval to test, pick licensed when you go to production.
A common misconception: Windows 11 edition requirements
Older guides written in 2022 and 2023 tell you that the SMB over QUIC client requires Windows 11 Enterprise, Education, or Pro for Workstations. This was true at launch.
It is no longer true. Starting with Windows 11 24H2, the SMB over QUIC client ships in every edition including Pro and Home. Microsoft's current SMB over QUIC documentation explicitly lists Windows 11 (all editions, 24H2 or newer) as supported clients. If you're running Win11 24H2 or 25H2 Pro on your daily-driver laptop, you're good. You do not need to upgrade to Enterprise.
What this means in practice: your remote employees on regular Win11 Pro laptops can connect to your SMB over QUIC server without any edition upgrade. The reader of an older guide who thinks "we'd need to buy E5 licenses for everyone" is looking at outdated information.
Step 1: Install the File Server role
RDP into your Raff Windows Server, open PowerShell as administrator, and run:
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools
Expected output:
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {File Server}
RestartNeeded: No is what you want. Server 2025 installs File Server cleanly with no reboot.
Verify SMB server config defaults:
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EnableSMBQUIC, EncryptData, RestrictNamedPipeAccessViaQuic
You should see:
EnableSMB1Protocol : False
EnableSMB2Protocol : True
EnableSMBQUIC : True
EncryptData : False
RestrictNamedPipeAccessViaQuic: True
A few things worth knowing here.
EnableSMB1Protocol: False is correct. SMB1 has been deprecated since 2017 and is a security risk. Leave it off.
EnableSMBQUIC: True means the SMB server is already willing to accept QUIC connections once you bind a certificate to it. No additional flag to flip.
EncryptData: False looks alarming but is correct for QUIC. This flag controls SMB-level encryption for legacy SMB over TCP. SMB over QUIC encrypts at the QUIC/TLS 1.3 transport layer, so SMB-level encryption is redundant. The TLS 1.3 tunnel encrypts everything end to end already, including the auth handshake.
RestrictNamedPipeAccessViaQuic: True is a security default. Named pipes (used by remote management protocols like the Server Manager remote APIs) are blocked over QUIC by default. Don't change this unless you have a specific reason; if a remote admin tool fails to connect over QUIC, that's the reason, and the right answer is usually to admin over the local network or a separate RDP session, not to relax this restriction.
Now create a folder to share:
New-Item -Path "C:\QuicShare" -ItemType Directory -Force "This file lives on the Raff Server. Reachable over SMB+QUIC." | Out-File "C:\QuicShare\readme.txt" -Encoding UTF8
Step 2: Open UDP 443 in the firewall
This is the step where almost every online guide gets the protocol wrong. SMB over QUIC uses UDP 443, not TCP 443. If you accidentally open TCP 443 thinking that's how QUIC works (because TLS is usually associated with TCP), nothing will work and the error you get back is unhelpful.
New-NetFirewallRule -DisplayName "SMB over QUIC (UDP 443)" ` -Direction Inbound ` -Protocol UDP ` -LocalPort 443 ` -Action Allow ` -Profile Any
Verify:
Get-NetFirewallRule -DisplayName "SMB over QUIC (UDP 443)" | Format-List DisplayName, Enabled, Direction, Action
You should see Enabled: True, Direction: Inbound, Action: Allow.
Now temporarily open TCP 80 for the Let's Encrypt HTTP-01 challenge in the next step:
New-NetFirewallRule -DisplayName "Lets Encrypt HTTP-01 (TCP 80)" ` -Direction Inbound ` -Protocol TCP ` -LocalPort 80 ` -Action Allow ` -Profile Any
We'll close this back down once the certificate is issued and renewals are scheduled via Task Scheduler (which can survive without port 80 once the initial cert is in place, provided you set up DNS-01 challenges later, which we cover at the end). For now, open it.


