All posts by Richard M. Hicks

Midwest Management Summit (MMSMOA) 2026

I’m excited to be presenting two sessions at the upcoming Midwest Management Summit at Mall of America (MMSMOA), taking place May 3-7, 2026, at the Radisson Blu in Bloomington, MN. This is the premier systems management event in the U.S., offering unrivaled access to Microsoft and industry professionals from around the world.

Cloud PKI for Intune

My first session, Zero to Certificates in 5 Minutes with Cloud PKI for Microsoft Intune, covers how to quickly configure and deploy certificates using Cloud PKI for Microsoft Intune. This session is ideal for anyone looking to streamline certificate management without the traditional heavy infrastructure burden.

Entra Private Access

My second session, Moving to Zero Trust: Entra Private Access for Always On VPN Administrators, explores the transition from traditional Always On VPN to Microsoft’s Entra Private Access, highlighting practical steps, architectural differences, and the benefits of maintaining secure access in a modern Zero Trust environment. I will also share important migration tips, tricks, and best practices.

Let’s Connect!

Looking forward to diving into these topics with everyone there. I hope to see some familiar faces and meet new ones, too! If you are attending the event, be sure to say hello!

Additional Information

Midwest Management Summit at Mall of America (MMSMOA)

Cloud PKI for Microsoft Intune on RunAs Radio

Microsoft Entra Private Access on RunAs Radio

Leave a comment
by Richard M. Hicks on March 13, 2026  •  Permalink
Posted in Active Directory Certificate Services, Certificate Authentication, Certificate Services, Certificate-Based Authentication, certificates, Cloud PKI, Conference, education, Entra, Entra Private Access, Entra Private Network Connector, learning, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Private Access, PKI, Training, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 13, 2026

https://directaccess.richardhicks.com/2026/03/13/midwest-management-summit-mmsmoa-2026/

Always On VPN Ask Me Anything (AMA) April 2026

We’re already through most of Q1 2026, so I’ve put another AMA on the calendar so we can all connect again. Be sure to join me on Tuesday, April 7, at 10:00 AM PDT (UTC -7) for the next edition of the Always On VPN AMA (Ask Me Anything!) session.

Do you have questions about Always On VPN? Are you having a specific issue you can’t figure out? Would you like more information about configuration options? Here’s your chance to get your questions answered! Register now and join the session to ask me anything (AMA!) about Microsoft Windows Always On VPN and related technologies.

The AMA will be an open forum session where we can all talk shop about Always On VPN and related technologies. It’s a great chance to learn new things and share experiences with your peers. We’ll discuss known issues and limitations, best practices, and more. I’m also planning to have some special guests, so be sure to join us!

Everyone is welcome. Don’t miss out on this excellent opportunity to connect and learn. Register now!

Can’t make the session? Register anyway, and I’ll send you the link to the recording as soon as it is available!

Leave a comment
by Richard M. Hicks on March 13, 2026  •  Permalink
Posted in Always On VPN, Always On VPN DPC, AMA, AOVPN, AovpnDPC, Azure VPN, DPC, DPC Support, education, learning, Microsoft, VPN, webinar, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 13, 2026

https://directaccess.richardhicks.com/2026/03/13/always-on-vpn-ask-me-anything-ama-april-2026/

CertKit Agent Support for Always On VPN SSTP and DirectAccess IP-HTTPS TLS Certificates

With public TLS certificate lifetimes set to drop to 200 days soon (next week!), Always On VPN and DirectAccess administrators face an increased risk of service disruption if certificates aren’t renewed on time. These shorter certificate lifetimes require more frequent renewals, substantially increasing management overhead. Although 200 days equate to roughly a twice-a-year renewal, lifetimes will decrease further to 100 days next year and eventually to just 47 days in 2029. SSTP and IP-HTTPS are TLS-based tunneling protocols used by Always On VPN and DirectAccess, respectively, tying their certificate health directly to remote access availability. Now is the time to automate the enrollment and renewal of Always On VPN SSTP and DirectAccess IP-HTTPS/TLS certificates to ensure reliable operation in the future.

Always On VPN

Previously, I wrote about using CertKit.io to automate the enrollment and renewal of public TLS certificates for Always On VPN. CertKit is an online service that administrators can use to delegate the task of enrolling for short-lived certificates from Let’s Encrypt. In that post, I shared some sample code to retrieve the certificate from CertKit and assign it to the SSTP listener for the Routing and Remote Access Service (RRAS). However, CertKit added new features to its solution, eliminating the need for additional code.

CertKit Agents

Recently, CertKit introduced CertKit Agents. These lightweight software agents are installed on Windows Servers (other operating systems are supported as well) to automate the process of downloading CertKit certificates and installing them in the local computer certificate store. Importantly, they now specifically support both the Always On VPN (SSTP) and DirectAccess (IP-HTTPS) workloads natively.

Always On VPN

The CertKit agent automatically detects the Routing and Remote Access (RRAS) workload and updates the certificate binding for the SSTP listener accordingly. Since this process requires a service restart, which terminates all current VPN connections, CertKit allows you to select an outage window for certificate updates.

Here, administrators can define the day(s) and time window during which the agent is authorized to restart the RemoteAccess service when updating the TLS certificate for SSTP. The day and time are based on the server’s configured time zone settings.

DirectAccess

Beginning with CertKit agent v1.6.2, the agent automatically detects whether DirectAccess is configured, enabling IP-HTTPS TLS certificates to be automatically enrolled and renewed. However, additional configuration is required. The following changes must be made to support CertKit for DirectAccess.

  • Service Account – Administrators must configure a service account in Active Directory for the CertKit agent. A Group Managed Service Account (gMSA) is preferred, but a standard domain service account is also supported.
  • GPO Delegation – CertKit service account must be delegated the ‘Edit settings, delete, and modify security’ permission on the DirectAccess server and client settings GPOs.
  • Log On as a Service – When using a domain service account, administrators must grant the CertKit service the ‘Log on as a service’ right on the DirectAccess server. However, when using gMSA, the ‘Log on as a service’ right is not required.
  • Local Administrator – Administrators must also add the CertKit agent service account to the Local Administrators group on the server.

Configuration Script

I have published a PowerShell script to simplify configuring the CertKit agent on DirectAccess servers. The script automatically performs all required tasks for the CertKit agent to work with DirectAccess. You will find the Enable-DACertKit.ps1 PowerShell script on GitHub. Alternatively, you can install the script directly from the PowerShell Gallery.

Install-Script -Name Enable-DACertKit -Scope CurrentUser

After installing the CertKit agent, run the PowerShell script to complete the configuration. Next, authorize the agent in the CertKit management portal and assign a certificate. Once complete, CertKit can fully manage the IP-HTTPS TLS certificate for DirectAccess.

Note: Like Always On VPN, changes to the DirectAccess IP-HTTPS certificate require a service restart, which is disruptive. Be sure to define a maintenance window (as shown previously) to ensure the change is made during non-peak times.

Summary

As TLS certificate lifecycles continue to shrink, automating certificate enrollment and renewal has become essential for both Always On VPN and DirectAccess environments. CertKit agents streamline this process by automatically retrieving, installing, and binding certificates for SSTP and IP-HTTPS, all while supporting scheduled outage windows to minimize disruption. With these new capabilities, administrators can significantly reduce operational overhead and ensure consistent, reliable remote access services without manual intervention. Visit CertKit.io to get started today.

More Information

If you would like to learn more about CertKit or see a demonstration with Always On VPN or DirectAccess, fill out the form below, and I’ll provide you with more details.

Additional Information

Always On VPN SSTP Certificate Automation with CertKit

CertKit Agents

Enable-DACertKit.ps1 on GitHub

Enable Group Managed Service Accounts

Leave a comment
by Richard M. Hicks on March 10, 2026  •  Permalink
Posted in Always On VPN, AOVPN, Automation, CertKit, Cloud Service, Cryptography, Deployment, Device Management, DirectAccess, Encryption, Enterprise, enterprise mobility, Infrastructure, IP-HTTPS, IPv6 Transition, Microsoft, Mobility, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, SSL, SSL and TLS, TLS, TLS 1.3, Transport Layer Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 10, 2026

https://directaccess.richardhicks.com/2026/03/10/certkit-agent-support-for-always-on-vpn-sstp-and-directaccess-ip-https-tls-certificates/

« Older Posts