All posts in category enterprise mobility

What’s New in Absolute Secure Access v14

Absolute Software recently announced a significant upgrade for its popular secure remote access and Zero Trust Network Access (ZTNA) solution. Version 14 of Secure Access introduces many compelling new features and updates that administrators will find beneficial. In addition, crucial security vulnerabilities in the previous release have been addressed.

New Features

Absolute Secure Access v14.x includes many enhancements over previous releases. Here are a few of the highlights.

Improved Performance

Absolute Secure Access v14 provides much faster throughput on multi-gigabit networks (e.g., 2.5Gbps Wi-Fi 6E/7 or 10Gbps wired). New kernel-level optimizations reduce CPU overhead by up to 40% on high-speed links, improving performance on faster networks.

Modern Certificate Handling

SHA-1 has been deprecated since 2011, and beginning with Absolute Secure Access v14, support for SHA-1 certificates has been removed completely.

Enhanced Client Auto Reconnect

Improved client auto-reconnect logic now survives Windows standby mode for more than 12 hours (previous versions were capped at around 4 hours). This will reduce frustration when devices return from standby for extended periods.

Automatic Host Group Updates

Host groups are an excellent way to streamline policy configuration for services like Microsoft 365 and AWS. These cloud providers publish the IP addresses of their services, which are dynamic and often change over time. Absolute Secure Access v14 now supports automatic host group updates for these services. Microsoft 365 updates occur every 28 days, and AWS updates occur every 5 days by default. This interval is configurable for administrators.

Security Updates

Absolute Secure Access v14 closes four server-side CVEs as well as 14 third-party CVEs (Apache, OpenSSL, etc.) that were not patched in v13.x.

Summary

If you have deployed previous versions of Absolute Secure Access, consider upgrading to v14.x today. You’ll gain improved performance, reduced administrative overhead, critical security updates, and much more. If you’d like help with your migration or want to learn more about the new capabilities in Absolute Secure Access v14, fill out the form below, and I’ll provide more information.

Additional Information

Absolute Secure Access

Absolute Secure Access Enterprise VPN Advanced Features In Depth

Absolute Secure Access and IPv6

Leave a comment
by Richard M. Hicks on November 5, 2025  •  Permalink
Posted in Absolute, Absolute Secure Access, Absolute Software, Enterprise, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, NetMotion Software, Remote Access, Security, Security Update, Update, VPN
Tagged , , , , , , , , ,

Posted by Richard M. Hicks on November 5, 2025

https://directaccess.richardhicks.com/2025/11/05/whats-new-in-absolute-secure-access-v14/

Certificate Connector for Microsoft Intune Agent Certificate Renewal Failure

The Certificate Connector for Microsoft Intune is a vital component that allows administrators to issue and manage enterprise PKI certificates to endpoints managed by Microsoft Intune. The connector is installed on a Windows server with access to the on-premises Certificate Authority (CA). It is registered with Intune and can be used by any PKCS or SCEP device configuration profiles defined by Intune administrators.

Agent Certificate

When you install the Certificate Connector for Intune, a certificate issued by the Microsoft Intune ImportPFX Connector CA is automatically enrolled into the local computer certificate store of the server where the connector is installed. This certificate authenticates the connector to Intune and is valid for one year from the date of issuance. This certificate is automatically renewed in most cases. However, some configurations prevent this from happening.

Failed To Renew

Administrators may find event log errors with event ID 2 from the CertificateConnectors source in the Microsoft-Intune-CertificateConnectors operational event log with the following information.

Pki Create Service:

Failed to renew agent certificate

System.Security.Cryptography.CryptographicException: Access is denied.

Root Cause

Agent certificate renewal fails when the Certificate Connector for Intune is running under a service account that is not a member of the local administrators security group. You will not encounter this error if the connector services are running in the SYSTEM context, however.

Resolution

There are a few different ways to resolve this issue. Here are some options to consider.

Grant Admin Rights

Adding the service account under which the connector service runs will allow the agent certificate to renew automatically. However, this may not be desirable from a security perspective. To address this, administrators may temporarily grant local administrative access to renew the agent certificate, then revoke this permission once the certificate has been successfully renewed. However, this is a manual process that doesn’t scale well and requires annual administrative intervention.

Reinstall

Uninstalling and reinstalling the Certificate Connector for Intune will force a new certificate enrollment during the registration process. You can delete the old certificate after completing the installation.

Switch to SYSTEM

Changing from a service account to SYSTEM will also resolve this issue. However, it is not recommended to make these changes directly on the services themselves. Instead, administrators should remove and reinstall the Certificate Connector for Intune, selecting the SYSTEM option rather than the service account method.

Note: Using the SYSTEM account for the Certificate Connector for Intune should be avoided when using PKCS. Details here.

Summary

The Certificate Connector for Intune agent certificate renewal fails when the service is configured to run as a service account without local administrative rights. The best way to resolve this is to add the service account to the local administrators group on the server where the connector is installed. However, this isn’t always ideal. Although running the connector in the SYSTEM context is acceptable when using SCEP, it should be avoided when using PKCS. Administrators will have to accept the risk of the service account having local administrative rights or accept that they’ll have to reinstall the connector annually.

Additional Information

Certificate Connector for Intune Service Account and PKCS

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Intune Strong Certificate Mapping Error

Intune PKCS and SCEP Certificate Validity Period

Certificate Connector for Intune Failure

Certificate Connector for Intune Configuration Failed

Troubleshooting Intune Failed PKCS Request

Leave a comment
by Richard M. Hicks on October 28, 2025  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PFX Connector, PKCS, PKI, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, troubleshooting, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 28, 2025

https://directaccess.richardhicks.com/2025/10/28/certificate-connector-for-microsoft-intune-agent-certificate-renewal-failure/

Always On VPN DPC Commercial Support

The Always On VPN Dynamic Profile Configurator (DPC) is a free, open-source solution that helps administrators deploy and manage Always On VPN client configuration settings using Active Directory, Group Policy, or Microsoft Intune. Since version 5.0, DPC has been publicly available and widely adopted. Until now, support has been limited to the community Discord channel. Many organizations, however, require formal support before they can deploy software, even open-source solutions. To meet this need, Leo D’Arcy and I are now offering a commercial support option for DPC.

Why Commercial Support Matters

Enterprises rely on accountability and timely assistance to ensure business-critical services run smoothly. Open source provides flexibility and cost savings, but it often lacks the reliability guarantees companies require. Commercial support bridges that gap—delivering confidence, faster resolutions, and compliance with internal support standards.

Customer Success Story

A UK National Health Service (NHS) Trust, an early customer of the support program, praised the impact of DPC on its remote access strategy. An infrastructure engineer at the NHS trust has this to say about DPC and commercial support:

“We have recently transitioned from SSL VPN to AOVPN and took the opportunity to use DPC to manage our configuration and deployment. We’ve previously experimented with Microsoft’s officially documented process, but DPC really simplifies and streamlines the implementation and management of the AOVPN tunnels.

During rollout, we discovered an issue that caused the user tunnel config to become corrupt. Being able to directly communicate and troubleshoot with Leo and the team meant that we were quickly able to have a fix and a new version of the client ready for deployment.

We are now running DPC and AOVPN on around 4000 endpoints with around 2000 concurrent connections each day. Feedback from users is very positive, and DPC simplifies ongoing management.”

Value Added

This real-world experience highlights the two most significant benefits of DPC with commercial support: rapid issue resolution (direct access to the people who build the software) and confidence at scale (thousands of endpoints, thousands of daily connections).

What DPC Commercial Support Includes

Purchasing a commercial support package provides:

  • 1 year of support services (renewable)
  • Direct access to Leo D’Arcy, lead developer of DPC
  • Support from Richard Hicks for DPC-related queries
  • Enhanced troubleshooting beyond community channels
  • Prioritized bug fixes
  • Early consideration for new feature requests
  • Dedicated private channels for secure communication

Don’t Wait

With a commercial support package, your organization gains expert guidance, faster issue resolution, and direct access to the team that builds and maintains DPC. DPC commercial support ensures smooth deployments, reduced risks, and compliance with internal support requirements

Learn More

Interested in a commercial support contract for Always On VPN DPC? Email us at [email protected] or complete the form below, and we’ll get back to you with more information.

Additional Information

Always On VPN DPC Open Source

Always On VPN DPC Features

Always On VPN DPC Advanced Features

Migrating from Always On VPN DPC Commercial to Open Source

Always On VPN DPC with Microsoft Intune

Always On VPN Discord Channel

Leave a comment
by Richard M. Hicks on September 30, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Azure VPN Gateway, Deployment, Device Management, device tunnel, DPC, DPC Support, Dynamic Profile Configurator, Enterprise, enterprise mobility, Infrastructure, InTune, MDM, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Open Source, Operational Support, Remote Access, systems management, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 30, 2025

https://directaccess.richardhicks.com/2025/09/30/always-on-vpn-dpc-commercial-support-2/

« Older Posts
Newer Posts »