All posts in category routing and remote access service

RemoteAccess Service Hangs in Windows Server 2025

For Always On VPN administrators using the Routing and Remote Access Service (RRAS) on Windows Server 2025, you’ve likely encountered issues with service restarts and system reboots since migrating to the latest release of the Windows server operating system. I’ve experienced this myself, and many of my customers and Discord users have raised the same complaints.

Important Note! The fix for this issue is included in the April 2026 security updates. See below for more details.

Service Hang

Attempting to restart the RemoteAccess service after the server has accepted at least one VPN connection causes the service to hang. In addition, many have reported that the server hangs and eventually blue-screens during a shutdown or restart.

Resolution

Microsoft included a fix for this issue in the April 2026 security updates. However, the fix is not enabled by default. After applying the April 2026 updates, administrators must activate the fix by setting the following registry key.

Key: HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides\
Name: 3247592078
Type: DWORD
Value: 1

You can enable this setting by opening an elevated PowerShell command window and running the folowing commands.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
If (-not (Test-Path $RegPath)) {
   New-Item -Path $RegPath -Force | Out-Null
}
Set-ItemProperty -Path $RegPath -Name '3247592078' -Value 1 -Type DWORD -Force

Once the registry has been updated, reboot the server for the change to take effect.

Additional Information

Always On VPN on Discord

Windows Server Insider Builds

3 Comments
by Richard M. Hicks on March 3, 2026  •  Permalink
Posted in Always On VPN, AOVPN, Microsoft, Remote Access, routing and remote access service, RRAS, VPN, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on March 3, 2026

https://directaccess.richardhicks.com/2026/03/03/remoteaccess-service-hangs-in-windows-server-2025/

Always On VPN and Azure VPN Gateway SSTP Protocol Retirement

The Azure VPN gateway has been an option for supporting Microsoft Always On VPN client connections for organizations moving resources to the cloud. Today, Azure VPN gateway supports Internet Key Exchange version 2 (IKEv2), OpenVPN, and Secure Socket Tunneling Protocol (SSTP), although SSTP support has long been limited in scope and scalability. However, Microsoft recently indicated that some important changes are coming soon that will affect VPN protocol support on the Azure VPN gateway.

SSTP and Azure VPN Gateway

Microsoft has announced plans to deprecate and eventually remove support for SSTP on the Azure VPN gateway.

Key Dates

Here is Microsoft’s timeline for retiring SSTP for VPN connections.

  • March 31, 2026 – SSTP can no longer be enabled on new or existing gateways
  • March 31, 2027 – Existing SSTP connections will stop functioning

SSTP: Second Class Citizen

The retirement of SSTP for Azure VPN gateway should not have a significant impact on Always On VPN deployments. Support for SSTP on Azure VPN gateway has always been limited, making it a less viable option for most Always On VPN deployments. SSTP connections are capped at 128 concurrent connections (256 in active-active mode), regardless of gateway SKU. Additionally, Azure VPN gateway does not support simultaneous user and device tunnels, further limiting its usefulness in modern Always On VPN designs.

Plan Migration Now

If you are using Azure VPN gateway to support Always On VPN client connections, now is the time to begin planning a migration to IKEv2, which offers better scalability and native Always On VPN support. Alternatively, consider Windows Server RRAS in Azure, a third-party VPN solution, or Entra Private Access if Azure VPN gateway no longer meets your requirements.

More Information

For official guidance, see SSTP Protocol Retirement and Connections Migration. If you’re unsure how this change affects your Always On VPN deployment, or you would like help planning a migration, this is a good time to review your design and roadmap. Fill out the form below, and I’ll provide you with more information.

Additional Information

SSTP Protocol Retirement and Connections Migration

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN

Windows Server RRAS in Microsoft Azure

Microsoft Entra Private Access

Leave a comment
by Richard M. Hicks on January 26, 2026  •  Permalink
Posted in administration, Always On VPN, AOVPN, Azure, Azure VPN, Azure VPN Gateway, cloud, Deployment, device tunnel, end of life, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, OpenVPN, public cloud, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSTP, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 26, 2026

https://directaccess.richardhicks.com/2026/01/26/always-on-vpn-and-azure-vpn-gateway-sstp-protocol-retirement/

Always On VPN RRAS and PowerShell 7

PowerShell is an essential tool for administrators supporting Microsoft Always On VPN. It is critical for configuring supporting infrastructure services, such as Routing and Remote Access (RRAS) and Network Policy Server (NPS), as well as provisioning and managing Always On VPN client configuration settings on endpoints. The current version of PowerShell, PowerShell 7.5.3, is a game-changer for scripting and automation, bringing a host of improvements over its predecessors. PowerShell 7 offers better performance, lower memory usage, and cross-platform support (Windows, macOS, and Linux), making it more versatile than ever.

Problem in PowerShell 7

Recently, I discovered an oddity with PowerShell 7 when reviewing the configuration of an RRAS server. Specifically, PowerShell 7 differs in the way it produces output for the Get-RemoteAccess command, preventing administrators from viewing the details of the currently configured TLS certificate used for SSTP VPN connections in RRAS.

PowerShell 5

Running Get-RemoteAccess in PowerShell 5 provides detailed information about the SslCertificate property in the output of the command, as shown here.

Note that the data returned in the SslCertificate property is of the type X509Certificate2.

PowerShell 7

In PowerShell 7, Get-RemoteAccess displays only a string of numbers instead of detailed certificate information.

Notably, the data returned in the SslCertificate property is of the type System.Byte.

Solution

While PowerShell 7 doesn’t output the certificate details in human-readable form, you can easily convert the data using the following PowerShell command.

[System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Get-RemoteAccess).SslCertificate) | Format-List

AovpnTools Module

To simplify administration, I’ve added a function to my AovpnTools PowerShell module called Get-VpnServerTlsCertificate. This function allows you to view the currently configured SSTP certificate details directly with a single command. In addition, you have the option to save the certificate to a file for further inspection and troubleshooting.

The GetVpnServerTlsCertificate function is included in AovpnTools v1.9.8 and later. You can install AovpnTools from the PowerShell gallery by running the following command.

Install-Module -Name AovpnTools

You can also find the AovpnTools PowerShell module on GitHub.

Summary

With PowerShell 7, RRAS certificate details display differently, but administrators can quickly resolve this using a simple conversion or the Get-VpnServerTlsCertificate function in the AovpnTools module. Either way, administrators can continue to use PowerShell 7 to manage their Windows Server RRAS servers.

Additional Information

Installing PowerShell 7 on Windows

AovpnTools in the PowerShell Gallery

AovpnTools on GitHub

Leave a comment
by Richard M. Hicks on September 16, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, certificates, Microsoft, PowerShell, PowerShell 7, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Server Core, SSL, SSL and TLS, SSTP, TLS, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 16, 2025

https://directaccess.richardhicks.com/2025/09/16/always-on-vpn-rras-and-powershell-7/

« Older Posts
Newer Posts »