All posts in category troubleshooting

Entra Private Access Channels Are Unreachable

Administrators deploying Microsoft Entra Private Access may encounter a scenario in which the Global Secure Access (GSA) agent reports an error. However, the client continues to work without issue, and all internal resources remain reachable via the Entra Private Access connection. This issue occurs only when the Private Access forwarding profile is enabled alone. It does not happen if the Microsoft traffic forwarding profile is also enabled.

GSA Status Error

When this happens, the Private access channel status is Connected, but the Entra access channel is Disconnected. Also, you will see the following error message when clicking on the GSA client in the notification area.

Some channels are unreachable

Global Secure Access has some channels that are unreachable

Health Check

To investigate further, click the Troubleshooting tab, then click Run tool in the Advanced diagnostics tool section. In the Health check section, you will see the following error message.

Diagnostic URLs were not found in forwarding policy

Scrolling down the list also reveals the following error messages.

Magic IP received = False

Tunneling succeeded Entra Authentication = False

Root Cause

Several months ago, Microsoft made changes to the health check probes that required enabling the Microsoft traffic forwarding profile to work. Some essential health-check probes were not accessible via the Private Access channel, resulting in the error messages shown above when only the Private Access forwarding profile is enabled.

Resolution

Microsoft is rolling out changes to address this issue at the time of this writing (late October 2025). If you encounter this error, it will most likely resolve itself soon. Alternatively, administrators can enable the Microsoft traffic forwarding profile, which will also fix this issue.

Additional Information

Microsoft Entra Private Access

Microsoft Entra Global Secure Access (GSA)

Microsoft Security Service Edge (SSE) Now Generally Available

Microsoft Entra Security Service Edge (SSE) on RunAs Radio

Leave a comment
by Richard M. Hicks on October 30, 2025  •  Permalink
Posted in Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, SASE, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, troubleshooting, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 30, 2025

https://directaccess.richardhicks.com/2025/10/30/entra-private-access-channels-are-unreachable/

Certificate Connector for Microsoft Intune Agent Certificate Renewal Failure

The Certificate Connector for Microsoft Intune is a vital component that allows administrators to issue and manage enterprise PKI certificates to endpoints managed by Microsoft Intune. The connector is installed on a Windows server with access to the on-premises Certificate Authority (CA). It is registered with Intune and can be used by any PKCS or SCEP device configuration profiles defined by Intune administrators.

Agent Certificate

When you install the Certificate Connector for Intune, a certificate issued by the Microsoft Intune ImportPFX Connector CA is automatically enrolled into the local computer certificate store of the server where the connector is installed. This certificate authenticates the connector to Intune and is valid for one year from the date of issuance. This certificate is automatically renewed in most cases. However, some configurations prevent this from happening.

Failed To Renew

Administrators may find event log errors with event ID 2 from the CertificateConnectors source in the Microsoft-Intune-CertificateConnectors operational event log with the following information.

Pki Create Service:

Failed to renew agent certificate

System.Security.Cryptography.CryptographicException: Access is denied.

Root Cause

Agent certificate renewal fails when the Certificate Connector for Intune is running under a service account that is not a member of the local administrators security group. You will not encounter this error if the connector services are running in the SYSTEM context, however.

Resolution

There are a few different ways to resolve this issue. Here are some options to consider.

Grant Admin Rights

Adding the service account under which the connector service runs will allow the agent certificate to renew automatically. However, this may not be desirable from a security perspective. To address this, administrators may temporarily grant local administrative access to renew the agent certificate, then revoke this permission once the certificate has been successfully renewed. However, this is a manual process that doesn’t scale well and requires annual administrative intervention.

Reinstall

Uninstalling and reinstalling the Certificate Connector for Intune will force a new certificate enrollment during the registration process. You can delete the old certificate after completing the installation.

Switch to SYSTEM

Changing from a service account to SYSTEM will also resolve this issue. However, it is not recommended to make these changes directly on the services themselves. Instead, administrators should remove and reinstall the Certificate Connector for Intune, selecting the SYSTEM option rather than the service account method.

Note: Using the SYSTEM account for the Certificate Connector for Intune should be avoided when using PKCS. Details here.

Summary

The Certificate Connector for Intune agent certificate renewal fails when the service is configured to run as a service account without local administrative rights. The best way to resolve this is to add the service account to the local administrators group on the server where the connector is installed. However, this isn’t always ideal. Although running the connector in the SYSTEM context is acceptable when using SCEP, it should be avoided when using PKCS. Administrators will have to accept the risk of the service account having local administrative rights or accept that they’ll have to reinstall the connector annually.

Additional Information

Certificate Connector for Intune Service Account and PKCS

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Intune Strong Certificate Mapping Error

Intune PKCS and SCEP Certificate Validity Period

Certificate Connector for Intune Failure

Certificate Connector for Intune Configuration Failed

Troubleshooting Intune Failed PKCS Request

Leave a comment
by Richard M. Hicks on October 28, 2025  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PFX Connector, PKCS, PKI, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, troubleshooting, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 28, 2025

https://directaccess.richardhicks.com/2025/10/28/certificate-connector-for-microsoft-intune-agent-certificate-renewal-failure/

Always On VPN DPC 5.2.0 Now Available

I’m pleased to announce that Always On VPN Dynamic Profile Configurator (DPC) version 5.2.0 is now available. My good friend Leo D’Arcy has been hard at work for the last few months squashing some bugs and adding a few new features to DPC. If you are running a previous release of Always On VPN DPC, either open source or commercial, it’s time to upgrade.

Important!! DPC 5.2.0 has a bug that prevents the service from stopping. This has been addressed in DPC 5.2.1. Guidance for upgrading from DPC 5.2.0 to 5.2.1 can be found here.

Reminder: We’re on Discord. Join the conversation today!

What’s New in DPC 5.2.0

Always On VPN DPC 5.2.0 has some compelling new features.

  • Exclude Routes from DNS – DPC has a feature that allows administrators to add routes to the routing table using DNS. When this setting is enabled, DPC will attempt to resolve the specified hostname to an IP address and add it to the VPN’s routing table when creating the profile. With 5.2.0, this capability has been extended to exclusion routes, allowing administrators to exclude resources by host name.
  • Write Event Logs to Disk – This setting allows administrators to optionally write DPC event information to a text file in addition to logging them in the event log. Writing event log information to a text file on disk can make troubleshooting easier in some scenarios.
  • Delay Profile Updates – This new feature ensures reliable VPN profile creation after group policy updates take place.

Bug Fixes

In addition to new capabilities, Always On VPN DPC 5.2.0 includes fixes for many outstanding issues.

  • DPC name resolution issue where duplicate IP addresses are returned, resulting in failed route additions when using ‘Allow Routes from DNS’.
  • Missing events in the DPC operational event log.
  • Enabling ‘Disable Disconnect Button’ or ‘Disable Advanced Edit Button’ settings results in a profile mismatch warning.
  • Added resiliency to DPC name resolution when one or more name resolution requests fail.

Group Policy Template

As a reminder, any time there are new features in DPC, there will be corresponding changes to Group Policy administrative template and template language files. Be sure to update your ADMX and ADML files in the group policy central store to take advantage of these new capabilities in DPC 5.2.0.

Recommendation

If you are running any release of Always On VPN DPC, commercial or open source, consider upgrading now to gain access to new features and operational reliability improvements. You can find DPC v5.2.0 on GitHub here.

Additional Information

Always On VPN DPC v5.2.0 Available Now

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Now Open Source

Migrating from Always On VPN DPC Commercial to Open Source

Always On VPN DPC with Microsoft Intune

Microsoft Always On VPN on Discord

Always On VPN DPC

Leave a comment
by Richard M. Hicks on August 12, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, AovpnDPC, Device Management, device tunnel, Discord, DNS, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Group Policy, Microsoft, Mobility, Name Resolution, Open Source, Operational Support, ProfileXML, Remote Access, systems management, troubleshooting, Update, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on August 12, 2025

https://directaccess.richardhicks.com/2025/08/12/always-on-vpn-dpc-5-2-0-now-available/

« Older Posts