All posts in category Windows 11

What’s New in Entra Global Secure Access Client v2.28.96

On April 27, 2026, Microsoft announced an update for the Entra Global Secure Access (GSA) client version 2.28.96. This new release includes improvements to the user experience for BYOD scenarios, to surface more information about endpoint status on the main screen, and to Intelligent Local Access (ILA).

Sign Out

Microsoft has changed how the Sign Out button is displayed depending on the device’s join type. With GSA client 2.28.96, the Sign Out button now appears by default only on Microsoft Entra-registered devices. This option is hidden on Microsoft Entra-joined devices but can optionally be displayed by setting a registry key.

Intelligent Local Access

This update also includes changes to the Intelligent Local Access (ILA) feature. Administrators can now assign a private application to multiple private networks. In addition, the GSA client now includes a new Private Access Definitions section on the Forwarding Profile tab of the Advanced Diagnostics tool. This new section includes the Private DNS definitions and a new Private network definitions section, which detail the current ILA configuration, including defined private networks, configured DNS server addresses, the FQDN to resolve for the private network, and the expected IP address for the ILA FQDN.

Additional Changes

GSA client v2.28.96 also includes additional changes to address known issues and bugs.

  • Internet connection test changed from msn.com to www.msftconnecttest.com
  • Additional log data collection, including Kerberos logs and the output of gpresult.exe
  • Log collection includes the list of trusted root Certification Authorities (CAs) on the endpoint

Download GSA v2.28.96

Administrators can download the latest release of the Global Secure Access (GSA) client here.

Additional Information

Global Secure Access Client for Windows v2.28.96

Entra Private Access Intelligent Local Access (ILA)

Entra Private Access and BYOD

Leave a comment
by Richard M. Hicks on April 28, 2026  •  Permalink
Posted in Cloud Service, Enterprise, enterprise mobility, Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, ILA, Intelligent Local Access, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Mobility, public cloud, Remote Access, SASE, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 28, 2026

https://directaccess.richardhicks.com/2026/04/28/whats-new-in-entra-global-secure-access-client-v2-28-96/

Webinar: Certificate Automation for Windows Infrastructure

If you manage Windows Server workloads that require public TLS certificates like Always On VPN, DirectAccess, Remote Desktop Gateway, Internet Information Services (IIS), and others, you know that certificate expirations don’t send friendly reminders. Certificates expire quietly. Too often, end users are the ones who sound the alarm—when resources are already unavailable. Of course, this never happens at a convenient time. It’s usually the middle of the night, on the weekend.

Current State

Most Windows IT teams are still managing certificates the same way they did years ago, using spreadsheets, calendar reminders, and an assortment of renewal scripts. It usually works… until it suddenly doesn’t.

Free Webinar

I’m pleased to announce that I’ll be joining Todd Gardner from CertKit for a free live webinar on Tuesday, May 26, at 11:00 AM CDT, in which we will break down the following:

  • Why certificate mismanagement causes so much pain at scale
  • How to build real automation that works across your full environment, including internal services and vendor appliances
  • A live demonstration of CertKit showing end-to-end discovery, monitoring, and automated renewal

There will also be time for live Q&A, so bring your questions!

Join Us!

If you’re tired of patching the problem with fragile scripts and assorted reminders, join us to learn about a fully automated solution that can dramatically improve the situation. Register now and don’t miss this opportunity to reduce your TLS certificate management burden and end the need for 2 AM certificate renewal fire drills.

Webinar Details

Webinar: TLS Certificate Automation for Windows Infrastructure
Hosts: Todd Gardner (CertKit) and Richard Hicks (Richard M. Hicks Consulting, Inc.)
Date: Tuesday, May 26
Time: 11:00 AM CDT
Registration: Click here to register!

Leave a comment
by Richard M. Hicks on April 28, 2026  •  Permalink
Posted in Automation, Certificate Authentication, Certificate Lifecycle Management, Certificate Services, certificates, CertKit, CLM, Microsoft, SSL and TLS, TLS, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 28, 2026

https://directaccess.richardhicks.com/2026/04/28/webinar-certificate-automation-for-windows-infrastructure/

Always On VPN with PEAP Fails in Windows 11 26H1

Always On VPN RasMan Errors in Windows 10 1903

There appears to be a bug in the latest Windows 11 26H1 (no, that’s not a typo – 26H1) build affecting Protected Extensible Authentication Protocol (PEAP). In my testing, all VPN connection attempts (Always On VPN and manual/ad-hoc) failed when PEAP was used for authentication.

Windows 11 26H1

Recently, while reviewing downloads and product keys in Visual Studio, I noticed a new Windows 11 release listed: Windows 11 26H1 (business and consumer editions). I initially thought 26H1 would be ARM-only, but the download is available for x64 as well.

I’m not sure whether this is intended as a general release, because Microsoft describes it as an Insider Experimental Preview Build (28200.1873). I also don’t recall seeing Insider builds offered through Visual Studio downloads, so I’m not sure what to make of it. Either way, if you’re evaluating this build, the notes below document a VPN issue I was able to reproduce.

Troubleshooting

After preparing a Windows 11 26H1 test client, I found that the Always On VPN user tunnel would not connect. The same configuration worked on earlier Windows 11 versions. In the event log, I observed the following errors.

Error 619

When using SSTP, the event log records error code 619 (event ID 20227) from the RasClient event source, with the following error message.

The user [domain\user] dialed a connection named [connection name] which has failed. The error code returned on failure is 619.

Error 691

When using IKEv2, the event log records error code 691 (event ID 20227) from the RasClient event source, with the following error message.

The user [domain\user] dialed a connection named [connection name] which has failed. The error code returned on failure is 691.

Workaround

At the time of writing, the only workaround I’ve found to restore Always On VPN connectivity is to switch authentication from PEAP to EAP-TLS. This may not be a drop-in change for every environment, so evaluate the security and operational impact before rolling it out broadly. You’ll need to enable EAP-TLS on both the client and the NPS/RADIUS server.

Summary

I’m not convinced Windows 11 26H1 will be widely deployed soon, since it appears to be an experimental/Insider build rather than a general release. If you decide to evaluate it, plan to use the workaround above to maintain Always On VPN connectivity.

Feedback

Have you tested Always On VPN with Windows 11 26H1? If so, do you see the same behavior? Share your findings in the comments.

Additional Information

Windows 11 Insider Experimental (26H1) Preview Build 28200.1873

Leave a comment
by Richard M. Hicks on April 27, 2026  •  Permalink
Posted in Always On VPN, AOVPN, authentication, EAP, EAP-TLS, Microsoft, PEAP, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 27, 2026

https://directaccess.richardhicks.com/2026/04/27/always-on-vpn-with-peap-fails-in-windows-11-26h1/

« Older Posts