All posts tagged enterprise mobility

RemoteAccess Service Hangs in Windows Server 2025

For Always On VPN administrators using the Routing and Remote Access Service (RRAS) on Windows Server 2025, you’ve likely encountered issues with service restarts and system reboots since migrating to the latest release of the Windows server operating system. I’ve experienced this myself, and many of my customers and Discord users have raised the same complaints.

Service Hang

Attempting to restart the RemoteAccess service after the server has accepted at least one VPN connection causes the service to hang. In addition, many have reported that the server hangs and eventually blue-screens during a shutdown or restart.

Resolution

Unfortunately, there is no workaround or fix for this issue today. However, hope is on the horizon.

Coming Soon

I have several customers with open support cases for this issue. Microsoft has informed them that a fix is due out soon, perhaps with the April security updates (April 14, 2026). I performed validation testing with the latest Insider build for Windows Server 2025 and can confirm that Microsoft fixed the issue in this release. Unfortunately, I wouldn’t recommend running an Insider build in production, so hang on (pun intended!) for the April security updates.

Additional Information

Always On VPN on Discord

Windows Server Insider Builds

Leave a comment
by Richard M. Hicks on March 3, 2026  •  Permalink
Posted in Always On VPN, AOVPN, Microsoft, Remote Access, routing and remote access service, RRAS, VPN, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on March 3, 2026

https://directaccess.richardhicks.com/2026/03/03/remoteaccess-service-hangs-in-windows-server-2025/

Entra Private Access and Bring Your Own Device (BYOD)

Microsoft Entra Private Access is a Zero Trust Network Access (ZTNA) solution that provides secure access to private enterprise resources. With the release of Global Secure Access (GSA) client version 2.26.108, Microsoft has addressed a crucial functionality gap by adding support for Bring Your Own Device (BYOD), enabling secure access from non-managed endpoints.

BYOD Support in Global Secure Access

Microsoft introduced BYOD support for Entra Private Access with the release of the GSA client version 2.26.108. This update allows the GSA client to be installed on Microsoft Entra-registered devices that are not domain-joined or managed by the organization, enabling secure access to private resources from personal or unmanaged endpoints.

Use Cases

BYOD support in GSA and Entra Private Access enables several common scenarios where network access from managed devices is impractical or unavailable, including:

  • Vendor or contractor access
  • IT incident response from unmanaged endpoints
  • Temporary or seasonal staffing
  • Collaboration with external partners

Replacing Legacy VPN for Ad Hoc Access

Historically, legacy VPN solutions were the primary option for providing ad hoc access to private resources from unmanaged devices. With the introduction of BYOD support in the GSA client, organizations can now extend Entra Private Access to these scenarios without deploying or maintaining a separate VPN infrastructure.

Additional Changes

In addition to adding BYOD support, GSA client v2.26.108 includes the following new enhancements.

  • Improved Intelligent Local Access (ILA) detection
  • Join Type displayed in the client interface
  • GSA traceroute enhancements, including a 50M MB speed test between the client and edge service.

Summary

BYOD support removes a key barrier to adopting Microsoft Entra Private Access. Organizations can now securely provide access to private resources using Zero Trust policies, even when users connect from unmanaged or personal devices, and without relying on legacy VPN solutions.

Additional Information

Microsoft Entra Private Access Bring Your Own Device (BYOD)

Microsoft Global Secure Access Client for Windows v2.26.108

Microsoft Entra Private Access Intelligent Local Access

Always On VPN vs. Entra Private Access

Leave a comment
by Richard M. Hicks on February 10, 2026  •  Permalink
Posted in authentication, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, cloud, Cloud Service, Conditional Access, Enterprise, enterprise mobility, Entra Conditional Access, Entra Global Secure Access, Entra Private Access, Global Secure Access, GSA, ILA, Intelligent Local Access, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Private Access, Mobility, Private Network Connector, public cloud, Remote Access, Secure Service Edge, Security, Security Service Edge, VPN, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 10, 2026

https://directaccess.richardhicks.com/2026/02/10/entra-private-access-and-bring-your-own-device-byod/

Always On VPN and Azure VPN Gateway SSTP Protocol Retirement

The Azure VPN gateway has been an option for supporting Microsoft Always On VPN client connections for organizations moving resources to the cloud. Today, Azure VPN gateway supports Internet Key Exchange version 2 (IKEv2), OpenVPN, and Secure Socket Tunneling Protocol (SSTP), although SSTP support has long been limited in scope and scalability. However, Microsoft recently indicated that some important changes are coming soon that will affect VPN protocol support on the Azure VPN gateway.

SSTP and Azure VPN Gateway

Microsoft has announced plans to deprecate and eventually remove support for SSTP on the Azure VPN gateway.

Key Dates

Here is Microsoft’s timeline for retiring SSTP for VPN connections.

  • March 31, 2026 – SSTP can no longer be enabled on new or existing gateways
  • March 31, 2027 – Existing SSTP connections will stop functioning

SSTP: Second Class Citizen

The retirement of SSTP for Azure VPN gateway should not have a significant impact on Always On VPN deployments. Support for SSTP on Azure VPN gateway has always been limited, making it a less viable option for most Always On VPN deployments. SSTP connections are capped at 128 concurrent connections (256 in active-active mode), regardless of gateway SKU. Additionally, Azure VPN gateway does not support simultaneous user and device tunnels, further limiting its usefulness in modern Always On VPN designs.

Plan Migration Now

If you are using Azure VPN gateway to support Always On VPN client connections, now is the time to begin planning a migration to IKEv2, which offers better scalability and native Always On VPN support. Alternatively, consider Windows Server RRAS in Azure, a third-party VPN solution, or Entra Private Access if Azure VPN gateway no longer meets your requirements.

More Information

For official guidance, see SSTP Protocol Retirement and Connections Migration. If you’re unsure how this change affects your Always On VPN deployment, or you would like help planning a migration, this is a good time to review your design and roadmap. Fill out the form below, and I’ll provide you with more information.

Additional Information

SSTP Protocol Retirement and Connections Migration

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN

Windows Server RRAS in Microsoft Azure

Microsoft Entra Private Access

Leave a comment
by Richard M. Hicks on January 26, 2026  •  Permalink
Posted in administration, Always On VPN, AOVPN, Azure, Azure VPN, Azure VPN Gateway, cloud, Deployment, device tunnel, end of life, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, OpenVPN, public cloud, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSTP, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 26, 2026

https://directaccess.richardhicks.com/2026/01/26/always-on-vpn-and-azure-vpn-gateway-sstp-protocol-retirement/

« Older Posts