Windows Server 2025 Marks the End of Microsoft DirectAccess

Well, the time has finally come. Microsoft DirectAccess, first introduced in Windows Server 2008 R2, will be removed from the next release of Windows Server. This means that Windows Server 2025 is officially the end of the line for DirectAccess.

Why Is This Happening?

DirectAccess has had a good run, no doubt. However, DirectAccess is built on legacy technologies, making it difficult to implement and support in modern environments. For example, DirectAccess requires the following:

  • Domain-joined servers and clients
  • Active Directory group policy management
  • NTLMv2 for authentication
  • Complex IPv6 transition and translation technologies

Further, DirectAccess does not support:

  • Modern endpoint management using Microsoft Intune
  • Integration with Entra ID and Entra Conditional Access
  • Fine-grained user access control (zero trust)
  • Windows Professional or other non-Microsoft endpoints

Microsoft’s strategic focus has shifted toward cloud-native identity, device management, and Zero Trust access solutions, making DirectAccess increasingly difficult to align with modern enterprise requirements and ultimately resulting in Microsoft discontinuing DirectAccess.

What’s Next

Organizations should consider migrating from DirectAccess to Always On VPN or Entra Private Access. Always On VPN provides a traditional VPN-based remote access solution with broad deployment flexibility, while Entra Private Access offers a cloud-native Zero Trust approach for accessing private applications and resources.

Migration Path

Organizations currently relying on DirectAccess should begin planning their migration strategy now. Although Windows Server 2025 continues to support DirectAccess, future Windows Server releases will not, making proactive migration planning essential.

Get Expert Guidance on DirectAccess Migration

Every DirectAccess deployment is different. The right migration strategy depends on your existing infrastructure, identity platform, management approach, and security requirements. Complete the form below to discuss your environment and receive guidance on transitioning to Always On VPN or Entra Private Access.

Additional Information

Microsoft DirectAccess Deprecation on Future Windows Server Releases

REMINDER: Windows Server 2016 End of Life January 2027 – Plan Your AD CS Migration Now

With just over six months remaining before Windows Server 2016 reaches end of support, now is the time to begin planning migrations for workloads hosted on this platform. Mainstream support ended on January 11, 2022, and Windows Server 2016 has since remained in extended support. However, extended support ends on January 12, 2027. After that date, Microsoft will no longer provide security updates or technical support, increasing the risk of running production workloads due to exposure to newly discovered vulnerabilities and exploits.

Active Directory Certificate Services

Many organizations are still running critical infrastructure on Windows Server 2016. Administrators often delay upgrading Microsoft Active Directory Certificate Services (AD CS) due to its complexity. However, a well-planned AD CS migration not only reduces risk but also provides an opportunity to modernize cryptography, certificate templates, and operational practices.

Certificate Authorities

Administrators must carefully migrate Certificate Authorities (CAs) running on Windows Server 2016 to minimize downtime. In environments where ongoing CA maintenance has been limited, migrating the CA database can be especially challenging. If the CA is installed on a domain controller, now is a good time to consider separating these services to ensure reliable operation. Also, it’s a good idea to evaluate the CA’s configuration and security posture during migration to enhance security and improve service resilience.

NDES Servers

Microsoft Network Device Enrollment Services (NDES) servers, commonly deployed to facilitate certificate enrollment via Microsoft Intune, pose a unique challenge during migration. Unfortunately, configuring NDES is exceedingly complex and error-prone. NDES relies on a delicate combination of specialized IIS configuration, AD service accounts, custom certificate templates, and CA permissions, making even minor changes risky without proper planning. Not surprisingly, administrators are often hesitant to touch these systems as they are notoriously difficult to troubleshoot when problems arise.

Pro Tip: We spend an entire day covering NDES configuration in the Mastering Enterprise PKI Certificates with Microsoft Intune training course. The next session is September 1-3, 2026. Register now!

Intune Certificate Connectors

Don’t overlook Windows Server 2016 servers with the Intune Certificate Connector installed. Fortunately, this is one of the more manageable workloads to migrate. All that’s required is to install new connectors on supported servers and delete the old ones.

Summary

With extended support for Windows Server 2016 ending on January 12, 2027, organizations running production workloads—especially critical infrastructure such as Active Directory Certificate Services (AD CS), Certificate Authorities (CAs), and NDES servers—face significant security risks from unpatched vulnerabilities once the OS reaches end-of-life. Careful migration planning to newer versions such as Windows Server 2022 or 2025 is essential to minimize downtime, improve security posture, and ensure long-term resilience.

Start Planning Now

Don’t leave these mission-critical infrastructure services to the last minute! Begin planning your migration today. If you’d like expert guidance, I have many years of experience migrating these workloads. I have developed specialized tools and techniques to ensure a smooth, secure, and successful transition. Fill out the form below to schedule a free one-hour consultation to assess your Windows Server 2016 AD CS workloads, identify migration risks, and outline next steps.

Additional Information

Windows Server 2016 Lifecycle Policy

PKI Fundamentals with Microsoft Active Directory Certificate Services (AD CS) Online Training Course

Mastering Enterprise PKI Certificates with Microsoft Intune Online Training Course

Entra Private Access and VPN Migration Strategies on Entra.News

I recently had the opportunity to connect with Merill Fernando from Microsoft as a guest on his popular Entra.News podcast to discuss Microsoft Entra Private Access, which is part of the Entra Global Secure Access Security Service Edge (SSE) service. We spent the hour talking about the similarities and differences between classic VPN technologies and zero-trust network access (ZTNA). In addition, we discussed some technical aspects of Entra Private Access, and I shared migration and coexistence strategies to help ease the transition to zero trust. Also, we discussed the importance of integrating Entra Conditional Access and the shift from network to application access. You’ll find the interview at Entra.News and also on YouTube. Enjoy!

Additional Information

How to Migrate from Legacy VPN to Entra Private Access – Entra.News

Microsoft Entra Private Access

Always On VPN vs. Entra Private Access

Microsoft Entra Private Access Network Connector Overview and Deployment Strategies

Microsoft Entra Private Access Intelligent Local Access