All posts tagged security

What’s New in Entra Global Secure Access Client v2.24.117

In early December 2025, Microsoft announced an update for the Entra Global Secure Access client. This latest release, v2.24.117, includes important changes that administrators will find helpful for efficient connectivity and enhanced troubleshooting.

Intelligent Local Access

The latest release of the Microsoft Entra Global Secure Access client adds support for Intelligent Local Access (ILA). ILA ensures optimal network connectivity when accessing published resources. ILA can detect when it is on a trusted network and send traffic directly to the resource, bypassing the cloud gateway to improve performance. Authentication and authorization are still required for application access regardless of location.

B2B Guest Access

B2B Guest Access, now in public preview, enables external partners to securely access an organization’s private resources using their own devices and home Microsoft Entra ID credentials, without credential duplication. Partners install the Global Secure Access client, sign in, and switch to the resource tenant, routing traffic via Private Access profiles for Conditional Access, MFA, and continuous evaluation. It supports BYOD and multitenant switching, requires guest user setup and specific client configurations in the resource tenant, and needs licensing only in the resource tenant. However, B2B Guest Access does not support Kerberos-based on-premises resources. More details here.

Traceroute

This latest release of the Entra Global Secure Access client also includes a new traceroute tool. GsaTracert.exe, located in the C:\Program Files\Global Secure Access Client\GSATracert\ folder, allows administrators to test connectivity to published resources and evaluate network response time and performance.

FQDN

Administrators can use GsaTracert.exe to validate connectivity to a resource using its fully qualified domain name (FQDN). When running the command, GsaTracert.exe reports the round-trip time (RTT) in milliseconds for each hop along the path, including the target resource. It will also indicate which point of presence (PoP) the client is currently connected to. The syntax to perform this test is:

.\GsaTracert.exe --host <fqdn:port>

For example:

.\GsaTracert.exe --host app1.lab.richardhicks.net:443

IP:Host

In addition to testing an FQDN, administrators can test individual resources using a combination of IP address and port number. The syntax to perform this test is:

.\GsaTracert.exe --host <ip:port>

For example:

.\GsaTracert.exe --host 172.16.0.254:22

Application ID

In addition to FQDN and IP:Port, administrators can also supply the application ID to test. However, since an application can include multiple IP addresses and/or ports, the measurement for backend resources is omitted when using this option. The syntax to perform this test is:

.\GsaTracert.exe --app-id <app ID>

For example:

.\GsaTracert.exe --app-id a8b914b-4143-4901-9fbb-09b61319d5a6

Note: You can find the application ID for a published application by opening the Entra admin center and navigating to Global Secure Access > Applications > Enterprise Applications. The application ID will be displayed on the Overview page of the published Enterprise application.

Speedtest

Administrators can use the –speedtest switch with any of the combinations above to test the endpoint’s Internet performance. The results are for the connection to the public Internet, not to the published resource.

Additional Features

The following new features are designed to improve the user experience for Global Secure Access users.

Disable Private Access

Administrators can now use a registry setting to show the Disable button, allowing users to disable Entra Private Access. Disabling Private Access is helpful when a device is on the internal network, and the user prefers to access resources directly rather than through Global Secure Access.

View Account

The new Global Secure Access client now includes a View Account link to the user’s Microsoft Entra My Account website.

Summary

The Microsoft Entra Global Secure Access Client v2.24.117 introduces several valuable enhancements for administrators and users alike. Key highlights include Intelligent Local Access for optimized performance on trusted networks, public preview support for B2B Guest Access enabling secure external collaboration without credential duplication, and the new GsaTracert.exe traceroute tool for detailed network diagnostics. Additional improvements, such as the ability to disable Private Access via registry settings and quick access to the My Account portal, further streamline management and troubleshooting. These updates reinforce Microsoft Entra Global Secure Access as a robust solution for secure, efficient resource connectivity.

Additional Information

Microsoft Entra Global Secure Access client v.2.24.117

Install the Entra Global Secure Access client for Microsoft Windows

Microsoft Entra Private Access Intelligent Local Access (ILA)

Preventing Port Exhaustion on Entra Private Network Connector Servers

Leave a comment
by Richard M. Hicks on January 5, 2026  •  Permalink
Posted in Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Security, Security Service Edge, SSE, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 5, 2026

https://directaccess.richardhicks.com/2026/01/05/whats-new-in-entra-global-secure-access-client-v2-24-117/

Windows Secure Boot UEFI Certificates Expiring June 2026

For IT administrators responsible for managing Windows devices, a crucial certificate update milestone is coming in June 2026 that could result in degraded security for systems that are not updated. Specifically, the Microsoft certificates that manage UEFI Secure Boot trust will expire, potentially allowing untrusted or malicious software to load on affected machines during system boot.

Secure Boot

Windows Secure Boot is a UEFI firmware security feature that ensures a computer boots only with trusted, digitally signed operating system loaders and drivers, preventing malicious code (such as rootkits or compromised bootloaders) from loading during startup. Introduced with Windows 8, it verifies the cryptographic signatures of boot components against a database of authorized keys, blocking unauthorized or tampered software to protect system integrity from the earliest stages of boot.

Chain of Trust

The UEFI Platform Key (PK) is the ultimate root of trust in Secure Boot. It is a single public key owned by the device manufacturer and stored in firmware. The PK certificate signs the Key Exchange Key (KEK) and grants authority to modify the other Secure Boot databases, such as the allowed database (DB) and the disallowed database (DBX). The DB and DBX contain certificates and signatures for authorized and unauthorized software, respectively.

Microsoft Secure Boot Certificate Expiration

Two crucial Microsoft Secure Boot certificates are set to expire in June 2026. They are:

  • Microsoft Corporation KEK CA 2011 (stored in KEK)
  • Microsoft UEFI CA 2011 (stored in DB)

In addition, another critical Microsoft Secure Boot certificate expires in October 2026.

  • Microsoft Windows Production PCA 2011 (stored in DB)

When these certificates expire, devices may fail to recognize trusted bootloaders, and future Secure Boot policies may not be applied. Updating the certificates ensures continued protection against malicious rootkits and ensures Windows firmware compliance

View Certificate Information

Ideally, administrators could use PowerShell to view these UEFI Secure Boot certificates. Sadly, the output of the Get-SecureBootUEFI PowerShell command is not particularly helpful and does not display any pertinent certificate details.

Get-SecureBootUEFI -Name KEK

PowerShell Script

To address this limitation, I’ve created a PowerShell script that allows administrators to view all UEFI certificates, including PK, KEK, and DB certificates, and optionally save them as base64-encoded files. The script is available on GitHub and in the PowerShell gallery.

Install-Script -Name Get-UEFICertificate -Scope CurrentUser

View UEFI Certificates

After downloading the Get-UEFICertificate PowerShell script, run the following command to view the KEK database.

Get-UEFICertificate -Type KEK

In this example, the only KEK certificate is the expiring Microsoft Corporation KEK CA 2011 certificate. Running the command and specifying the DB type shows only the expiring Microsoft Windows Product PCA 2011 certificate.

Note: UEFI also includes hashes of specific executables in the DB and DBX databases. By default, this script focuses on UEFI certificates and omits hash calculations for brevity. Use the -IncludeHashes switch to view this information.

Updating Microsoft UEFI Certificates

With the October 2025 updates, Microsoft introduced new registry keys to enable and monitor the update status of these UEFI Secure Boot certificates.

Status

To begin, administrators can check the status of the update process by reading the value of the UEFICA2023Status registry key.

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\ -Name UEFICA2023Status | Select-Object UEFICA2023Status

Update

To initiate the update process, set the value of AvailableUpdates to 0x5944.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot’ -Name ‘AvailableUpdates’ -Value 0x5944

Next, start the Secure-Boot-Update scheduled task.

Start-ScheduledTask -TaskName ‘\Microsoft\Windows\PI\Secure-Boot-Update’

Once complete, the UEFICA2023Status indicates InProgress.

After a reboot, start the Secure-Boot-Update scheduled task once more. The UEFICA2023Status should indicate that it has been updated (may require one more reboot!).

Updated Certificates

After the update process completes, run the Get-UEFICertificate PowerShell script to confirm that new certificates have been added to UEFI Secure Boot.

Updated Microsoft KEK Certificates

Updated Microsoft DB Certificates

Summary

With multiple Microsoft Secure Boot CA certificates expiring in 2026, organizations need to ensure devices are updated to maintain a valid UEFI trust chain. This guide shows how to view existing firmware certificates, apply Microsoft’s Secure Boot CA 2023 updates, and confirm that new KEK and DB certificates have been installed. Completing this process now will ensure devices remain protected from tampered or malicious boot components as the 2026 expiration dates approach.

Additional Information

Windows Secure Boot certificate expiration and CA updates

Registry key updates for Secure Boot: Windows devices with IT-managed updates

Get-UEFICertificate PowerShell Script on GitHub

Get-UEFICertificate PowerShell Script in the PowerShell Gallery

2 Comments
by Richard M. Hicks on December 4, 2025  •  Permalink
Posted in administration, Certificate Authority, certificates, Cryptography, Deployment, Enterprise, MDM, MEM, Microsoft, Mobile Device Management, Operational Support, PKI, PowerShell, PowerShell 7, Secure Boot, Security, systems management, UEFI, Update, Windows 10, Windows 11
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on December 4, 2025

https://directaccess.richardhicks.com/2025/12/04/windows-secure-boot-uefi-certificates-expiring-june-2026/

What’s New in Absolute Secure Access v14

Absolute Software recently announced a significant upgrade for its popular secure remote access and Zero Trust Network Access (ZTNA) solution. Version 14 of Secure Access introduces many compelling new features and updates that administrators will find beneficial. In addition, crucial security vulnerabilities in the previous release have been addressed.

New Features

Absolute Secure Access v14.x includes many enhancements over previous releases. Here are a few of the highlights.

Improved Performance

Absolute Secure Access v14 provides much faster throughput on multi-gigabit networks (e.g., 2.5Gbps Wi-Fi 6E/7 or 10Gbps wired). New kernel-level optimizations reduce CPU overhead by up to 40% on high-speed links, improving performance on faster networks.

Modern Certificate Handling

SHA-1 has been deprecated since 2011, and beginning with Absolute Secure Access v14, support for SHA-1 certificates has been removed completely.

Enhanced Client Auto Reconnect

Improved client auto-reconnect logic now survives Windows standby mode for more than 12 hours (previous versions were capped at around 4 hours). This will reduce frustration when devices return from standby for extended periods.

Automatic Host Group Updates

Host groups are an excellent way to streamline policy configuration for services like Microsoft 365 and AWS. These cloud providers publish the IP addresses of their services, which are dynamic and often change over time. Absolute Secure Access v14 now supports automatic host group updates for these services. Microsoft 365 updates occur every 28 days, and AWS updates occur every 5 days by default. This interval is configurable for administrators.

Security Updates

Absolute Secure Access v14 closes four server-side CVEs as well as 14 third-party CVEs (Apache, OpenSSL, etc.) that were not patched in v13.x.

Summary

If you have deployed previous versions of Absolute Secure Access, consider upgrading to v14.x today. You’ll gain improved performance, reduced administrative overhead, critical security updates, and much more. If you’d like help with your migration or want to learn more about the new capabilities in Absolute Secure Access v14, fill out the form below, and I’ll provide more information.

Additional Information

Absolute Secure Access

Absolute Secure Access Enterprise VPN Advanced Features In Depth

Absolute Secure Access and IPv6

Leave a comment
by Richard M. Hicks on November 5, 2025  •  Permalink
Posted in Absolute, Absolute Secure Access, Absolute Software, Enterprise, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, NetMotion Software, Remote Access, Security, Security Update, Update, VPN
Tagged , , , , , , , , ,

Posted by Richard M. Hicks on November 5, 2025

https://directaccess.richardhicks.com/2025/11/05/whats-new-in-absolute-secure-access-v14/

« Older Posts