Microsoft has announced that the DirectAccess remote access solution is now deprecated and will be removed in a future release of Windows, recommending that organizations migrate to Always On VPN for enhanced security and continued support.
DirectAccess is a bidirectional remote access technology introduced by Microsoft in Windows 7 and Windows Server 2008 R2, providing domain-joined remote users an “always on” connection to internal corporate networks without using VPN connections.
The system is used by remote employees who need constant and reliable access to corporate resources and IT administrators managing and updating devices outside the corporate network.
Always On VPN is a remote access solution introduced by Microsoft as a successor to DirectAccess, made available on Windows Server 2016 and Windows 10 and all subsequent releases.
It supports modern VPN protocols such as IKEv2 and SSTP, as well as multi-factor authentication (MFA), for better security. It also allows administrators to define which apps and services can use the VPN connection.
Additionally, Always On VPN is more flexible than DirectAccess as it can work with domain-joined and non-domain-joined devices.
Migrating to Always On VPN
Microsoft announced the deprecation of DirectAccess this week, but it has not determined exactly when it will be stripped from Windows.
Users are advised to plan and execute a migration to Always On VPN as soon as possible to avoid dealing with downtimes or other issues later.
To ease the process, Microsoft published a migration guide last year suggesting a phased approach to migrating to Always On VPN to allow for easier troubleshooting.
Microsoft also suggests setting up the Always On VPN infrastructure alongside the existing DirectAccess setup for a smooth transition.
The guide contains details on how to issue the required certificates to clients, which PowerShell scripts to use for deploying the new VPN configuration, Intune management tips, and how to monitor for problems via Microsoft Endpoint Configuration Manager.
After the migration is completed, admins should remove the DirectAccess server role in Server Manager, update DNS records accordingly, and decommission the server from Active Directory Domain Services (AD DS).
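The phased rollout described above, as an added example that is not from the article or from Microsoft's migration guide: a PowerShell script that checks the client for a machine certificate, creates an IKEv2 Always On VPN connection with machine-certificate authentication next to the existing DirectAccess configuration, pins the IPsec proposal to strong ciphers, restricts one application to the tunnel, and then, as a separate function to be run on the DirectAccess server once clients have moved, removes the DirectAccess role. The connection name, server FQDN, issuing CA subject, internal address range and the application path are assumptions, not values from the page.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft's migration guide.
# All names below are assumptions; replace them with your environment's values.

$ConnectionName  = 'Contoso AOVPN'           # assumed connection name
$VpnServer       = 'vpn.contoso.example'     # assumed Always On VPN server FQDN
$CaSubject       = 'CN=Contoso Issuing CA'   # assumed internal issuing CA
$InternalPrefix  = '10.0.0.0/8'              # assumed internal address range
$RestrictedApp   = 'C:\Windows\System32\mstsc.exe'  # assumed app allowed over the tunnel

function Deploy-AlwaysOnVpnClient {
    # Phase 1: a valid machine certificate from the internal CA is required for
    # IKEv2 machine-certificate authentication. Stop early if the device lacks one.
    $deviceCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -eq $CaSubject -and $_.NotAfter -gt (Get-Date) }
    if (-not $deviceCert) {
        throw "No valid machine certificate issued by '$CaSubject'; enroll the device before migrating."
    }

    # Phase 2: create the Always On VPN connection alongside DirectAccess so the
    # old path keeps working while the new one is tested. Idempotent on re-run.
    $existing = Get-VpnConnection -AllUserConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-VpnConnection -Name $ConnectionName `
            -ServerAddress $VpnServer `
            -TunnelType IKEv2 `
            -AuthenticationMethod MachineCertificate `
            -EncryptionLevel Required `
            -SplitTunneling `
            -AllUserConnection `
            -Force
    }

    # Pin the IKEv2/IPsec proposal so the client never negotiates weak algorithms.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -AuthenticationTransformConstants GCMAES256 `
        -CipherTransformConstants GCMAES256 `
        -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 `
        -PfsGroup PFS2048 `
        -AllUserConnection `
        -Force

    # With split tunneling enabled, only the internal range is routed through the tunnel.
    Add-VpnConnectionRoute -ConnectionName $ConnectionName `
        -DestinationPrefix $InternalPrefix `
        -AllUserConnection

    # Phase 3: per-app restriction. Only the assumed application may send TCP traffic
    # to the internal range over this connection (protocol 6 = TCP).
    Add-VpnConnectionTrafficFilter -ConnectionName $ConnectionName `
        -AppId $RestrictedApp `
        -Protocol 6 `
        -RemoteAddressRange $InternalPrefix `
        -Direction Outbound `
        -AllUserConnection

    # Phase 4: report the resulting configuration for the rollout log.
    Get-VpnConnection -AllUserConnection -Name $ConnectionName |
        Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                      EncryptionLevel, SplitTunneling, ConnectionStatus
}

function Remove-DirectAccessServerRole {
    # Run on the DirectAccess server only after every client is on Always On VPN.
    # This is the PowerShell equivalent of removing the role in Server Manager;
    # DNS records and AD DS objects for the server still need to be cleaned up.
    if (-not (Get-Command Uninstall-RemoteAccess -ErrorAction SilentlyContinue)) {
        throw 'The RemoteAccess module is not present; run this on the DirectAccess server.'
    }
    Uninstall-RemoteAccess -DirectAccess -Force
    Uninstall-WindowsFeature -Name DirectAccess-VPN
}

# Client rollout entry point; call Remove-DirectAccessServerRole separately on the server.
Deploy-AlwaysOnVpnClient
```

Running the client function on a pilot group first, while DirectAccess remains in place, gives the "phased" behaviour the guide recommends: a device that fails the certificate check is reported rather than silently left without remote access, and the per-app traffic filter can be loosened or removed once the pilot confirms which services actually need the tunnel.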