DirectAccess Is Deprecated: Migrate to ZTNA, Not Just Always On VPN

DirectAccess is deprecated and Windows 11 24H2 already breaks it. Why Always On VPN is only a half-step and how to migrate to sovereign ZTNA in 2026.
Windows systems administrator reviewing a DirectAccess to ZTNA migration plan in a modern office

Microsoft has deprecated DirectAccess. Windows Server 2025 is the last release that ships it, future Server releases drop it entirely, and Windows 11 24H2 already breaks its IP-HTTPS connectivity in the field. Microsoft’s default answer is Always On VPN, but that is a network-centric VPN in newer clothing: it still hands the client an internal IP, still assumes implicit trust, and leans on a fragile on-premises PKI chain that a single domain-controller update can take down. For a European mid-market team, the durable and NIS2-ready move is Zero Trust Network Access, and a sovereign single-platform SASE like Jimber is the strongest fit.

Key takeaways

  • DirectAccess was formally deprecated in 2024; Windows Server 2025 is the final OS to include it, and it will be removed from future Server releases.
  • Windows 11 24H2 breaks DirectAccess over IP-HTTPS today, so waiting is already a business-continuity risk, not just a roadmap item.
  • Always On VPN keeps the implicit-trust model and adds a demanding PKI stack (AD CS, NDES, Intune cert distribution) that broke for many teams after the February 2025 domain-controller enforcement update.
  • Entra Private Access is Microsoft’s own ZTNA, but it is still maturing and is built around Entra-joined Windows devices, leaving hybrid, non-Windows and OT scenarios thin.
  • A sovereign, single-platform ZTNA/SASE removes the PKI burden, covers every OS plus agentless OT, and keeps data under EU jurisdiction — the combination NIS2 and CyFun reward.

The DirectAccess deprecation timeline

DirectAccess has been on borrowed time since Windows Server 2012 R2, when Microsoft froze its development and kept it alive for legacy compatibility only.

Phase When Impact
Development frozen After Windows Server 2012 R2 No new features; code maintained for compatibility only
Formal deprecation 2024 Marked deprecated in Microsoft’s documentation
Client regression Windows 11 24H2 Upgrades break IP-HTTPS connectivity, dropping remote sessions
Last supported server Windows Server 2025 Still functional, but only for this release’s lifecycle
Removal Future Windows Server releases Server roles and management consoles removed from the images

The 24H2 regression is the part that turns a planning question into an operational one. Since that feature update, administrators report that DirectAccess over IP-HTTPS stops working outright, and the usual registry tweaks do not fix it, so the only quick remedy is to pause 24H2 or roll machines back to 23H2. A client-side update should not be able to sever your remote access, and here it does.

Why DirectAccess is being retired

DirectAccess was designed when the corporate perimeter was a building. Its assumptions no longer hold:

  • Mandatory domain join. Servers and clients must belong to an on-premises Active Directory domain, which blocks the shift to Entra-ID-only, cloud-native endpoints.
  • GPO-only management. Configuration runs entirely through Group Policy, which is inflexible and drifts out of sync on devices that rarely touch the office network.
  • Ageing authentication. It leans on NTLMv2 for computer authentication, while Microsoft is actively retiring the NTLM family in favour of Kerberos.
  • Complex IPv6 transition. Because it is IPv6-native, traffic over the IPv4 internet needs translation layers such as IP-HTTPS, NAT64, DNS64, ISATAP and Teredo, which add latency and make troubleshooting painful.
  • Enterprise licensing. It requires Windows Enterprise, so Windows Professional estates and mixed macOS, iOS or Android fleets are excluded.

Microsoft’s two paths, and why neither is the finish line

For a DirectAccess replacement Microsoft points to Always On VPN and Entra Private Access. Both are worth understanding before you commit.

Always On VPN is the legacy model, modernised at the edges. It drops the IPv6 transition mess and supports both domain-joined and Entra-ID-joined devices via Intune, using a device tunnel (pre-logon, Enterprise-only) and a user tunnel. It can integrate with Entra Conditional Access and MFA. At its core, though, it is still a network-centric VPN: after authentication the client receives an IP on the internal subnet, which means implicit trust and the lateral movement that comes with it. It also hair-pins SaaS and Microsoft 365 traffic back through the datacentre before sending it to the cloud, wasting bandwidth. And it depends on a demanding PKI stack: an on-premises AD Certificate Authority, NDES servers, IIS changes and certificate distribution through Intune.

Entra Private Access is real ZTNA, but early. Part of Global Secure Access, it uses lightweight outbound-only connectors behind the firewall, so no inbound ports are opened. It works well for pure cloud-native scenarios, but it is still developing and is built around Entra-joined Windows devices, without the depth to carry complex on-premises legacy protocols, non-Windows systems and OT in a hybrid mid-market estate without heavy overhead.

The February 2025 PKI failure: a preview of the Always On VPN burden

The fragility of the Always On VPN model showed clearly when Microsoft enforced strong certificate binding on domain controllers in the February 2025 security update. Before it, controllers accepted certificates without a strong mapping to a security identifier and merely logged a warning. After it, they rejected every authentication that lacked that strong mapping.

Because most Always On VPN user certificates are issued automatically through SCEP or PKCS via Intune and NDES, the update caused an immediate, large-scale outage of remote connections, with cryptic client errors. Administrators had to drop domain controllers back to audit mode through a registry change to restore business operations, then fully reconfigure certificate templates on the CA, update the Intune Certificate Connector, and reissue every user certificate. One server-side update took down remote access across the estate. That is the maintenance surface Always On VPN asks a lean team to own.

Always On VPN versus sovereign ZTNA/SASE

Set the two end-states side by side and the gap is structural, not cosmetic.

Aspect Microsoft Always On VPN Sovereign ZTNA/SASE (Jimber)
Security model Implicit trust; client gets an internal IP, enabling scanning and lateral movement Zero Trust; per-session, per-application access, with the wider network invisible
PKI / certificates On-premises AD CS, NDES, IIS and Intune cert distribution to maintain Identity-centric; connects to Entra ID or Okta over SAML/OIDC, no local PKI
Firewall Inbound VPN gateways accept external traffic, enlarging the attack surface Outbound-only connectors; no inbound ports opened
OS coverage Native to Windows; macOS, iOS and Android need separate, complex setups One agent across Windows, macOS, Linux, iOS and Android, plus agentless access
Network path Hair-pins SaaS and Microsoft 365 through the datacentre Direct, locally optimised routing through nearby PoPs
Management Split across Intune, GPO, NPS/RRAS and AD; no single dashboard One console for policy, posture, SWG, FWaaS and audit

Mixed fleets and the OT blind spot

Both DirectAccess and Always On VPN were built for Windows. In a real mid-market estate people also work on macOS and mobile, and keeping Always On VPN forces the IT team to run separate, disconnected VPN tooling for those platforms. There is also a harder gap: printers, IP phones and industrial PLCs cannot run a VPN client at all, so they sit unprotected on a flat network. This is exactly where a full SASE platform pulls ahead of a Windows-first VPN. Jimber closes both gaps with ZTNA network isolation and its Network Isolation Access Client (NIAC), an inline device that sits between a legacy or OT asset and the network and enforces identity-based encryption and microsegmentation without installing anything on the endpoint. Our note on device posture checks for NIS2 covers the continuous-validation side.

What NIS2 rewards, and the sovereignty factor

Under Belgium’s NIS2 law directors are personally accountable for cyber-risk measures, with fines up to €10 million or 2% of global turnover, and the CyberFundamentals (CyFun) framework is how most Belgian organisations demonstrate conformity. ZTNA maps directly onto the controls auditors look for: identity-based microsegmentation replaces implicit trust, and a single console gives the traffic visibility you need to meet the 24-hour incident-notification duty. You can see the full mapping in our NIS2 security measures to SASE controls guide, and the audit view in the NIS2 compliance checklist.

One factor decides more than any feature. A SASE platform inspects all outbound web traffic and internal authentication requests, so the vendor’s legal home matters. A US-headquartered vendor, or its EU subsidiary, falls under the US CLOUD Act and FISA Section 702, which can compel access to data and logs held on European servers without a European court. That is a direct GDPR conflict and a documented supply-chain risk under NIS2. Jimber is headquartered in Belgium with no US parent and processes all data inside the EU, which is what lets a mid-market team show a fully sovereign, compliant access chain while removing the DirectAccess and PKI burden at the same time. For the wider argument, see our European SASE alternatives piece and the enterprise VPN end-of-life watchlist.

Frequently asked questions

What does the Windows 11 24H2 update do to an existing DirectAccess setup?

It breaks the IP-HTTPS tunnel that DirectAccess relies on over the public IPv4 internet, so remote users lose access to internal resources immediately. Ordinary registry fixes do not resolve it, so pausing the 24H2 update and rolling affected machines back to 23H2 is the only quick workaround, which makes a proper migration urgent.

Why did Always On VPN connections fail after the February 2025 domain-controller update?

That update enforced strong certificate binding on domain controllers, which then reject any certificate that is not strongly mapped to a unique security identifier. Because most Always On VPN certificates are issued through SCEP or PKCS via Intune and NDES, the change caused mass authentication failures until administrators reverted to audit mode and reissued certificates with the correct mapping.

What is the difference in network visibility between Always On VPN and ZTNA?

Always On VPN connects at the network level: once authenticated, the device gets an internal IP and can scan other hosts. ZTNA connects at the application level, so the client never receives a network address and reaches only the one authorised application, which keeps the rest of the network invisible and blocks lateral movement.

Does the Always On VPN device tunnel work on Windows Professional?

No. The device tunnel, which connects before user sign-in and enables pre-logon management, requires Windows Enterprise. The user tunnel runs on Professional, but on its own it cannot handle remote password changes or pre-logon GPO updates.

Is Entra Private Access enough to replace DirectAccess for a hybrid or OT estate?

For pure cloud-native, Entra-joined Windows scenarios it can work. It is still maturing, though, and is built around Entra-joined devices, so hybrid setups with on-premises legacy protocols, non-Windows systems or OT hardware are thin. A full SASE platform with agentless isolation for those devices is a better fit for a mixed mid-market environment.

How does a sovereign SASE secure devices that cannot run an agent?

For printers, VoIP phones and OT systems that cannot run a client, Jimber uses the Network Isolation Access Client (NIAC), an inline physical or virtual device that intercepts the traffic of these endpoints, encrypts it, and forwards it only through authorised, identity-based ZTNA tunnels, without any software on the endpoint.

Move to Zero Trust, not to the next VPN

DirectAccess is ending and Windows 11 is already forcing the issue. Rather than swap it for another network-centric VPN and the PKI chain that comes with it, map your applications, connect your identity provider, and pilot a ZTNA cutover for one user group this quarter. Book a Jimber demo to see an agentless, EU-sovereign path off DirectAccess, or compare pricing against an Always On VPN and PKI build.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed