Original publish date: June 11, 2026
KB ID: 5103659
Introduction
As part of our continued commitment to security, reliability, and performance, DirectAccess has been deprecated and will be removed in a future version of Windows Server. While DirectAccess has provided seamless remote connectivity for many years, it has been replaced by a more modern and flexible solution: Always On VPN.
This change reflects the move toward cloud-ready networking technologies that better meet current security and management requirements. In this article, learn about DirectAccess deprecation, why this change is happening, and what organizations should do next to help ensure a smooth transition.
What does deprecation mean for DirectAccess?
When a feature is deprecated, it remains available and supported for the product lifecycle, but it is no longer the recommended solution for new deployments. Organizations should plan to transition to the recommended replacement before the deprecated feature is removed in a future release.
If you run a supported version of Windows Server that includes DirectAccess, you can continue to use DirectAccess for the supported lifecycle of that Windows Server release.
Why move away from DirectAccess?
DirectAccess was originally built for on-premises, domain-centric environments. It depends on technologies such as IPv6 transition mechanisms and Group Policy–based management, which can make it less suitable for cloud-first environments and modern access-control models.
To continue benefitting from the best available security, we recommend transitioning to Always On VPN.
Benefits of Always On VPN
- Modern and secure: Supports Microsoft Entra ID (formerly Azure AD) integration, multifactor authentication (MFA), Conditional Access, and Windows Hello for Business. Always On VPN aligns with modern Zero Trust security models.
- Simpler networking: Works with IPv4 and IPv6 without requiring complex IPv6 transition technologies.
- Broader device support: Works with domain-joined, Entra ID–joined, hybrid, and nondomain-joined devices. Always On VPN enables bring-your-own-device (BYOD) and cloud-first scenarios.
- Granular access control: Enables traffic filtering and per-user or per-group access policies. Always On VPN allows least-privilege network access.
- Modern management: Can be deployed and managed using Microsoft Intune and mobile device management (MDM), in addition to traditional tooling.
- Better performance and reliability: Uses modern virtual private network (VPN) protocols like IKEv2 that provide improved performance and resilience on unreliable networks.
- Flexible infrastructure: Can be integrated with Windows Routing and Remote Access Service (RRAS) or supported non-Microsoft VPN solutions, reducing infrastructure lock-in.
Steps to transition to Always On VPN
For migration guidance, see Remote Access Always On VPN migration overview. At a high level, the migration process consists of four stages:
- Plan the migration. Build migration rings and learn about Always On VPN (feature comparisons, enhancements, and technology).
- Deploy a side-by-side VPN infrastructure.
- Deploy certificates and configuration to the clients.
- Remove and decommission DirectAccess from client and server devices.
NOTE: DirectAccess remains available in Windows Server 2025 and other supported Windows Server releases that include DirectAccess.
Conclusion
The deprecation of DirectAccess helps organizations move toward more modern remote access technologies. By transitioning to Always On VPN, organizations can help keep remote connectivity secure, flexible, and reliable while preparing for the future removal of DirectAccess. If you need help planning the transition, contact Microsoft Support or your Microsoft representative.