Difference between Microsoft DirectAccess and Windows 10 AutoVPN

Question

  • Hi,

    The AutoVPN feature, available with the Windows 10 Anniversary Update, provides a new way to access work resources from your Windows 10 desktop or mobile device while you are not connected to the work network.

    Can some one please explain how it differs from Microsoft DirectAccess?

    Tuesday, January 24, 2017 3:18 AM

Answers

  • DirectAccess is an "always-on" technology, where it will always connect as soon as the user gets an internet connection. The user is unable to disable DirectAccess, at least at the tunneling level, so your management functions and patches and updates are always able to apply to the client computers, whether the users like it or not :) (this is a benefit to the security side)

    DirectAccess also uses its own connectivity and encryption methods, rather than using the traditional VPN protocols like L2TP, SSTP, IKE, etc. DA uses IPsec tunnels for transport of all traffic.

    AutoVPN is just plain ole VPN (the regular protocols, etc), with creative launch capabilities. You can set up policies that tell it to launch when you log into the desktop, or when a particular application is launched. This means that DirectAccess launches sooner in the process than AutoVPN, allowing you to even do things like real-time password resets while you are sitting at the lock or login screens.

    In my mind, from a user's perspective they are close to the same, though under the hood they are doing very different things. The biggest difference that I see, and the reason that almost nobody deploys AutoVPN, is deployment. DirectAccess settings are all distributed to the client computers via Group Policy, super easy and straightforward. AutoVPN policies are only able to be distributed via Intune, last I heard. I believe they plan to port this functionality over to SCCM as well, maybe it's already in there, but everybody has Group Policy where not everybody has invested in Intune or SCCM. This is the main reason I still see everybody preferring DirectAccess over AutoTriggerVPN at this point.

    Oh, one other thing - DirectAccess is a very easy incorporation of certificates as part of the authentication process, making that authentication very strong and secure. Using certificates with VPN connections has always been a topic of confusion with any VPN, and not very simple to setup.

    If you couldn't tell, I'm a big fan of DirectAccess. That's because, as long as you know what you're doing when you set it up, it works flawlessly for years and years. Typically the only support calls I get are expired certificates, usually when someone forgets to mark an SSL cert expiry on their calendar ;)

    • Marked as answer by Alvi932 Tuesday, February 14, 2017 7:41 PM
    Wednesday, January 25, 2017 9:33 PM
  • AutoVPN is new in Windows 10 Anniversary edition, you need to be running at least that to be able to use it. This differs greatly from DA where DA can work back as far as Win7.

    A DirectAccess infrastructure includes a DirectAccess server, of course, but AutoVPN is really only a client-side technology. The VPN that you use on the backend doesn't necessarily matter. It could be Windows Servers running RRAS, or Cisco, Check Point, etc. Once your VPN of choice is set up on the backend, then you can use AutoVPN to configure the clients with a VPN profile for tapping into that VPN.

    The real downside to AutoVPN is that (as far as I know) it can only be configured by either Intune or SCCM. You would need to be running one or the other in order to push AutoVPN profiles around to the client computers. This is a big blocker to implementation for many companies.

    • Marked as answer by Alvi932 Tuesday, February 14, 2017 7:41 PM
    Tuesday, February 14, 2017 4:01 PM

All replies

  • Hi Jordan, 

    From a deployment standpoint (AutoVPN), how is the back end set up? I mean, how many Windows servers are needed? What roles and features need to be installed on this server? What server OS is supported for AutoVPN?

    How is the AutoVPN server configured?

    How does the AutoVPN back end / server end setup differ from DA?

    Windows 10 Enterprise and domain join are needed for DA. What about Win 10 AutoVPN? Are other versions besides Enterprise supported?


    Tuesday, February 14, 2017 2:33 AM
  • So, if we take a look at the whole picture, AutoVPN is a new Windows OS VPN client. Previously, with XP, Vista and 7 you could establish a VPN connection (like a dial-up profile) without any VPN client software, but only to RRAS maybe.

    DA is a cool feature, but since Microsoft pushes us all to the cloud, DA is not popular anymore, since it is totally against the cloud management solutions. What do you think, will there be a DA end-of-life date soon? :)


    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Monday, October 23, 2017 1:20 PM
  • There is now Always On VPN with Windows 10 Fall Creators Update.  Here is a comparison page from Microsoft: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-map-da

    Monday, December 11, 2017 5:58 PM
  • One thing that sticks out for me is the lack of offline domain join support with Auto VPN at the moment. We use it widely with DA, huge time saver :)

    On the other side you won't need Enterprise/Edu licenses to run AutoVPN.

    Tuesday, December 12, 2017 8:53 AM
  • Good point on offline domain join support. Also, it is still my understanding that SCCM/Intune are the mechanisms for pushing out AutoVPN settings, and I still think that is going to be a blocker to implementation. DirectAccess being able to roll out via Group Policy is a huge advantage that DA has over AutoVPN at the moment.

    I've deployed DA hundreds of times and the requirement for running Enterprise SKU has never once caused a deployment to stop. Enterprise is what the vast majority of businesses run, especially those that are large enough to have SCCM. I don't believe that customers looking at using AutoVPN are doing so because of the SKU flexibility. So while I understand VPN is easier for BYOD, and fully agree that it is (because you don't even have to be domain-joined to do VPN), the trend I see lately is that companies are migrating away from BYOD in a hurry with all the security breaches over the last couple of years. More and more companies are now locking down the environments and only corporate-issued laptops are able to connect back into the corporate network. This makes a lot of sense to me, and I believe is a trend that will continue since per-device costs are so low now. Buying a laptop for an employee is well worth the cost of knowing that laptop is secured.

    All in all, yes clearly Microsoft is making improvements to AutoVPN and making it a more viable solution, and I'm excited to see it become so. But calling DirectAccess end-of-life right now is definitely premature as it still holds a number of advantages. My .02

    Tuesday, December 12, 2017 3:11 PM
  • Excellent post Jordan! Also, you have to remember that the SCCM/Intune requirements for pushing AutoVPN config are only a matter of time; it might be a different situation in 12 months, as I see all these things around Windows 10 are changing very rapidly.

    This is a very interesting point you wrote about going away from BYOD because of security aspects. I'm glad to hear that :D ...indeed, the world has changed from Windows 7 times and has become more insecure (...or it is just Microsoft's marketing speech around UEFI and stuff).

    Also, MS is pushing very handy security solutions to manage (LAPS, AppLocker, Defender features), but traditional admin staff do not rely on MS as a security company. That's today's challenge.

    Tuesday, December 12, 2017 8:05 PM
  • Using SCCM or Intune is better but it's not required. 

    I haven't tested it yet (because it will be hardcore to do everything manually), but according to the Deployment Guide, you can just use PowerShell to deploy the Always-On VPN profile.

    Gérald

    Wednesday, December 13, 2017 3:20 PM
  • @Gérald - If correct, then you can use Group Policy to call Powershell to deploy Always On VPN.  Perfect!
    Wednesday, December 13, 2017 4:14 PM
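To make Gérald's point and the follow-up about calling it from Group Policy concrete, here is an added example (not code posted in this thread and not Microsoft's own deployment script, although it drives the same documented VPNv2 CSP WMI bridge, namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01) that pushes an Always On VPN device tunnel profile from PowerShell, which a Group Policy computer startup script can run with no Intune or SCCM involved. The profile is the kind of thing the earlier replies describe: an IKEv2 tunnel authenticated with a machine certificate, always on, not switchable by the user, with split-tunnel routes limiting what it can reach. The server name vpn.example.com, the internal domain corp.example.com, the 10.0.0.0/8 route and the DNS server addresses are placeholders to replace with your own.

```powershell
# Added example, not from this thread: deploy an Always On VPN *device tunnel*
# profile to a Windows 10 client through the VPNv2 CSP's WMI bridge, the same
# channel an MDM such as Intune would use. Run as SYSTEM (e.g. a GPO computer
# startup script); a *user* tunnel would be created in the user's context instead.
# vpn.example.com, corp.example.com, 10.0.0.0/8 and the DNS addresses are assumed values.

$ProfileName        = 'Corp Device Tunnel'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'   # InstanceID must be URL-safe

$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

# The CSP stores the profile as an XML-escaped string inside the ProfileXML property.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

$session = New-CimSession

# Delete a stale copy of the same profile first so the script can be re-run safely.
foreach ($existing in $session.EnumerateInstances($namespaceName, $className)) {
    if ($existing.InstanceID -eq $ProfileNameEscaped) {
        $session.DeleteInstance($namespaceName, $existing)
    }
}

# Build the CSP node: ParentID and InstanceID are keys, ProfileXML carries the profile.
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
        @{ Name = 'ParentID';   Value = $nodeCSPURI;         Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $ProfileXML;         Flags = 'Property' })) {
    $prop = [Microsoft.Management.Infrastructure.CimProperty]::Create(
        $p.Name, $p.Value, 'String', $p.Flags)
    $newInstance.CimInstanceProperties.Add($prop)
}

$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Verify: a device tunnel appears as an all-user connection using machine-certificate
# authentication; it connects as soon as the machine has a non-corporate network.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
```

A device tunnel, like DirectAccess, needs Windows 10 Enterprise or Education (1709 or later), a domain-joined machine and a machine certificate, and it does not support application or logon triggers because it is always on; a user tunnel (UserMethod instead of MachineMethod, no DeviceTunnel element) is what works on other SKUs and non-domain machines and is where the AppTrigger and logon-time rules from the earlier replies apply. The Route elements are the place to limit what the tunnel can reach, which matters for the malware point raised later in the thread.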
  • I think the main difference from my point of view is Windows OS support. Auto VPN is the cheap DA implementation, but it works on all clients and doesn't need to be domain joined, versus DA, which requires the Enterprise version of Windows. Also, new authentication and management features such as Azure MFA are supported by Auto VPN, as well as conditional access. Auto VPN doesn't require a dedicated server.
    Monday, December 18, 2017 7:03 PM
    Moderator
  • Hi Jordan

     It seems to me that DirectAccess would be more secure since it allows only access to file shares. We have never allowed VPNs because it brings the "whole PC" back into the network. This AutoVPN that allows machines that are not on the domain to connect seems to pose the same problem. Am I wrong?

    Is DirectAccess more secure, especially if a remote PC were to be infected with malware for instance?

    Thank you

    Bart Louwagie

    Thursday, January 25, 2018 5:41 PM
  • Hey Bart, there are going to be numerous points of view on your question. DirectAccess definitely allows access for more than just file shares. It is a full connectivity solution for remote systems (I often replace VPNs with DA to give a company's remote workforce access to everything that they need). That being said, the traffic pattern of DA is vastly different than of a VPN. A traditional VPN is usually a full-scale layer 3 tunnel back to the corporate network, where DA is not. There are ways to limit what both VPN and DA have access to inside the network, so you can mitigate some risk with either solution.

    As far as domain membership, DirectAccess requires it and VPN does not. The BYOD crowd will say that VPN holds the advantage here, but I have seen the BYOD trend on the decline as companies care more about security than about allowing employees to bring their own devices to work. More recent experience shows me that companies are trending toward only allowing access back to the corporate network from company-owned, domain-joined machines. From a general security perspective, this makes the most sense to me. So I personally give the nod to DA in this scenario.

    As far as malware goes - both DA and VPN are simply transports back to the corporate network, so if a laptop were to get infected with malware it could potentially traverse either kind of tunnel. Since DA is always connected, it allows you to keep a better security posture on your laptops, so hopefully they are less at risk for getting infected in the first place. AutoVPN would be in this same boat, but for any company that provides VPN that is not AutoVPN and therefore gives the user the capability to turn off the VPN - that puts them into a much more vulnerable boat. In the case of DA versus traditional VPN where users only connect when they choose to connect, then I definitely feel the advantage goes to DA.

    Thursday, January 25, 2018 8:29 PM
  • It seems quite interesting to me now, after I've read Jordan's experience about security, that on one hand Microsoft is pushing cloud solutions with BYOD and on the other hand security is a highly prioritized topic today - you can't have both maximized, can you :)


    Friday, January 26, 2018 1:01 PM
  • Yes, there are certainly many different directions that companies can take. And hopefully nobody takes my comments the wrong way, there are certainly organizations and environments where "all-in" for cloud works fine, including allowing employees to bring their own devices or even work full-time from (dare I say it on a Microsoft forum?) something like an iPad.

    But on the other hand, there will always be companies who will not trust their data to a cloud provider and will always have an on-premise datacenter. In fact, that is still the vast majority of businesses out there today. While that landscape is constantly changing, it's important not to forget about those customers - the ones who want an on-premise network, with company-owned machines that are always connected, updated, and protected.

    Friday, January 26, 2018 2:59 PM
  • Also, you need to compare and test whether you are really capable of managing your devices the same way with Intune+MDM vs. SCCM+GPO, because lots of security settings need to be centrally manageable.

    Tuesday, January 30, 2018 10:36 AM
  • Sorry for the off-topic question, but for DA discussions, is this a better place for now, since UAG has been out of the picture?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS

    Thursday, February 15, 2018 8:27 AM