remote user domain integration - DirectAccess vs Always On VPN

Tektot Ket 1 Reputation point
2020-10-30T18:40:22.233+00:00

We use a 3rd-party security vendor vpn client & server which the users sign into with current domain credentials after signing into their Windows 10 desktops with cached domain credentials. With this solution remote domain-joined computers that rarely visit a company office to connect on the internal network never get changes or additions to group policy computer settings as described in this archived forum post: how-to-force-gpo-changes-on-remote-pcs-that-used-cached-credential-login

Additionally, domain-synced password expiration notices or password change prompting at Windows logon is not possible, and group membership + Kerberos tickets will not refresh at logon. All of this leads to support concerns.

Can anyone comment on whether DirectAccess or "Always On VPN" address these shortcomings and whether one is a better approach vs the other in an environment where Windows 10 Enterprise, Server 2019, and SCCM are available?


1 answer

  1. Candy Luo 12,686 Reputation points Microsoft Vendor
    2020-11-02T02:11:33.903+00:00

    Hi,

    You could consider using Always On VPN Device Tunnel in such scenarios.

    Always On VPN Device Tunnel was designed with a specific purpose: to provide pre-logon network connectivity to support scenarios such as logging on without cached credentials.

    AOVPN Device Tunnel is established as soon as the machine has booted up. It does not require the user to log in first, since it only requires the machine certificate to authenticate, which is used independently of which user logs in.

    For your reference:

    Always On VPN Device Tunnel Only Deployment Considerations

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Configure VPN device tunnels in Windows 10


    Best Regards,

    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

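An added example of what the answer describes, not code from the thread or from Microsoft's documentation: a PowerShell script that deploys an Always On VPN device tunnel profile through the MDM bridge WMI provider (MDM_VPNv2_01) with machine-certificate IKEv2 authentication, so the tunnel comes up at boot before any user logs on. The profile name, server FQDN `vpn.example.com`, the internal 10.10.0.0/16 route and the DNS suffix `corp.example.com` are assumed placeholders; it must run as SYSTEM (for example as an SCCM package or via `psexec -i -s powershell.exe`), because a device tunnel is a machine profile.

```powershell
# Added example: deploy an Always On VPN *device tunnel* profile via the MDM bridge (MDM_VPNv2_01).
# Run in the SYSTEM context (SCCM package, or "psexec -i -s powershell.exe"); a device tunnel is a
# machine-level profile, not a user profile. All names and addresses below are assumed placeholders.
$ProfileName = 'Contoso Device Tunnel'      # assumed profile name
$VpnServer   = 'vpn.example.com'            # assumed VPN server FQDN (must match its certificate)

# Machine-certificate IKEv2 auth means no user credentials are involved, so the tunnel is up before
# logon. Route only the subnets holding domain controllers / management hosts (assumed 10.10.0.0/16)
# so GPO refresh, Kerberos ticket renewal and password changes reach the domain from the road.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
</VPNProfile>
"@

# The CSP stores ProfileXML as a string inside XML, so the payload itself must be XML-escaped.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXMLEscaped  = [System.Security.SecurityElement]::Escape($ProfileXML)

$namespace = 'root\cimv2\mdm\dmmap'
$className = 'MDM_VPNv2_01'
$session   = New-CimSession

# Delete any existing instance with the same name so re-running the script is idempotent.
Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
  Where-Object InstanceID -eq $ProfileNameEscaped |
  ForEach-Object { $session.DeleteInstance($namespace, $_) }

$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
$instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   './Vendor/MSFT/VPNv2', 'String', 'Key'))
$instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped,   'String', 'Key'))
$instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXMLEscaped,    'String', 'Property'))
$session.CreateInstance($namespace, $instance) | Out-Null

# Verify: the device tunnel lives in the all-user phonebook and should connect with nobody logged on.
Get-VpnConnection -AllUserConnection -Name $ProfileName | Select-Object Name, ConnectionStatus
```

Once the tunnel is up at boot, a `gpupdate /force` or a domain logon with expired cached credentials can reach the domain controllers over the routed subnet; that is the check to run before rolling the profile out broadly.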