Editing Windows Server 2012 Group Policies for Direct Access with Windows 8.1 Enterprise Preview

Posted by Rik Hepworth on Tuesday, August 13, 2013

I finally got time to upgrade my Surface Pro to Windows 8.1 Enterprise. One of the things I most want to test is DirectAccess, as I live and die by this on my main laptop. However, despite the computer object for my machine being in the group that the DA group policies are applied to, no DA settings appeared.

TIP: On Windows 8.1, use Get-DAClientExperienceConfiguration in a PowerShell window to check your settings.

It turned out the policy wasn’t being applied because of the default Windows Server 2012 option of creating a WMI filter so that the DirectAccess group policy only applies to laptops. That filter had a bunch of Windows version statements in it.

To fix:

Open the Group Policy Management tool (on your DC or laptop with remote admin tools installed).

Find the group policy object “DirectAccess Client Settings”.

At the bottom of the policy is WMI Filtering. You will see a filter called “DirectAccess – Laptop only WMI Filter”.

Click the button to the right to open the filter. You should see a panel listing the filter's entries. Click Edit Filter.

Select the second entry. Click Edit.

The original filter text is:

Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE '6.2%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

Windows 8.1 is version 6.3.x, so you need to change the filter to read as follows (the edit is the added OR Version LIKE '6.3%' clause, with the extra parentheses around the two version tests):

Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR ((Version LIKE '6.2%' OR Version LIKE '6.3%') AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

Give AD a few minutes to catch up, then run gpupdate /force in a command prompt on your laptop. If you run the PowerShell command again, you should see a full complement of DA settings. The network panel takes a few minutes to catch up, but you should soon see your DirectAccess connection listed.
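
To confirm that a WMI filter is what is blocking the GPO before editing it, you can run the filter's query locally on the client and see whether it returns anything. The script below is an added example, not part of the original post; the function name Test-WmiFilterQuery is hypothetical, and it only tests the second filter entry shown above (the filter's other entry is not shown in the post and must also match for the GPO to apply).

```powershell
# Added example: evaluate the OS-version query from the
# "DirectAccess - Laptop only WMI Filter" against the local machine.
# A WMI filter query passes when it returns at least one instance.

# SKU lists copied from the filter text in the post.
$sku62 = "(OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR " +
         "OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)"
$win61 = "(Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR " +
         "OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR " +
         "OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR " +
         "OperatingSystemSKU = 71))"
$base  = "Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR "

$queries = [ordered]@{
    'Original filter'       = $base + "(Version LIKE '6.2%' AND $sku62) OR $win61"
    'Edited filter (6.3.x)' = $base + "((Version LIKE '6.2%' OR Version LIKE '6.3%') " +
                              "AND $sku62) OR $win61"
}

# Hypothetical helper: returns $true if the WQL query matches this machine.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\cimv2'
    )
    $result = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($result.Count -gt 0)
}

# Show the three properties the filter actually tests.
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, ProductType, OperatingSystemSKU |
    Format-List

# Evaluate both versions of the query.
foreach ($name in $queries.Keys) {
    [pscustomobject]@{
        Filter  = $name
        Matches = Test-WmiFilterQuery -Query $queries[$name]
    }
}

# After editing the filter and running gpupdate /force, re-check the client:
#   gpresult /r /scope computer        (run elevated; lists applied and filtered-out GPOs)
#   Get-DAClientExperienceConfiguration
```

On a Windows 8.1 client like the one described in the post, the original query should report Matches = False and the edited one True. If both report True and the DA settings are still missing, the cause is elsewhere (the filter's other entry, group membership, or replication).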