I’ve been frustrated recently with a number of articles and blog posts I’ve seen indicating Windows 8 DirectAccess clients connecting to a Windows Server 2012 DirectAccess server require a Trusted Platform Module (TPM) and the use of smart cards for authentication. This is a myth, and nothing could be further from the truth. TPM and smart cards are indeed supported (TPM with Windows 8, smart cards with Windows 7 and Windows 8 DirectAccess clients) but they are not explicitly required. For the posts I’ve seen I have asked the authors to correct their statements, and to their credit some of them have. Others, unfortunately, have not. I’m not sure if they are simply misinformed or if they are deliberately misleading their readers to downplay DirectAccess in an effort to sell another VPN solution. Regardless, I am compelled to set the record straight here. So, to be perfectly clear:
TPM is NOT a requirement for DirectAccess clients.
There you have it. Now go out and deploy DirectAccess today!
Jordan Krause
/ March 12, 2013x2!! Thank you!
Jason Jones
/ March 12, 2013I would assume they are confused about the introduction of Virtual Smart Card in Windows 8 which is often combined with a DirectAccess solution to provide strong authentication without the traditional cost of physical Smart Card solutions. With Virtual Smart Card, the user certificates are stored in the TPM, so maybe this is where the confusion arises??
Richard Hicks
/ March 12, 2013That’s correct. And there’s been some confusion with regard to virtual smart cards being *required* vs. *supported*. Two very different things!
Jason
/ March 13, 2013I’d like to ask a question, I’ve got a SBS 2008 setup, and a client wants to use direct access. If I add a Windows 2012 member server and a Windows 8 client, will I be able to utilise the Direct Access functionality, or will there be some AD Schema limitations, or similar show stoppers? Thanks in advance, Jason.
Richard Hicks
/ March 15, 2013Hi Jason,
That will work perfectly. No other changes to your infrastructure will be required. 🙂
fioccod
/ July 7, 2014Hi Richard, what do you think of the official Microsoft document that you can download at the following link?
http://www.microsoft.com/en-us/download/details.aspx?id=34764
I read “If your computer does not have a TPM, you cannot use DirectAccess.”
Richard Hicks
/ July 7, 2014This document references a specific deployment configuration (that being Microsoft’s corporate DirectAccess implementation) and is not a general requirements document. In this example, for Microsoft’s implementation they had a requirement for TPM. However, this is not a hard requirement to deploy DirectAccess – it is optional.