DirectAccess Clients and TPM

I’ve been frustrated recently with a number of articles and blog posts indicating that Windows 8 DirectAccess clients connecting to a Windows Server 2012 DirectAccess server require a Trusted Platform Module (TPM) and smart cards for authentication. This is a myth, and nothing could be further from the truth. TPM and smart cards are indeed supported (TPM on Windows 8 clients, smart cards on Windows 7 and Windows 8 DirectAccess clients), but neither is required. For the posts I’ve seen I have asked the authors to correct their statements, and to their credit some of them have. Others, unfortunately, have not. I’m not sure if they are simply misinformed or if they are deliberately misleading their readers to downplay DirectAccess in an effort to sell another VPN solution. Regardless, I am compelled to set the record straight here. So, to be perfectly clear:

TPM is NOT a requirement for DirectAccess clients.

There you have it. Now go out and deploy DirectAccess today!
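If you want to see this for yourself, the following PowerShell is an added check (not from the original post) that reports whether a TPM is present alongside the DirectAccess client connection state on a Windows 8 client. It assumes the built-in TrustedPlatformModule, DirectAccessClientComponents and DnsClient modules that ship with Windows 8; the object shape returned below is this example’s own and not a DirectAccess API.

```powershell
# Added example: confirm the DirectAccess client state independently of TPM presence.
# Run in an elevated PowerShell session on a Windows 8 DirectAccess client.
# Assumes the built-in TrustedPlatformModule, DirectAccessClientComponents and
# DnsClient modules; only the Status/Substatus and TpmPresent properties are relied on.

# 1. Is a TPM present? Get-Tpm errors on hardware with no TPM device, so treat
#    an error as "no TPM" rather than as a failure of the check.
$tpmPresent = $false
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $tpmPresent = [bool]$tpm.TpmPresent
} catch {
    $tpmPresent = $false
}

# 2. DirectAccess connection state as reported by the client components.
#    Status is ConnectedRemotely when the tunnels are up from outside the network.
$da = Get-DAConnectionStatus

# 3. Name Resolution Policy Table: non-empty once the DirectAccess client
#    Group Policy has applied, which happens regardless of TPM presence.
$nrpt = @(Get-DnsClientNrptPolicy)

# A client with TpmPresent = False and DAStatus = ConnectedRemotely is a working
# DirectAccess client with no TPM, which is exactly the point of this post.
[pscustomobject]@{
    TpmPresent       = $tpmPresent
    DAStatus         = $da.Status
    DASubstatus      = $da.Substatus
    NrptRulesApplied = $nrpt.Count
}
```

Run it from outside the corporate network (otherwise Status reports ConnectedLocally and the tunnels are never built), and compare the output on a TPM-less machine against one with a TPM: the DirectAccess columns do not depend on the TPM column.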


7 Comments

  1. Jordan Krause, March 12, 2013

    x2!! Thank you!
  2. I would assume they are confused about the introduction of Virtual Smart Card in Windows 8 which is often combined with a DirectAccess solution to provide strong authentication without the traditional cost of physical Smart Card solutions. With Virtual Smart Card, the user certificates are stored in the TPM, so maybe this is where the confusion arises??

    • That’s correct. And there’s been some confusion with regard to virtual smart cards being *required* vs. *supported*. Two very different things!

  3. Jason, March 13, 2013

    I’d like to ask a question, I’ve got a SBS 2008 setup, and a client wants to use direct access. If I add a Windows 2012 member server and a Windows 8 client, will I be able to utilise the Direct Access functionality, or will there be some AD Schema limitations, or similar show stoppers? Thanks in advance, Jason.

  4. Hi Richard, what do you think of the official Microsoft document that you can download at the following link?

    http://www.microsoft.com/en-us/download/details.aspx?id=34764

    I read “If your computer does not have a TPM, you cannot use DirectAccess.”

    • This document references a specific deployment configuration (that being Microsoft’s corporate DirectAccess implementation) and is not a general requirements document. In this example, for Microsoft’s implementation they had a requirement for TPM. However, this is not a hard requirement to deploy DirectAccess – it is optional.
