Windows Clients Do Not Receive DirectAccess Configuration Changes

Windows Clients Do Not Receive DirectAccess Configuration Changes

A scenario can occur in which changes to the DirectAccess configuration made using the Remote Access Management console or at the command line using PowerShell are not reflected on the DirectAccess client, even after receiving the latest group policy updates. The issue occurs for DirectAccess clients that are provisioned with the Offline Domain Join (ODJ, or djoin.exe) tool.

When the ODJ provisioning package is initially created, it does not add the new computer account to the DirectAccess security group. The ODJ-provisioned client receives all DirectAccess configuration settings at the time of provisioning, but it will not receive subsequent changes to the DirectAccess configuration made after it was originally provisioned.

To resolve this issue, be sure to proactively add the DirectAccess client’s computer account to the appropriate DirectAccess security group in Active Directory after provisioning with ODJ using Active Directory Users and Computers (ADUC), the Active Directory Administrative Center (ADAC), or by executing the following PowerShell command:

Add-ADGroupMember -Identity [DirectAccess Client Security Group] -Members [computername]

Once the DirectAccess client has been added to the security group and restarted, it will then receive DirectAccess configuration settings changes going forward.

Leave a comment

4 Comments

  1. Jason Hall

     /  July 25, 2021

    Hi Richard,
    We occasionally have some systems working via DA fine, but randomly the DA connection just disappears. In the past we have requested users come into the office to get a GPUpdate to fix this issue, however with current lockdowns this isn’t an option. Reboots & restarting services don’t seem to help bring it back.

    Any idea’s why the DA connection would just drop off?
    or if its possible to maybe export some registry entries from a working system & import them on the bugged system to get it back online without coming into the office?

    Cheers!

    Reply
    • I’ve heard of this happening when DirectAccess clients are in the field for extended periods of time, and they are using KMS activation to upgrade from Professional to Enterprise Edition. One thing that seems to happen is that the client can’t communicate with on-premises KMS servers for some reason, and eventually the client reverts to Pro. Could that be happening here?

      Reply
      • Jason Hall

         /  July 26, 2021

        Our clients shouldn’t be reverting to pro as they are all built using the enterprise WIM.
        I think I had checked this on a previous instance of this occurring & it was still showing as a licensed enterprise install of Windows 10.

        Guess its just another nudge for us to try to get priority on scheduling the work to switch to AOVPN.

      • Ok, that would rule out an issue with KMS then. I’d have to suspect an issue with group policy application then. When this issue occurs, does Get-DaClientExperienceConfiguration indicate the DirectAccess settings are still applied? If they are missing, it would indicate that the group policy wasn’t applying any longer.

        No doubt, these sorts of problems go away with Always On VPN. Of course you get a whole new set of problems too. 😉

Leave a Reply to Jason Hall Cancel reply

%d bloggers like this: