8/22/2019 2570 DirectAccessWSG External
More Work Smart Content: http://microsoft.com/itshowcase
This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2012 Microsoft Corporation. All rights reserved.
Page 1 of 7

Work Smart: Setting Up DirectAccess
Get Started
About DirectAccess

DirectAccess is a new feature in Windows 7 and Windows Server 2008 R2 that enables you to seamlessly connect to the corporate network from any Internet-equipped remote location without having to establish a Virtual Private Network (VPN) connection. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office.

DirectAccess deployed at and is the preferred and primary remote access solution.

Topics in this guide include:
- About DirectAccess
- Prerequisites for DirectAccess
- Setting Up DirectAccess
- Troubleshooting DirectAccess
- Disabling DirectAccess
Customization note: This document contains guidance and/or step-by-step installation instructions that can be reused, customized, or deleted entirely if they do not apply to your organization's environment or installation scenarios. The text marked in red indicates either customization guidance or organization-specific variables. All of the red text in this document should either be deleted or replaced prior to distribution.
About DirectAccess

The internal implementation of DirectAccess at, uses your computer's Trusted Platform Module (TPM) chip for strong authentication. This means that you only have to use your smart card once during the setup process. After setting up, you will not need your smart card for remote access using DirectAccess.
Prerequisites for DirectAccess

Before you can configure and use DirectAccess:
- Your computer must be running Windows 7 (Enterprise or Ultimate).
- You must have a smart card and a smart card reader.
- You must have RAS access.
- Your computer must be joined to a corporate domain.
- Your computer must have a Trusted Platform Module (TPM) chip.
- BitLocker Drive Encryption must be enabled on your computer.
- Your computer must be in compliance with Network Access Protection (NAP).

Customization note: The above bullets represent the prerequisites currently referenced in this guide; this list should be updated based on requirements specific to your organization.
Use a Smart Card with DirectAccess

You will need a smart card (identification badge with RAS access) to do the initial certificate enrollment for DirectAccess. After DirectAccess is configured successfully on your computer, you will not need your smart card when you want to log in remotely.

You will also need a smart card reader to use your smart card. If your computer does not have a built-in reader, contact your group's administrative assistant to order one.
Check Your Computer for a TPM Chip

DirectAccess leverages a computer's TPM chip for strong authentication. If your computer does not have a TPM chip, you cannot use DirectAccess.

To check for a TPM chip:
1. Click Start, click Run, type tpm.msc, and then press ENTER.
2. In the Trusted Platform Module (TPM) Management on Local Computer window, check to see if a TPM chip is installed.

If the information in the TPM Management window indicates that your computer does not have a TPM chip, you cannot use DirectAccess.
Enable BitLocker Drive Encryption

To use DirectAccess, you must enable BitLocker Drive Encryption with a personal identification number (PIN) on all of your portable computers (notebooks, laptops, netbooks, and so on). For non-portable computers, such as desktop systems, BitLocker is mandatory, but setting up a PIN is optional. If you do not have BitLocker enabled on your computer, you must enable it while connected to the corporate network.

The process to enable BitLocker can take from one to five hours, depending on your computer's hard-disk size and the amount of free space. It's a good idea to enable BitLocker ahead of time, independent of the DirectAccess setup. However, if you run the DirectAccess Setup wizard without configuring BitLocker first, the Setup wizard will automatically configure your BitLocker settings.

If your computer has multiple drives, requires that you have BitLocker only on your System drive. However, it is highly encouraged that you enable BitLocker on all drives as a security best practice.
To enable BitLocker:
1. Check to see if your portable computer is BitLocker-capable >.
2. If it is BitLocker-capable, enable BitLocker >.

If you have BitLocker enabled but without a PIN, the DirectAccess Setup wizard will help you configure a PIN during the setup process.
About NAP for DirectAccess
DirectAccess uses NAP for client health validation and enforcement. If your
computer is not compliant, you will receive a NAP pop-up message. However,
you will only be blocked from corporate network access while physically
outside of the corporate network. You will be able to access local and Internet
resources even if your computer is non-compliant.
Your computer must meet basic computer health requirements such as:
- You must install the latest security patches on your computer. To confirm that your computer has the most current updates, click Start, click All Programs, and then click Windows Update. In the Windows Update window, click Check for Updates in the left pane. Check also for updates managed by your system administrator (as shown in the following graphic) and install all Important/Critical updates.
- Your computer must have Forefront Endpoint Protection 2010 installed.
- Once your computer has been configured for DirectAccess, BitLocker Drive Encryption must be enabled at all times. If you disable or suspend BitLocker, NAP will identify your computer as non-compliant for DirectAccess.
Setting Up DirectAccess

To set up DirectAccess on your computer, your computer must be connected to the corporate network using a wired or wireless LAN connection or through VPN.

1. Click Start, click All Programs, and then click DirectAccess Setup. If you do not see the Setup wizard under All Programs:
   a. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
   b. In the Command Prompt window, type gpupdate /force, and then press ENTER. (You must be connected to the corporate network over a wired or wireless LAN connection, or over a VPN connection, to run this command.)
   c. Once the command executes successfully, wait approximately 15 minutes for your computer to receive the latest policy settings.
   d. You will receive a pop-up notification to install DirectAccess. If you do not receive this notification, click Start, click All Programs, and then click DirectAccess Setup to manually launch the Setup wizard.
   Alternatively, when the group policy on your PC refreshes, you will see a pop-up notification to enable DirectAccess in case it is not already installed. Click the pop-up notification to launch the DirectAccess Setup wizard.
2. Click Continue. The Privacy Notification is displayed.
Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.
3. Read the instructions carefully to ensure that your computer meets all listed requirements, and then click Continue to proceed with the installation.

Note: If you accidentally click Disable, re-launch the Setup wizard.

The DirectAccess Setup wizard checks to see if the TPM chip on your computer has the latest firmware. If it does, the wizard will skip the next step. If not, the wizard displays the TPM Firmware dialog box.

Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

4. Click Fix to upgrade your firmware. The following dialog box is displayed to inform you that a reboot is required for the TPM firmware upgrade to continue.
5. Click OK to reboot your computer, and then log in after your computer reboots.

A pop-up notification appears and asks you to launch the DirectAccess Setup wizard again. Click this notification to launch the wizard. The Setup wizard checks to see if you have configured BitLocker correctly on your computer. If so, the wizard skips the next step. If BitLocker is not configured correctly, the BitLocker Configuration dialog box is displayed.

Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

The BitLocker Configuration dialog box is displayed for any of the following reasons:
- BitLocker is not configured correctly or is not enabled.
- BitLocker is enabled, but it is not using the TPM chip.
- Your portable computer does not have a BitLocker PIN established.
- BitLocker is suspended.
- The BitLocker encryption process is not complete.

6. Click Fix to repair the BitLocker configuration. When the BitLocker configuration is complete, the DirectAccess Setup wizard begins the certificate enrollment process.
7. When prompted by the wizard, insert your smart card into your computer's smart card reader and enter your smart card PIN.
8. Click Finish in the DirectAccess Setup Complete dialog box to complete the installation.
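The prerequisites listed earlier (domain membership, a TPM, BitLocker on the system drive) and the BitLocker conditions that make the wizard show its BitLocker Configuration dialog can be checked from PowerShell before the wizard is run. The script below is an added example and is not part of the Microsoft guide or the Setup wizard; it relies on the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Windows 7 and assumes it is run from an elevated prompt.

```powershell
# Added example, not from the guide: report the DirectAccess prerequisites
# from an elevated PowerShell prompt using WMI classes present on Windows 7.
$report = @{}

# Domain membership and Windows edition (Enterprise or Ultimate is required).
$cs = Get-WmiObject Win32_ComputerSystem
$os = Get-WmiObject Win32_OperatingSystem
$report['DomainJoined'] = $cs.PartOfDomain
$report['OSEdition']    = $os.Caption

# TPM state: the same information tpm.msc displays.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
$report['TpmPresent'] = [bool]$tpm
if ($tpm) {
    $report['TpmEnabled']   = $tpm.IsEnabled().IsEnabled
    $report['TpmActivated'] = $tpm.IsActivated().IsActivated
    $report['TpmOwned']     = $tpm.IsOwned().IsOwned
}

# BitLocker on the system drive. Each result maps to one reason the wizard's
# BitLocker Configuration dialog appears (not enabled, no TPM, no PIN,
# suspended, encryption not complete).
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$env:SystemDrive'"
if ($vol) {
    # ConversionStatus 1 = fully encrypted; 0 = decrypted; 2-5 = in progress/paused.
    $conv = $vol.GetConversionStatus().ConversionStatus
    # ProtectionStatus 1 = on. 0 on a fully encrypted volume means suspended.
    $prot = $vol.GetProtectionStatus().ProtectionStatus
    $report['BitLockerFullyEncrypted'] = ($conv -eq 1)
    $report['BitLockerProtectionOn']   = ($prot -eq 1)
    $report['BitLockerSuspended']      = ($conv -eq 1 -and $prot -eq 0)
    # Key protector types: 1 = TPM only, 4 = TPM and PIN (required on portables).
    $report['BitLockerUsesTpm']   = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID).Count -gt 0
    $report['BitLockerTpmAndPin'] = @($vol.GetKeyProtectors(4).VolumeKeyProtectorID).Count -gt 0
} else {
    $report['BitLockerFullyEncrypted'] = $false
}

$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

A portable computer is ready for the wizard when TpmPresent, DomainJoined, BitLockerFullyEncrypted, BitLockerProtectionOn and BitLockerTpmAndPin are all True; a False in BitLockerProtectionOn with BitLockerFullyEncrypted True is the suspended state that NAP later reports as non-compliant.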
Notes
- The DirectAccess Connectivity Assistant (DCA) can show you the status of your connection and help you troubleshoot problems. For more information, see Troubleshooting DirectAccess later in this guide.
- Once DirectAccess is set up on your computer, the computer will hibernate if it is running on battery power and inactive for over minutes. However, if the computer is connected to a power outlet, it will not hibernate during extended periods of inactivity. Likewise, if your computer is put in sleep mode for more than minutes on battery power, the DirectAccess policy will resume your computer and hibernate it.
- If you run into technical issues with DirectAccess, contact >.
Troubleshooting DirectAccess

The DirectAccess Connectivity Assistant (DCA) gives you the ability to monitor connectivity status to the corporate network over DirectAccess. The DCA is automatically installed when you set up DirectAccess on your computer.

The DCA provides one of the three following status icons at all times.

Icon | Description
[icon] | Your connectivity to the corporate network over DirectAccess is working correctly.
[icon] | DirectAccess has malfunctioned, and your connection to the corporate network is not working correctly. Contact > for resolution. The Helpdesk technician may ask you to generate DCA diagnostics logs and email those logs to the Helpdesk (see procedure below).
[icon] | There is an issue with your DirectAccess connectivity. If you click the DCA icon, it will provide steps to resolve the issue.
Note: If the DCA icon does not appear in your notification area, in the Show hidden icons portion of your notification area, click the up arrow. In the menu that appears, click Customize. In the Notification Area Icons dialog box, in the drop-down list to the right of DirectAccess Connectivity Assistant, select Show icon and notifications, and then click OK.
Generate a DCA Diagnostics Log for a Helpdesk Technician

1. Right-click the DCA icon in the notification area, and then click Advanced Diagnostics.
2. In the Advanced Diagnostics dialog box, under Advanced Log File, click the link to the log file. Windows Explorer opens and lists the logs.
3. Open Microsoft Office Outlook, compose a new email message, and then attach the log file. The Helpdesk technician will provide an address to send the log file to. Enter the Service Request number (SR#) in the subject line so the technician can associate your log file with your issue.
Disabling DirectAccess

By default, all domain-joined Windows 7 clients will process DirectAccess policies. If DirectAccess does not meet your needs, you can disable it (preferred) or you can opt out completely.

To disable DirectAccess:
1. To disable a computer already provisioned with DirectAccess, click Start, click All Programs, and then click DirectAccess Setup to run the DirectAccess Setup wizard.
2. In the first screen of the wizard, click the Disable button.

Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

If you want to use DirectAccess in the future, re-run the Setup wizard.

After disabling DirectAccess with this method, your computer will continue to process all DirectAccess group policies and will detect whether it is inside or outside the corporate network. The DirectAccess Connectivity Assistant (DCA) will show while your computer is on the corporate network and when it is not on the corporate network. This is by design.
Opt Out of DirectAccess Completely
There are very few scenarios where a computer may need to completely opt
out of DirectAccess. If you have questions or if you require a security group
added to opt out, please contact > directly.
For More Information

Microsoft DirectAccess
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-7/features.aspx#directaccess