DirectAccess – Automatic GPO configuration sets outdated and incorrect WMI filter

Just a quick post to inform you about the GPOs that are created automatically when configuring DirectAccess.

Today I did a Server 2012 R2 DirectAccess implementation. As part of this configuration, the DirectAccess Configuration Wizard automatically creates two DirectAccess GPOs in Group Policy Management:

  • One for Servers
  • One for Clients

Figure 1.1: Group Policy Management

However, the GPO for Clients is configured with a WMI filter, so the policy is applied to a system only if the rules stated in the WMI filter match that system.

Figure 1.2: WMI Filters

The WMI filter contains two queries. The first query checks that PCSystemType equals 2, which represents a mobile device (either a laptop or tablet). The second query checks whether the operating system's ProductType, Version, and OperatingSystemSKU match a number of possibilities:

As we can see, the second query looks for machines that are ProductType 3 (Server) and that run Version 6.2 (Windows 8) with OperatingSystemSKU 4 (Enterprise), or that run Version 6.1 (Windows 7) with another set of SKUs.

The odd thing here is that, although the DirectAccess server runs on Windows Server 2012 R2, it configures WMI filters for Windows 8 and Windows 7, and not Windows 8.1. In that same filter it also requires ProductType to equal 3, which means a server, and not a workstation (which is represented by the number 1).

Therefore I’ve modified this query into the following:

This way, the WMI filter matches a Windows 8.1 Enterprise operating system running on a workstation.

Alternatively, you can simplify, adapt, or even completely remove the WMI query and just apply the GPO to a specific OU. Keep in mind, however, that DirectAccess configures the GPO next to the Default Domain Policy at the top level of the domain, so it would apply to all OUs and objects if it weren't for the WMI filter.
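Before changing or removing the filter, it helps to see how each of its queries evaluates on an affected client. The script below is an added example, not part of the original post or of DirectAccess: it assumes PowerShell 3.0 or later, the helper name Test-WmiFilterQuery is hypothetical, the PCSystemType query is written from the description above, and the operating-system query is the one a commenter quotes further down this page.

```powershell
# Added example, not from the original post: test a GPO WMI filter locally.
# Group Policy applies a filtered GPO only when every query in the filter
# returns at least one instance, so each query is evaluated on its own.

# Assumption: written from the post's description (PCSystemType 2 = mobile).
$pcQuery = 'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'

# Operating-system query as quoted in the comments on this page.
$osQuery = "SELECT * FROM Win32_OperatingSystem WHERE (ProductType = 3) OR " +
    "(Version LIKE '6.2%' AND (OperatingSystemSKU = 4 OR " +
    "OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR " +
    "OperatingSystemSKU = 84)) OR " +
    "(Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR " +
    "OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR " +
    "OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR " +
    "OperatingSystemSKU = 71))"

function Test-WmiFilterQuery {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    foreach ($q in $Query) {
        try {
            $hits = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
            [pscustomobject]@{ Passed = ($hits.Count -gt 0); Error = $null; Query = $q }
        } catch {
            # Syntax errors (e.g. typographic quotes pasted from a web page) land here.
            [pscustomobject]@{ Passed = $false; Error = $_.Exception.Message; Query = $q }
        }
    }
}

# The values the queries compare against, to see why a query fails.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    ProductType        = $os.ProductType
    Version            = $os.Version
    OperatingSystemSKU = $os.OperatingSystemSKU
    PCSystemType       = $cs.PCSystemType
} | Format-List

$results = Test-WmiFilterQuery -Query $pcQuery, $osQuery
$results | Format-List
'All filter queries pass on this machine: {0}' -f ($results.Passed -notcontains $false)
```

Run it on a client that should receive the DirectAccess client GPO and compare the printed values with the conditions in whichever query reports Passed as False.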

Hope this blog can be of use when configuring DirectAccess and prevent any delays when troubleshooting!

If there is anything you would like to share, please feel free to contribute in the comments.

Thanks for reading! 🙂

4 thoughts on “DirectAccess – Automatic GPO configuration sets outdated and incorrect WMI filter”

  1. Hari

    Hi,

    Direct Access is working fine in Windows 7, but not in Windows 10.

    Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE '6.2%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

    We have the above query in the GP.

    Do I need to edit it to access DA in Windows 10?

    I think I need to add the below query.
    Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE '6.2%' OR Version LIKE '6.3%' OR Version LIKE '10.0%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

    Please advise me on this. If yes, do I need to delete the existing query and add this one?

    Reply
    1. Rens Hollanders

      If you have a WMI filter on your policy that is preventing the policy from working, I would suggest testing whether your policy functions correctly prior to applying the filter.
      Windows 10 has version number 10.0 or OperatingSystemSKU number 4.

      Cheers! Rens

      Reply
      1. Hari

        Hi Rens,

        After adding the below query, DA is working fine in Windows 10.

        Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE '6.2%' OR Version LIKE '6.3%' OR Version LIKE '10.0%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

        Please let me know if you have any suggestions.

        Cheers,
        Hari Haran.

        Reply
        1. Hari

          Hi,

          DA connected in Windows 10, but after DA connects in Windows 10, Skype for Business and Outlook are not working. I can see the connectivity rules in firewall.cpl. I am able to ping all the servers. I am able to RDP to my servers.

          But only Skype and Outlook are not working in Windows 10 after DA connects.

          But there is no problem in Windows 7. Everything is working fine in Windows 7 after DA connects. Please advise me on this.

          Reply
