Tag Archives: group policy management

Direct Access – Automatic GPO configuration set’s outdated and incorrect WMI filter

Published / by Rens Hollanders / 4 Comments on Direct Access – Automatic GPO configuration set’s outdated and incorrect WMI filter

Just a quick post to inform you about the GPO’s that will be automatically configured when configuring Direct Access.

Today I’ve done a Server 2012 R2 Direct Access implementation, and part of this configuration is that the Direct Access Configuration Wizard will automatically create two Direct Access GPO’s in your Group Policy Management.

  • One for Servers
  • One for Clients
figure 1.1: Group Policy Management

gpo

However, the GPO for Clients is configured with a WMI filter, so that if the rules stated in the WMI filter apply, the policy will be set on the system.

figure 1.2: WMI Filters

gpo_wmi

The WMI filter containes two queries: The 1st query looks for the PCSystemType to match with the number 2, which represents an mobile device (either a laptop or tablet). The 2nd query verifies if the Operatingsystem ProductType, Version, and OperatingSystemSKU matches a number of possibilities:

as we can see here the second query, looks for machines which are: ProductType 3 (Server) which run: Version 6.2 (Windows 8) and have OperatingSystemSKU: 4 (Enterprise) or run Version 6.1 (Windows 7) and another set of SKU’s.

The odd thing here is that, although the Direct Access server runs on Windows Server 2012 R2, it configures WMI filters for Windows 8 and Windows 7, and not Windows 8.1. Also it configures in that same particular filter that the ProductType needs to match #3 which equals a server, and not a workstation (which represents the number 1)

Therefore I’ve modified this query into the following:

This way the WMI filter, filters accordingly to a Windows 8.1 Enterprise operatingsystem running on a Workstation.

Alternatively you can simplify, adapt er even completely remove the WMI query and just apply the GPO to a specific OU. However DirectAccess configures the GPO next to the default domain policy at the toplevel of the domain thus applying to all OU’s and Objects if it wasn’t for the WMI filter.

Hope this blog can be of use when configuring DirectAccess and prevent any delays when troubleshooting!

If there is anything you would like to share, please feel free to contribute in the comments

Thanks for reading! 🙂