Sunday, 16 December 2012

DirectAccess Hotfix Summary

I thought it might be useful to provide a summary list of DirectAccess related hotfixes from the past and present that may be of use to those embarking on a DirectAccess deployment for the first time, or those experiencing problems that have been solved already!

PLEASE NOTE: Microsoft have now provided an official dynamic knowledge base article summarising Windows 7, Windows 8 and Windows Server 2012 hotfixes, which can be found here, and which consequently supersedes the information below.

Last updated 14/08/13 with KB2849568.

Hotfixes: Windows 8 and Windows Server 2012

KB2859347: IPv6 address of a DirectAccess server binds to the wrong network interface in Windows Server 2012.

KB2855269: Error message when you use an account that contains a special character in its DN to connect to a Windows Server 2012-based Direct Access server.

KB2849568: Vulnerability in the Windows NAT driver could allow denial of service: August 13, 2013.

KB2845152: DirectAccess server cannot ping a DNS server or a domain controller when a DirectAccess client is pinging the same server in Windows Server 2012.

KB2844033: DirectAccess Setup Wizard fails on a Windows Server 2012-based server in a domain that has a disjoint namespace.

KB2836232: Subnet mask changes to an incorrect value and the server goes offline in DirectAccess in Windows Server 2012.

KB2796394: Error when you run the Get-RemoteAccess cmdlet during DirectAccess setup in Windows Server 2012 Essentials.

KB2795944: Windows 8 and Windows Server 2012 cumulative update: February 2013. This update includes fixes for DA that provide stability under heavy load.

KB2788525: You cannot enable external load balancing on a Windows Server 2012-based DirectAccess server.

KB2782560: DNS64 does not resolve computer names when you use DirectAccess and external load balancing in Windows Server 2012.

KB2769240: You cannot connect a DirectAccess client to a corporate network in Windows 8 or Windows Server 2012.

KB2748603: The process may fail when you try to enable Network Load Balancing in DirectAccess in Windows Server 2012.

KB2666914: DirectAccess Connectivity Assistant 2.0 is available.

Hotfixes: Windows 7, Windows Server 2008 R2 and Forefront UAG 2010

KB2797301: A Forefront Unified Access Gateway 2010 DirectAccess client experiences repeated OTP prompts.

KB2758949: You cannot build an IP-HTTPS protocol-based connection on a computer that is running Windows 7 or Windows Server 2008 R2.

KB2718654: You are prompted to enter credentials when you try to access a SharePoint server on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer.

KB2680464: Location detection feature in DirectAccess is disabled intermittently in Windows 7 or in Windows Server 2008 R2.

KB2663354: DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010.

KB2633127: DA client cannot reconnect to the UAG DA server when a Windows 7-based or Windows Server 2008 R2-based client computer is connected to the Internet.

KB2615847: "ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH" error when you try to start an IPsec connection between two computers that are running Windows 7 or Windows Server 2008 R2.

KB2535133: IP-HTTPS clients may disconnect from Windows Server 2008 R2-based web servers intermittently after two minutes of idle time.

KB2444558: You cannot access a host that is hosting the IPv4 file share by using SMB v1 from a Windows 7-based or Windows Server 2008 R2-based DirectAccess client.

KB2288297: You are unexpectedly prompted to enter your credentials when you try to access a WebDAV resource in a corporate network by using a DirectAccess connection in Windows 7 or in Windows Server 2008 R2.

KB979373: The DirectAccess connection is lost on a computer that is running Windows 7 or Windows Server 2008 R2 that has an IPv6 address.

KB978738: You cannot use DirectAccess to connect to a corporate network from a computer that is running Windows 7 or Windows Server 2008 R2.

KB974080: DirectAccess Workaround for reaching IPv4 address checking sites.

KB973982: The certificate for IP-HTTPS does not rebind if the certificate is changed after the configuration is applied one time in Windows Server 2008 R2.

KB972516: A DirectAccess access failure occurs after the DNS servers that are running Windows Server 2008 return empty responses for AAAA queries in a WINS zone.

Security Updates: Windows Server 2008 R2 and Windows Server 2012

KB2765809: Vulnerability in IP-HTTPS component could allow security feature bypass (MS12-083).

Hope the list is useful!


  1. Thank you for this -- very helpful.

  2. Excellent work, only wish I had stumbled upon this earlier!

    1. Thanks...keeping it up to date can be a little challenging! :)

  3. I don't suppose there is an update for making "Remote Client Status" and "Reporting" pages work. All other aspects of my Server 2012 DirectAccess setup appear to be working fine but I never see any connected clients in the Remote Access Management Console. My clients are able to connect to network shares, perform gpupdate, RDP, etc. while roaming. On the "Reporting" page, all of my Server Load Statistics report as "Unavailable". Is this a bug or is it just me? What am I missing?

    1. That definitely isn't normal so unlikely to be fixed by an update...I would suggest you log a support call with MS to investigate. Sorry, sounds like it is just you :(

  4. I found out what the problem was. I didn't realize that enabling the Windows Firewall on both the server and the client is required. Once I enabled the firewalls, I could see my clients in the console. Thanks for the prompt reply and for the vast amount of DirectAccess related information you have posted online.

    1. Ok, not sure how it was ever working without that enabled! :) Glad you got it fixed and you're welcome on the other stuff!

    2. Thanks for the solutions. I was having the same issue since I had the firewall off via GPO. I turned it on and started getting statistics. Thanks for sharing the knowledge!