Windows Server 2012/2012 R2 - DirectAccess - Configuring and using a Windows To Go client

Page 1 / 1

As explained earlier in our DirectAccess tutorial, this technology allows you to securely connect to your company's network from outside (Internet) and access its resources as if you were there.
In a previous article, we also talked about Microsoft's Windows To Go (WTG) technology that allows you to create a portable Windows 8 environment on a special USB 3.0 key (it must be compatible with Windows To Go ).

Because Windows To Go is a Windows 8 Enterprise environment and enterprise edition is required for DirectAccess clients, it's therefore possible to use this environment as a DirectAccess client.

If you are using your Windows To Go workspace in your organization's network, simply join it to your domain and then add the WTG computer account to the previously created group of DirectAccess clients.
However, if you want to configure a Windows To Go workspace as a DirectAccess client without once connecting it to your organization's network (for example, over the Internet), then you will need to join it to the domain in offline mode (Offline Domain Join).

To begin, we have created a Windows To Go workspace on a Kingston DataTraveler Workspace from a computer running Windows 8 Enterprise.

To join this Windows To Go workspace to the domain in offline mode and configure it as a DirectAccess client, you will need several information :

In the English version of Windows Server 2012/2012 R2, the group policy created for DirectAccess clients is called : DirectAccess Client Settings.

For the certificate template to use for client-server authentication, in our case it's called "ClientServerAuthentication".
Note that the name you need is the template name (so without spaces) and not the template display name.

Once you have all the necessary information, use the djoin command on the Active Directory server like this :


Djoin /provision /domain /machine win-to-go-pc /policynames "DirectAccess Client Settings" /certtemplate "ClientServerAuthentication" /savefile c:\WTG-blob.txt

Informations :

  • /provision : allows you to create the computer account in the Active Directory
  • /domain : indicates that the machine will be linked to the "" domain.
  • /machine win-to-go-pc : indicates that the machine that will be linked to the Active Directory is named "win-to-go-pc".
  • /policynames : allows you to apply the desired group policies to the PC that will be linked to your Active Directory domain. (This option is available only on Windows Server 2012.)
  • /certtemplate : allows you to specify which certificate template should be used by the PC that will be joined to the domain. (This option is available only on Windows Server 2012.)
  • /savefile : allows you to save the metadata in a text file that will be stored at the root of the "C" partition.

Note : as stated by Microsoft, the policynames and certtemplate options are used in particular to join and configure DirectAccess clients that would never have contacted the company network beforehand.

Executing the above command will have created a computer account in the Active Directory.

However, for this client to be allowed to automatically connect to the corporate network via DirectAccess, you will need to add this computer account to the group that you authorized in DirectAccess.

In our case, this group is named "DAclients".

Now, to join your Windows To Go PC to your domain, you will need to transfer the generated blob file on the PC to be linked to the Active Directory.

As you can see, our Windows To Go PC is not connected to the network at this time.

To join it to the domain in offline mode, you will need to use the djoin command again like this :


Djoin /requestODJ /loadfile c:\WTG-blob.txt /windowspath %systemroot% /localos

Informations :

  • /requestODJ : allows you to request a junction to the domain (in offline mode) at reboot.
  • /loadfile : allows to load metadata, created previously in the "WTG-blob.txt" file.
  • /windowspath : allows you to specify the path of the Windows directory. As indicated by Microsoft, if you also use the "/localos" parameter, you must specify %systemroot% or %windir% as the value for the "/windowspath" parameter.
  • /localos : lets you join the current Windows installation to the domain.

Restart the computer as required by the djoin command.

When you restart, log on with a domain account.

If the connection to the DirectAccess server was established in the background by Windows, you will be able to connect with an Active Directory account.
If this is not the case, refer to the "Verify Windows client configuration" section of our DirectAccess tutorial.

Once you arrive on the desktop, click the network icon in the taskbar.
As you can see, our Windows To Go workspace is connected :

  • to the AndroidAP Wifi network (which is a Wifi access point sharing the 3G connection of our smartphone)
  • to the DirectAccess server of our company thanks to this connection : Workplace Connection.

If you view the properties of the workspace connection, you will see that you are connected remotely.

Try to access a local site in your company's network.
If this client computer and the server are configured correctly, you can access your company's resources from the outside.

On the server, you will see that there is currently an active DirectAccess client.
Click the "Remote Client Status page" link.

As you can see, our Windows To Go PC is connected to the DirectAccess server with the "CORP\Administrateur" Active Directory account.