WorkPlace Join vs. DirectAccess

Previously, I discussed the differences and commonalities for WorkPlace Join and Domain Join. Today, I would like to discuss the differences and commonalities between two very similar and yet widely different remote access technologies: WorkPlace Join and DirectAccess.


Let’s start with the characteristics these two technologies have in common:

  1. WorkPlace Join and DirectAccess are both remote access methods to gain access to functionality on internal networks, using Microsoft products.
  2. WorkPlace Join and DirectAccess are both built-in into the latest version of Windows Server.
  3. WorkPlace Join and DirectAccess both do not require additional configuration or programs for end users to gain access to organizational resources.
  4. WorkPlace Join and DirectAccess both offer access to organizational resources supported by Single Sign-on.

Although WorkPlace Join and DirectAccess have a lot in common, they also differ widely:


DirectAccess follows a more secure model

DirectAccess is a technology, where Windows Servers, configured as DirectAccess servers, allow DirectAccess-enabled Windows devices to automatically connect to an organizations internal network based on tunneling. The tunneling technology is often seen in Virtual Private Networking (VPN) solutions. DirectAccess tunnels are automatically setup after a device connects to the Internet and are secured using IPSec. Traffic inside DirectAccess tunnels are encapsulated IPv6-based network packets into IPv4-based network packets.

WorkPlace Join, on the other hand, has a less strict model. Once a device is configured as a WorkPlace-joined device, access to corporate resources is based on authentication (and authorization) via Active Directory Federation Services (AD FS) and traffic flows as HTTP-based packets, ‘secured’ by SSL/TLS encryption. The claims-based AD FS authentication is based on open standards, like SAML and Oauth.


DirectAccess offers more on-premises functionality

DirectAccess offers seamless access to organizational resources. When DirectAccess functions, end users may have access to all organizational resources, even based on short hostnames for servers. Of course, access can be limited to only certain hosts on the network, certain network traffic and certain networks.

WorkPlace Join is confined to claims-aware applications. When WorkPlace Join is used in scenarios with Web Application Proxies, it also allows access to Kerberos-enabled web applications, that are able to offer Kerberos Constrained Delegation (KCD).


DirectAccess offers built-in management

In DirectAccess implementations Network Access Protection (NAP) can be implemented to automatically detect and remediate deviations of the corporate policy. For instance, when a device does not have the latest anti-malware update, it can be placed in a remediation network to update, before it gains access.

Since DirectAccess basically expands the internal corporate network on a per-device basis, it allows for Group Policy-based device management, the way administrators have been used to for the last decade-and-a-half. Group Policy can even be used to deploy DirectAccess to devices located on-premises and through Offline Domain Join.

WorkPlace Join, on the other hand, does not offer strong built-in management. In scenarios with WorkPlace Join, authentication and authorization may be governed using Issuance Authorization Rules, but these, for instance, won’t allow you to remediate outdated anti-malware definitions.

However, with the addition of a Mobile Device Management (MDM) solution, like Microsoft’s System Center Configuration Manager (ConfigMgr), and its IsManaged claimtype flowing back into the same Issuance Authorization Rules in AD FS, these scenarios are easily achieved too.


WorkPlace Join is available more widely

DirectAccess is supported on devices running Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Enterprise and Windows 8.1 Enterprise. Basically, this limits DirectAccess to organizations with Software Assurance on their Windows volume licenses.

WorkPlace Join is available on Windows 7, Windows 8.1, and iOS.

WorkPlace Join is not available on Windows 8. (8.0 RTM)

WorkPlace Join on Windows 7 requires a separate download.


WorkPlace Join offers more cloud interoperability

Where DirectAccess is focused on remote access to the internal network (and perhaps is the best technology at it), WorkPlace Join is not confined to mere seamless yet secure access to applications that live on-premises.

WorkPlace Join is just as easily used to provide Single Sign-on to on-premises apps, as it is to provide Single Sign-on to cloud-based apps. WorkPlace Join may be the bridge technology to enabling seamless yet secure access in a Software-as-a-Service world.



DirectAccess offers a convenient method to expand the internal network seamlessly to a remote device, allowing secure remote access to any kind of app or service on the internal network.

Although WorkPlace Join offers seamless access to only claims-aware resources, it is available on more platforms and based on open standards. As organizations continue to move towards Software-as-a-Service and web-based software, WorkPlace Join becomes the more appealing remote access technology.

Related blogposts

WorkPlace Join vs. Domain Join
New features in AD DS in Windows Server 2012 R2, Part 5: WorkPlace Join and Registered Device objects
KnowledgeBase: DirectAccess server cannot ping a DNS Server or a Domain Controller in Windows Server 2012

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.