Wireless Projection / Miracast option disappears from Microsoft Surface Pro 3 / Windows 8.1 after joining a Active Directory Domain

We recently deployed some Microsoft Surface Pro 3s (love these devices) for our Executive team along with some new equipment in meeting / board rooms with Wireless Display capabilities. During testing with my personal SP3 (not domain joined) the wireless display worked a treat, so I expected it to work fine on the ones we would be deploying.

After about a week, one of the managers shot me an e-mail saying he couldn’t see the option for wireless display, that night he had performed a reset of the device, came in and had the option, but once we joined it back to the domain, it disappeared. I started digging around Group Policy to see what was causing it to disappear and found that these devices were getting an old “XP” based Wireless Network Policy.  I upgraded the policy which then gave us some extra options, including allowing / disallowing Wi-Fi Direct.upgraded policy

Computer Configuration > Policies > Windows Settings >Security Settings > Wireless Network (IEEE 802.11) Policies

The setting Don’t allow Wi-Fi Direct groups which needs to be disabled can be found under the “Network Permissions” tab. From what I can see, any Wireless policy configured for XP doesn’t have this option and a machine will simply disallow it.

How is Miracast or WiDi related to Wi-Fi Direct?  Well basically Wi-Fi Direct allows devices to connect directly to each other, without the need for a Wi-Fi AP, which is exactly what your surface is doing when attempting to stream the display straight to a TV / Projector.

Once we had this option turned off, ran a gpupdate on the machine and viola, wireless display showed up and began working.


How to Fix being unable to add, edit or delete domain controllers in the Domain Controllers Computer Set on Microsoft TMG or ISA 2006

TMG-EditSystemPolicyThere seems to be a bug in Microsoft’s TMG (Threat Management Gateway) / ISA 2006 (Internet Security and Acceleration Server) that once installed and configured, prevents an administrator from modifying the entries in the Domain Controllers Computer Set.  This Computer set is used in a number of System Policies and if you ever do an IP address change of a DC contained in this group (which is what I needed to do), it needs to be changed for things to continue to function correctly.  Firstly, we will need to get into the Registry to verify the GUID of the Computer Set (be default it is generally {F77C3B63-0DD8-440B-9921-A9341533A9C6}).  Navigate to HKLM\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\RuleElements\ComputerSets and find the Domain Controllers computer set and note down the GUID.

Now we need to start-up ADSI Edit on the TMG / ISA machine.  Connect to localhost on port 2171 with the Naming Context CN=FPC2. Expand to the following CN=FPC2, CN=Array-Root, CN=Arrays, CN={3E5A92A0-0C54-4BD5-A8EB-1A0F1E77FF79}, CN=RuleElements, CN=ComputerSets.  Locate the GUID we found before and right-click and select properties.  Now under the Attribute Editor find msFPCPrefined attribute and set it from True to False.

Restart the TMG / ISA Console (no need to restart any services) and you should now be able to go into the Domain Controllers Computer Set and perform changes as required.