Windows 10 DirectAccess Collect logs not Working

Posted by Ahmed Nabil | 1 comment
Microsoft DirectAccess is an awesome technology that connects you seamlessly to your corporate network without installing any client or requiring the end user to configure any setting. Sometimes DirectAccess doesn't connect, or stays in the "connecting" state for a long time, and when you contact your DirectAccess administrator the first thing required will be collecting the DirectAccess logs and sending them to the administrator.

If everything is configured correctly and you have an email client configured on your computer (whether it's Outlook or the default Windows Mail), navigate to the modern Windows 10 Settings - Network & Internet - DirectAccess and you will find a button named "Collect". When you hit Collect, it opens your configured mail client and attaches the DirectAccess logs to a new message. You can enter the "To" address (for example your administrator or Help Desk team), or it may already be populated if your administrator configured it on the server.

Super easy and very efficient: all you need from your user is a click on Collect, and you get the logs, analyze them and figure out the problem.

So what is the catch? Well, it's not working as designed! This was noticed on several machines starting with Windows 10 1703, where users hit "Collect" and nothing happens although they have everything configured correctly (mail client and server-side settings).

Upon checking this issue with the Microsoft Support team, it was concluded that this is a bug that started with Windows 10 1703 (earlier versions like Windows 10 1607 work fine) and affects only machines with more than 3.8 GB of memory (most of our new laptops and other hardware). It works fine if you have 3.8 GB of memory or less.

Reason of Problem:

The reason behind this bug is that the Creators Update (Windows 10 1703) introduced a new feature, the SVCHOST split, which allows each service to run in its own independent SVCHOST process. The service in question here is the Network Connectivity Assistant, "NcaSvc", which runs under the NetSvcs SVCHOST.

So "NcaSvc" is split into its own SVCHOST and log collection fails. The log collection process is a series of PowerShell commands that run on the machine to collect the logs; they fail to launch because the new split process is missing the "SeAssignPrimaryTokenPrivilege" privilege.


Microsoft provided two workarounds: either disable the split for this service or grant the needed privilege. To fix the issue you need to apply just one of the solutions below:

  1. Disable the split mentioned above by creating a DWORD registry value "SvcHostSplitDisable" and setting it to 1 under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc". You need to restart your client machine.
  2. Add "SeAssignPrimaryTokenPrivilege" to "RequiredPrivileges" in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc". You need to restart your client machine.

So that's all you need to do on your client machine (Windows 10 1703 and above with more than 3.8 GB of memory). Test it on one machine, and then you can distribute this registry fix to all your DirectAccess machines using SCCM, Intune or any software distribution tool.
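A PowerShell script that applies one of the two workarounds idempotently, so it can be packaged for distribution. This is an added example, not code from the original post or from Microsoft. The `-Workaround` parameter and its two values are names assumed for this example; the registry path and value names are the ones given in the list above. It also assumes that a missing "RequiredPrivileges" value should be left alone, because creating a one-entry list would restrict the service to that single privilege.

```powershell
#Requires -RunAsAdministrator
# Added example: applies ONE of the two NcaSvc workarounds from the article.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DisableSplit', 'AddPrivilege')]   # names assumed for this example
    [string]$Workaround
)

$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc'
$privilege = 'SeAssignPrimaryTokenPrivilege'

if (-not (Test-Path $key)) { throw 'NcaSvc service key not found on this machine.' }

# Windows 10 1703 is build 15063; the article reports earlier builds as unaffected.
$build = [Environment]::OSVersion.Version.Build
if ($build -lt 15063) {
    Write-Output "Build $build predates 1703; no change made."
    return
}

$changed = $false
if ($Workaround -eq 'DisableSplit') {
    $current = (Get-ItemProperty -Path $key -Name SvcHostSplitDisable -ErrorAction SilentlyContinue).SvcHostSplitDisable
    if ($current -ne 1) {
        New-ItemProperty -Path $key -Name SvcHostSplitDisable -PropertyType DWord -Value 1 -Force | Out-Null
        $changed = $true
    }
}
else {
    # RequiredPrivileges is a REG_MULTI_SZ list. Append to it; never overwrite it,
    # and do not create it from scratch (see the assumption in the lead-in).
    $props = Get-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue
    if (-not $props) { throw 'RequiredPrivileges is not present; use -Workaround DisableSplit instead.' }
    $list = @($props.RequiredPrivileges | Where-Object { $_ })
    if ($list -notcontains $privilege) {
        New-ItemProperty -Path $key -Name RequiredPrivileges -PropertyType MultiString `
            -Value ([string[]]($list + $privilege)) -Force | Out-Null
        $changed = $true
    }
}

if ($changed) { Write-Output "Applied '$Workaround' to NcaSvc. Restart the machine to take effect." }
else          { Write-Output "'$Workaround' already in place; nothing to do." }
```

Running it a second time reports that the workaround is already in place and makes no change, which keeps repeated deployments from the distribution tool harmless.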

Hopefully this will help some of you facing this issue.



Tsvetalin Chikov Says:

Thanks a million!
Was scratching my head over this for hours!
