1. Windows Rights Management -- Prevent confidential data from leaving. Or prevent the computer from getting a virus by using OS X or Linux. The number of ways to prevent legitimate systems from compromising your systems is astounding. Infosec 101 -- Users are your worst enemies.

2. If you allow your users administrative access on a machine where they can bridge their connections then your already screwed.

I guess what I am trying to say is all of these challenges have been known to infosec forever. Now its just creating a strong department that follows good security guidelines.

That's because you are an idiot....... Along with everyone who didn't want to do any research, as @Kensai7 has already said ars has been over this extensively. It is not going away. Maybe another link to the article will help people understand: http://arstechnica.com/microsoft/news/2011/06/windows-8-for-software-developers-the-longhorn-dream-reborn.ars

As a user I think that not allowing use of my email address as a login name pisses me off to no end. Why should I have to remember a separate login name for each and every service? The service already has my email address because it is ALWAYS required so why not just use that. In addition, if you are still using an email address from your ISP then you already have some major issues. See http://mail.google.com/ for the correct alternative to ISP provided email.

I know its hard to let facts get in the way but here:

Firewall and Web Proxy Traversal

Because IPv6 is the initial Layer 3 transport and most remote computers are communicating across the IPv4 Internet, a DirectAccess client computer will attempt to use the 6to4 and Teredo IPv6 transition technologies to communicate with the DirectAccess server. However, Web proxy servers and some firewalls will not forward 6to4 and Teredo-encapsulated traffic. In this case, the DirectAccess client uses IP-HTTPS, a new protocol in Windows 7 and Windows Server 2008 R2 that tunnels IPv6 packets inside an IPv4-based HTTPS session.

Windows xp went RTM August 24, 2001 so not exactly ten years ago but with XP IPSec VPNs have been supported from the beginning. I hate to sound like a prick but when coming up against such sheer ignorance its hard not to.

1. IPsec requires a ton of ports being available and open which just isn't the case as often anymore when going to a hotel. Hence why a lot of corporations are looking at things like SSL-VPNS. Direct access overcomes this limitation by tunneling all their IPv6 traffic in standard HTTPS packets which is pretty universally allowed.
2. You can configure your vpn to connect to automatically but what if i have a public web server that I want to connect to and split DNS (or DNS client views) so the internal and external zones are the same. I don't want my stupid VPN client trying to connect every time I go to www.slashdot.org with direct access you specify internal zones or internal servers that it should connect for while allowing it to route all other traffic normally.
3. Microsoft's best practices on direct access say to use Network Access Protection to isolate the clients and force security scans just like most modern VPN clients except now its completely transparent to the user which saves time and money.

Ohh for frack's sake get over the dang Kerberos thing. They put vendor specific information in !!OMG!! vendor specific fields. All of which was documented in RFC4757. However, if Microsoft supported it I would assume they would just become another provider and refuse to accept others credentials like Myspace.