Workplace Join, introduced in Windows Server 2012 R2, is a new way to manage user devices. This article explains the function, benefits, and requirements of this new technology.

With Windows Server 2012 or below, domain privileges were essentially on or off. Devices were either members of your domain or not. Windows Server 2012 R2 introduces a new middle ground called WorkPlace Join.

WorkPlace Join login in Windows 8.1

WorkPlace Join login in Windows 8.1

WorkPlace Join achieves this balance between security and accessibility by streamlining access to approved devices. This includes access to domain resources with Single-Sign On whether a user is attempting to access company data or site wide web based applications.

Note: Windows Server 2012 R2 introduced two new “Work” technologies. WorkPlace Join is not to be confused with Work Folders. Work Folders offers an internal “Sky Drive”. When these technologies are joined together, users can seamlessly access data. You can view the TechEd video here.

What are the WorkPlace requirements?

WorkPlace join requires three Windows Server 2012 R2 servers. First, it is recommended to have a domain controller running Windows Server 2012 R2 with the certificate services role installed. Second, an organization would need a server running Active Directory Federation Services with the Device Registration Services component activated.

Device Authentication within Active Directory Federation Services

Device Authentication within Active Directory Federation Services

Finally, you will need an IIS/Web server that has the Windows Identity Foundation feature installed.

On the client side, you can use iOS devices and Windows 8.1 computers to test WorkPlace Join. Because the actual join process is certificate driven, some suspect that other device types will become officially supported.

Users on a Windows 8.1 machine can join an organization without any IT involvement. This is done through the Modern Control Panel under the WorkPlace Settings node.

WorkPlace Join in Windows 8.1

WorkPlace Join in Windows 8.1

Users on iOS devices will need to browse to corporate webpage (which is created during the IIS server configuration). They can then install an iOS profile that links their device to an organization.

How does device registration work?

The work horse of WorkPlace Join is the Device Registration Service that is installed with the Active Directory Federation Services role.

Whenever a user joins a personal device to your network, the device registration service will identify the user’s device as a known computer. A device object will be created in Active Directory and is stored in the RegisteredDevices container.

RegisteredDevices WorkPlace Join container

RegisteredDevices WorkPlace Join container

The device registration service will also provide a certificate to the user’s device. This certificate is used to uniquely identify the object within your organization and allows some limited management.

What kind of control will I have?

When Workplace Join was first announced, there were two really big questions:

  • What kind of privacy will your users have?
  • What kind of control will your IT department have?

As an IT Administrator, you will have complete control over the access provided to the registered device. Building on that, you can make use of Multifactor authentication. Multifactor authentication essentially allow you to define multiple AND statements for data and application access.

For example, you could require that all outside access to a particular application is only allowed if:

  • The authenticating device is a registered device AND
  • The User is a member of a particular security group.

From a user perspective, near complete privacy is maintained. The user is free to enter or leave the WorkPlace Join setup as they please. The user will also keep control over their device (in terms of local settings and management).

A replacement to domain joined computers?

If your company is currently trying to manage user devices with an all or nothing approach, WorkPlace Join will be a helpful addition to tackling BYOD challenges. However, it is not meant to be a replacement to traditional domain joined machines.

WorkPlace Join streamlines authentication for company resources. If your organization hosts web based applications or web based document access, WorkPlace Join allows Single Sign On. This effectively mimics a domain joined machine.

WorkPlace Join does not extend the functionality of Group Policy to offsite/non-domain machines. It is meant to simplify resource access; not to manage or secure non-company resources. DirectAccess, vastly improved since initial release, would provide some of that functionality.

Want to test it out?

Microsoft currently has four technical scenarios available that cover WorkPlace Join. If you do attempt these labs, be sure to setup a test domain from scratch and to use the exact domain name specified.

  1. Vanessa 7 years ago

    Can employers access, view or control other areas of the phone such as texts/imessages, voicemail, contacts, photos, video or downloaded applications like facebook?

  2. Vanessa 7 years ago

    Or GPS?

  3. Author

    Hi Vanessa – this is for computers, not phones.

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account