Workplace Join for Windows 7
Published: February 28, 2014
Updated: April 29, 2014
Applies To: Windows 7, Windows Server 2012 R2
With Windows Server 2012 R2 Federation Services, customers can set conditional access policies based on known devices. This package is necessary to allow domain-joined Windows 7 machines access to resources that are protected by these policies. For more information on Workplace Join, see Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication across Company Applications.
Workplace Join for Windows 7 is available for machines that have been joined to an Active Directory Domain. These are typically corporate-owned machines that have been provided to information workers. You must also deploy Active Directory Federation Services (AD FS) and enable the Device Registration Service (DRS). For more information on deploying Active Directory Federation Services, see Windows Server 2012 R2 AD FS Deployment Guide.
Workplace Join for Windows 7 is available as a downloadable MSI package. The package must be installed on Windows 7 machines that are joined to an Active Directory Domain. You should deploy the package using a software distribution system such as System Center Configuration Manager. The MSI package supports the standard silent install options using the /quiet parameter.
The software package is available for download at the Microsoft Connect website.
Workplace Join for Windows 7 does not require or include a user interface. Once installed on the machine, any domain user that logs into the machine will be automatically and silently Workplace Joined with Active Directory.
The installer creates a Scheduled Task on the system that runs in the user’s context and is triggered on user sign-in. The task silently Workplace Joins the user and device with Active Directory after the user’s sign-in is complete. The Scheduled Task can be found in the Task Scheduler Library under Microsoft > Workplace Join.
The task will run and Workplace Join any and all Active Directory users that log into the machine, provided the user has been granted rights to Workplace Join. By default, all Active Directory user accounts are allowed to Workplace Join.
The following steps describe the process for Automatic Workplace Join.
1. A user (information worker) logs on to a Windows 7 client computer using Active Directory domain credentials.
2. The Workplace Join scheduled task is executed.
3. The user is silently authenticated with AD FS using Windows Integrated Authentication.
4. The Windows 7 PC is registered to the user in Active Directory.
5. A device object and certificate are created in Active Directory. The object represents the user@device.
6. The Workplace Join certificate is stored on the machine.
Windows 7 machines can be removed from the workplace using the Workplace Join client executable. To leave the workplace, open a command prompt on the Windows 7 machine and execute the following command:
%ProgramFiles%\Microsoft Workplace Join\AutoWorkplace.exe /leave
This command must be run in the context of each Domain user that has signed into the machine and been automatically workplace joined. Once the command is complete, you must uninstall the software package using Control Panel > Programs > Programs and Features. If you do not uninstall the software package, the machine will become Workplace Joined the next time a domain user logs into the machine.
The Windows Event Log on the Windows 7 machine will display messages related to Workplace Join. You can find messages for both successful and unsuccessful Workplace Join events. The Event Log can be found in the Event Viewer under Applications and Services Logs > Microsoft-Workplace Join.
The Device Registration Service (DRS) is a new Windows service that is included with the Federation Services Role on Windows Server 2012 R2. The DRS must be installed and configured on all of the federation servers in your AD FS farm. For information on deploying DRS, see Windows Server 2012 R2 AD FS Deployment Guide.
AD FS must be configured with a server SSL certificate that includes the names required for device registration and includes a valid Certificate Revocation List (CRL) endpoint. For more information on the server SSL certificate requirements, see AD FS Design Guide in Windows Server 2012 R2.
The AD FS Global Primary Authentication Policy must be configured to allow Windows Integrated Authentication for the Intranet (this is the default).
Internet Explorer on the Windows 7 machine must use the following settings for the Local intranet security zone:
Don’t prompt for client certificate selection when only one certificate exists: Enable
Allow scripting: Enable
Automatic logon only in Intranet zone: Checked
These are the default settings for the Internet Explorer Local intranet security zone. You can view or manage these settings in Internet Explorer by navigating to Internet Options > Security > Local intranet > Custom level. You can also configure these settings using Active Directory Group Policy.
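The following read-only check script is an added example, not part of the Microsoft documentation or the Workplace Join package: run in the signed-in domain user's context on a Windows 7 machine, it verifies the scheduled task described above, the three Local intranet zone settings, the Workplace Join event log, and the per-user certificate written by the join. The registry URL-action IDs (1400, 1A04, 1A00), the event log channel name and the device certificate issuer name are assumptions based on Internet Explorer and Workplace Join behaviour, not values taken from this page.

```powershell
# Added example: read-only health check for Workplace Join for Windows 7.
# Assumptions (not from the page): the Event Viewer channel is literally named
# "Microsoft-Workplace Join"; zone settings use IE URL-action registry IDs;
# the per-user device certificate issuer contains "MS-Organization-Access".

# 1. Scheduled task under Task Scheduler Library > Microsoft > Workplace Join.
#    schtasks.exe is used because Get-ScheduledTask does not exist on Windows 7.
$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -like '\Microsoft\Workplace Join\*' }
if ($tasks) {
    $tasks | ForEach-Object { 'Task {0}: status={1} last result={2}' -f $_.TaskName, $_.Status, $_.'Last Result' }
} else {
    'No Workplace Join scheduled task found. Is the MSI package installed?'
}

# 2. Local intranet zone (zone 1) settings the page requires. HKCU is read here;
#    a Group Policy-managed zone map may also live under HKLM.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$z = Get-ItemProperty -Path $zone
$checks = @(
    @{ Name = 'Allow scripting (1400)';                              Actual = $z.'1400'; Expected = 0 },
    @{ Name = "Don't prompt for client certificate selection (1A04)"; Actual = $z.'1A04'; Expected = 0 },
    @{ Name = 'Automatic logon only in Intranet zone (1A00)';        Actual = $z.'1A00'; Expected = 0x20000 }
)
foreach ($c in $checks) {
    # A missing value reports as MISMATCH so an unset zone stands out.
    $state = if ($c.Actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-55} actual={1} expected={2} {3}' -f $c.Name, $c.Actual, $c.Expected, $state
}

# 3. Recent Workplace Join events: both success and failure records land here.
$events = Get-WinEvent -LogName 'Microsoft-Workplace Join' -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
} else {
    'No events in the Workplace Join log yet (the task runs at the next sign-in).'
}

# 4. Per-user device certificate stored by the join (issuer filter is an assumption).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

A MISMATCH on any zone setting points at a Group Policy override of the Internet Explorer defaults; the event log entries show whether the silent join or the Windows Integrated Authentication step failed.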
Windows 7 machines must have connectivity to AD FS, DRS, and an Active Directory Domain Controller in order to Workplace Join. This typically means the machine must be connected to the corporate network. This can include a wired connection, a Wi-Fi connection, DirectAccess, or VPN. The Windows 7 machine will not be able to Workplace Join if it is connecting to the corporate network through a reverse proxy solution such as the Web Application Proxy.