Automatic and Silent Workplace Join
Published: April 29, 2014
Updated: April 29, 2014
Applies To: Windows Server 2012 R2
With Windows Server 2012 R2 Federation Services, customers can set conditional access policies based on known devices. Workplace Join is necessary to allow domain-joined Windows 8.1 machines access to resources that are protected by these policies.
Automatic Workplace Join is available for Windows 8.1 machines that have been joined to an Active Directory Domain. These are typically corporate owned machines that have been provided to information workers. You must also deploy Active Directory Federation Services (AD FS) with Windows Server 2012 R2 and enable the Device Registration Service (DRS).
Automatic Workplace Join is configured using Active Directory Group Policy. To configure the Group Policy, you must have at least one domain joined Windows Server 2012 R2 or Windows 8.1 machine with the Group Policy Management feature installed.
Once the Automatic Workplace Join Group Policy is enabled for your domain, any domain user that signs in to a domain-joined Windows 8.1 machine that is connected to your organization's network will be automatically and silently Workplace Joined with Active Directory.
The Group Policy enables a Scheduled Task on the system that runs in the user's context and is triggered on user sign-in. The task silently Workplace Joins the user and device with Active Directory after the user's sign-in completes. The Scheduled Task can be found on Windows 8.1 devices in the Task Scheduler Library under Microsoft > Windows > Workplace Join.
The task will run and Workplace Join any and all Active Directory users that log into the machine, provided the user has been granted rights to Workplace Join. By default, all Active Directory user accounts are allowed to Workplace Join.
Warning: You must have Domain Admin privileges.
Open Server Manager and navigate to Tools > Group Policy Management.
From Group Policy Management, navigate to the domain node that corresponds to the domain in which you would like to enable Automatic Workplace Join.
Right-click Group Policy Objects and select New. Give your Group Policy object a name, for example, Automatic Workplace Join. Click OK.
Right-click on your new Group Policy object and then select Edit.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join.
Right-click Automatically workplace join client computers and then select Edit.
Select the Enabled radio button and then click Apply. Click OK.
You may now link the Group Policy object to a location of your choice. To enable this policy for all of the domain joined Windows 8.1 devices at your organization, link the Group Policy to the domain.
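The same GPO can be created and linked from PowerShell with the GroupPolicy module (part of the Group Policy Management feature). This is an added example, not part of the original article; it assumes that the "Automatically workplace join client computers" setting is backed by the registry value named in the script, which you should confirm against the WorkplaceJoin ADMX template before relying on it.

```powershell
# Added example (not from the article): scripted equivalent of the GUI steps above.
# Run as a Domain Admin on a domain-joined Windows Server 2012 R2 or Windows 8.1
# machine that has the Group Policy Management feature installed.
# ASSUMPTION: the policy maps to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin,
# value autoWorkplaceJoin (1 = Enabled, 0 = Disabled). Verify in WorkplaceJoin.admx.
Import-Module GroupPolicy

$gpoName   = 'Automatic Workplace Join'
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
# Domain root DN without needing the ActiveDirectory module.
$domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext

# Create the GPO only if it does not already exist so re-runs are safe.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Silent Workplace Join for domain-joined Windows 8.1'
}

# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Workplace Join > "Automatically workplace join client computers" = Enabled.
# To disable it later (the removal procedure), set -Value 0 instead of unlinking.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'autoWorkplaceJoin' `
                    -Type DWord -Value 1 | Out-Null

# Link at the domain root so every domain-joined Windows 8.1 device receives it.
$alreadyLinked = (Get-GPInheritance -Target $domainDn).GpoLinks |
                 Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Show what was written so the change can be reviewed before clients refresh policy.
Get-GPRegistryValue -Name $gpoName -Key $policyKey
```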
You may choose to remove your domain joined Windows 8.1 devices from the workplace by doing the following:
Modify the Workplace Join Group Policy settings created in the previous section. Set the Automatically workplace join client computers policy to disabled. This will prevent new and existing devices from automatically joining the workplace.
Note: If you simply remove or unlink the Group Policy object that holds the Workplace Join policies, the current Windows 8.1 client settings will not be changed.
Remove the existing domain joined Windows 8.1 machines from the workplace by following one of the two options below:
On the Windows 8.1 device, navigate to PC Settings > Network > Workplace.
This process must be repeated for each domain user that has signed into the machine and has been automatically workplace joined.
Domain joined Windows 8.1 machines can be removed from the workplace using the Workplace Join client executable. To leave the workplace, open a command prompt on the Windows 8.1 machine and execute the following command:
This command must be run in the context of each domain user that has signed into the machine and been automatically workplace joined.
The Windows Event Log on the Windows 8.1 machine will display messages related to Workplace Join. You will find messages for both successful and unsuccessful Workplace Join events. The Event Log can be found in the Event Viewer under Applications and Services Logs > Microsoft > Windows > Workplace Join.
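To check a single Windows 8.1 client for the pieces this article describes (the scheduled task, the applied policy, the Internet Explorer intranet-zone settings and recent Workplace Join events), the following audit script can be run in the signed-in user's context. It is an added example, not code from the article; the event log channel name, the IE zone registry value names (1A04, 1400, 1A00) and the policy value name are assumptions to confirm on your own systems.

```powershell
# Added example (not from the article): read-only audit of one Windows 8.1 client.
# Run as the domain user whose Workplace Join you want to verify.
# ASSUMPTIONS: log channel 'Microsoft-Windows-Workplace Join/Admin'; zone values
# 1A04 (cert prompt), 1400 (scripting), 1A00 (logon); policy value autoWorkplaceJoin.
$report = [ordered]@{}

# 1. The scheduled task under Microsoft > Windows > Workplace Join must exist and be enabled.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -ErrorAction SilentlyContinue
$report['TaskPresent'] = [bool]$task
$report['TaskState']   = ($task | Select-Object -ExpandProperty State) -join ','

# 2. Has the Group Policy actually applied to this machine? (assumed registry value)
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' -ErrorAction SilentlyContinue
$report['PolicyEnabled'] = ($pol.autoWorkplaceJoin -eq 1)

# 3. Local intranet zone (zone 1) settings for the current user. If these are
#    enforced through Group Policy they live under HKLM/HKCU\...\Policies instead.
$zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -ErrorAction SilentlyContinue
$report['NoCertPromptEnabled']   = ($zone.'1A04' -eq 0)        # 0 = Enable
$report['ScriptingEnabled']      = ($zone.'1400' -eq 0)        # 0 = Enable
$report['AutoLogonIntranetOnly'] = ($zone.'1A00' -eq 0x20000)  # automatic logon only in Intranet zone

# 4. Recent Workplace Join events: Critical (1) or Error (2) entries mean a failed join.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Workplace Join/Admin' } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
$report['RecentErrors'] = @($events | Where-Object { $_.Level -le 2 }).Count
$report['LastEvent']    = ($events | Select-Object -First 1).TimeCreated
$report['LastMessage']  = ($events | Select-Object -First 1).Message

[pscustomobject]$report | Format-List
```

A client that shows TaskPresent but a non-zero RecentErrors count usually points at one of the prerequisites listed below (DRS, the SSL certificate and CRL endpoint, Windows Integrated Authentication, or network reachability of AD FS and a domain controller).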
The Device Registration Service (DRS) is a new Windows service that is included with the Federation Services Role on Windows Server 2012 R2. The DRS must be installed and configured on all of the federation servers in your AD FS farm. For information on deploying DRS, see Configure a federation server with Device Registration Service.
AD FS must be configured with a server SSL certificate that includes the names required for device registration and that includes a valid Certificate Revocation List (CRL) endpoint. For more information on the server SSL certificate requirements, see Workplace Join Requirements.
The AD FS Global Primary Authentication Policy must be configured to allow Windows Integrated Authentication for the Intranet (this is the default).
Internet Explorer on the Windows 8.1 machine must use the following settings for the Local intranet security zone:
Don’t prompt for client certificate selection when only one certificate exists: Enable
Allow scripting: Enable
Automatic logon only in Intranet zone: Checked
These are the default settings for the Internet Explorer Local intranet security zone. You can view or manage these settings in Internet Explorer by navigating to Internet Options > Security > Local intranet > Custom level. You can also configure these settings using Active Directory Group Policy.
Windows 8.1 machines must have connectivity to AD FS, DRS, and an Active Directory Domain Controller in order to Workplace Join. This typically means the machine must be connected to the corporate network. This can include a wired connection, a Wi-Fi connection, DirectAccess, or VPN. The Windows 8.1 machine will not be able to Workplace Join if it is connecting to the corporate network through a reverse proxy solution such as the Web Application Proxy.