Configure Workplace Join: Enable Device Registration and Enroll for Workplace Join

In the first part of this two-part series, I showed you how to set up Windows Server 2012 R2 Active Directory Federation Services (AD FS) for the purposes of enabling Workplace Join for Windows 8.x and other supported clients. In this article we’ll enable device registration for Workplace Join in Windows Server 2012 R2, and prepare a client to sign up for Workplace Join.

The lab requires two servers: one Active Directory domain controller (DC) and an AD FS server. They must be running Windows Server 2012 R2. Additionally, you’ll need a device running Windows 8.x that is not joined to the AD domain.

Enable Device Registration in Active Directory

To enable Workplace Join, we need to enable device registration in Active Directory using PowerShell. Log on to your AD FS server with a domain administrator account.

  • Open a PowerShell console using the icon on the desktop taskbar or from the Start screen.
  • Type Initialize-ADDeviceRegistration -ServiceAccountName "ad\fsgmsa$" in the PowerShell console, replacing ad with the NETBIOS name of your AD domain, and press Enter.
  • When prompted for confirmation, type y and press Enter.
  • PowerShell should report that the operation completed successfully.
  • Now type Enable-AdfsDeviceRegistration and press Enter. After a few seconds, you should see a report saying that the operation completed successfully.
  • Open Server Manager using the icon on the desktop taskbar, or from the Start screen.
  • In Server Manager, click AD FS Management on the Tools menu.
  • In the AD FS console, click Edit Global Primary Authentication under Authentication Policies in the right pane.
  • In the Edit Global Primary Authentication dialog, check Enable device authentication on the Primary tab and click OK.
  • Close the AD FS console.
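The same device registration steps as a script, added here as an example (it is not code from the original article). It runs in an elevated PowerShell console on the AD FS server as a domain administrator, assumes the gMSA name used in part 1 (ad\fsgmsa$), and replaces the console click-through with Set-AdfsGlobalAuthenticationPolicy, then checks that device authentication actually ended up enabled:

```powershell
# Added example, not from the original article.
# Run on the AD FS server (Windows Server 2012 R2) as a domain administrator.
$serviceAccount = 'ad\fsgmsa$'   # assumption: the AD FS gMSA from part 1; "ad" = your domain's NetBIOS name

Import-Module ADFS

# Create the Device Registration Service objects in Active Directory
# (including the RegisteredDevices container). -Force suppresses the y/n prompt.
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAccount -Force

# Enable the Device Registration Service endpoint on this AD FS farm.
Enable-AdfsDeviceRegistration

# Equivalent of ticking "Enable device authentication" on the Primary tab
# of Edit Global Primary Authentication in the AD FS console.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify both halves: the DRS configuration exists and the policy flag is set.
Get-AdfsDeviceRegistration | Format-List

$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled in the global primary authentication policy.'
}
'Device registration is enabled and device authentication is on.'
```

The final check matters because the console setting and the DRS enablement are independent: a farm can have DRS running while the authentication policy still rejects device certificates, and clients then fail to join with no obvious server-side error.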

Enable device registration in ADFS

DNS Resolution

You need to make sure that the name enterpriseregistration in your AD DNS zone resolves to the IP address of your ADFS server. To do this, add a CNAME record to DNS.

  • Log on to your DNS server using an account that has permission to add new DNS records.
  • Open Server Manager using the blue icon on the desktop taskbar or from the Start screen.
  • Select DNS from the Tools menu.
  • In the DNS management console, expand your DNS server in the left pane and click the AD DNS zone, in my case ad.contoso.com, under Forward Lookup Zones.
  • Right click the DNS zone in the left pane and select New Alias (CNAME) from the menu.
  • In the New Resource Record dialog, type enterpriseregistration in the Alias name box.
  • In the Fully qualified domain name (FQDN) for target host box, type the FQDN for your ADFS server, or browse to the server’s host (A) record using the Browse button.
  • Click OK and close the DNS management console.
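The CNAME step scripted with the DnsServer module, added as an example that is not part of the original article. It assumes the lab zone from the article (ad.contoso.com) and an assumed AD FS host name (adfs.ad.contoso.com); it refuses to create the alias if the target A record is missing, and then resolves the alias the way a client would:

```powershell
# Added example, not from the original article.
# Run on the DNS server with an account allowed to add records.
$zone     = 'ad.contoso.com'        # the AD DNS zone used in the article's lab
$adfsHost = 'adfs.ad.contoso.com'   # assumption: FQDN of the AD FS server's host (A) record
$adfsLabel = $adfsHost.Split('.')[0] # assumes the A record lives directly in $zone

# A CNAME that points at a non-existent host only moves the failure to the client,
# so confirm the target exists before creating the alias.
$target = Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name $adfsLabel -ErrorAction SilentlyContinue
if (-not $target) { throw "No A record named $adfsLabel in zone $zone" }

Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'enterpriseregistration' -HostNameAlias $adfsHost

# Verify from the resolver side: the alias should chain to the AD FS server's address.
$alias = "enterpriseregistration.$zone"
Resolve-DnsName -Name $alias -Type CNAME | Format-Table Name, Type, NameHost -AutoSize

$ip = (Resolve-DnsName -Name $alias -Type A | Where-Object Type -eq 'A').IPAddress
if (-not $ip) { throw "$alias did not resolve to an address" }
"$alias -> $ip"
```

Run the Resolve-DnsName part from the Windows 8.1 client as well: the device discovers the registration service through this name, so a client that uses a different DNS server than the one you edited will fail to join even though the record looks correct on the server.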

Create a CNAME record in DNS

Install the CA Root Certificate on the Client Device

Any client device that wants to use Workplace Join must trust the enterprise certification authority we configured earlier. First we need to export the CA root certificate.

  • Log on to the certification authority using an administrator account.
  • Switch to the Start screen, type mmc and select MMC from the search results in the right pane.
  • In the MMC window, select Add/Remove Snap-in from the File menu.
  • In the Add or Remove Snap-ins dialog, select Certificates in the left pane and click Add.
  • In the Certificates snap-in dialog, select Computer account and click Next.
  • In the Select Computer window, select Local computer and click Finish.
  • Click OK in the Add or Remove Snap-ins dialog.
  • In the MMC window, expand Certificates (Local Computer), Trusted Root Certification Authorities, Certificates.
  • In the right pane of the MMC window, right click the root CA certificate and select All Tasks > Export from the menu.
  • Click Next on the welcome screen in the Certificate Export Wizard.
  • On the Export File Format screen, select DER encoded binary X.509 (.CER) and click Next.

Export the CA root certificate

  • On the File to Export screen, click Browse and save the file as rootcert to a convenient location on the server. Click Next to continue.
  • Click Finish to export the certificate to the file.
  • Click OK in the confirmation dialog.

Now log on to your Windows 8.1 client as a local administrator and import the CA root certificate. You will need access to the .cer file saved in the previous instructions.

  • Switch to the Start screen, type mmc and select MMC from the search results in the right pane.
  • In the MMC window, select Add/Remove Snap-in from the File menu.
  • In the Add or Remove Snap-ins dialog, select Certificates in the left pane and click Add.
  • In the Certificates snap-in dialog, select Computer account and click Next.
  • In the Select Computer window, select Local computer and click Finish.
  • Click OK in the Add or Remove Snap-ins dialog.
  • In the MMC window, expand Certificates (Local Computer), Trusted Root Certification Authorities, Certificates.
  • In the left pane of the MMC window, right-click the Certificates folder and select All Tasks > Import from the menu.
  • Click Next on the welcome screen in the Certificate Import Wizard.
  • Click Browse in the File to Import window and select the rootcert.cer file.
  • Click Next to continue.
  • On the Certificate Store screen, make sure Trusted Root Certification Authorities is selected as the certificate store and click Next.
  • Click Finish to import the certificate.
  • Click OK in the confirmation dialog.
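Both certificate procedures above, exporting the root on the CA and importing it on the Windows 8.1 client, as PowerShell using the PKI module. This is an added example, not code from the original article; the CA name and file path are assumptions, and the thumbprint comparison is added so that the client only trusts the root you actually exported:

```powershell
# Added example, not from the original article. Requires the PKI module
# (Windows 8.1 / Windows Server 2012 R2). Section 1 runs on the CA, section 2 on the client.

# ----- Section 1: on the certification authority, export the root CA certificate -----
$caName  = 'contoso-CA'          # assumption: subject CN of your enterprise root CA
$outFile = 'C:\temp\rootcert.cer' # assumption: any convenient location

$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$caName*" -and $_.Subject -eq $_.Issuer } |  # self-signed = root
        Select-Object -First 1
if (-not $root) { throw "Root certificate for $caName not found in Trusted Root Certification Authorities" }

# -Type CERT writes DER-encoded binary X.509 (.CER); only the public certificate is written.
Export-Certificate -Cert $root -FilePath $outFile -Type CERT | Out-Null
'Exported {0}; record this thumbprint: {1}' -f $root.Subject, $root.Thumbprint

# ----- Section 2: on the Windows 8.1 client (local administrator), import and verify -----
$expectedThumbprint = '<thumbprint printed in section 1>'   # placeholder: paste the value from the CA
$cerFile = 'C:\temp\rootcert.cer'                           # assumption: where you copied the file

$imported = Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root
if ($imported.Thumbprint -ne $expectedThumbprint) {
    throw 'Imported certificate does not match the thumbprint exported from the CA'
}

$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $expectedThumbprint
if ($trusted) { "Root CA '$($trusted.Subject)' is now trusted by this machine" }
```

Importing into Cert:\LocalMachine\Root is the scripted equivalent of choosing Trusted Root Certification Authorities in the wizard; importing into the current user's store instead would not satisfy the machine-wide trust that the join needs.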

Set Up Workplace Join on the Windows 8.1 Client

Now that all the infrastructure components are in place, we can set up Workplace Join on the client. You must be signed on to the device using a Microsoft account.

  • Log on to your client device using a Microsoft account.
  • Press Windows + C to bring up the Charms bar.
  • Click Settings on the Charms bar.
  • At the bottom of the Settings panel, click Change PC settings.
  • In the PC settings app, click Network in the left pane.
  • Click Workplace on the Network screen.
  • On the Workplace screen, type your AD logon ID into the box and click Join.
  • Enter the password for the user ID when prompted.

Register Windows 8.1 in Active Directory using Workplace Join

When the join operation is complete, you will see a confirmation message stating that the device has joined your workplace network.
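One way to confirm the result from both ends, added here as an example that is not part of the original article. Section 1 runs on the domain controller and lists the device objects that Workplace Join creates under the RegisteredDevices container set up by Initialize-ADDeviceRegistration; section 2 runs on the client in the joined user's session and looks for the device certificate the join installs. The issuer name used in the client filter is an assumption:

```powershell
# Added example, not from the original article.

# ----- Section 1: on the domain controller (ActiveDirectory module) -----
# Each registered device is an msDS-Device object under CN=RegisteredDevices in the domain.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=ad,DC=contoso,DC=com in the article's lab

$devices = Get-ADObject -SearchBase "CN=RegisteredDevices,$domainDN" `
                        -LDAPFilter '(objectClass=msDS-Device)' `
                        -Properties 'displayName', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion', 'whenCreated'

if (-not $devices) {
    'No registered devices yet; the join has not reached Active Directory.'
} else {
    $devices | Format-Table 'displayName', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion', 'whenCreated' -AutoSize
}

# ----- Section 2: on the Windows 8.1 client, in the session of the user who joined -----
# Workplace Join places a device certificate in the user's Personal store. The issuer
# filter below ("MS-Organization-Access") is an assumption; adjust it if your store differs.
$deviceCert = Get-ChildItem Cert:\CurrentUser\My |
              Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
              Select-Object -First 1

if ($deviceCert) {
    'Device certificate present: subject {0}, expires {1}' -f $deviceCert.Subject, $deviceCert.NotAfter
} else {
    'No Workplace Join device certificate found in the user store; the join did not complete.'
}
```

Keeping an eye on the RegisteredDevices container is also the simplest way to audit which devices have been registered, and by whom, after the lab is in production use.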