With Windows Server 2012 R2 and Windows 8.1, Microsoft starts to simplify BYOD (Bring Your Own Device).
Indeed, on Windows 8.1 (this is not available with Windows 8, so upgrade your Windows 8 device for free), a new feature called Join Workspace allows end-users to connect to and use corporate resources without having to join the device to the domain.
Prerequisites
To be able to use this feature, the following is required:
- Windows 8.1 client (of course); all editions have this feature available
- Windows Server 2012 R2; this is needed to host the ADFS service with the new Device Registration feature
- A DNS record that points to your ADFS server
- An SSL certificate using the DNS record as its common name
ADFS Installation and Configuration
- You must have a certificate available to configure ADFS. If you are using an internal certificate authority, you have to deploy the certificate of this CA to the clients as a Trusted Root or Enterprise Trust certificate. It is of course recommended to use a certificate issued by a public authority, like Digicert http://digicert.com/
- You must define 2 entries (names) in the certificate: adfs.corporatedomain.com and enterpriseregistration.corporatedomain.com. Of course, replace corporatedomain.com with your own public domain, as well as the host names (adfs or enterpriseregistration); I'm using these ones for better understanding
- Deploy Windows Server 2012 R2 and enable ADFS. I would recommend enabling the .Net Framework manually first, as you may get errors during the installation using Server Manager; see http://blog.hametbenoit.info/2012/03/10/windows-8-error-when-activating-.net-framework-feature/ to enable the .Net Framework
- Enable ADFS
- Configure ADFS and follow the wizard
- As this server is the first ADFS server, I'm choosing Create the first federation server. Of course, if you already have an ADFS server deployed on Windows Server 2012 R2 (always use the same version of ADFS across an ADFS farm), choose the second option, Add federation to a federation farm
- Ensure the user account used for connecting to your AD has the appropriate permissions
- Select the certificate to use and define the display name; the Federation name will be filled in automatically based on the name used when generating the certificate
- Define the managed service account to use for running ADFS; you can choose an existing one or create a new one. In my case, I already created an MSA with the PowerShell commands below. If you want to create the managed service account manually, open a Windows PowerShell window (always run as administrator) and execute the following commands
- Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
- New-ADServiceAccount FsGmsa -DNSHostName <ADFS URL used when generating the certificate; same as the one defined in the wizard> -ServicePrincipalNames http/<ADFS URL used when generating the certificate; same as the one defined in the wizard>
- Then define the SQL instance to use: local, with the Windows Internal Database (WID), or a SQL Server. In my case I'll use an existing SQL Server; for more information on whether or not to use WID for ADFS, see http://technet.microsoft.com/en-us/library/gg982489.aspx
- Review the configuration summary to ensure all settings are set as intended
- After the configuration has been validated, finalize the process
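Before moving on to Device Registration, it is worth checking that the two DNS names, the certificate and the managed service account from the steps above line up. The script below is an added example, not part of the original post; it assumes the host names and the FsGmsa account name used in this post, and is meant to run on the ADFS server with the DnsClient and ActiveDirectory PowerShell modules available.

```powershell
# Added example (not from the original post): pre-flight checks for the DNS
# names, certificate and gMSA this walkthrough depends on. The host names and
# account name are the ones used in the post; replace them with your own.
$Domain   = 'corporatedomain.com'
$AdfsHost = "adfs.$Domain"
$DrsHost  = "enterpriseregistration.$Domain"
$GmsaName = 'FsGmsa'

function Test-AdfsDns {
    param([string[]]$Names)
    foreach ($n in $Names) {
        try {
            $ips = (Resolve-DnsName -Name $n -Type A -ErrorAction Stop).IPAddress
            Write-Host ("[OK]   {0} -> {1}" -f $n, ($ips -join ', '))
        } catch {
            Write-Warning "[FAIL] $n does not resolve: $($_.Exception.Message)"
        }
    }
}

function Test-AdfsCertificate {
    param([string[]]$RequiredNames)
    # Look for a cert in the machine store whose SAN covers both names
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    foreach ($c in $certs) {
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { continue }
        # Format() yields e.g. "DNS Name=adfs.corporatedomain.com, DNS Name=..."
        $names = ($san.Format($false) -split ',\s*') -replace '^DNS Name=', ''
        if ($RequiredNames | Where-Object { $names -notcontains $_ }) { continue }
        Write-Host "[OK]   $($c.Thumbprint) covers $($RequiredNames -join ', ')"
        # Verify() fails if the issuing (internal) CA is not trusted on this host
        if (-not $c.Verify()) { Write-Warning "[FAIL] Chain for $($c.Thumbprint) is not trusted" }
        return
    }
    Write-Warning "[FAIL] No certificate in LocalMachine\My covers $($RequiredNames -join ', ')"
}

function Test-AdfsGmsa {
    param([string]$Name, [string]$ExpectedSpn)
    try { $acct = Get-ADServiceAccount -Identity $Name -Properties ServicePrincipalNames -ErrorAction Stop }
    catch { Write-Warning "[FAIL] gMSA $Name not found: $($_.Exception.Message)"; return }
    if ($acct.ServicePrincipalNames -contains $ExpectedSpn) { Write-Host "[OK]   gMSA $Name has SPN $ExpectedSpn" }
    else { Write-Warning "[FAIL] gMSA $Name lacks SPN $ExpectedSpn" }
}

Test-AdfsDns         -Names $AdfsHost, $DrsHost
Test-AdfsCertificate -RequiredNames $AdfsHost, $DrsHost
Test-AdfsGmsa        -Name $GmsaName -ExpectedSpn "http/$AdfsHost"
```

A [FAIL] on the chain check is the symptom you will see on clients when an internal CA certificate has not been deployed as described above.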
Enable Device Registration
Once ADFS has been installed and configured, you must enable the feature called Device Registration.
To do so, open a Windows PowerShell window (run as administrator) and execute the following commands:
- Initialize-ADDeviceRegistration; when prompted, enter the managed service account defined during the ADFS configuration step, here <your domain>\fsgmsa$
- Enab