Windows 2012 R2 / Windows 8.1 – Bring your own device with Workplace Join

With Windows Server 2012 R2 and Windows 8.1, Microsoft starts to simplify BYOD (Bring Your Own Device).

Indeed, on Windows 8.1 (this is not available with Windows 8, so upgrade your Windows 8 device for free), a new feature called Workplace Join allows end users to connect to and use corporate resources without being obliged to join the device to the domain.



To be able to use this feature, the following is required:

  • Windows 8.1 client (of course); all editions have this feature available
  • Windows Server 2012 R2; this is needed to host the ADFS service with the new ADFS feature
  • A DNS record that points to your ADFS server
  • An SSL certificate using the DNS record as common name
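A pre-flight check for these prerequisites, added here as an example and not part of the original post: it confirms that the ADFS name and the enterpriseregistration name both resolve in DNS, and that a certificate with a private key in the local machine store covers both names in its Subject Alternative Name and chains to a trusted CA. The host names adfs.contoso.com and enterpriseregistration.contoso.com are placeholders.

```powershell
# Added pre-flight check, not part of the original post.
# Host names are placeholders: pass your own ADFS name and enterpriseregistration name.
function Test-WorkplaceJoinPrereqs {
    param(
        [string]$AdfsHost = 'adfs.contoso.com',
        [string]$RegistrationHost = 'enterpriseregistration.contoso.com'
    )
    $ok = $true

    # 1. Both names must resolve (A record for ADFS, CNAME or A for enterpriseregistration)
    foreach ($name in @($AdfsHost, $RegistrationHost)) {
        $answer = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
        if ($answer) {
            Write-Host "DNS OK   : $name -> $(($answer | Where-Object IPAddress).IPAddress -join ', ')"
        } else {
            Write-Warning "DNS FAIL : $name does not resolve"
            $ok = $false
        }
    }

    # 2. One certificate with a private key must list both names in its SAN extension (OID 2.5.29.17)
    $match = $null
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { continue }
        # Format($false) renders "DNS Name=adfs.contoso.com, DNS Name=enterpriseregistration.contoso.com"
        $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() }
        if (($names -contains $AdfsHost.ToLower()) -and ($names -contains $RegistrationHost.ToLower())) {
            $match = $cert; break
        }
    }
    if (-not $match) {
        Write-Warning "CERT FAIL: no certificate in LocalMachine\My covers both $AdfsHost and $RegistrationHost"
        return $false
    }
    Write-Host "CERT OK  : $($match.Subject) thumbprint $($match.Thumbprint), expires $($match.NotAfter)"
    if ($match.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'CERT     : expires within 30 days' }

    # 3. The issuing CA must be trusted on this server (internal CA certificates must be deployed first)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($match)) {
        Write-Warning "CERT     : chain not trusted - $($chain.ChainStatus.StatusInformation -join '; ')"
        $ok = $false
    }
    return $ok
}

Test-WorkplaceJoinPrereqs
```

Run it on the future ADFS server before starting the wizard; a $false result means one of the requirements above is still missing.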

ADFS Installation and Configuration

  • You must have a certificate available to configure ADFS. If you are using an internal certificate authority, you have to deploy the certificate of this CA as Trusted or Enterprise Trust. It is of course recommended to use a certificate issued by a public authority, like DigiCert
    • You must define 2 entries for the certificate: and . Of course, replace them with your own public domain as well as the host name (adfs or enterpriseregistration); I'm using these ones for better understanding
  • Deploy Windows Server 2012 R2 and enable ADFS. I would recommend first enabling the .NET Framework manually, as you may get errors during the installation using Server Manager; see to enable the .NET Framework
  • Enable ADFS


  • Configure ADFS and follow the wizard


  • As this server is the first ADFS server, I'm choosing Create the first federation server. Of course, if you already have an ADFS server deployed on Windows Server 2012 R2 (always use the same version of ADFS across an ADFS farm), choose the second option, Add a federation server to a federation server farm


  • Ensure the user account used to connect to your AD has the appropriate permissions


  • Select the certificate to use and define the display name; the Federation Service name will be filled in automatically based on the name used when generating the certificate


  • Define the managed service account to use for running ADFS; you can choose an existing one or create a new one. In my case, I already created a group MSA with the PowerShell commands below. If you want to create the managed service account manually, open a Windows PowerShell window (always run as administrator) and execute the following commands. The first one creates the KDS root key that gMSAs depend on; back-dating its effective time by 10 hours makes it usable immediately instead of waiting for domain controller replication
    • Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    • New-ADServiceAccount FsGmsa -DNSHostName <ADFS URL used when generating the certificate; same as the one defined in the wizard> -ServicePrincipalNames http/<ADFS URL used when generating the certificate; same as the one defined in the wizard>



  • Review the configuration summary to ensure you set all settings accordingly


  • And after validating the configuration, finalize the process


Enable Device Registration

Once ADFS has been installed and configured, you must enable the feature called Device Registration.

To do so, open a Windows PowerShell window (run as administrator) and execute the following commands:

  • Initialize-ADDeviceRegistration; when prompted, enter the managed service account defined during the ADFS configuration step, here <your domain>\fsgmsa$


  • Enab
