This is the first of three posts taking a closer look at specific mobile-management features in Windows 8.1 and Windows Server 2012 R2. For a high-level discussion of what is new for mobile management in these two operating systems, see What’s New for Windows Mobile Device Management. For a discussion on how to decide whether to manage a device like a mobile device or a domain-joined device, see Going Mobile? Decide How to Manage Windows Devices.

IT risk management for the mobile world

Back in the day, being connected to a corporate network was black or white: your computer was either joined to an Active Directory Domain Services (AD DS) domain or it wasn’t. Then along came the era of bring your own device (BYOD). BYOD was great because it gave employees the tools to be productive anywhere, but it also had the potential to put sensitive corporate data at risk because business users are using their personal devices for both work and play, without IT being able to lock down such devices as they would domain-joined hardware.

To help mitigate these risks, the Workplace Join feature in Windows Server 2012 R2 gives you a halfway house between being domain-joined and completely not joined. This gives you an extra level of security while providing the easy access that users need to do their jobs.

How it works

When you join a device to a workplace, you install a trusted certificate on that device, securing access and authenticating you in the future. In Windows 8.1, you can find the Workplace Join option in your PC settings. In the Workplace settings area, you join the device to the workplace simply by entering your domain credentials in the form of your corporate email address and password.

Workplace Join is also a means of enrolling mobile devices with third-party MDM solutions, such as AirWatch, and with support for additional MDM solutions coming in the future. Within Windows, a device with Workplace Joined enabled is registered with IT, but IT doesn’t have control of the device, as they would with a domain-joined PC. (Because, really, who wants to give complete control of a personal device to IT?) The join procedure does require an AD DS user account, but not a computer account.

Here are some other benefits provided by Workplace Join:

  • Workplace Join provides a single sign-on (SSO) to workplace resources and applications.
  • The attributes of joined devices are provided through claims and presented to AD DS, permitting dynamic access control (conditional access) to resources based on the user’s identity, the device they are using, and their location.
  • Workplace Join gives users access to file-based resources that require a user logon.
  • Workplace Join provides a built-in form of second-factor authentication.

Workplace Join relies on Windows Server 2012 R2, Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and AD DS.

For more information on mobile-friendly features in Windows 8.1 and Windows Server 2012 R2, check out our white paper Windows Device Management Goes Mobile on And stay tuned for my next post, where I will look at how you can synchronize data across multiple devices with greater security with Work Folders.

Share this: