Workplace Join was released in 2013 as a feature in Windows Server 2012 R2 and Windows 8.1. My colleague, David Jeppesen, wrote about it in his Thought Lab post published on November 8, 2013, “Workplace Join in Windows 8.1 Is Even Better Than You Think.” Almost four years later, Workplace Join remains relevant and useful. It’s also done some evolving.

In the Beginning of Workplace Join for BYOD

When it was first introduced, Workplace Join tackled the BYOD dilemma by letting users register personal Windows 8.1 and iOS devices, such as smartphones and tablets, for access to corporate resources. There is no separate client to install: on Windows 8.1 the Join option is built into PC Settings under Network > Workplace, and on iOS the user opens the organization's device registration URL in Safari and installs a profile. Either way the user is asked for corporate credentials, which the Device Registration Service (DRS) in Active Directory Federation Services (AD FS) verifies. If AD FS is configured for multi-factor authentication, the user is also called or texted at a registered phone number before the join completes; that second factor is a policy choice, not part of the join itself. Behind the scenes, a device object is created in AD (in the RegisteredDevices container) and a certificate that identifies the device is installed on the device. From then on the device presents that certificate when it authenticates to AD FS, which is what makes device-based claims available to access rules.
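The join flow described above, seen from the AD FS side and then from a joined client, as an added example that is not code from the original post or from Microsoft's documentation. It assumes an AD FS 2012 R2 farm for users with the UPN suffix contoso.com (domain DC=contoso,DC=com), an AD FS service account CONTOSO\adfssvc$, and a domain administrator session on the AD FS server; the cmdlet names are the ADDeviceRegistration, ADFS, DnsClient and ActiveDirectory modules' own.

```powershell
# Added example (not code from the original post). Assumed names: UPN suffix
# contoso.com, domain DC=contoso,DC=com, service account CONTOSO\adfssvc$.

# --- Server side: turn on the Device Registration Service (DRS) ---

# One-time per forest: creates the RegisteredDevices container and the DRS
# configuration object in AD and grants the service account rights to them.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\adfssvc$'

# Publish the DRS endpoint on the AD FS farm.
Enable-AdfsDeviceRegistration

# Let AD FS authenticate joined devices with their certificate, so device
# claims (registered user, device ID, OS type) are available to claim rules.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Review the DRS settings, including the per-user registration quota.
Get-AdfsDeviceRegistration

# Devices find DRS through a CNAME per UPN suffix pointing at the AD FS host.
# A missing record is the most common reason a join attempt fails.
Resolve-DnsName -Name 'enterpriseregistration.contoso.com' -Type CNAME

# --- Server side: list what has been joined ---
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
    -SearchBase 'CN=RegisteredDevices,DC=contoso,DC=com' `
    -Properties msDS-DeviceID, msDS-DeviceOSType, msDS-DeviceOSVersion, msDS-IsEnabled |
  Select-Object Name, msDS-DeviceID, msDS-DeviceOSType, msDS-DeviceOSVersion, msDS-IsEnabled

# --- Client side (Windows 8.1 or 10, run as the user who joined) ---
# The join leaves a device certificate in the user's personal store. Its
# issuer is MS-Organization-Access and its subject CN is the same device ID
# that the AD object carries, so the two can be matched during troubleshooting.
Get-ChildItem Cert:\CurrentUser\My |
  Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
  Select-Object Subject, NotAfter, Thumbprint
```

The Initialize-ADDeviceRegistration step needs Enterprise Admin rights and runs once per forest; the other server-side steps run on the AD FS primary. Disabling a device is done on the AD object (msDS-IsEnabled), not by revoking the client certificate.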

Two of the greatest benefits of Workplace Join are IT control and user convenience. IT decides which resources are reachable, and it can make that decision per application (relying party), per user or group, per device (whether the request comes from a registered device and whether the signed-in user is the one who registered it), and per network location, all through AD FS claim rules. Users sign in with their single corporate username and password and get access to the resources they are permitted, whether they are using a company-provided device or a joined personal one.

Workplace Join Today

Workplace Join continues to let users reach corporate information from their personal devices, and it continues to give IT control over which resources can be accessed by whom, by application, user, device, and location.
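The control described above and in the "IT control and user convenience" paragraph earlier (by application, user, device and location) is expressed as AD FS claim rules. The following is an added example, not code from the original post or from Microsoft: it assumes an AD FS 2012 R2 relying party trust named 'Expense Portal' already exists, that device authentication has been enabled, and that S-1-5-21-1000000000-2000000000-3000000000-1105 is the SID of an assumed group CONTOSO\Finance-Mobile. The claim type URIs are AD FS's own.

```powershell
# Added example (not from the original post). Assumed: relying party trust
# 'Expense Portal', device authentication enabled, and the group SID below.

$deviceClaim  = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$groupClaim   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$networkClaim = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$permit       = 'http://schemas.microsoft.com/authorization/claims/permit'
$authMethod   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$financeSid   = 'S-1-5-21-1000000000-2000000000-3000000000-1105'   # assumed CONTOSO\Finance-Mobile

# Authorization: who may get a token for this application at all.
# isregistereduser is "true" only when the device is joined AND the signed-in
# user is the one who joined it, so a borrowed joined device does not pass.
$authzRules = @"
@RuleName = "Finance-Mobile members from a device they joined themselves"
c1:[Type == "$deviceClaim", Value == "true"]
 && c2:[Type == "$groupClaim", Value == "$financeSid"]
 => issue(Type = "$permit", Value = "true");

@RuleName = "Anyone already on the corporate network"
c:[Type == "$networkClaim", Value == "true"]
 => issue(Type = "$permit", Value = "true");
"@

# Step-up: require a second factor when the request comes from the Internet
# and the device is not joined. The phone call or text itself comes from the
# MFA adapter registered with AD FS (for example Azure MFA Server).
$mfaRules = @"
@RuleName = "MFA for unjoined devices outside the network"
c1:[Type == "$networkClaim", Value == "false"]
 && c2:[Type == "$deviceClaim", Value == "false"]
 => issue(Type = "$authMethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

Set-AdfsRelyingPartyTrust -TargetName 'Expense Portal' `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# Confirm what is now in force for the application.
Get-AdfsRelyingPartyTrust -Name 'Expense Portal' |
  Select-Object Name, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

Authorization rules are deny-by-default: if no rule issues a permit claim, the user gets no token, so the two rules above together mean "joined personal device of a Finance-Mobile member, or any device on the corporate network". Test the rules from outside the network with an unjoined device first, since that is the path the MFA rule is meant to catch.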

Workplace Join has also evolved. In early 2015 it added support for registering Android devices, which matters given that 81.7 percent of all smartphones sold in the last quarter of 2016 ran Android.[1]

It also works with Azure Active Directory through the Azure AD device registration service. The mechanics differ from the on-premises AD FS flow: the device generates a key pair, Azure AD provisions a device object in the directory and issues the device a certificate bound to that key, and the private key stays on the device as its identity. At sign-in the device proves possession of the key, and Azure AD conditional access rules set by IT use the resulting device identity and state to decide which applications the user can reach. None of this is visible to the user.

Azure AD Join: Device Management Yes. BYOD No.

Workplace Join, as a feature of Windows Server 2012 R2, is not the same as Azure AD Join for Windows 10. Azure AD Join is meant for company-owned Windows 10 devices: the device itself is joined to the Azure AD tenant, users sign in to Windows with their work account, they get single sign-on to cloud and on-premises apps, and the device can be brought under device management. It is a device management solution, not a BYOD one, and its other features are outside the scope and intent of this article. Windows 10 also keeps a Workplace Join-style option for personal PCs, "Add a work or school account," which registers the PC with Azure AD without joining it; that registration is the Windows 10 counterpart of the Server 2012 R2 feature for a user's own PC, while smartphones and tablets are registered through the iOS and Android flows described above.
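Telling the three relationships apart, for the Azure AD registration described in the previous section and the Azure AD Join contrast above, as an added example that is not code from the original post. The first part runs on a Windows 10 client and parses the output of dsregcmd, whose field names are assumed to be the ones it prints (DomainJoined, AzureAdJoined, WorkplaceJoined); the second part needs the AzureAD PowerShell module and an existing Connect-AzureAD session with directory read rights.

```powershell
# Added example (not from the original post). Assumes Windows 10 with dsregcmd
# and, for the directory part, the AzureAD module after Connect-AzureAD.

function Get-DsregFlag {
    # Pull one "Name : VALUE" field out of dsregcmd /status output.
    param([string[]]$Output, [string]$Name)
    $m = $Output | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Get-DeviceRelationship {
    # Map the three flags to the relationship this article distinguishes.
    param([hashtable]$State)
    if ($State.AzureAdJoined -eq 'YES' -and $State.DomainJoined -eq 'YES') {
        return 'Hybrid Azure AD joined: company-owned, domain-joined PC'
    }
    if ($State.AzureAdJoined -eq 'YES')   { return 'Azure AD joined: company-owned PC' }
    if ($State.WorkplaceJoined -eq 'YES') { return 'Azure AD registered: Windows 10 form of Workplace Join (personal PC)' }
    return 'No Azure AD relationship'
}

$status = dsregcmd /status
$state = @{
    DomainJoined    = Get-DsregFlag $status 'DomainJoined'      # classic AD domain join
    AzureAdJoined   = Get-DsregFlag $status 'AzureAdJoined'     # Azure AD Join
    WorkplaceJoined = Get-DsregFlag $status 'WorkplaceJoined'   # work account added (registered)
}
$state
Get-DeviceRelationship $state

# Directory side. DeviceTrustType carries the same distinction:
#   Workplace = registered (BYOD), AzureAd = Azure AD joined, ServerAd = hybrid joined.
Get-AzureADDevice -All $true |
  Group-Object DeviceTrustType |
  Select-Object Name, Count

# The registered devices are the BYOD population; review ones not seen in 90 days.
Get-AzureADDevice -All $true |
  Where-Object {
      $_.DeviceTrustType -eq 'Workplace' -and
      $_.ApproximateLastLogonTimeStamp -and
      $_.ApproximateLastLogonTimeStamp -lt (Get-Date).AddDays(-90)
  } |
  Select-Object DisplayName, DeviceOSType, DeviceId, ApproximateLastLogonTimeStamp
```

A PC can be both domain-joined and Azure AD registered (a work account added on a domain-joined machine), which is why the client check reads all three flags rather than stopping at the first YES. Stale registered devices are worth disabling rather than leaving, since a registered device that still satisfies a device-based conditional access rule is an access path nobody is watching.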

Read On

Prowess Consulting posts a new Thought Lab article each week. Check back next week to see what technology is top of mind at the time.


[1] “99.6 percent of new smartphones run Android or iOS,” Feb. 2017
