

Workplace Join for Windows 7

Just a quick note about the newly released Workplace Join for Windows 7. You can read all the details here and download from here.

Workplace Join for Windows 7 is for domain joined machines, which means that we support the Professional SKU and above.

There is also no UI for Workplace Join on Windows 7; it is designed to be deployed and configured by administrators as part of desktop management solutions.

Once deployed, a scheduled task that runs at user logon will complete the Workplace Join on the user's behalf, as you can see in my demo Win7 machine:

image

Events are logged so you can see results:

image

As with Workplace Join on Windows 8.1 and iOS, a certificate is installed onto the device, which is presented when AD FS conditional access policies are enforced to require device registration (i.e. IsRegisteredUser = True).

image
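
One way to express the "require device registration" policy described above as an AD FS issuance authorization rule, run on the AD FS server. This is an added example, not part of the original post: the relying party name is a placeholder, and the claim type URI is the AD FS device-context claim that the post abbreviates as IsRegisteredUser.

```powershell
# Added example (not from the original post). Run on the AD FS 2012 R2 server.
# 'Contoso Claims App' is a placeholder relying party trust name.
$rpName = 'Contoso Claims App'

# Weak setting: the default "permit everyone" authorization rule.
# Any authenticated user gets a token, registered device or not.
$permitAll = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Corrected setting: issue the permit claim only when the device-context
# claim shows the user is on a registered (Workplace Joined) device.
$requireRegistered = @'
@RuleName = "Permit only users on registered devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "(?i)^true$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Precondition: if device authentication is disabled globally, AD FS never
# evaluates the device certificate, the claim is never true, and the rule
# below would deny every user of this relying party.
if (-not (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled) {
    throw 'Device authentication is disabled; enable it before requiring registered devices.'
}

# Record the rules currently in place so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
$previousRules = $rp.IssuanceAuthorizationRules
Write-Output "Previous authorization rules:`n$previousRules"

# Replace the permit-all rule with the registered-device rule.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $requireRegistered

# Rollback, if needed:
# Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $previousRules
```

The `$permitAll` string is shown only for comparison with the default rule; it is not applied.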

To leave the Workplace Join, you run this command:

"%ProgramFiles%\Microsoft Workplace Join\AutoWorkplace.exe" /leave

Note however that unless you uninstall Workplace Join for Windows 7, the machine will rerun the scheduled task at next user logon.

Enjoy!

A.

Comments

  • Anonymous
    January 01, 2003
    OK, I'll try again :) Let's drop Domain Join from this, as it's a red herring in the discussion. This is a deployment requirement, nothing to do with the solution. Take a look at AD FS, Workplace Join and what conditional access with claims, device registration and MFA looks like. Modern protocols (SAML, OAuth etc.) and the way we can do claims rules for access, not just on/off which domain join provides. These are complementary, not competitive.
  • Anonymous
    January 01, 2003
    Hi Mickey

    Yes, there are a lot of differences between domain join and Workplace Join. Domain Join is what we have had for a long time, tight admin control, group policy, desktop SSO etc. Workplace Join is much lighter, and is about authenticating an unknown device like a Surface RT, iOS or Android device. We put a certificate on the device, and can challenge the device for this as part of claims based authentication to applications or other resources such as data, plus there is no admin control of the device, it remains under the control of the end user. When coupled with BYO device management with a solution like Windows Intune, you can apply policy, deploy apps and control access to resources on machines that you otherwise have no control over.
  • Anonymous
    January 01, 2003
    @Thomas not at this stage
  • Anonymous
    January 01, 2003
    Adam, I'm going to add my name to the list of people who are a bit confused by the benefits of taking a PC that is already joined to the domain and then doing a Workplace Join on it. As Kenny indicated, Workplace Join, up until now, has been promoted as a way to bring devices into the fold that aren't joined to a domain or that cannot be joined to a domain. Now we're being told that Workplace Join is also for domain-joined systems (at least for Windows 7), but I'm unclear on what it gives me from a management perspective that I don't already have. Some real-life scenarios would go a long way here to help further understanding what this lets me do that I could not do before.
  • Anonymous
    January 01, 2003
    Hi Adam,
    "Workplace Join for Windows 7 is available for machines that have been joined to an Active Directory Domain."
    I use Workplace Join for my Windows 7 computer, but is there any difference with full domain join?
    Thank you.
  • Anonymous
    January 01, 2003
    No, that is all correct. Workplace Join, or more specifically device registration, is about device authentication. A Domain Joined machine can be authenticated by Active Directory ... but not in a claims aware way, or against cloud services and applications. Workplace Join is about enforcing conditional access policies and providing SSO against not just AD-integrated apps but also claims apps and cloud services.
  • Anonymous
    March 12, 2014
    Adam,

    You just said in your article: Workplace Join for Windows 7 is for domain joined machines, which means that we support the Professional SKU and above --> Why do you need Workplace Join then? Is that a mistake?

    I mean, the whole point of having W8.1 and iPad being workplace joined is because they are NOT members of a domain.

    Could you please advise?
  • Anonymous
    March 17, 2014
    Same as the above - what are the benefits of Workplace Joining a device which is already domain joined? Does it mean the user can use SSO when offsite without any need for VPN etc?
  • Anonymous
    March 17, 2014
    I'm chiming in to add that I'm equally confused on the real-world scenarios where there would be benefits from being both workplace/domain joined.
  • Anonymous
    March 25, 2014
    We were waiting hard for workspace join for Windows 7.
    But we need it for not domain joined Windows 7 Prof clients due to our company structure. Is there any plan for that?
    Thanks,
    Thomas
  • Anonymous
    January 28, 2015
    The previous post, BYOD: The “Workplace Join” of Windows Server 2012 R2: