Turbulence

The bumpy world of clouds and applications

Workplace Join for Windows 7

  • Comments 10
  • Likes

Just a quick note about the just released Workplace Join for Windows 7.  You can read all the details here and download from here.

Workplace Join for Windows 7 is for domain joined machines, which means that we support the Professional SKU and above.

There is also no UI for Workplace Join on Windows 7, it is designed to be deployed and configured by administrators as part of desktop management solutions.

Once deployed, a scheduled task that runs at user logon will complete the Workplace Join on the users behalf, as you can see in my demo Win7 machine:

image

Events are logged so you can see results:

image

As with Workplace Join on Windows 8.1 and iOS, a certificate is installed onto the device, which is presented when AD FS conditional access policies are enforced to require device registration (i.e. IsRegisteredUser = True).

image

To leave the Workplace Join, you run this command:

%ProgramFiles%\Microsoft Workplace Join\AutoWorkplace.exe /leave

Note however that unless you uninstall Workplace Join for Windows 7, the machine will rerun the scheduled task at next user logon.

Enjoy!

A.

Comments
  • Hi Adam,
    "Workplace Join for Windows 7 is available for machines that have been joined to an Active Directory Domain."
    I use workplace join for my windows 7 computer, but is there any difference with full domian join?
    Thank you.

  • Hi Mickey

    Yes, there is a lot of differences between domain join and Workplace Join. Domain Join is what we have had for a long time, tight admin control, group policy, desktop SSO etc. Workplace Join is much lighter, and is about authenticating an unknown device like a Surface RT, iOS or Android device. We put a certificate on the device, and can challenge the device for this as part of claims based authentication to applications or other resources such as data, plus there is no admin control of the device, it remains under the control of the end user. When coupled with BYO device management with a solution like Windows Intune, you can apply policy, deploy apps and control access to resources on machines that you otherwise have no control over.

  • Adam ,

    You just said in your article : Workplace Join for Windows 7 is for domain joined machines, which means that we support the Professional SKU and above --> Why do you need Workplace join then ? Is that a mistake ?

    I mean , the whole point of having W8.1 and Ipad being workplace join is because they are NOT member of a domain.

    Could you please advise ?

  • No, that is all correct. Workplace Join, or more specifically device registration is about device authentication. A Domain Joined machine can be authenticated *by Active Directory* ... but not in a claims aware way, or against cloud services and applications. Workplace Join is about enforcing conditional access policies and providing SSO against not just AD-integrated apps but also claims apps and cloud services.

  • Adam, I'm going to add my name to the list of people who are a bit confused by the benefits of taking a PC that is already joined to the domain and then doing a Workplace Join on it. As Kenny indicated, Workplace Join, up until now, has been promoted as a way to bring devices into the fold that aren't joined to a domain or that cannot be joined to a domain. Now we're being told that Workplace Join is also for domain-joined systems (at least for Windows 7), but I'm unclear on what it gives me from a management perspective that I don't already have. Some real-life scenarios would go a long way here to help further understanding what this lets me do that I could not do before.

  • Same as the above - what are the benefits of Workplace Joining a device which is already domain joined? Does it mean the user can use SSO when offsite without any need for VPN etc?

  • I'm chiming in to add that I'm equally confused on the real-world scenarios where there would be benefits from being both workplace/domain joined.

  • OK, I'll try again :) Lets drop Domain Join from this, as it's a red herring in the discussion. This is a deployment requirement, nothing to do with the solution. Take a look at AD FS, Workplace Join and what conditional access with claims, device registration and MFA looks like. Modern protocols (SAML, oAuth etc) and the way we can do claims rules for access, not just on/off which domain join provides. these are complimentary, not competitive.

  • We were waiting hard for workspace join for Windows 7.
    But we need it for not domain joined Windows 7 Prof clients due too our company structure. Is there any plan for that?
    Thanks,
    Thomas

  • @Thomas not at this stage

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment