Windows Server 2012 R2 – User centric IT and BYOD (TechEd Europe – part 1)


In the bring-your-own-device trend, there were still a few disadvantages over domain joined machines. Access to resources had to be very well thought of. In the R2 release of Windows Server 2012 there’s now an interesting new feature called “workspace join”. In combination with products like Windows Intune or System Center Configuration Manager 2012 R2 it is now possible to add workgroup devices to Active Directory without needing a domain join. So the original user is still full owner of the device. Home-pc’s, tablets or smartphones, devices can be added to the Active Directory by using the workspace join to create a certificate based secure trust. Those certificates can be organised into multiple certificate templates and managed centrally.

To make sure that a device being added is not in malicious hands, a 2nd factor authentication request is sent to the user claiming to log on to Workplace Join service. A call will be made to the phone number of the user who’s credentials are used trying to log in. Answer the phone and follow 1 simple instruction and you’re done. This allows for opening up the service on the internet without compromising security.

Now the device gets an Active Directory object so admins can start administering the device from a centralized location instead of the old ad-hoc mode that often required devices to be physically accessible so a remote user had to rely on tutorials and documentation written by the IT-department or wait until the next visit of a support engineer onsite.

You can automatically push a wide range of settings and preferences on all the devices for a particular user like

  • wifi presets
  • vpn profiles to get the device ready for remote access to your company network
  • applications
  • shared folders
  • and more.

Those VPN profiles by the way are not limited to the traditional Windows VPN but third party VPN software from vendors like Cisco, Juniper, etc are also supported. Certainly a great feature and one to stay, imho.


Policies can be pushed to allow the use of certain applications, whether sideloaded or remotely available apps (SaaS). Break the trust and the apps are automatically de-installed. Users can access published apps from a kind of personalised appstore interface and choose to install certain published apps.

Folder Sync & RMS

Documents can be shared among devices by using “workfolders”. Documents on your device can be synced to a work location as a backup scenario or to access the documents from multiple locations / devices. Securing documents with rights management services makes sure that if a device is removed from the trust, the documents are also no longer accessible on the BYOD because the necessary key can not be validated anymore. The same applies to the company apps pushed as explained earlier.

Consumerization of IT-resources

This allows for the leveraging of an otherwise often underused device, therefor boosting productivity without violating any company security policies. BYOD did until now always have a big security impact on your network and services, unless you were running every single piece of data and application inside a sand-box environment like RDS or VDI.

And nice as well: these features are not limited to Windows devices (although only Windows and iOS have been highlighted so far).

As far as the demo showed, the “workplace join” seems like a mature solution with a bright future and we can certainly expect a lot more in this area in later releases. However there are some unanswered questions; f.e. can a user just add any device, do we want that from a administrative point of view or can we limit the user in that kind of behavior? And I’m not completely sure what versions of Windows (hopefully all) will support this feature.

A testversion of Windows Server 2012 R2 is of today downloadable from your msdn or technet subscription and we’ll see general availability (of the preview) undoubtedly soon. I’ll give it a testdrive asap and certainly get back on this…

(this is part 1 of several posts from Microsoft TechEd)

About Geert Baeten
IT service architect - cloud infrastructure solutions - datacenter infrastructure solutions - service design / governing processes

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: