Applies To: Windows Server 2016, Windows Server 2012 R2
Device Registration Technical Reference
The Device Registration Service (DRS) is a new Windows service that is included with the Active Directory Federation Service Role on Windows Server 2012 R2. The DRS must be installed and configured on all of the federation servers in your AD FS farm. For information on deploying DRS, see Configure a federation server with Device Registration Service.
Active Directory objects created when a device is registered
The following Active Directory objects are created as part of Device Registration Service.
Device Registration Configuration
The Device Registration Configuration is stored in the Configuration naming context of the Active Directory forest. (For example, CN=Device Registration Configuration,CN=Services,
The Device Registration Configuration includes the following elements:
The public and private keys used to issue the X.509 certificate that is associated with a registered device. The private keys are DKM protected.
Device Registration Service Configuration
Policies relating to the Device Registration Service.
Registered devices container
The device object container is created under one of the domains in the Active Directory forest. This object container will contain all of the device objects for the Active Directory forest.
By default, the container is created in the same domain as AD FS. (For example, CN=RegisteredDevices,DC=
Device objects are new, light weight objects in Active Directory. They are used to represent the relationship between: a user, a device, and the company. Device objects use a certificate signed by AD FS to anchor the physical device to the logical device object in Active Directory.
Registered devices includes the following elements:
Friendly name of the device. For windows devices, this is the host name of the computer.
A GUID that is generated by the Device Registration server.
The certificate thumbprint of the X.509 certificate that is used with the registered device.
The operating system type on the device.
The version of the operating system on the device.
A Boolean that indicates if the device is enabled in Active Directory. Only enabled devices are allowed to access to services.
Approximate Last Use Time
The approximate time the device was used to access a resource. To limit replication traffic, this is only updated once every 14 days.
The Security Identity (SID) of the user that joined this device to the workplace.
AD FS\/DRS Server SSL certificate revocation checking
The Workplace Join client checks the validity of the AD FS Server SSL certificate. If the AD FS Server SSL certificate includes a Certificate Revocation List (CRL) endpoint, the client must be able to reach the endpoint specified to validate the certificate.
If you are using a test environment and a test certificate authority (CA) to issue your server SSL certificates then you can choose to not include the CRL endpoint in the server certificates issued by your CA. Doing so will allow the Workplace Join client to bypass the CRL check.
This is never recommended for production systems