Your network contains an Active Directory domain named contoso.com. The domain contains a
member server named Server1 that has the Active Directory Federation Services server role
installed. All servers run Windows Server 2012.
You complete the Active Directory Federation Services Configuration Wizard on Server1.
You need to ensure that client devices on the internal network can use Workplace Join.
Which two actions should you perform on Server1? (Each correct answer presents part of the
solution. Choose two.)
A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B. Edit the multi-factor authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Set-AdfsProxyProperties HttpPort 80.
E. Edit the primary authentication global authentication policy settings.
Explanation:
C) To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
E) Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an added level of
access protection to corporate resources and applications from external devices that are trying to
access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and
administrators can use this information to drive conditional access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional
access for Workplace Joined devices:
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary
Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Configure a federation server with Device Registration Service.
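The two steps from the explanation as a PowerShell sequence with a verification at the end; this is an added example, not part of the original page. `Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled` is the cmdlet counterpart of the Enable Device Authentication check box, and the `$ServiceAccountName` default is a placeholder (assumption).

```powershell
# Added example: run in an elevated session on a federation server.
param(
    # One-time forest preparation (Initialize-ADDeviceRegistration), the extra
    # step a commenter on this page lists. Off by default.
    [switch]$PrepareForest,
    # Placeholder (assumption): replace with your AD FS service account.
    [string]$ServiceAccountName = 'CONTOSO\<adfs-service-account>'
)

$ErrorActionPreference = 'Stop'
Import-Module ADFS

if ($PrepareForest) {
    Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccountName
}

# Answer C: enable the Device Registration Service on this node.
# Repeat on every node of the AD FS farm.
Enable-AdfsDeviceRegistration

# Answer E: enable device authentication in the global primary
# authentication policy, only if it is not already on.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
}

# Verify: re-read the policy and fail loudly if the setting did not stick.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled in the global policy.'
}
Write-Output 'Device authentication enabled in the global primary authentication policy.'

# Show the Device Registration Service settings for review.
Get-AdfsDeviceRegistration
```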
I think Workplace Join is not working in 2012 (not R2)!
Workplace join is enabled by a new AD Federation Service (ADFS) role service in Windows Server 2012 R2 called the Device Registration Service. http://blogs.technet.com/b/keithmayer/archive/2013/11/08/why-r2-step-by-step-solve-byod-challenges-with-workplace-join.aspx
So the question isn’t correct!
http://blogs.technet.com/b/keithmayer/archive/2013/11/09/why-r2-step-by-step-solve-byod-challenges-with-workplace-join.aspx
C & E are correct. Scroll down that link about halfway and it’s right there.
To me “Edit the primary authentication global authentication policy settings” doesn’t seem to be the same as “Edit Global Primary Authentication”.
Luckily, on https://technet.microsoft.com/en-us/library/dn486781%28v=ws.11%29.aspx it says:
In the Primary Authentication section, click Edit next to Global Settings. You can also right-click Authentication Policies, and select Edit Global Primary Authentication, or, under the Actions pane, select Edit Global Primary Authentication.
Still, a bit confusing.
What about Initialize-ADDeviceRegistration?
In my study I have 3 steps for it:
1º) In ADFS, select “Edit Global Primary Authentication…”, on the “Primary” tab select the check box “Enable device authentication”.
2º) Run Initialize-ADDeviceRegistration.
3º) Run Enable-AdfsDeviceRegistration.
Since Initialize-ADDeviceRegistration is not an option in the answers, the answer provided (steps 1º and 3º) is correct.