Workplace enrollment for a domain joined Windows 8.1 Device

  • Question

  • Hi All,

    I was successful in enrolling a non Domain-Joined Windows 8.1 device using workplace settings. However, when the device is domain joined there are certain restrictions. The device seems to hit for discovery on https://enterpriseenrollment.<mydomain>.com/EnrollmentServer/Discovery.svc and initially it does GET and I return 200 OK.

    Following which the device posts this SOAP body on the Discovery endpoint:-

    <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover</a:Action>
    <a:MessageID>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
    <a:ReplyTo>
    <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://EnterpriseEnrollment.mydomain.com:443/EnrollmentServer/Discovery.svc</a:To>
    </s:Header>
    <s:Body>
    <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
    <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <EmailAddress>user23@mydomain.com</EmailAddress>
    <RequestVersion>1.0</RequestVersion>
    </request>
    </Discover>
    </s:Body>
    </s:Envelope>

    And as usual I respond to this SOAP request with:-

    <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse</a:Action>
    <ActivityId>48915517-66c6-4ab7-8f77-c8277e45b3cf</ActivityId>
    <a:RelatesTo>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <DiscoverResponse xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
    <DiscoverResult>
    <AuthPolicy>federated</AuthPolicy>
    <EnrollmentPolicyServiceUrl>https://enterpriseenrollment.mydomain.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</EnrollmentPolicyServiceUrl>
    <EnrollmentServiceUrl>https://enterpriseenrollment.mydomain.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</EnrollmentServiceUrl>
    <AuthUrl>prod</AuthUrl>
    <AuthenticationServiceUrl>https://enterpriseenrollment.mydomain.com/LOGINREDIRECT.aspx</AuthenticationServiceUrl>
    </DiscoverResult>
    </DiscoverResponse>
    </s:Body>
    </s:Envelope>

    The domain joined device never proceeds with enrollment after this step. I am using a self-signed ROOT certificate which I imported into the 8.1 machine so that it would trust the SSL of my server. If I don't import the ROOT cert, the first discovery itself would fail at the SSL handshake. The fact that it is proceeding implies the certificate is not a problem.

    Could anybody help me out as to what else needs to be done to enroll an already domain joined machine?

    --DFriend

    Wednesday, October 8, 2014 7:07 AM
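The Discover exchange quoted in the post, as an added example that is not the poster's server code and not Microsoft's: a minimal handler for the two requests the device sends to /EnrollmentServer/Discovery.svc (the bare GET, then the SOAP Discover). HOST, the URLs in URLS and SAMPLE_REQUEST are taken from the messages quoted above; everything else (function names, the HTTP status choices) is this example's own. AuthPolicy is written with the spelling MS-MDE documents, "Federated" (the other documented value is "OnPremise").

```python
# Added example for this thread, not the poster's server code. HOST, URLS and
# SAMPLE_REQUEST come from the messages quoted in the thread; AuthPolicy uses
# the spelling MS-MDE documents, "Federated" (the other value is "OnPremise").
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

NS_S = "http://www.w3.org/2003/05/soap-envelope"
NS_A = "http://www.w3.org/2005/08/addressing"
NS_E = "http://schemas.microsoft.com/windows/management/2012/01/enrollment"
NSMAP = {"s": NS_S, "a": NS_A, "e": NS_E}
ACTION_DISCOVER = NS_E + "/IDiscoveryService/Discover"
ACTION_DISCOVER_RESPONSE = NS_E + "/IDiscoveryService/DiscoverResponse"
HOST = "enterpriseenrollment.mydomain.com"
URLS = {
    "policy": "https://" + HOST + "/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC",
    "enroll": "https://" + HOST + "/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC",
    "auth": "https://" + HOST + "/LOGINREDIRECT.aspx",
}


class DiscoveryError(ValueError):
    """A request the endpoint should refuse with HTTP 400."""


def parse_discover(body, expected_host):
    """Validate a Discover request. Discovery runs before any credential is shown,
    so the checks are structural: Action, To (this host) and a MessageID to echo."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise DiscoveryError("malformed SOAP envelope") from exc

    def text(path):
        el = root.find(path, NSMAP)
        if el is None or not (el.text or "").strip():
            raise DiscoveryError("missing element " + path)
        return el.text.strip()

    if text("s:Header/a:Action") != ACTION_DISCOVER:
        raise DiscoveryError("unexpected Action")
    to_host = (urlsplit(text("s:Header/a:To")).hostname or "").lower()
    if to_host != expected_host.lower():
        raise DiscoveryError("request addressed to " + to_host)
    return {
        "message_id": text("s:Header/a:MessageID"),
        "email": text("s:Body/e:Discover/e:request/e:EmailAddress"),
        "version": text("s:Body/e:Discover/e:request/e:RequestVersion"),
    }


def build_discover_response(message_id, urls):
    """DiscoverResponse for the federated flow. MessageID is client-supplied and
    unauthenticated, so it is XML-escaped before being echoed in RelatesTo."""
    return (
        '<s:Envelope xmlns:a="' + NS_A + '" xmlns:s="' + NS_S + '"><s:Header>'
        '<a:Action s:mustUnderstand="1">' + ACTION_DISCOVER_RESPONSE + "</a:Action>"
        "<ActivityId>" + str(uuid.uuid4()) + "</ActivityId>"
        "<a:RelatesTo>" + escape(message_id) + "</a:RelatesTo></s:Header>"
        '<s:Body><DiscoverResponse xmlns="' + NS_E + '"><DiscoverResult>'
        "<AuthPolicy>Federated</AuthPolicy>"
        "<EnrollmentPolicyServiceUrl>" + escape(urls["policy"]) + "</EnrollmentPolicyServiceUrl>"
        "<EnrollmentServiceUrl>" + escape(urls["enroll"]) + "</EnrollmentServiceUrl>"
        "<AuthenticationServiceUrl>" + escape(urls["auth"]) + "</AuthenticationServiceUrl>"
        "</DiscoverResult></DiscoverResponse></s:Body></s:Envelope>"
    )


def handle_discovery(method, body, host=HOST, urls=URLS):
    """The two requests the poster saw: the bare GET is answered 200 with an
    empty body, the SOAP POST with a DiscoverResponse. Returns (status, type, body)."""
    if method == "GET":
        return 200, "text/plain", ""
    if method != "POST":
        return 405, "text/plain", ""
    try:
        req = parse_discover(body, host)
    except DiscoveryError as exc:
        return 400, "text/plain", str(exc)
    return 200, "application/soap+xml; charset=utf-8", build_discover_response(req["message_id"], urls)


def response_fields(xml_text):
    """Client-side view of a DiscoverResponse: the fields a device correlates on."""
    root = ET.fromstring(xml_text)
    result = "s:Body/e:DiscoverResponse/e:DiscoverResult/"
    return {
        "action": root.findtext("s:Header/a:Action", namespaces=NSMAP),
        "relates_to": root.findtext("s:Header/a:RelatesTo", namespaces=NSMAP),
        "auth_policy": root.findtext(result + "e:AuthPolicy", namespaces=NSMAP),
        "auth_url": root.findtext(result + "e:AuthenticationServiceUrl", namespaces=NSMAP),
    }


# The request quoted in the thread, embedded so the module runs offline.
SAMPLE_REQUEST = b"""<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header><a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover</a:Action>
<a:MessageID>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
<a:To s:mustUnderstand="1">https://EnterpriseEnrollment.mydomain.com:443/EnrollmentServer/Discovery.svc</a:To></s:Header>
<s:Body><Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><EmailAddress>user23@mydomain.com</EmailAddress>
<RequestVersion>1.0</RequestVersion></request></Discover></s:Body></s:Envelope>"""
```

Two points the handler makes that the posted XML does not: the To header is compared against the host the server actually answers for, since the device builds that name from the e-mail domain and a request addressed elsewhere is better refused than answered, and the echoed MessageID is escaped because nothing authenticates the client at this stage. The example does not explain the domain-joined failure, which the thread never resolves; it gives a known-good responder to diff a captured device request against, which is what the moderator's request for enrollment logs amounts to.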

All replies

  • I haven't tried this scenario. Getting clarification regarding this.
    Thursday, October 9, 2014 7:10 PM
    Moderator
  • To reiterate the steps that I tried:-

    1. I named my server as "enterpriseenrollment.mydomain.com"

    2. I prepared a self-signed root certificate.

    3. I prepared an SSL certificate issued by my root certificate to "enterpriseenrollment.mydomain.com". I made my server listen on port 443 bound to this SSL cert.

    4. I joined an 8.1 machine into "mydomain". I imported the root certificate that I created in step 2 into this 8.1 machine under LocalMachine-> Trusted Root Certificate Authorities.

    5. I open workplace settings on 8.1 machine and clicked on "Turn ON" option which resulted in 2 requests to my server on the path /EnrollmentServer/Discovery.svc. The first one was GET for which I responded with 200 OK. The second request was SOAP discovery request that I posted above.

    6. After this step, the 8.1 device does not proceed with enrollment.

    However, if I don't domain join the 8.1 device, it proceeds with enrollment and even starts the SyncML session.

    --DFriend


    • Edited by DFriend Friday, October 10, 2014 5:10 AM
    Friday, October 10, 2014 5:08 AM
  • This limitation of not being able to enroll an already domain joined device is a big blocker because in real time, if not tablets (Windows RT devices), most of the desktops are already domain joined. And un-joining them for enrollment is not a solution.

    Hope that we get some clarity on this issue and any workarounds.

    --DFriend


    • Edited by DFriend Friday, October 10, 2014 5:25 AM
    Friday, October 10, 2014 5:25 AM
  • Any updates on this issue?

    --DFriend

    Wednesday, October 15, 2014 5:21 AM
  • I hope someday we will get an answer to this problem.

    --DFriend

    Tuesday, October 21, 2014 8:28 AM
  • I guess everyone at Microsoft busy with Windows 10.

    They just don't seem to have time to look at these issues.

    Facing similar no-reply issue on my other threads. Do you know if there's a way to escalate the issue? Or if there's some SLA on how many days before we can expect a reply for sure.

    Wednesday, October 22, 2014 1:06 PM
  • You should be able to enroll from a domain joined machine. Unfortunately, I don't know the reason enrollment is failing. We will have to capture enrollment logs to troubleshoot this further. I would suggest opening a support incident.
    Wednesday, October 29, 2014 9:14 PM
    Moderator
  • A lot of things mentioned in the spec are supposed to work but they aren't working. For example, there are a few DeviceInventory classes listed out in the spec (classes starting with Win32_). The Windows 8.1 Agent does NOT give values to some of the fields in these classes. Either it returns a 4XX family error while querying or gives empty data.

    Coming to Windows 8.1 enrollment:-

    It does not enroll. Whatever logs I got, I had already provided the SyncML responses issued by my server on this thread.

    Secondly, a domain joined machine does not open up a field to enter the server name. There are too many constraints already which I discussed above. On top of them, the enrollment does not happen.

    Could you tell me how I should go about raising a support incident? Is it a paid service?

    --DFriend


    • Edited by DFriend Thursday, October 30, 2014 5:39 AM
    Thursday, October 30, 2014 5:29 AM