When we discussed the WorkPlace Join functionality in Active Directory Federation Services in Windows Server 2012 R2 (and up) and the accompanying Registered Device objects in Active Directory Domain Services, you might have gotten the feeling that the directory might get cluttered with Registered Devices.
Microsoft has built in a feature in the Device Registration Service (DRS) that makes it automatically clean up unused devices, by default. Its default setting is 90 days.
The Device Registration Service (DRS) is the part of Active Directory Federation Services that is responsible for WorkPlace Join. Since the Device Registration Service (DRS) is part of Active Directory Federation Services ‘unused days’ can best be interpreted as ‘the amount of days before a device object is removed because of inactivity in accessing claims-based resources involving the AD FS infrastructure the DRS is part of’. Popularly speaking, when you’re not using the single sign-on functionality of WorkPlace Join, Microsoft feels it can disable this functionality and clean up after 90 days of you not using it.
Now, don’t get me wrong. I feel 90 days is a perfectly healthy and balanced value for this behavior of the Device Registration Service (DRS) in most environments.
However, you might want to change it.
Changing the inactivity time-out
The Device Registration Service (DSR) is exposed for authentication and authorization in Active Directory Federation Services (AD FS), but has its own distinct endpoint and service. Much of that is controlled to DRS-specific PowerShell Cmdlets.
You can change the inactivity time-out with the following steps:
- Log in with an account that is a member of the Domain Admins group to a device capable of offering the Active Directory Federation Services 3.0 PowerShell module.
- Start PowerShell
- Perform this PowerShell one-liner:
Set-AdfsDeviceRegistration -MaximumInactiveDays n
You can specify a value between 0 and 1000 for n. When you specify 0, the Device Registration Service (DRS) will no longer clean up inactive WorkPlace-joined devices.
- Exit PowerShell and log off, or type logoff directly in PowerShell.
Tip!
You can check the current number of days before the Device Registration Service (DRS) in Active Directory Federation Services (AD FS) deletes Registered Devices using the Get-AdfsDeviceRegistration PowerShell Cmdlet. You can also use this Cmdlet to check your change.
Best practices
As noted earlier, I think the default 90 days value is a healthy and balanced value for the inactivity clean-up time-out for the Device Registration Service (DRS) within Active Directory Federation Services (AD FS).
You might want to clean up unused devices more frequently, because typically you use the WorkPlace Join functionality for contractors that are assigned for a far shorter period to your organization. In terms of security, you might also want the trusted combination of user and device to expire faster than 90 days of inactivity.
You could clean-up inactive user/device combinations faster, but configuring it too short might only prove it an inconvenience to colleagues using claims-based apps often, either because they want single sign-on functionality or either because you utilize WorkPlace Join as an authorization mechanism. Additionally, you run the risk of RID Pool depletion in Active Directory Domain Services.
You want to clean up unused devices less frequently, because you experience colleagues use claims-based application less frequently than 90 days and are prompted to WorkPlace-join devices. I can think of a couple of applications I only use once or twice per year.
This other side of the spectrum might also prove tricky. Not cleaning up inactive devices might expose single sign-on access to apps on devices that are no longer used, were lost or stolen (but never reported as such).
Concluding
You can change the inactivity clean-up time-out for the Device Registration Service (DRS) within Active Directory Federation Services (AD FS) with the Set-AdfsDeviceRegistration PowerShell Cmdlet. Use sensibly.
Related blogposts
Granularly permitting or denying the right to WorkPlace Join
WorkPlace Join vs. Domain Join
New features in AD DS in Windows Server 2012 R2, Part 5: WorkPlace Join and Registered Device objects
Further reading
Set-AdfsDeviceRegistration
Get-AdfsDeviceRegistration
ADFS 3.0: Enabling Device Registration Service (DRS)
AD FS W2012 R2 – Workplace Join via WAP
Conditional Access with Azure Device Registration Service (aka Workplace Join)
Hi
Nice articles on ADFS and workplace join.
With a windows 7 device I know it must be domain joined to be enrolled with device registration.
However, does the windows 7 device need to contact a domain controller once it is enrolled?
That is, if we set MaximumInactiveDays to 100 days for example, does that mean the Windows 7 device can be used by the user to access corporate applications by authenticating via ADFS in the usual way even if they do this remotely over the internet and not on the corporate domain? Or does the windows 7 device always try to contact a domain controller?
Cheers
Tony
Thank you for your question.
A domain-joined Windows 7-based device does not need to communicate with a Domain Controller constantly.
After it is WorkPlace-Joined, it acts the same way a WorkPlace-joined Windows 8.1 (or up)-based device would.