I came across an interesting issue when deploying Workplace Join as part of a migration to ADFS 3. ADFS had been tested as working correctly with the Device Registration service initialized and enabled, but I could not register Windows devices. After running the lab (which used different host names!) and checking many settings I decided to go back to the beginning (always a good place to start) and review the Device Registration requirements listed on TechNet. Surprise, I had missed something really obvious in my client's choice of a wildcard SSL certificate - something I normally dig my heels in over.
Solution: You must add enterpriseregistration.<UPN suffix> (e.g. enterpriseregistration.noak.es where dan@noak.es is the UPN) to the certificate used for Device Registration as a SAN for each UPN suffix in use.
Straight from the horse's mouth, "AD FS must be configured with a server SSL certificate that includes the well-known Device Registration server names", and this is followed by an example, "enterpriseregistration.<UPN suffix>".

Ah, that explains it, but then somewhat confusingly TechNet states: "You can satisfy this requirement in two ways. You can use a wildcard certificate that covers all of the possible names used at your company or you can add the additional names as subject alternative names."
Important: The first way above is not true, at least for now; either that, or the Device Registration service is not implemented as designed with all devices in mind.
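As an added example (not code from the original post), here is a small Python check that applies the rule above to a certificate's SAN list: for every UPN suffix it expects an explicit enterpriseregistration.<UPN suffix> entry, and it reports a name that is only covered by a wildcard separately from one that is missing outright. The SAN lists and UPN suffixes are constructed sample data, with noak.es taken from the post and example.test as an assumed second suffix.

```python
"""Check an AD FS SSL certificate's SAN names against the Device Registration
requirement: enterpriseregistration.<UPN suffix> for every UPN suffix in use.
A wildcard such as *.noak.es passes ordinary TLS host-name matching (RFC 6125
style, one label only), but Workplace Join needs the explicit name, so a
wildcard-only match is flagged rather than accepted.
The SAN lists and UPN suffixes below are constructed sample data."""

WELL_KNOWN_PREFIX = "enterpriseregistration"


def required_names(upn_suffixes):
    """One well-known Device Registration name per UPN suffix."""
    return [f"{WELL_KNOWN_PREFIX}.{s.lower().strip('.')}" for s in upn_suffixes]


def wildcard_matches(pattern, name):
    """RFC 6125-style match: '*' only as the whole left-most label."""
    if not pattern.startswith("*."):
        return False
    return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])


def check_device_registration_sans(san_dns_names, upn_suffixes):
    """Return {required_name: 'ok' | 'wildcard-only' | 'missing'}."""
    sans = {n.lower() for n in san_dns_names}
    report = {}
    for name in required_names(upn_suffixes):
        if name in sans:
            report[name] = "ok"  # explicit SAN entry, what Workplace Join needs
        elif any(wildcard_matches(p, name) for p in sans):
            report[name] = "wildcard-only"  # browsers accept this; DRS does not
        else:
            report[name] = "missing"
    return report


def is_compliant(report):
    return all(status == "ok" for status in report.values())


# Constructed sample data: the client's wildcard cert and the corrected one.
WILDCARD_CERT_SANS = ["*.noak.es", "adfs.noak.es"]
FIXED_CERT_SANS = ["adfs.noak.es", "enterpriseregistration.noak.es",
                   "enterpriseregistration.example.test"]
UPN_SUFFIXES = ["noak.es", "example.test"]  # example.test is an assumed suffix

if __name__ == "__main__":
    for label, sans in (("wildcard cert", WILDCARD_CERT_SANS),
                        ("fixed cert", FIXED_CERT_SANS)):
        report = check_device_registration_sans(sans, UPN_SUFFIXES)
        print(label, "OK" if is_compliant(report) else "NOT compliant")
        for name, status in report.items():
            print(f"  {name}: {status}")
```

On a live AD FS server the SAN list would come from the certificate bound to AD FS, and the suffixes from the forest's UPN suffix list.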