Hey, here’s Martin again. Today I have the pleasure of implementing a very nice new feature in my lab: Work Folders. They are now available in Windows Server 2012, and these are the requirements:
- A server running Windows Server 2012 R2 for hosting sync shares and user files
- A volume formatted with the NTFS file system for storing user files
- Windows 8.1 and Windows RT 8.1 (apps for other device operating systems should follow)
With the whole Bring Your Own Device (BYOD) story that is going on, a lot of companies are unsure how to bring data securely to the users’ devices. There are many opportunities to use a public cloud, but to be honest, I don’t want to save my private data out there, and the same goes for company data. Microsoft is working hard on this limitation, as we can see from what was happening in SCCM 2012. And now the server part also takes a huge step forward: they are no longer dumb SMB file servers, they can now serve clients their personal data in a secure manner. Microsoft calls this Work Folders.
This blog post describes how to implement this new feature.
We can start by adding the Work Folders feature of the role “File and Storage Services”:
This can also easily be done with this PowerShell command:
Add-WindowsFeature FS-SyncShareService
You can then start to add a new Work Folder by using the wizard through the Server Manager:
You can then choose to use an already created file share, or to create a new one. I created a new volume and a new folder to use for Work Folders:
In the next screen of the wizard, you are asked for the naming format of the users’ folders. If you use your existing home drive share, it would be recommended to use “User alias” as the naming format. You can also choose to allow synchronization only with a subfolder of the user’s directory.
In my case, I use the second option:
You are then asked to give a name for the sync share:
The next page of the wizard lets you assign permissions to the newly created Work Folder. The wizard will afterwards set the required permissions on the folder, see the two permission ACLs below. If you want to give access to the administrators, uncheck the box “Disable inherited permission and grant users exclusive access to their files”:
The left security tab shows the folder permissions before, and the right one after the activation:
Now you have to specify the policies for the devices that are connected through Work Folders. Choose to encrypt Work Folders if you need it, and choose to require a password for the lock screen:
Now confirm the settings, and the Work Folder will be created:
All of this can also be done through PowerShell:
New-SyncShare workfolders -Path "E:\workfolders" -User "DOMAIN\LG-WorkFolder-M" -RequireEncryption $true -RequirePasswordAutoLock $true -InheritParentFolderPermission
(The Switch -InheritParentFolderPermission does not need a value or bool)
And your Work Folder is created and operational 🙂
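To check afterwards that every sync share really enforces the two device policies and to see how many user folders inherit permissions from the share root, here is an added example (not part of the original post). The function name Test-SyncSharePolicy is made up for this sketch, and it assumes the objects returned by Get-SyncShare expose the same property names as the New-SyncShare parameters used above:

```powershell
# Added example: audit device policies and ACL inheritance of sync shares.
# Run in an elevated PowerShell session on the Work Folders server.
# Test-SyncSharePolicy is a hypothetical helper name, not a built-in cmdlet.
function Test-SyncSharePolicy {
    param(
        # Sync shares to inspect; defaults to all shares on this server.
        $SyncShare = (Get-SyncShare)
    )
    foreach ($share in $SyncShare) {
        # Top-level folders under the share path whose ACL is NOT protected,
        # i.e. they still inherit ACEs from the parent folder (the effect of
        # -InheritParentFolderPermission or of unchecking the wizard box).
        $inheriting = @(
            Get-ChildItem -LiteralPath $share.Path -Directory -ErrorAction SilentlyContinue |
                Where-Object { -not (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }
        )

        [pscustomobject]@{
            Name                    = $share.Name
            Path                    = $share.Path
            RequireEncryption       = [bool]$share.RequireEncryption
            RequirePasswordAutoLock = [bool]$share.RequirePasswordAutoLock
            AllowedGroups           = $share.User -join ', '
            InheritingUserFolders   = $inheriting.Count
        }
    }
}

$report = Test-SyncSharePolicy
$report | Format-Table -AutoSize

# Warn about shares that do not enforce both device policies.
$report |
    Where-Object { -not ($_.RequireEncryption -and $_.RequirePasswordAutoLock) } |
    ForEach-Object {
        Write-Warning "Sync share '$($_.Name)' does not enforce encryption and lock screen password."
    }
```

A non-zero InheritingUserFolders count is expected when the share was created with -InheritParentFolderPermission; on a share that should give users exclusive access it is worth a closer look at those folders.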
The next steps are:
- How will I get data to this share?
- How will clients connect?
For question 1, that’s quite easy: you can add SMB sharing to the created Work Folder:
When you add an SMB share to your Work Folder, Work Folders will check every 5 minutes (default value) for changes on the disk. You can change this behaviour with the cmdlet Set-SyncServerSetting; you can also disable this check completely.
And now finally, the answer to question 2, how do clients connect? Well, as easy as that:
On your Windows 8.1 device, navigate to Control Panel, search for “Work Folders”, and click on “Manage Work Folders”:
The “Manage Work Folders” panel appears; then click on “Set up Work Folders”:
The wizard will first ask you for your work e-mail address. To get this working, you have to create an alias in the public DNS domain of the users’ UPN, like: WorkFolders.hosebei.ch. This brings you to the point where you need an SSL certificate from a public CA for this URL. If you have already set up Work Folders with a wrong certificate, or for more information about certificate management and Work Folders, you can look here: http://blogs.technet.com/b/filecab/archive/2013/08/09/work-folders-certificate-management.aspx
If you don’t want to use this yet, and it’s OK for you to go with a certificate from your own CA, then just go ahead and choose “Enter a Work Folder URL instead”:
In the next window you have to enter the URL of the Work Folder server. Since I use this server for other services, it already has a certificate installed with the correct subject, and it is also from a third-party CA:
The following message can appear when it takes a while to connect to your Work Folder:
When this message appears, Work Folders are being set up correctly, and you are informed what it means to use Work Folders on your device. You can also change the location of the Work Folder:
The final screens show which effective policies will be applied afterwards, and you have to accept this by giving administrative permission to change screensaver behaviour etc.:
You have successfully set up your first Work Folder:
When you go to Work Folders again after the configuration, you’ll see the available space and the last sync time. You can also enable syncing files over a metered connection:
The last two screenshots show the file on the client (left) and the file on the server (right):
See this page for the official TechNet information:
http://technet.microsoft.com/en-us/library/dn265974.aspx
Hi! Very nice article, thanks. Is there a way to change the “User folder structure” once the setup of the work folder is done? I mean to change the naming of the folder from “user alias” to “user alias@domain”. Thanks a lot!