Windows Server 2012 R2 – Deploying and using Work Folders

Hey, here’s Martin again. Today I have the pleasure of implementing a very nice new feature in my lab: Work Folders. They are now available in Windows Server 2012, and these are the requirements:

  • A server running Windows Server 2012 R2 for hosting sync shares and user files
  • A volume formatted with the NTFS file system for storing user files
  • Windows 8.1 and Windows RT 8.1 (apps for other device operating systems should follow)

With the whole bring your own device (BYOD) story going on, a lot of companies are unsure how to get data securely onto their users' devices. There are many ways to use a public cloud, but to be honest, I don’t want to store my private data out there, and the same goes for company data. Microsoft is working hard on this limitation, as we can see from what happened in SCCM 2012. Now the server side also takes a huge step forward: servers are no longer dumb SMB file servers, they can now serve clients their personal data in a secure manner. Microsoft calls this Work Folders.
This blog post describes how to implement this new feature.

We can start by adding the Work Folders feature of the role “File and Storage Services”:
Add Role Feature Work Folders
This can also easily be done with this PowerShell command:
Add-WindowsFeature FS-SyncShareService

You can then start to add a new Work Folder by using the wizard through the Server Manager:
Add Work Folder
You can then choose to use an already created file share, or to create a new one. I created a new volume and a new folder to use for Work Folders:
Select the server and path
On the next screen of the wizard, you are asked for the naming format of the users' folders. If you use your existing home drive share, it is recommended to use “User alias” as the naming format. You can also choose to allow synchronization only with a subfolder of the user's directory.
In my case, I use the second option:
Naming Schema Work Folder
You are then asked to give the sync share a name:
Sync Share Name
The next page of the wizard lets you assign permissions to the newly created Work Folder. The wizard will afterwards set the required permissions on the folder; see the two permission ACLs below. If you want to give access to the administrators, uncheck the box “Disable inherited permissions and grant users exclusive access to their files”:
Work Folder permissions
The left Security tab shows the folder permissions before, and the right one after the activation:
Work Folder before / Work Folder after

Now you have to specify the policies for the devices that are connected through Work Folders. Choose to encrypt Work Folders if you need to, and choose to require a password for the lock screen:
Device Policies

Now confirm the settings, and the Work Folder will be created:
Confirm
All of this can also be done through PowerShell:
New-SyncShare workfolders -path "E:\workfolders" -User "DOMAIN\LG-WorkFolder-M" -RequireEncryption $true -RequirePasswordAutoLock $true -InheritParentFolderPermission
(The switch -InheritParentFolderPermission does not need a value or bool.)

And your Work Folder is created and operational 🙂
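
The wizard choices above can be checked after the fact. The following is an added example, not part of the original post: it lists each sync share's device policy and flags user folders that still inherit permissions from the parent. The function name Get-SyncShareAudit is hypothetical, and it assumes the objects returned by Get-SyncShare carry properties named like the New-SyncShare parameters.

```powershell
# Added example, not from the original post. Run elevated on the Work Folders server.
# Assumption: Get-SyncShare objects expose Name, Path, User, RequireEncryption and
# RequirePasswordAutoLock, matching the New-SyncShare parameters used above.
function Get-SyncShareAudit {
    foreach ($share in Get-SyncShare) {
        $rootAcl = Get-Acl -Path $share.Path

        # Per-user folders live directly under the sync share path.
        $userFolders = @(Get-ChildItem -Path $share.Path -Directory -ErrorAction SilentlyContinue)

        # A folder whose ACL is not protected still inherits from the parent,
        # so it picks up whatever inheritable access the parent grants.
        $inheriting = @($userFolders | Where-Object {
            -not (Get-Acl -Path $_.FullName).AreAccessRulesProtected
        })

        $identities = $rootAcl.Access |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Share                   = $share.Name
            Path                    = $share.Path
            SyncGroups              = $share.User -join ', '
            RequireEncryption       = $share.RequireEncryption
            RequirePasswordAutoLock = $share.RequirePasswordAutoLock
            RootAclIdentities       = $identities -join ', '
            UserFolders             = $userFolders.Count
            InheritingUserFolders   = $inheriting.Name -join ', '
        }
    }
}

# Show only the shares whose device policy is weaker than the one configured above.
Get-SyncShareAudit |
    Where-Object { -not $_.RequireEncryption -or -not $_.RequirePasswordAutoLock } |
    Format-List
```

Running Get-SyncShareAudit without the filter gives the full picture, including which identities hold access on the share root.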

Next steps are:

  1. How will I get data to this share?
  2. How will clients connect?

For question 1, that’s quite easy: You can add SMB Sharing to the created Work Folder:
Share Work Folder

When you add an SMB share to your Work Folder, Work Folders will check for changes on the disk every 5 minutes (default value). You can change this behaviour with the cmdlet Set-SyncServerSetting; you can also disable this check completely.

And now, finally, the answer to question 2, how clients connect. It is as easy as this:
On your Windows 8.1 device, navigate to Control Panel, search for “Work Folders”, and click on “Manage Work Folders”:
Work Folders on Windows 8.1
The “Manage Work Folders” panel appears; then click on “Set up Work Folders”:
Work Folders 8.1 Client

The wizard will first ask you for your work e-mail address. To get this working, you have to create an alias in the public DNS domain of the users' UPN, like WorkFolders.hosebei.ch. This brings you to the point of getting an SSL certificate from a public CA for this URL. If you have already set up Work Folders with a wrong certificate, or want more information about certificate management and Work Folders, you can look here: http://blogs.technet.com/b/filecab/archive/2013/08/09/work-folders-certificate-management.aspx
If you don’t want to use this yet, and it’s OK for you to go with a certificate from your own CA, then just go ahead and choose “Enter a Work Folder URL instead”:
Work Folder URL
In the next window you have to enter the URL of the Work Folders server. Since I use this server for other services, it already has a certificate installed with the correct subject, which is also from a third-party CA:
Work Folder URL
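
Before pointing clients at a URL, it helps to see how the server's certificate validates from the client side. This is an added example, not from the original post; the function name Test-WorkFoldersCertificate and the host name in the usage line are placeholders.

```powershell
# Added example, not from the original post. Reports how the certificate behind a
# Work Folders URL validates on this machine (name match and chain trust).
function Test-WorkFoldersCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $script:tlsErrors = $null
    # Let the handshake finish either way, but record the validation result.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:tlsErrors = $sslPolicyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # None means the name matches and the chain is trusted on this client.
            PolicyErrors = $script:tlsErrors
            Trusted      = ($script:tlsErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Placeholder host name; use the alias created for your own UPN suffix.
Test-WorkFoldersCertificate -HostName 'workfolders.example.com'
```

A PolicyErrors value of RemoteCertificateNameMismatch points at the subject, while RemoteCertificateChainErrors points at a CA the client does not trust, which is the case to expect with a certificate from your own CA on a non-domain device.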
The following message can appear when it takes a while to connect your Work Folder:
Work Folder setting up delay
When this message appears, Work Folders is setting up correctly, and you are informed what it means to use Work Folders on your device. You can also change the location of the Work Folder:
Work Folder Success
The final screens show which effective policies will be applied afterwards, and you have to accept this by giving administrative permission to change screensaver behaviour etc.:
Work Folder Policy Accept
You have successfully set up your first Work Folder:
Final message
When you go to Work Folders again after the configuration, you’ll see the available space and the last sync time. You can also enable syncing files over a metered connection:
Work Folders overview on client
The last two screenshots show the file on the client (left) and the file on the server (right):
Work Folder File Client / WorkFolders23

See this page for the official TechNet information:
http://technet.microsoft.com/en-us/library/dn265974.aspx

One thought on “Windows Server 2012 R2 – Deploying and using Work Folders”

  1. Hi! very nice article, thanks. Is there a way to change the “User folder structure” once the setup of the work folder is done? I mean to change the naming of the folder from “user alias” to “user alias@domain”. Thanks a lot!
