How to Set Up Work Folders on Windows Server 2012 R2

November 20, 2025
Tutorials
Comment off

How to Set Up Work Folders on Windows Server 2012 R2

Work Folders is a file synchronization service introduced in Windows Server 2012 R2 that allows users to store and sync work files from personal devices or corporate computers, even when they are not connected to the corporate network. Unlike traditional folder redirection which requires direct corporate network connectivity, Work Folders uses HTTPS for synchronization, making it accessible from any internet-connected device. Users get a local copy of their work files on each device, and changes synchronize automatically when connectivity is available. This makes Work Folders an alternative or complement to Dropbox, OneDrive for Business, and other cloud sync tools, while keeping all data on-premises.

Prerequisites

You need Windows Server 2012 R2 with the Work Folders role service available. An SSL/TLS certificate trusted by client devices is required — either from a public CA or your internal Enterprise CA. A DNS record must exist that resolves the Work Folders URL to the server’s external IP. The server must be accessible over TCP port 443 from external networks. Active Directory Domain Services is required for user account authentication. Client devices must run Windows 8.1 or Windows 10 (Work Folders client is built in). iOS and Android clients were added via app store apps separately.

Step 1: Install the Work Folders Role Service

Install Work Folders on the server that will host user data:

Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

Verify the installation:

Get-WindowsFeature FS-SyncShareService | Select-Object Name, InstallState

Step 2: Install and Configure the SSL Certificate

Work Folders requires HTTPS, so an SSL certificate must be installed. If using your internal CA, request a certificate for the Work Folders URL:

$workFoldersDns = "workfolders.contoso.com"

$cert = Get-Certificate -Template "WebServer" `
    -DnsName $workFoldersDns `
    -CertStoreLocation Cert:LocalMachineMy

Write-Host "Certificate Thumbprint: $($cert.Certificate.Thumbprint)"

Verify the certificate is in the machine store:

Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -like "*workfolders*"} | Select-Object Subject, Thumbprint, NotAfter

Step 3: Configure Work Folders Binding

Bind the SSL certificate to IIS for Work Folders. Work Folders uses IIS internally for HTTPS transport:

# Bind certificate to HTTPS
$certThumbprint = (Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -like "*workfolders*"}).Thumbprint

netsh http add sslcert ipport=0.0.0.0:443 certhash=$certThumbprint appid="{CE66697B-3AA0-49D1-BDBD-A25C8359E4B8}"

Step 4: Create Sync Share Data Directories

Create directories to store user data. Best practice is a dedicated volume for Work Folders data:

New-Item -Path "E:WorkFolders" -ItemType Directory
New-Item -Path "E:WorkFoldersUserData" -ItemType Directory

Set NTFS permissions on the root folder — only the Sync Share service account and administrators should have access (user folders will be created automatically with appropriate permissions):

$acl = Get-Acl "E:WorkFoldersUserData"
$acl.SetAccessRuleProtection($true, $false)

$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)

$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($systemRule)

Set-Acl -Path "E:WorkFoldersUserData" -AclObject $acl

Step 5: Create a Sync Share

A sync share defines the data path and synchronization policies for Work Folders. Create a sync share using PowerShell:

New-SyncShare -Name "UserWorkFolders" `
    -Path "E:WorkFoldersUserData" `
    -Description "Work Folders for all domain users" `
    -User "Domain Users" `
    -FolderName "Work Folders" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

The RequireEncryption setting forces devices to encrypt the Work Folders directory, while RequirePasswordAutoLock requires a device lock screen to be configured. These are important security policies for protecting corporate data on personal devices.

Verify the sync share:

Get-SyncShare | Select-Object Name, Path, Description, UserFolderName, RequireEncryption, RequirePasswordAutoLock

Step 6: Configure Work Folders URL via Group Policy

To automatically configure Work Folders on domain-joined Windows 8.1 and Windows 10 clients, use Group Policy. Create a GPO linked to the appropriate OU:

$gpo = New-GPO -Name "Work Folders Configuration" -Comment "Automatically configure Work Folders for domain users"

New-GPLink -Guid $gpo.Id -Target "OU=Users,DC=contoso,DC=com"

Configure the Work Folders URL policy setting. Navigate in the Group Policy Management Editor to:

User Configuration → Policies → Administrative Templates → Windows Components → Work Folders

Enable Specify Work Folders settings and set the Work Folders URL to https://workfolders.contoso.com.

Alternatively, configure via PowerShell using the Group Policy registry settings:

Set-GPRegistryValue -Name "Work Folders Configuration" `
    -Key "HKCUSoftwarePoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "ServerList" `
    -Type String `
    -Value "https://workfolders.contoso.com"

Set-GPRegistryValue -Name "Work Folders Configuration" `
    -Key "HKCUSoftwarePoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "AutoProvision" `
    -Type DWord `
    -Value 1

Step 7: Configure Windows Firewall for Work Folders

Ensure port 443 is open for Work Folders HTTPS traffic:

New-NetFirewallRule -DisplayName "Work Folders HTTPS" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -Action Allow `
    -Profile Domain,Private,Public

Step 8: Verify and Test Work Folders

Start the Work Folders service and verify it is running:

Start-Service SyncShareSvc
Set-Service SyncShareSvc -StartupType Automatic

Get-Service SyncShareSvc | Select-Object Name, Status, StartType

Check sync share status and user connections:

Get-SyncShare | Format-List *

Get-SyncUserStatus | Select-Object UserName, DeviceCount, LastSyncTime

From a client machine, manually connect to Work Folders to test:

# Open Work Folders control panel
control.exe /name Microsoft.WorkFolders

Or navigate to Control Panel → System and Security → Work Folders and enter the Work Folders URL to start syncing.

Monitoring and Troubleshooting

Monitor Work Folders sync activity through Event Viewer:

Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" -MaxEvents 50 | Select-Object TimeCreated, Id, Message

Check for sync errors per user:

Get-SyncUserStatus | Where-Object {$_.SyncErrors -gt 0} | Select-Object UserName, SyncErrors, LastSyncTime

Summary

Work Folders on Windows Server 2012 R2 delivers an on-premises file synchronization solution that balances user flexibility with corporate data governance. By hosting user data internally, enforcing device encryption and lock screen policies, and deploying configuration automatically via Group Policy, administrators maintain control over corporate data while providing users with the device-agnostic file access experience they expect from modern cloud services.

Links

Newsletter

Contact