How to Set Up Work Folders Sync with AD Integration on Windows Server 2012 R2
Work Folders is a file synchronization feature introduced in Windows Server 2012 R2 that allows users to sync work files to personal devices and PCs without requiring corporate network connectivity. Unlike traditional folder redirection, Work Folders works over HTTPS on any network — including home networks and cellular connections — and integrates with Active Directory for user discovery, authentication, and policy enforcement. This guide covers deploying Work Folders on a Windows Server 2012 R2 file server with AD integration, SSL configuration, and device policy enforcement.
Prerequisites
– Windows Server 2012 R2 with File and Storage Services role
– An Active Directory domain with user accounts
– A valid SSL certificate for the Work Folders server FQDN (e.g., workfolders.corp.com), issued by a CA that the client devices trust; for personal (BYOD) devices that means a public CA, since they will not have your internal root
– DNS record pointing the Work Folders URL to the server
– Port 443 open inbound for external access (via reverse proxy or directly)
– NTFS volumes with sufficient storage for user sync data
– Windows 8.1 or Windows 10 clients (or iOS/Android with Work Folders app)
Step 1: Install the Work Folders Role Service
# Install the Work Folders role service
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools
# Verify installation
Get-WindowsFeature FS-SyncShareService
# Import the SyncShare module
Import-Module SyncShare
# Start the Work Folders server service (its service name is SyncShareSvc, display name "Windows Sync Share")
Start-Service SyncShareSvc
Set-Service SyncShareSvc -StartupType Automatic
Get-Service SyncShareSvc | Select-Object Status, StartType
Step 2: Configure SSL Certificate
# Import the SSL certificate for workfolders.corp.com.
# Prompt for the PFX password rather than hard-coding it in a script that ends up in source control or logs.
$certPwd = Read-Host -Prompt "PFX password" -AsSecureString
$cert = Import-PfxCertificate -FilePath "C:\Certs\workfolders_corp_com.pfx" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Password $certPwd
Write-Host "Certificate imported: $($cert.Thumbprint)"
Write-Host "Subject: $($cert.Subject)"
Write-Host "Expires: $($cert.NotAfter)"
# Bind the certificate to the HTTPS endpoint in HTTP.sys; Work Folders listens on port 443 by default.
# appid is an arbitrary GUID recording which application owns the binding; keep using the same
# value if you ever delete and re-add the binding.
$appID = "{CE46D352-8F04-4D0B-A19B-AE48EF28F7D3}"
netsh http add sslcert hostnameport=workfolders.corp.com:443 `
    certhash=$($cert.Thumbprint) appid=$appID certstorename=MY
# Verify the binding
netsh http show sslcert hostnameport=workfolders.corp.com:443
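A binding that exists is not the same as a binding clients will accept. The check below is an added example, not code from the original guide: it reads the thumbprint HTTP.sys actually serves for the host name, then validates that certificate the way a client would (private key present, FQDN in the SAN, Server Authentication EKU, not about to expire, chain builds to a trusted root). It assumes the host name workfolders.corp.com and port 443 used above; the function name and the 30-day expiry threshold are this example's own choices.

```powershell
# Added example: validate the certificate bound to the Work Folders endpoint.
function Test-WorkFoldersCertificate {
    param(
        [string]$HostName = "workfolders.corp.com",   # assumed FQDN from the guide
        [int]$Port = 443,
        [int]$MinDaysValid = 30                        # warn when renewal is due
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Which thumbprint does HTTP.sys serve for this host name?
    $hp = "${HostName}:${Port}"
    $bindingText = (netsh http show sslcert hostnameport=$hp) -join "`n"
    if ($bindingText -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
        $findings.Add("No SSL binding for $hp")
        return ,$findings
    }
    $boundThumb = $Matches[1].ToUpperInvariant()

    # 2. Load that certificate from the machine store
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $boundThumb }
    if (-not $cert) {
        $findings.Add("Bound thumbprint $boundThumb not found in Cert:\LocalMachine\My")
        return ,$findings
    }
    if (-not $cert.HasPrivateKey) { $findings.Add("Certificate has no private key") }

    # 3. The FQDN must be in the Subject Alternative Name (OID 2.5.29.17);
    #    a matching CN alone is not enough for current clients.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { "" }
    if ($sanText -notmatch [regex]::Escape($HostName)) {
        $findings.Add("SAN does not include $HostName (SAN: '$sanText')")
    }

    # 4. Expiry window
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt $MinDaysValid) { $findings.Add("Certificate expires in $daysLeft days") }

    # 5. EKU (OID 2.5.29.37) must allow Server Authentication (1.3.6.1.5.5.7.3.1)
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($ekuExt) {
        $serverAuth = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
        if ($serverAuth.Count -eq 0) { $findings.Add("EKU does not include Server Authentication") }
    }

    # 6. Chain must build, with revocation checked online, to a root this server trusts.
    #    Client devices need that same root, so an internal-CA chain that passes here
    #    can still fail on a personal device.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        $findings.Add("Chain does not build: $status")
    }
    return ,$findings
}

$problems = @(Test-WorkFoldersCertificate)
if ($problems.Count -eq 0) {
    Write-Host "Certificate binding OK" -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
}
```

Run it on the sync server after every certificate renewal; a renewed certificate imported into the store but never rebound is the most common way this endpoint silently breaks.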
Step 3: Create the Work Folders Storage Location
# Create the base storage directory for Work Folders
$wfBase = "D:\WorkFolders"
New-Item -ItemType Directory -Path $wfBase -Force | Out-Null
# Set NTFS permissions on the root. SYSTEM and Administrators need full control;
# CREATOR OWNER gets full control on subfolders only, so each user owns their own folder.
# Do not grant Users, Authenticated Users or Everyone anything here: the per-user folders
# that New-SyncShare creates are ACLed to their owner, and a broad ACE on the root would
# be inherited into every user's data.
$acl = Get-Acl $wfBase
$acl.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
# Disable inheritance and discard the inherited entries from D:\
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "NT AUTHORITY\SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "BUILTIN\Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "CREATOR OWNER", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow"
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $wfBase -AclObject $acl
Write-Host "Work Folders storage created at $wfBase"
Step 4: Create Sync Shares
A Sync Share is the server-side configuration that maps a set of AD users or groups to a storage root. You can create a single share for all users or multiple shares for different departments:
Import-Module SyncShare
# Create a single Sync Share for all domain users.
# -UserFolderName "user" names each user's folder after the account alias (D:\WorkFolders\<alias>);
# use "user@domain" instead if aliases could collide across domains.
New-SyncShare -Name "WorkFolders" `
    -Path "D:\WorkFolders" `
    -UserFolderName "user" `
    -User @("CORP\Domain Users") `
    -Description "Corporate Work Folders sync location"
# Verify the share was created
Get-SyncShare | Format-List *
# Create department-specific shares (optional). Give each share its own root, prepared with
# the NTFS permissions from Step 3; do not nest one share's root inside another's.
New-SyncShare -Name "FinanceWorkFolders" `
    -Path "D:\FinanceWorkFolders" `
    -UserFolderName "user" `
    -User @("CORP\Finance-Users") `
    -Description "Finance department Work Folders"
# List all sync shares
Get-SyncShare | Select-Object Name, Path, UserFolderName | Format-Table -AutoSize
Step 5: Configure Work Folders Policies
Work Folders supports two device policies, set per sync share, so that synced data on personal devices is protected:
Import-Module SyncShare
# -RequireEncryption: the client must encrypt the synced files (on Windows this is EFS with
# an enterprise key), and devices that cannot are refused sync.
# -RequirePasswordAutoLock: the device must have a lock-screen password and an automatic
# screen lock. The client enforces a minimum 6-character password and a 15-minute lock
# timeout; these values are fixed by the client and are not tunable on the server.
Set-SyncShare -Name "WorkFolders" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true
# Verify policy settings
Get-SyncShare -Name "WorkFolders" | Select-Object Name, RequireEncryption, RequirePasswordAutoLock
# Selective wipe (removing Work Folders data from a lost or stolen device) is not a sync share
# setting and there is no server-side cmdlet for it. It is driven by the MDM that manages the
# device (for example Intune), and it depends on the encryption that -RequireEncryption enforces.
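Steps 3 to 5 each leave a setting that can drift after deployment: a root ACE added by a well-meaning admin, a share recreated without the device policies, inheritance switched back on. The audit below is an added example (not code from the original guide) that checks all three on every sync share in one pass. It assumes the Get-SyncShare properties used in this guide (Name, Path, RequireEncryption, RequirePasswordAutoLock); the list of "broad" principals, including CORP\Domain Users, is this example's own and should match the groups you grant at the share level but never want in NTFS.

```powershell
# Added example: audit sync shares for device policies and over-permissive NTFS roots.
Import-Module SyncShare

function Test-SyncShareHardening {
    param(
        # Principals that must never hold an Allow ACE on a sync share root or a user folder
        [string[]]$BroadPrincipals = @(
            "Everyone",
            "BUILTIN\Users",
            "NT AUTHORITY\Authenticated Users",
            "CORP\Domain Users"     # assumed domain from the guide
        )
    )
    foreach ($share in Get-SyncShare) {
        $issues = New-Object System.Collections.Generic.List[string]

        # Device policies from Step 5
        if (-not $share.RequireEncryption)       { $issues.Add("RequireEncryption is off") }
        if (-not $share.RequirePasswordAutoLock) { $issues.Add("RequirePasswordAutoLock is off") }

        if (Test-Path -LiteralPath $share.Path) {
            $acl = Get-Acl -LiteralPath $share.Path
            # Step 3 disabled inheritance; if it is back on, an ACE on D:\ reaches every user's files
            if (-not $acl.AreAccessRulesProtected) { $issues.Add("Root inherits ACEs from its parent") }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne "Allow") { continue }
                $id = $ace.IdentityReference.Value
                if ($BroadPrincipals -contains $id) {
                    $issues.Add("Broad principal '$id' has $($ace.FileSystemRights) on the root")
                }
            }
            # A user must not be able to browse a sibling's folder
            $userDirs = Get-ChildItem -LiteralPath $share.Path -Directory -ErrorAction SilentlyContinue
            foreach ($dir in $userDirs) {
                $broad = @(Get-Acl -LiteralPath $dir.FullName).Access |
                    Where-Object { $_.AccessControlType -eq "Allow" -and
                                   $BroadPrincipals -contains $_.IdentityReference.Value }
                if ($broad) {
                    $who = ($broad | ForEach-Object { $_.IdentityReference.Value }) -join ", "
                    $issues.Add("User folder '$($dir.Name)' readable by $who")
                }
            }
        } else {
            $issues.Add("Path $($share.Path) does not exist")
        }

        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join "; ")
        }
    }
}

Test-SyncShareHardening | Format-Table -AutoSize -Wrap
```

Schedule it alongside the monitoring in Step 8 and alert on any row where Compliant is False; the Issues column names the exact ACE or policy to fix.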
Step 6: Configure Auto-Discovery via Active Directory
AD auto-discovery lets Windows 8.1 and later clients find the Work Folders server without the user typing a URL. The client takes the domain part of the user's email address (the mail attribute on the AD account) and connects to https://workfolders.<that domain>; if the account carries the msDS-SyncServerUrl attribute, the user is directed to the server named there instead, which is how you spread users across several sync servers. There is no SRV record involved. So every deployment needs a workfolders host record in the zone the clients actually query (the public corp.com zone for devices on the internet, plus the internal copy if you run split-horizon DNS), and the attribute only for users who sync to a different server:
# Create the host record that auto-discovery resolves. This assumes the corp.com zone is hosted
# on this DNS server; otherwise create the same record wherever that zone lives.
# 203.0.113.10 is a placeholder for the sync server or reverse proxy address.
Add-DnsServerResourceRecordA -ZoneName "corp.com" -Name "workfolders" -IPv4Address "203.0.113.10"
# Verify the record
Resolve-DnsName "workfolders.corp.com" -Type A
# Alternatively, set msDS-SyncServerUrl on the accounts that should use a specific server.
# -Replace overwrites an existing value; -Add fails on accounts that already have one.
$syncUrl = "https://workfolders.corp.com"
$users = Get-ADUser -SearchBase "OU=Users,DC=corp,DC=local" -Filter * -Properties "msDS-SyncServerUrl"
foreach ($user in $users) {
    if (@($user."msDS-SyncServerUrl") -notcontains $syncUrl) {
        Set-ADUser -Identity $user -Replace @{ "msDS-SyncServerUrl" = $syncUrl }
    }
}
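Before rolling clients out it is worth knowing which users will fail discovery: accounts with no mail attribute, mail domains with no workfolders record, or a stale msDS-SyncServerUrl pointing at a decommissioned host. The script below is an added example, not part of the original guide. It approximates the lookup described above for every enabled user (the mail-domain host must resolve, and so must the host in msDS-SyncServerUrl when that attribute is set) and lists the accounts for which it would fail. It assumes the OU=Users,DC=corp,DC=local container from this guide; the function names are this example's own.

```powershell
# Added example: pre-flight Work Folders auto-discovery for every enabled user.
Import-Module ActiveDirectory

# Reproduce the discovery inputs for one account: the name-based URL from the mail domain,
# and the explicit server URL if msDS-SyncServerUrl is set.
function Get-WorkFoldersDiscoveryInfo {
    param([Parameter(Mandatory = $true)]$User)
    $derived = $null
    if ($User.mail -and $User.mail -match '@([^@\s]+)$') {
        $derived = "https://workfolders.$($Matches[1])"
    }
    $explicit = @($User."msDS-SyncServerUrl") | Where-Object { $_ } | Select-Object -First 1
    [pscustomobject]@{
        User        = $User.SamAccountName
        DerivedUrl  = $derived      # null when the account has no mail attribute
        ExplicitUrl = $explicit     # null when the attribute is not set
    }
}

function Test-WorkFoldersDiscovery {
    param([string]$SearchBase = "OU=Users,DC=corp,DC=local")   # assumed from the guide
    $resolveCache = @{}   # host name -> $true/$false, so each host is queried once

    function Resolve-Once([string]$HostName) {
        if (-not $resolveCache.ContainsKey($HostName)) {
            $resolveCache[$HostName] = [bool](Resolve-DnsName $HostName -ErrorAction SilentlyContinue)
        }
        return $resolveCache[$HostName]
    }

    Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties mail, "msDS-SyncServerUrl" |
        ForEach-Object {
            $info = Get-WorkFoldersDiscoveryInfo -User $_
            $problems = @()
            if (-not $info.DerivedUrl) {
                $problems += "no mail attribute"
            } elseif (-not (Resolve-Once ([uri]$info.DerivedUrl).Host)) {
                $problems += "$(([uri]$info.DerivedUrl).Host) does not resolve"
            }
            if ($info.ExplicitUrl -and -not (Resolve-Once ([uri]$info.ExplicitUrl).Host)) {
                $problems += "msDS-SyncServerUrl host $(([uri]$info.ExplicitUrl).Host) does not resolve"
            }
            [pscustomobject]@{
                User        = $info.User
                DerivedUrl  = $info.DerivedUrl
                ExplicitUrl = $info.ExplicitUrl
                Ok          = ($problems.Count -eq 0)
                Problems    = ($problems -join "; ")
            }
        }
}

# Show only the accounts whose client would not find a server
Test-WorkFoldersDiscovery | Where-Object { -not $_.Ok } | Format-Table -AutoSize -Wrap
```

Run it from a machine that uses the same resolvers the clients will, since an internal-only record will pass here and still fail for a device on the internet.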
Step 7: Configure Group Policy for Client Deployment
Import-Module GroupPolicy
# Create a GPO that auto-configures Work Folders on domain-joined clients.
# "Specify Work Folders settings" lives under
# User Configuration > Administrative Templates > Windows Components > Work Folders,
# so link the GPO to the OU holding the user accounts (or use loopback processing on a workstation OU).
$wfGPO = New-GPO -Name "WorkFolders - Client Configuration"
New-GPLink -Name "WorkFolders - Client Configuration" `
    -Target "OU=Users,DC=corp,DC=local" -LinkEnabled Yes
# The policy is backed by two values under HKCU\Software\Policies\Microsoft\Windows\WorkFolders:
#   SyncUrl       (REG_SZ)    = the Work Folders URL, https://workfolders.corp.com
#   AutoProvision (REG_DWORD) = 1 to set up Work Folders without prompting the user
# Confirm the value names against the WorkFolders.admx in your PolicyDefinitions store before deploying.
$wfGPO | Set-GPRegistryValue `
    -Key "HKCU\Software\Policies\Microsoft\Windows\WorkFolders" `
    -ValueName "SyncUrl" `
    -Type String `
    -Value "https://workfolders.corp.com"
$wfGPO | Set-GPRegistryValue `
    -Key "HKCU\Software\Policies\Microsoft\Windows\WorkFolders" `
    -ValueName "AutoProvision" `
    -Type DWord -Value 1
# Clients only need outbound HTTPS (443) to the server; no inbound firewall rule is required on them.
# The policy applies at the next client refresh; run gpupdate /force on a client to apply it immediately
# (running it on the server only refreshes the server's own policy).
Step 8: Monitor Work Folders Sync Activity
# View sync share usage
Get-SyncShare | ForEach-Object {
    $share = $_
    Write-Host "=== $($share.Name) ===" -ForegroundColor Cyan
    Write-Host "Path: $($share.Path)"
    # One subfolder per provisioned user
    $userFolders = @(Get-ChildItem -LiteralPath $share.Path -Directory)
    Write-Host "User count: $($userFolders.Count)"
    # Total bytes on disk across all user folders
    $totalBytes = ($userFolders | Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue |
        Measure-Object Length -Sum).Sum
    Write-Host "Total size: $([math]::Round($totalBytes / 1GB, 2)) GB"
}
# Recent Work Folders server events
Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" -MaxEvents 20 |
    Format-Table TimeCreated, LevelDisplayName, Message -Wrap
# Errors and warnings only (Level 1 = Critical, 2 = Error, 3 = Warning)
Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" -MaxEvents 100 |
    Where-Object { $_.Level -in 1, 2, 3 } |
    Format-Table TimeCreated, LevelDisplayName, Message -Wrap
# Devices registered for a user and their last sync state ("CORP\alice" is an example account)
Get-SyncUserStatus -User "CORP\alice" -SyncShare "WorkFolders"
Verification
# Verify Work Folders deployment
Write-Host "=== Work Folders Health Check ===" -ForegroundColor Cyan
# Service status
$svc = Get-Service SyncShareSvc
Write-Host "Service Status: $($svc.Status)"
# SSL binding in HTTP.sys
$binding = netsh http show sslcert hostnameport=workfolders.corp.com:443
Write-Host "SSL Binding: $(if ($binding -match 'Certificate Hash') {'OK'} else {'MISSING'})"
# Sync shares and their device policies
$shares = @(Get-SyncShare)
Write-Host "Sync Shares: $($shares.Count)"
$shares | Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock | Format-Table -AutoSize
# Auto-discovery host record
try {
    $a = Resolve-DnsName "workfolders.corp.com" -Type A -ErrorAction Stop
    Write-Host "Discovery record: workfolders.corp.com -> $($a.IPAddress -join ', ')" -ForegroundColor Green
} catch {
    Write-Host "Discovery record: MISSING" -ForegroundColor Red
}
# TLS endpoint reachable. An HTTP error status from the server still proves the listener and
# certificate work; a certificate or connection failure surfaces in the exception message.
try {
    $r = Invoke-WebRequest "https://workfolders.corp.com/" -UseBasicParsing
    Write-Host "HTTPS endpoint: OK ($($r.StatusCode))" -ForegroundColor Green
} catch {
    Write-Host "HTTPS endpoint: $($_.Exception.Message)" -ForegroundColor Yellow
}
Summary
Work Folders on Windows Server 2012 R2 provides a native Microsoft solution for syncing corporate files to user devices over HTTPS without requiring VPN. By installing the FS-SyncShareService role service, binding a certificate that the client devices trust, creating storage roots with tight NTFS permissions, setting up Sync Shares with the encryption and screen-lock policies, publishing the workfolders host record for AD auto-discovery (with msDS-SyncServerUrl for users on other servers), and deploying client settings via Group Policy, you deliver a centrally managed sync solution. Work Folders authenticates users against Active Directory, forces encryption of synced data so that an MDM can selectively wipe it from a lost device, and writes its activity to the SyncShare event logs for auditing, making it a practical alternative to third-party sync products for organizations already invested in Windows Server infrastructure.