How to Set Up Work Folder Sync with AD Integration on Windows Server 2025

How to Set Up Work Folder Sync with AD Integration on Windows Server 2025

Work Folders is a Windows Server role service that gives users a consistent, policy-controlled location to store work files and synchronise them across domain-joined and non-domain-joined devices. Unlike consumer sync services, Work Folders operates entirely within your organisation’s infrastructure and integrates natively with Active Directory, Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), and Group Policy. On Windows Server 2025, Work Folders benefits from improved sync reliability, better support for large file sets, and streamlined integration with Microsoft Intune for mobile device management. This tutorial walks through an enterprise-grade Work Folders deployment: obtaining a trusted SSL certificate from AD CS, publishing Work Folders through Web Application Proxy with AD FS pre-authentication, deploying sync settings via Group Policy, managing quotas and access controls, and monitoring the sync environment with PowerShell.

Prerequisites

• Windows Server 2025 file server to host the Work Folders role
• Active Directory Domain Services (AD DS) with Windows Server 2025 functional level
• Active Directory Certificate Services (AD CS) with an Enterprise CA already deployed
• Active Directory Federation Services (AD FS) for pre-authentication through the Web Application Proxy (optional but strongly recommended for external access)
• Web Application Proxy (WAP) server in the DMZ for reverse-proxy publishing
• A public DNS A record pointing workfolders.contoso.com to the WAP server’s external IP
• Domain Admin and local administrator rights on the file server

Step 1: Install the Work Folders Role

# Install the Work Folders role service on the file server
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# Verify installation
Get-WindowsFeature -Name FS-SyncShareService | Select-Object Name, DisplayName, InstallState

# Start and set the SyncShareService to automatic startup
Set-Service -Name SyncShareSvc -StartupType Automatic
Start-Service -Name SyncShareSvc

# Confirm service is running
Get-Service -Name SyncShareSvc | Select-Object Status, StartType

Step 2: Request a Trusted SSL Certificate from AD CS

Work Folders requires HTTPS. Using a self-signed certificate causes certificate warnings on non-domain-joined devices and is rejected by iOS and Android clients. Request a certificate from your Enterprise CA using a web server template, with the Work Folders FQDN as the subject name:

# Request a certificate from the enterprise CA using the WebServer template
# The certificate subject must match the URL users will use to reach Work Folders

$certParams = @{
    DnsName           = "workfolders.contoso.com"
    CertStoreLocation = "Cert:LocalMachineMy"
    KeyLength         = 2048
    KeyAlgorithm      = "RSA"
    HashAlgorithm     = "SHA256"
    KeyUsage          = "DigitalSignature","KeyEncipherment"
    # EnhancedKeyUsage for SSL/TLS server authentication
    TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

# Submit a certificate request to the enterprise CA
$cert = Get-Certificate -Template "WebServer" -SubjectName "CN=workfolders.contoso.com" `
    -DnsName "workfolders.contoso.com","workfolders.corp.contoso.com" `
    -CertStoreLocation Cert:LocalMachineMy

# Record the thumbprint for binding
$certThumbprint = $cert.Certificate.Thumbprint
Write-Host "Certificate thumbprint: $certThumbprint"

# Bind the certificate to the Work Folders HTTPS listener (port 443)
# Work Folders uses the HTTPS binding registered in HTTP.sys
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certThumbprint appid="{CE66697B-3AA0-49D1-BDBD-A25C8359E925}"

Step 3: Create and Configure Sync Shares

A Sync Share defines the root folder on the file server that is synchronised for each user. The recommended model is a sync share per user based on their Active Directory user alias, which automatically creates a subfolder named after each user.

# Create the root data directory on a volume with sufficient space
New-Item -Path "D:WorkFolders" -ItemType Directory -Force

# Create the sync share
# -User @() = empty array means all domain users are eligible
# -InheritParentFolderPermission $false = enforce explicit permissions
New-SyncShare `
    -Name "UserWorkFolders" `
    -Path "D:WorkFolders" `
    -UserFolderName "User alias" `
    -Description "Enterprise Work Folders sync share" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Restrict the sync share to a specific AD security group (recommended for large environments)
Set-SyncShare -Name "UserWorkFolders" -User "CONTOSOWorkFoldersUsers"

# Configure device policy: encrypt device storage and set auto-lock screen after 15 minutes
Set-SyncShare -Name "UserWorkFolders" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true `
    -PasswordAutoLockIdleTimeoutSeconds 900

# Confirm sync share configuration
Get-SyncShare -Name "UserWorkFolders" | Format-List *

Step 4: Apply NTFS Permissions and Quotas

# Set NTFS permissions on the Work Folders root
# Full Control for SYSTEM and Administrators; Read/Write for domain users (ACE applied to subfolders)
$acl = Get-Acl -Path "D:WorkFolders"

# Remove inherited permissions
$acl.SetAccessRuleProtection($true, $false)

# Add explicit rules
$adminRule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "BUILTINAdministrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT AUTHORITYSYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$usersRule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CONTOSOWorkFoldersUsers", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")

$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($systemRule)
$acl.AddAccessRule($usersRule)
Set-Acl -Path "D:WorkFolders" -AclObject $acl

# Apply a File Server Resource Manager quota of 10 GB per user subfolder
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Create a 10 GB soft quota template
New-FsrmQuotaTemplate -Name "WorkFolders-10GB" -Size 10GB -SoftLimit

# Apply the quota to the root (FSRM auto-applies to new subfolders via auto-quota)
New-FsrmAutoQuota -Path "D:WorkFolders" -Template "WorkFolders-10GB" -Enabled

Step 5: Configure Web Application Proxy with AD FS Pre-Authentication

Publishing Work Folders through WAP with AD FS pre-authentication means that external users must authenticate against AD FS before the WAP server forwards their request to the Work Folders server. This keeps the Work Folders server completely isolated from direct internet exposure.

# On the WAP server (in the DMZ) — publish Work Folders with AD FS pre-authentication
# Prerequisite: WAP server already joined to domain, AD FS proxy trust configured

# Install WAP role
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Configure the WAP-to-ADFS trust (run once)
Install-WebApplicationProxy -FederationServiceTrustCredential (Get-Credential) `
    -CertificateThumbprint "" `
    -FederationServiceName "adfs.contoso.com"

# Publish the Work Folders application through WAP
Add-WebApplicationProxyApplication `
    -Name "Work Folders" `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName "WorkFolders" `
    -ExternalUrl "https://workfolders.contoso.com/" `
    -ExternalCertificateThumbprint "" `
    -BackendServerUrl "https://workfolders.corp.contoso.com/" `
    -BackendServerCertificateValidation ValidateCertificate

# Confirm the published application
Get-WebApplicationProxyApplication -Name "Work Folders" | Format-List *

Step 6: Deploy Work Folders via Group Policy

Group Policy can silently configure the Work Folders sync URL on all managed domain-joined Windows 10/11 and Windows Server 2025 clients, removing the need for user intervention:

# On a domain controller — create a GPO for Work Folders auto-configuration
# Path: Computer Configuration → Administrative Templates → Windows Components → Work Folders

# The Group Policy setting is:
# "Specify Work Folders settings"
# SetupUrl: https://workfolders.contoso.com
# ForceSetupForAllUsers: Enabled

# Using PowerShell to configure via Group Policy Management (GPMC) cmdlets
Import-Module GroupPolicy

$gpoName = "WorkFolders-AutoConfig"
New-GPO -Name $gpoName -Comment "Automatically configure Work Folders for all managed devices"
New-GPLink -Name $gpoName -Target "OU=ManagedDevices,DC=contoso,DC=com"

# Set the Work Folders URL registry-based policy via ADMX
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLMSOFTWAREPoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "AutoProvision" `
    -Type DWord -Value 1

Set-GPRegistryValue -Name $gpoName `
    -Key "HKLMSOFTWAREPoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "SetupUrl" `
    -Type String -Value "https://workfolders.contoso.com"

Step 7: Monitor Sync Shares and User Sync Health

# List all sync shares and their configuration
Get-SyncShare | Format-Table Name, Path, User, RequireEncryption -AutoSize

# Check all users currently syncing through a specific sync share
Get-SyncUser -SyncShareName "UserWorkFolders" | 
    Select-Object UserName, LastSyncTime, DeviceCount, DataSize |
    Format-Table -AutoSize

# Check for sync errors and conflicts
Get-SyncUserErrorRecord -SyncShareName "UserWorkFolders" |
    Select-Object UserName, DeviceName, ErrorCode, ErrorDescription, EventTime |
    Where-Object { $_.ErrorCode -ne 0 } |
    Format-Table -AutoSize

# Review Work Folders event log for warnings and errors
Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, LevelDisplayName, Message |
    Select-Object -First 20 |
    Format-List

Work Folders with full AD and PKI integration on Windows Server 2025 provides an enterprise-grade file sync solution that meets compliance requirements, integrates cleanly with your existing identity infrastructure, and gives IT full control over data location and device policies. By anchoring the SSL certificate to your internal CA, pre-authenticating external access through AD FS, enforcing encryption and auto-lock via sync share policies, and deploying configuration silently through Group Policy or Intune, you create a sync environment that is both seamless for end users and fully auditable for your security and compliance teams. Monitor sync health weekly with Get-SyncUser and review the SyncShare Operational event log after any server update to catch configuration regressions early.