Introduction to Work Folders on Windows Server 2019

Work Folders is a role service in Windows Server 2019 that allows users to synchronise work files between corporate servers and their personal devices (Windows, iOS, and Android). Unlike traditional file shares that require a VPN connection, Work Folders uses HTTPS for synchronisation, making it accessible from any internet connection. Work Folders are stored on the server in per-user folders and are synchronised to a local copy on the user’s device, allowing offline access.

Work Folders was introduced in Windows Server 2012 R2 and Windows 8.1, and Windows Server 2019 continues to support it as a lightweight alternative to SharePoint/OneDrive for organisations that need on-premises file synchronisation. It is well suited for small and medium organisations that want simple, policy-controlled file synchronisation without third-party tools.

Installing the Work Folders Role Service

Install the Work Folders role service from the File and Storage Services role:

Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

This installs the Work Folders service and the management tools. Start the Sync Share Service:

Start-Service -Name SyncShareSvc
Set-Service -Name SyncShareSvc -StartupType Automatic

Work Folders uses HTTPS on port 443, so you need an SSL certificate bound to IIS. Install IIS if it is not already installed:

Install-WindowsFeature -Name Web-Server, Web-Cert-Auth, Web-Windows-Auth -IncludeManagementTools

Configuring the SSL Certificate

Work Folders requires a valid SSL certificate for the server’s fully qualified domain name (e.g., workfolders.contoso.com). Import a certificate from a PFX file:

Import-PfxCertificate -FilePath "C:Certsworkfolders.pfx" -CertStoreLocation Cert:LocalMachineMy -Password (ConvertTo-SecureString "CertPassword!" -AsPlainText -Force)

Get the certificate thumbprint:

Get-ChildItem -Path Cert:LocalMachineMy | Where-Object {$_.Subject -like "*workfolders.contoso.com*"} | Select Subject, Thumbprint

Bind the certificate to HTTPS in IIS for the Work Folders site. Work Folders creates its own IIS site, or you can bind via netsh:

netsh http add sslcert ipport=0.0.0.0:443 certhash=YOURCERTTHUMBPRINT appid="{CE66697B-3AA0-49D1-BDBD-A25C8359FEA5}"

Creating a Sync Share

A sync share is a folder on the server that is synchronised to users’ devices. Create the base directory for user folders:

New-Item -Path "D:WorkFolders" -ItemType Directory

Create the sync share. Work Folders creates per-user subfolders automatically. Use the %username% variable for the subfolder:

New-SyncShare -Name "WorkFolders" -Path "D:WorkFolders" -Description "User Work Folders" -User "CONTOSODomain Users" -FolderName "%username%"

The FolderName parameter specifies the subfolder structure. With %username%, each user gets a folder like D:WorkFoldersJohnSmith. Verify the sync share was created:

Get-SyncShare

Configuring Sync Share Policies

Configure device policies that Work Folders enforces on client devices. Require encryption on client devices and set auto-lock policies:

Set-SyncShare -Name "WorkFolders" -RequireEncryption $true -RequirePasswordAutoLock $true -PasswordAutoLockIdleTimeout 15 -PasswordMinimumLength 8

Configure quota limits for user folders (optional but recommended to prevent individual users from filling the disk):

# Use File Server Resource Manager quotas
New-FsrmQuotaTemplate -Name "Work Folders Quota" -Size 10GB -SoftLimit
New-FsrmQuota -Path "D:WorkFolders*" -Template "Work Folders Quota"

Configuring DNS and Firewall

Create a DNS record pointing workfolders.contoso.com to the server’s public IP or load balancer:

Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name "workfolders" -IPv4Address "203.0.113.50"

Open TCP port 443 in Windows Firewall:

New-NetFirewallRule -DisplayName "Work Folders HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

Enabling Work Folders on Windows Client

On a Windows 10 or Windows 11 client, configure Work Folders via Group Policy or manually. Via PowerShell:

# Enable Work Folders on the client
Set-WorkFolders -ServerUrl "https://workfolders.contoso.com" -LocalFolder "C:WorkFolders"

Alternatively, users can set it up manually via Control Panel > Work Folders > Set up Work Folders, entering the server URL. To configure Work Folders via Group Policy for all domain users, use the policy at User Configuration > Policies > Windows Settings > Work Folders and set the Work Folders URL to https://workfolders.contoso.com.

Monitoring and Managing Work Folders

View synchronisation activity and connected devices:

Get-SyncShare | Select Name, Path, UserFolderName, Enabled

View sync share users and their folder paths:

Get-SyncUser -SyncShareName "WorkFolders" | Select UserPrincipalName, LastSyncTime, DeviceCount

Check Work Folders event logs:

Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" | Select TimeCreated, LevelDisplayName, Message | Select-Object -First 30

Work Folders provides a simple, server-managed synchronisation solution that keeps user data on-premises while making it available from anywhere over HTTPS without requiring VPN configuration on each client device.