How to Set Up Work Folders for Data Synchronisation on Windows Server 2016
Work Folders is a role service in Windows Server 2016 that allows users to synchronise work files between their devices and a centralised server, similar in concept to consumer services such as Dropbox or OneDrive, but hosted entirely within your own infrastructure. Work Folders supports Windows, iOS, and Android clients, making it a practical solution for organisations that want to provide file synchronisation capabilities without relying on cloud services. Unlike redirected folders or offline files, Work Folders uses an HTTPS-based synchronisation protocol that works well across the internet.
How Work Folders Works
Work Folders stores a copy of a user’s synchronised files on the server in a per-user folder called a sync share. Client devices connect to the Work Folders server over HTTPS (port 443) and synchronise their local Work Folders directory with the server copy. Changes made on any device are uploaded to the server and then synchronised to all other devices that have Work Folders configured. The server also enforces security policies such as requiring device encryption and setting screen lock timeouts.
Step 1: Install the Work Folders Role Service
Work Folders is a role service within the File and Storage Services role. Install it using PowerShell or Server Manager:
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementToolsVerify the installation completed successfully:
Get-WindowsFeature -Name FS-SyncShareServiceStep 2: Obtain an SSL Certificate
Work Folders requires an SSL certificate because it communicates over HTTPS. The certificate must be issued to the FQDN that clients will use to connect to Work Folders. Obtain a certificate from your internal CA or a commercial CA:
$cert = Get-Certificate -Template "WebServer" -CertStoreLocation "Cert:LocalMachineMy" -DnsName "workfolders.company.com"
Write-Host "Thumbprint: $($cert.Certificate.Thumbprint)"Alternatively, for environments using Let’s Encrypt or other external CAs, import the PFX certificate:
Import-PfxCertificate -FilePath "C:Certsworkfolders_company_com.pfx" -CertStoreLocation "Cert:LocalMachineMy" -Password (ConvertTo-SecureString "CertPassword!" -AsPlainText -Force)Step 3: Create the Sync Share Root Directory
Create the directory that will store all user sync shares. Each user will get a subfolder within this directory. Choose a drive with sufficient capacity for all users’ synchronised data:
New-Item -ItemType Directory -Path "D:WorkFolders"Set appropriate NTFS permissions on the root. The Work Folders service creates per-user subfolders automatically with correct permissions, but the root needs to be accessible by the service account:
$acl = Get-Acl "D:WorkFolders"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
Set-Acl "D:WorkFolders" $aclStep 4: Create a Sync Share
A sync share defines which user directories are synchronised and what policies are applied to devices. Create a sync share using the New-SyncShare cmdlet. The -User parameter specifies which users or groups are permitted to synchronise:
New-SyncShare -Name "WorkFolders" -Path "D:WorkFolders" -User "Domain Users" -Description "Employee Work Folders" -RequireEncryption $true -RequirePasswordAutoLock $trueThe -RequireEncryption parameter ensures that only devices with BitLocker or device encryption enabled can synchronise data. The -RequirePasswordAutoLock parameter enforces a screen lock policy on client devices.
Step 5: Configure HTTPS Binding
Bind the SSL certificate to the Work Folders service on port 443. Work Folders uses IIS internally, so configure the HTTPS binding through IIS or PowerShell:
Import-Module WebAdministration
# Get the certificate thumbprint
$thumb = (Get-ChildItem "Cert:LocalMachineMy" | Where-Object {$_.Subject -like "*workfolders.company.com*"}).Thumbprint
# Set the HTTPS binding for Work Folders
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb appid="{CE66697B-3AA0-49D1-BDBD-A25C8359FEA5}" certstorename=MYStep 6: Configure DNS and Firewall
Create a DNS record for the Work Folders server so clients can discover it automatically:
Add-DnsServerResourceRecordA -ZoneName "company.com" -Name "workfolders" -IPv4Address "192.168.1.60"Enable the HTTPS firewall rule:
New-NetFirewallRule -DisplayName "Work Folders HTTPS" -Protocol TCP -LocalPort 443 -Action Allow -Direction InboundFor automatic discovery, Work Folders uses a DNS SRV record lookup. Configure auto-discovery by adding a TXT record:
Add-DnsServerResourceRecord -ZoneName "company.com" -Name "workfolders" -Txt -DescriptiveText "https://workfolders.company.com"Step 7: Configure Work Folders on a Windows Client
On a Windows 10 or Windows 8.1 client, open Work Folders from the Control Panel or Settings. Enter the server URL when prompted. Via PowerShell on the client:
Set-WorkFolders -ServerURI "https://workfolders.company.com" -SyncFolder "C:Work Folders" -PolicyApplied $trueStep 8: Monitor and Manage Sync Shares
Monitor synchronisation activity and manage sync shares using PowerShell:
Get-SyncShare
Get-SyncShare -Name "WorkFolders" | Select-Object *
Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" | Select-Object -First 20 TimeCreated, MessageWork Folders on Windows Server 2016 provides a secure, self-hosted alternative to consumer file synchronisation services. With HTTPS encryption, device policy enforcement, and seamless integration with Active Directory, it enables organisations to provide modern file synchronisation capabilities while maintaining full control over their data and infrastructure.
