Microsoft's Enterprise Mobility Suite (EMS) lets organizations give employees secure access to company apps and data on any of their devices, in any location. Work Folders, introduced in Windows Server 2012 R2, furthers that enablement: it lets an organization's users sync their work-related files to the devices they have configured, whether or not the device is joined to the domain, and whether it is connected directly to the company's private LAN or over the internet.
In light of the recent release of Work Folders for iOS, we at #CANITPRO thought it would be prudent to update Jane Yan's lab regarding Work Folders. This Step-By-Step on how to create a work folders test lab deployment in Windows Server 2012 R2 will provide a great foundation in understanding future deployment across iOS.
Step 1: Getting Started
- Download Windows Server 2012 R2
- Download Windows 8.1 or Download Windows 10 TP
- Set up your test lab by creating the following computers or VMs:
  - Active Directory Domain Services domain controller (DC)
  - File server running Windows Server 2012 R2
  - 2 client PCs running Windows 8.1 or Windows RT 8.1 (to observe documents syncing between 2 devices)
Step 2: Configure Network
- In the Hyper-V Manager console, create a Virtual Switch marked as Private.
- Configure the VMs to use the Private network.
Step 3: DC setup
- Create a VM using Windows Server 2012 R2
- Rename the VM to DC.
- Configure the IP of the server as 10.10.1.10
- After the VM setup, open Server Manager, and then add the following roles:
- Active Directory Domain Services
- DHCP Server (Note: this role is optional. You can also configure static IP for each VM without enabling DHCP)
- DNS Server
- Complete the wizard, then click the “Promote this server to a domain controller” link.
- Use the wizard to create a new forest as “Contoso.com”, and configure the DC appropriately.
- Add a new scope in DHCP, such that other machines on the network can get IP address automatically. Note: this is optional, you can also manually configure other machines with static IP.
Step 4: Server setup
- Create a VM using Windows Server 2012 R2.
- Rename the VM to SyncSvr.
- Join the SyncSvr machine to the domain Contoso.com
Step 5: Client setup
- Create 2 VMs using Windows 8.1
- Rename VM1 to OfficePC
- Rename VM2 to HomePC
- Join OfficePC to the contoso.com domain.
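The same lab build (Steps 3 to 5) from PowerShell, as an added example that is not part of the original post. It assumes the VM NIC alias is "Ethernet" (check with Get-NetAdapter), that the lab subnet is 10.10.1.0/24, and that passwords are prompted for rather than hard-coded; each phase is run in a fresh session after the reboot the previous phase triggers.

```powershell
# Added example: Steps 3-5 without the Server Manager wizards.
# Assumptions: NIC alias "Ethernet", lab subnet 10.10.1.0/24.

# ---- Phase 1: on the future DC, elevated, before promotion ----
$nic = "Ethernet"
New-NetIPAddress -InterfaceAlias $nic -IPAddress 10.10.1.10 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses 10.10.1.10
Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools
Rename-Computer -NewName DC -Restart

# ---- Phase 2: on DC after the reboot, create the contoso.com forest ----
$dsrm = Read-Host -AsSecureString "Directory Services Restore Mode password"
Install-ADDSForest -DomainName "contoso.com" -DomainNetbiosName "CONTOSO" `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force
# The server reboots as the first domain controller of the new forest.

# ---- Phase 3: on DC after promotion, optional DHCP scope for the other VMs ----
Add-DhcpServerv4Scope -Name "Lab" -StartRange 10.10.1.100 -EndRange 10.10.1.200 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -DnsServer 10.10.1.10 -DnsDomain "contoso.com"
Add-DhcpServerInDC -DnsName "DC.contoso.com" -IPAddress 10.10.1.10
Get-ADDomainController | Select-Object HostName, Domain, IPv4Address   # sanity check

# ---- Phase 4: on SyncSvr and OfficePC (HomePC stays in a workgroup) ----
# Without DHCP, give the VM a static 10.10.1.x address first; either way DNS must
# point at the DC or the join will fail before credentials are even tried.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.10.1.10
Resolve-DnsName "DC.contoso.com"                                        # must succeed
$cred = Get-Credential -UserName "CONTOSO\Administrator" -Message "Domain join"
# -NewName renames and joins in a single reboot; use "OfficePC" on the client VM.
Add-Computer -DomainName "contoso.com" -NewName "SyncSvr" -Credential $cred -Restart
```

Resolving DC.contoso.com before Add-Computer is the check worth keeping: nearly every failed lab join traces back to the member pointing at the Hyper-V host's DNS instead of the new DC.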
Step 6: User and Security group creation
Work Folders can only be configured for domain users, so you need to create a few test users in AD. For testing purposes, let’s create 10 domain users (U1 to U10).
It is recommended that you control access to Work Folders through security groups. Create one group named “Sales”, with scope “Global” and type “Security”, and add the 10 domain users (U1 to U10) to the Sales security group.
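Step 6 in PowerShell, run on DC as a domain admin, as an added example rather than something from the original lab. It assumes the users live in the default Users container of contoso.com, that all ten share one initial password that is prompted for, and that each user gets a contoso.com mail address, because the client setup later in this post starts from the user's email address and the encryption policy's Enterprise ID is derived from the primary SMTP address.

```powershell
# Added example: create U1..U10 and the Sales global security group.
# Assumptions: default Users container, one prompted initial password,
# mail addresses in contoso.com.
Import-Module ActiveDirectory

$container = "CN=Users,DC=contoso,DC=com"
$initial   = Read-Host -AsSecureString "Initial password for U1..U10"

# Global security group used to scope sync-share access.
New-ADGroup -Name "Sales" -SamAccountName "Sales" -GroupScope Global `
    -GroupCategory Security -Path $container

1..10 | ForEach-Object {
    $alias = "U$_"
    $mail  = "$alias@contoso.com"
    New-ADUser -Name $alias -SamAccountName $alias -UserPrincipalName $mail `
        -EmailAddress $mail -AccountPassword $initial -Enabled $true -Path $container `
        -OtherAttributes @{ proxyAddresses = "SMTP:$mail" }   # primary SMTP address
    Add-ADGroupMember -Identity "Sales" -Members $alias
}

# Verify: ten members, each with a mail address in the lab domain.
Get-ADGroupMember -Identity "Sales" |
    Get-ADUser -Properties EmailAddress |
    Select-Object SamAccountName, EmailAddress
```

Granting the sync share to the group rather than to individual accounts means adding a user to Work Folders later is a group-membership change, not a share reconfiguration.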
Step 7: Sync Server configuration
For each operation performed on the server, the Server Manager UI steps are shown first, followed by the equivalent Windows PowerShell cmdlet.
Enabling the Work Folders role
Step 8: Using Server Manager UI
- Launch the Server Manager on SyncSvr.
- On the dashboard, click “Add roles and features”.
- Follow the wizard, on the Server Role selection page, choose Work Folders under File and Storage Services:
- Complete the wizard.
Using PowerShell cmdlet: PS C:\> Add-WindowsFeature FS-SyncShareService
Create Sync Share
Step 9: Using Server Manager UI
A sync share is the unit of management on a sync server. It maps a local path, under which all the user folders are hosted, to a group of users who can access the sync share.
1. Launch New Sync Share Wizard from Server Manager
2. Provide the local path under which user folders will be created: type C:\SalesShare, and then click Next.
Note: There are 2 options for specifying the local path:
If you have a local path that is already configured as an SMB share, such as a folder redirection share, you can simply select the first option, “Select by file share”. For example, in the screenshot shown above, I had one SMB share on this server that points to C:\finshare; I can enable c:\finshare for sync by selecting the first radio button.
If it is a brand new server and you are only creating sync shares, you can provide the local path directly with the second option, which is what this Step-By-Step demonstrates.
Creating a sync share simply allows users to access the data hosted on the file server through the sync protocol; the same data set can additionally be accessed through SMB or NFS. The wizard makes this easy, as you can pick the location either by its local path or by an SMB (or NFS) share name. Since this lab enables the sync share on a local path first, the steps to enable SMB on the same location are shown later, so that legacy clients without Work Folders can reach the data set through SMB.
A sync share requires the local path to be hosted on an NTFS volume. If the local path is created by the UI wizard or the cmdlet, its permissions are inherited from the parent folder by default. After the wizard completes, additional permissions are added to the local path to ensure users assigned to the sync share can create and access folders and files under their own user folder. The table below shows the minimum NTFS permissions required on the local path; sync share creation configures them for you:
|User account|Minimum permissions required (configured by Sync Share setup)|Applies to|
|---|---|---|
|Creator/Owner|Full control|Subfolders and files only|
|Security group of users needing sync to the share|List Folder/Read data, Create Folders/Append data, Traverse folder/execute file, Read/Write attributes|This folder only|
|Local System|Full control|This folder, subfolders and files|
|Administrator|Read|This folder only|
Additional permissions may be present on the local path as a result of inheritance, so after the sync share is created, make sure the accounts listed in the table have the permissions shown and that nothing inherited grants other users a way into each other's folders.
3. Select the user folder format, keep the default (user alias), and click Next.
Note: There are 2 options you can select from the UI:
|Option|Description|
|---|---|
|User alias|Selected by default; compatible with other technologies such as Folder Redirection or home folders.|
|alias@domain|Ensures the folder name is unique for users across domains.|
Sync only the following subfolder: By default, all the folders and files under the user folder are synced to the devices. This checkbox lets the admin specify a single subfolder to be synced. For example, the user folder might contain several folders as part of a Folder Redirection deployment:
The admin can choose the “Documents” subfolder as the one to be synced to devices, leaving the other folders working with Folder Redirection only. To do so, check “Sync only the following subfolder”.
4. Provide the sync share name and description (optional), and click Next
5. Assign security groups for sync share access by clicking the Add button and entering the Sales security group (created in section User and Security group creation). Then click Next
Note: By default, the admin cannot access user data on the server. If you want admin access to user data, uncheck the “Disable inherited permissions and grant users exclusive access to their files” checkbox; be aware that the inherited ACEs from the parent folder then apply to every user folder.
6. Define device policies, and then click Next.
Note: The encryption policy requires that Work Folders documents on the client device be encrypted with the Enterprise ID. The Enterprise ID is by default the user's primary SMTP email address (that is, the proxyAddresses attribute of the user object in AD). Because Work Folders is encrypted with a key distinct from the one protecting the user's personal documents, an admin can wipe Work Folders on the device (for example, if the device is stolen) without touching the personal documents on the same device.
The password policy enforces the following configuration on user PCs and devices:
- Minimum password length of 6
- Autolock screen set to be 15 minutes or less
- Maximum password retry of 10 or less
If the device doesn’t meet the policy, the user will not be able to set up Work Folders.
7. Check the sync share settings, and click Create.
Using PowerShell cmdlet: PS C:\> New-SyncShare SalesShare -Path C:\SalesShare -User Contoso\Sales -RequireEncryption $true -RequirePasswordAutoLock $true
Enable SMB access
If you want to enable the sync share for SMB access, open File Explorer and navigate to “This PC”. Right-click the “SalesShare” folder and select “Share with” -> “Specific people”. Add Contoso\Sales and change the permission level to “Read/Write”, as shown below:
Complete the UI by clicking the “Share” button.
Now users can also access the data set through its UNC path.
Note: Once the server is enabled for SMB access, it checks for data changes every 5 minutes by default. You can shorten the enumeration interval (for example, to 1 minute) by running the following cmdlet on the server:
PS C:\> Set-SyncServerSetting -MinimumChangeDetectionMins 1
Each enumeration adds load on the server, but changes made locally on the server through SMB are only detected when an enumeration runs, so it is a balancing act between the change-detection delay you can tolerate and the load the server can handle.
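The whole server-side configuration from Step 7 (role install, sync share, SMB access and change detection) as one script for SyncSvr, with a check after each step. This is an added example and not the original lab's code; it assumes the names used in this post (share path C:\SalesShare, group CONTOSO\Sales) and that Get-SyncShare exposes the device-policy settings under the same names as the New-SyncShare parameters.

```powershell
# Added example: Step 7 end to end on SyncSvr, elevated.
# Assumptions: path C:\SalesShare, group CONTOSO\Sales.
Add-WindowsFeature FS-SyncShareService -IncludeManagementTools

$path  = "C:\SalesShare"
$group = "CONTOSO\Sales"

New-SyncShare -Name "SalesShare" -Path $path -User $group `
    -RequireEncryption $true -RequirePasswordAutoLock $true

# Check 1: the share exists and carries the device policies we asked for.
$share = Get-SyncShare -Name "SalesShare"
if (-not $share.RequireEncryption -or -not $share.RequirePasswordAutoLock) {
    throw "Device policies were not applied to SalesShare"
}

# Check 2: the group holds an ACE on the share root, and it is 'this folder only'
# (no inheritance), matching the minimum-permissions table. Anything that lets the
# group into subfolders would let users browse each other's folders.
$acl = Get-Acl -Path $path
$groupAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $group }
if (-not $groupAces) { throw "$group has no ACE on $path" }
$leaky = $groupAces | Where-Object { $_.InheritanceFlags -ne "None" }
if ($leaky) { throw "$group has an inheritable ACE on $path; review before going further" }
$groupAces | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Legacy SMB access to the same data set. Change = read/write at the share level;
# the NTFS ACLs above still decide which user folder each account can actually open.
New-SmbShare -Name "SalesShare" -Path $path -ChangeAccess $group

# Faster detection of edits made over SMB, at the cost of a full enumeration per minute.
Set-SyncServerSetting -MinimumChangeDetectionMins 1
Get-SyncServerSetting | Select-Object MinimumChangeDetectionMins
```

The second check is the one that matters outside the lab: a share root that was pre-created with inheritable group permissions will pass the wizard but silently widen access, which is exactly the case the note about inherited permissions above is warning about.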
Since we prepared 2 VMs as the client machines, you will need to repeat the following setup on both client machines.
Step 10: Lab testing specific settings
Caution: The following regkey settings are only for lab testing, and should not be configured on any production servers.
1. Allow unsecure connection
By default, the client always connects to the server over SSL, which requires the server to have an SSL certificate installed and bound. For lab testing only, you can configure the client to use plain HTTP, which puts the sync protocol and the file contents on the wire unencrypted, by running the following command on the client:
Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v AllowUnsecureConnection /t REG_DWORD /d 1
2. Converting from Email address to Server Url
When the user enters an email address such as Jane@contoso.com, the client constructs the URL https://WorkFolders.contoso.com and uses it to communicate with the server. In a production environment you need to publish that URL, typically through a reverse proxy, so the client can reach the server. For testing, we bypass URL publication by configuring the following regkey (the host name is the sync server built in Step 4):
Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\WorkFolders /v ServerUrl /t REG_SZ /d http://SyncSvr.contoso.com
With this key set, the client ignores the email address the user entered and uses the URL in the regkey to establish the sync partnership.
Also note that, this key will not be present in the RTM release.
3. Change the client polling frequency
By default, the client device polls the server for changes every 10 minutes if there are no local changes under Work Folders. You can configure the following regkey to speed the polling up to every 5 seconds:
Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v PollingInterval /t REG_DWORD /d 5
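The three lab-only client settings from Step 10 as PowerShell functions that apply them, remove them again, and report whether a machine still carries them. This is an added example, not part of the original post; it assumes the sync server name SyncSvr.contoso.com used in this lab and is run elevated on OfficePC and HomePC.

```powershell
# Added example: apply, revert and audit the lab-only Work Folders client settings.
# Assumption: server is SyncSvr.contoso.com. Never ship these values to production.
$hklm = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders"
$hkcu = "HKCU:\Software\Microsoft\Windows\CurrentVersion\WorkFolders"

function Enable-WorkFoldersLabSettings {
    param([string]$ServerUrl = "http://SyncSvr.contoso.com")
    foreach ($key in $hklm, $hkcu) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # 1. Plain HTTP: sync traffic and file contents cross the wire unencrypted.
    Set-ItemProperty -Path $hklm -Name AllowUnsecureConnection -Value 1 -Type DWord
    # 2. Skip email-based discovery of https://WorkFolders.<domain>.
    Set-ItemProperty -Path $hkcu -Name ServerUrl -Value $ServerUrl -Type String
    # 3. Poll every 5 seconds instead of every 10 minutes.
    Set-ItemProperty -Path $hklm -Name PollingInterval -Value 5 -Type DWord
}

function Disable-WorkFoldersLabSettings {
    Remove-ItemProperty -Path $hklm -Name AllowUnsecureConnection, PollingInterval `
        -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $hkcu -Name ServerUrl -ErrorAction SilentlyContinue
}

function Test-WorkFoldersLabSettings {
    # $true when any lab-only value is still present: run this before a VM or its
    # image leaves the lab, since AllowUnsecureConnection is a silent downgrade to HTTP.
    $unsafe = (Get-ItemProperty -Path $hklm -Name AllowUnsecureConnection `
        -ErrorAction SilentlyContinue).AllowUnsecureConnection -eq 1
    $url = (Get-ItemProperty -Path $hkcu -Name ServerUrl `
        -ErrorAction SilentlyContinue).ServerUrl
    return ($unsafe -or ($url -like "http://*"))
}

Enable-WorkFoldersLabSettings
Test-WorkFoldersLabSettings        # $true while the lab settings are applied
```

Note that ServerUrl lives under HKCU, so it has to be set in the session of the user who will run the Work Folders setup, while the other two values are machine-wide.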
Step 11: WorkFolders setup
1. Users can find the setup link in Control Panel -> System and Security -> Work Folders.
2. Provide the user email address, and then click Next.
Note: If the client machine is domain joined, the user will not be prompted for credentials.
3. Specify where to store Work Folders on the device
Note: Users cannot change the Work Folders location in the preview release of Windows 8.1. This will change in the final RTM release.
4. Consent to the device policy, and then click Setup Work Folders.
Work Folders is now configured on the device. You can open File Explorer to see Work Folders.
Once both client machines are configured, the user can access the documents under the Work Folders location from either device, and Work Folders keeps them in sync.
Sync in action
To test Work Folders, create a document (using Notepad or any other app) on one of the client machines and save it under the Work Folders location. In a few moments, you should see the document synced to the other client machine.
Since the sync location was also enabled for SMB access, the user can also view the data on computers without Work Folders by typing the UNC path in Explorer.
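A scripted version of the sync test, as an added example that is not from the original post: one function writes a probe file and records its SHA-256, the other waits on the second device (or on the SMB path) until a file with the same hash shows up, so you see both that the content arrived intact and how long it took. It assumes the default client location "$env:USERPROFILE\Work Folders" and, for the SMB check, that the user folder is \\SyncSvr\SalesShare\<alias> under the user-alias folder format chosen earlier.

```powershell
# Added example: hash-verified sync probe between two Work Folders clients.
# Assumptions: default client path, user-alias folder format, server SyncSvr.
function New-SyncProbe {
    param([string]$Root = "$env:USERPROFILE\Work Folders")
    $file = Join-Path $Root ("probe-{0}.txt" -f (Get-Date -Format "yyyyMMddHHmmss"))
    Set-Content -Path $file -Value ("probe from {0} at {1:o}" -f $env:COMPUTERNAME, (Get-Date))
    [pscustomobject]@{
        Name = Split-Path -Path $file -Leaf
        Hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}

function Wait-SyncProbe {
    param(
        [string]$Name,
        [string]$ExpectedHash,
        [string]$Root = "$env:USERPROFILE\Work Folders",
        [int]$TimeoutSec = 120
    )
    $file = Join-Path $Root $Name
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSec) {
        # Compare hashes rather than existence: a partially written file exists
        # before its content is complete.
        if ((Test-Path $file) -and
            (Get-FileHash -Path $file -Algorithm SHA256).Hash -eq $ExpectedHash) {
            return ("synced after {0:N0} s" -f $sw.Elapsed.TotalSeconds)
        }
        Start-Sleep -Seconds 2
    }
    return "not synced within $TimeoutSec s"
}

# On OfficePC (as U1):
#   $p = New-SyncProbe; $p        # note Name and Hash
# On HomePC (same user):
#   Wait-SyncProbe -Name $p.Name -ExpectedHash $p.Hash
# From any domain machine without Work Folders, over SMB:
#   Wait-SyncProbe -Name $p.Name -ExpectedHash $p.Hash -Root "\\SyncSvr\SalesShare\U1"
```

With the 5-second client polling interval from Step 10 the probe normally lands within a few seconds; with the defaults it can take up to the 10-minute poll, and an SMB-side edit adds the server's change-detection interval on top.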