Hi all,
I’m Jeff Patterson, Program Manager for Work Folders and Offline Files.
Jane wrote a blog last year which covers how to use Folder Redirection with Work Folders. The blog is great for new environments. If Folder Redirection and Offline Files are currently used, there are some additional steps that need to be performed which are covered in this migration guide.
Overview
This blog covers migrating from Offline Files (a.k.a. Client Side Caching) to Work Folders. This guidance is specific to environments that are using Folder Redirection and Offline Files and the user data is stored on a Windows Server 2012 R2 file server.
When using Folder Redirection and Offline Files, the user data in special folders (e.g., Documents, Favorites, etc.) is stored on a file server. The user data is cached locally on the client machine via Offline Files so it’s accessible when the user is working offline.
Folder Redirection policy with Offline Files
After migrating to Work Folders, the user data in special folders (e.g., Documents, Favorites, etc.) is stored locally on the client machine. The Work Folders client synchronizes the user data to the file server.
Folder Redirection policy with Work Folders
After migration, the user experience will remain unchanged and companies will benefit from the advantages of Work Folders.
Why Migrate?
Reasons to migrate from Offline Files to Work Folders:
- Modern file sync solution that was introduced in Windows Server 2012 R2
- Supports security features to protect user data such as selective wipe, Windows Information Protection (WIP) and Rights Management Services (RMS)
- Familiar file access experience for users, same as OneDrive and OneDrive for Business
- User data can be accessed outside of the corporate network (VPN or DirectAccess is not required)
- User data can be accessed using non-Windows devices: Android, iPhone and iPad
- Future investments (new features) are focused on Work Folders
For the complete list of benefits, please reference the Work Folders Overview.
Supported Migration Scenarios
This migration guide is intended for the following configurations:
- User data is hosted on a file server that is running Windows Server 2012 R2 or later
- Windows clients are Windows 7, Windows 8.1 and Windows 10
- Offline Files is used with Folder Redirection
Unsupported Migration Scenarios
The following configurations or scenarios are not currently supported:
| Configuration or Scenario | Reason |
| User data is stored on a network attached storage (NAS) device | Work Folders requires the user data stored on the file server via direct attached storage (DAS), storage area network (SAN) or iSCSI |
| File server is running Windows Server 2012 or Windows Server 2008 R2 | The Work Folders server component is only supported on Windows Sever 2012 R2 or later |
| Offline Files is used for multiple file shares (e.g., team shares) | Work Folders supports one sync partnership. It is intended for user data only and does not support team shares or collaboration scenarios. |
If the requirements listed above are not met, the recommendation is to continue to use Offline Files or evaluate using OneDrive for Business.
Overview of the Offline Files to Work Folders migration process
High-level overview of the Offline Files to Work Folders migration process:
- On the file server, install the Work Folders feature and configure the Work Folders Sync Share to use the existing file share used for Folder Redirection.
- Deploy Work Folders on the Windows clients via group policy.
- Update the existing Folder Redirection group policy to redirect the special folders (e.g., Documents, Desktop, etc.) to the local Work Folders directory on the client machine.
- Optional: Disable Offline Files on the Windows clients.
Planning the migration
The following considerations should be reviewed prior to starting the Offline Files to Work Folders migration:
- Work Folders requirements and design considerations: https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx
- Client disk space requirements: During the migration process, existing client machines will need additional disk space to temporarily store the user data using both Offline Files and Work Folders. Once the migration is complete, the user data stored in Offline Files will be deleted.
- Network traffic: Migrating from Offline Files to Work Folders requires redirecting the special folders (e.g., Documents, Favorites, etc.) to the client machine. The user data that is currently stored on the file server will be synced to the Windows client using Work Folders. The migration should be done in phases to reduce network traffic. Please reference the performance considerations and network throttling blogs for additional guidance.
- RDS and VDI: If users are accessing user data in Remote Desktop Services (RDS) or Virtual Desktop Infrastructure (VDI) environments, create a separate Folder Redirection group policy for RDS and VDI. Work Folders is not supported for RDS and is not recommended for VDI environments. The recommendation is to continue to redirect the special folders to the file server since the users should have a reliable connection.
Example – Create two Folder Redirection group policies:
Desktops and Laptops Folder Redirection group policy – The root path in the Folder Redirection policy will point to the local Work Folders directory: %systemdrive%\users\%username%\Work Folders\Documents
RDS and VDI Folder Redirection group policy – The root path in the Folder Redirection policy will point to the file server: \\fileserver1\userdata$\%username%\Documents
Note: The group policy loopback processing (replace mode) setting should be enabled on the RDS and VDI group policy
Note: Offline Files (CSC) should be disabled for RDS and VDI environments since the user should have a reliable connection to the file server
- Existing Windows clients: If you do not want to migrate existing clients to Work Folders (only new clients), you can create separate Folder Redirection group policies as covered in the “RDS and VDI” section. The legacy clients will continue to access the user data on the file server. The new clients will access the user data locally and sync the data to the file server.
Migrating from Offline Files to Work Folders
To migrate from Offline Files to Work Folders, follow the steps below.
Note: If the root path in the Folder Redirection policy is \\fileserver1\userdata$, the steps below should be performed on the file server named FileServer1.
-
On the Windows Server 2012 R2 file server, install and configure Work Folders by following steps 1-10 in the TechNet documentation.
Note: Several of the steps (6, 8, 9, 10) are optional. If you want to allow users to sync files over the internet and you plan to have multiple Work Folders servers, steps 1-10 should be completed.
Important details to review before following the TechNet documentation:
Obtain SSL certificates (Step #1 in the TechNet documentation)
The Work Folders Certificate Management blog provides additional info on using certificates with Work Folders.
Create DNS records (Step #2 in the TechNet documentation)
When Work Folders clients use auto discovery, the URL used to discover the Work Folders server is https://workfolders.domain.com. If you plan to use auto discovery, create a CNAME record in DNS named workfolders which resolves to the FDQN of the Work Folders server.
Install Work Folders on file servers (Step #3 in the TechNet documentation)
If the existing file server is clustered, the Work Folders feature must be installed on each cluster node. For more details, please refer to the following blog.
Create sync shares for user data (Step #7 in the TechNet documentation)
When creating the sync share, select the existing file share that is used for the user data.
Example: If the special folders path in the Folder Redirection policy is \\fileserver1\userdata$, the userdata$ file share should be selected as the path.
Note: All user data stored on the file share will be synced to the client machine. If this path is used to store user data in addition to the redirected special folders (e.g., home drive), that user data will also be synced to the client machine.
When specifying the user folder structure, select “User alias” to maintain compatibility with the Folder Redirection folder structure.
If you select the “Automatically lock screen, and require a password” security policy, the user must be an administrator on the local machine or the policy will fail to apply. To exclude this setting from applying to domain join machines, use the Set-SyncShare -PasswordAutolockExcludeDomain cmdlet (see TechNet content for more info).
-
Deploy the Work Folders client using group policy
To deploy Work Folders via group policy, follow Step #11 in the TechNet documentation.
For the “Work Folders URL” setting in the group policy, the recommendation is to use the discovery URL (e.g., https://workfolders.domain.com) so you don’t have to update the group policy if the Work Folders server changes.
Note: Using the discovery URL requires the “workfolders” CNAME record in DNS that is covered in the “Create DNS records” section.
-
Update the existing Folder Redirection group policy to redirect the special folders to the local Work Folders directory on the client machine
Note: All special folders (e.g., Documents, Desktop, Favorites, etc.) can be redirected to the local Work Folders directory except for AppData (Roaming). Redirecting this folder can lead to conflicts and files that fail to sync due to open handles. The data stored in the AppData\Roaming folder should be roamed using Enterprise State Roaming (ESR), UE-V or Roaming User Profiles.
To update the Folder Redirection policy, perform the following steps:
- Open the existing Folder Redirection group policy
-
Right-click on a special folder (e.g., Documents) that’s currently redirected to a file share and choose properties
- Change the Target folder location setting to: Redirect to the following location
-
Change the Root Path to: %systemdrive%\users\%username%\Work Folders\Documents
- Click the Settings tab and un-check the “Move the contents of Documents to the new location” setting.
Note: The “Move the contents of Documents to the new location” setting should be un-checked because Work Folders will sync the user data to the client machine. Leaving this setting checked for existing clients will cause additional network traffic and possible file conflicts.
- Click OK to save the settings and click Yes for the Warning messages.
- Repeat steps (1-6) for each special folder that needs to be redirected
-
Optional: Disable Offline Files on the Windows clients
After migrating to Work Folders, you can prevent clients from using Offline Files by setting the “Allow or Disallow use of the Offline Files feature” group policy setting to Disabled.
Note: Offline Files should remain enabled if using BranchCache in your environment.
Validate the migration
Verify the Work Folders clients are syncing properly with the Work Folders server
- To verify the Work Folders clients are syncing properly with the Work Folders server, review the Operational and Reporting event logs on the Work Folders server. The logs are located under Microsoft-Windows-SyncShare in Event Viewer.
- On the Work Folders client, you can check the status by opening the Work Folders applet in the control panel:
Example: Healthy status
If the sync status is orange or red, review the error logged. If additional information is needed, review the Work Folders operational log which is located under Microsoft-Windows-WorkFolders in Event Viewer.
The “Troubleshooting Work Folders on Windows client” blog covers common issues.
Verify the special folders are redirected to the correct location
- Open File Explorer on a Windows client and access the properties of a special folder that’s redirected (e.g., Documents).
- Verify the folder location is under %systemdrive%\users\Work Folders
If the special folder is still redirected to the file share, run “gpupdate /force” from a command prompt to update the policy on the client machine. The user will need to log off and log on for the changes to be applied.
Additional Information
Special folders that can be redirected via Folder Redirection policy
The following special folders can be redirected to the local Work Folders directory:
- Contacts
- Desktop
- Documents
- Downloads
- Favorites
- Links
- Music
- Pictures
- Saved Games
- Searches
- Start Menu
- Videos
Considerations for the Root Path in the Folder Redirection policy
The Folder Redirection root path in the migration guide (Step# 3) assumes multiple special folders are redirected. The root path can vary for each special folder as long as the folders are redirected under the Work Folders directory.
Example #1: If Documents is the only folder that is redirected, the root path could be the Work Folders root directory: %systemdrive%\users\%username%\Work Folders
Example #2: If you do not want the special folders in the root of the Work Folders directory, use a sub-directory in the path: %systemdrive%\users\%username%\Work Folders\Profile\Favorites
Known issues
The following issue has been identified when redirecting special folders to the Work Folders directory:
| Folder | Issue | Cause | Solution |
| Favorites | Unable to open Favorites in Internet Explorer when using Windows Information Protection | Internet Explorer does not support encrypted favorite files | Use Edge or a 3rd party browser |
Congratulations! You’ve now completed the Offline Files to Work Folders migration!
I would appreciate any feedback (add a comment) on the migration process and if any steps need to be clarified.
Thanks,
Jeff
Does Work Folders require ADFS and WAP if we are joining just domain connected systems? I am looking at deploying this and having to deploy 4 systems just for this seems overkill.
1. Domain Controller
2. File Server/Work Folders
3. ADFS Server
4. WAP server
is it possible to do this with just a domain controller and a file server and still allow domain connected computers on the internet connect without a VPN or direct access?
In my test deployment I needed neither WAP nor ADFS for access over the Internet. The Work Folders file server is joined to the domain and has a wildcard SSL certificate. I just port-forwarded 443 and created the public workfolders.mydomainname.com A record.
I seemed to be able to authenticate using domain credentials just fine over the Internet from a non-domain-joined Windows 10 client and the IOS app. I haven’t tried Windows 7 or 8 yet.
There are three options to enable users to sync to the Work Folders server when outside of the corporate network:
Option #1: Use a reverse proxy solution (Azure AD Application Proxy, Web Application Proxy with AD FS authentication, or a 3rd party solution)
Option #2: Have remote users connect to the corporate network via VPN or DirectAccess to sync to the Work Folders server
Option #3 (less secure): Work Folders supports digest authentication so you can sync directly to the Work Folders server (via port 443). However, the Work Folders server needs to be accessible from the internet or you need to configure a WAP server with pass-through authentication. If digest authentication is not working, enable the “Store passwords using reversible encryption” policy setting on the domain controller. Please review the security considerations documented on TechNet before you enable the “Store passwords using reversible encryption” policy setting.
I do not have “Store passwords using reversible encryption” enabled. I checked this via gpresult on both my domain controllers and my work folders server, as well as the Active Directory user properties. It’s interesting that it still seems to work over the Internet without WAP or ADFS. Does a typical router port-forward/inbound-NAT configuration count as a “third-party reverse proxy solution” in this context?
Mark, did you ever try it out? I’m curious what your experience was.
Jeff,
The ‘Windows IT Pro Insider – August 2016 Edition’ email which linked me to this article says:
“Learn how Work Folders were updated in Windows 10 to support Windows Information Protection, and why older file sync solutions, like Offline Files, are not supported.”
So, let me get this straight:
1. We redirect our user folders to enterprise-class NAS so, if we deploy Windows 10 1607 or later, it will be unsupported unless we deploy 2012 R2 (or later) file servers in front of that NAS?
2. We use VDI so, if we deploy Windows 10 1607 or later, it will be unsupported – period?
Can you see why we might be extremely unhappy about this situation?
Patrick,
Folder Redirection and Offline Files are supported on Windows 10 1607.
Using Windows Information Protection (a.k.a. Enterprise Data Protection) with Offline Files is not supported and is documented in the following blog.
Regarding Work Folders support for NAS and VDI:
• NAS: We currently have an SMB gateway private package that I can share for testing purposes only. If you’re interested, please send me mail at jeffpatt at microsoft dot com.
• VDI: Work Folders supports VDI environments but it’s not recommended since the user should have a reliable connection to the file server and for non-persistent environments, the files would be resynced every session.
Thanks,
Jeff
I think the redirection to “%systemdrive%\users\%username%\Work Folders\” can be problematic. I have seen in several environments that the local user profile is named this way. There could be various reasons for this:
Rename of SamAccountName without recreating the user profile.
Migration between domains with ADMT and change of SamAccountName.
When there is an existing folder with %Username% a profile with %username%.%userdomain% might be created.
And I’m pretty sure there are a lot of other reasons, why the path “%systemdrive%\users\%username%\Work Folders” will not work as desired.
I think the best would be to use “%USERPROFILE%\Work Folders”. But when I enter this path in the GPO the option changes to “Redirect to the local profile location”. So currently I’m edition the fdeploy1.ini in the GPO file directory “User\Documents & Settings\” directly in a text editor, as this seems the only way to get this done.
Frank,
Thanks for the feedback! To work around this issue, change the root path in the Folder Redirection policy to use the %userprofile% variable.
Example: To redirect the Documents folder, use “%userprofile%\Work Folders\Documents” as the root path.
Note: You need to use quotes in the root path or the changes will not be saved. Also, the Folder Redirection policy user interface will change to “Redirect to the local userprofile location” so you need to verify the path is correct by viewing the group policy settings in the Group Policy Management console.
Thanks,
Jeff
Hi Jeff. Thanks for the response. I tried the workaround and it works. Thank you very much. Frank
This works not for my enviroment:
Note: The “Move the contents of Documents to the new location” setting should be un-checked because Work Folders will sync the user data to the client machine. Leaving this setting checked for existing clients will cause additional network traffic and possible file conflicts.
If I leave this box un-checked I became “empty” work folders. There was no sync back process from the old destination (CSC Share on the Server). Why?
All other step worked fine.
Oliver,
I suspect the existing file share wasn’t selected when creating the sync share. Please review the “Create sync shares for user data (Step #7 in the TechNet documentation)” section in the migration guide. If the file share is configured and you continue to experience issues, please send me mail at jeffpatt at microsoft dot com.
Thanks,
Jeff