It sounds great, right? A file syncing solution built right into the operating system, but this one would be enterprise-ready with support for dynamic access control policies and rights management.
Trouble is, nothing is ever as simple as it seems.

Work Folders in Windows 8.1

Prowess Consulting engineers stood up a Windows 8.1 lab where we test endpoint features for enterprise use, and we’ve gotten down and dirty with Work Folders, Workplace Join, Mobile Device Management, and other features of Windows 8.1.
That’s how we know what it takes to get Work Folders running.
This guide walks you through the process of setting up and configuring Work Folders in your own lab environment.
Note: Names and IP addresses used in this guide are for reference only. You can substitute your own values, as long as you can map them to the values used here.
Starting Server Infrastructure:

  • DC.prowesslabs.com
    • OS: Windows Server 2012 R2 Preview (Version 6.3, Build 9431)
    • Installed Roles and Services:
      • Active Directory Domain Services (AD DS) (prowesslabs.com)
      • Active Directory Certificate Services (AD CS) (Authority name: prowesslabs-DC-CA)
      • DNS
    • Networks: Internal – 172.16.0.2
    • Startup RAM: 2GB (Dynamic)
  • Sync.prowesslabs.com
    • OS: Windows Server 2012 R2 Preview (Version 6.3, Build 9431)
    • Installed Roles and Services: N/A
    • Networks: Internal – 172.16.0.5
    • Startup RAM: 2GB (Dynamic)
  • FS2.prowesslabs.com
    • OS: Windows Server 2012 R2 Preview (Version 6.3, Build 9431)
    • Installed Roles and Services: Web Application Proxy
    • Networks: Internal – 172.16.0.4, External – 192.16.1.140 (DHCP)
    • Startup RAM: 2GB (Dynamic)

Before we begin we’ll need to perform a number of tasks on the server intended to host our Work Folders.

  • Create required DNS records.
  • Install the Work Folders Role.
  • Install a Server Certificate.
  • Configure a Sync Share.
  • Publish Work Folders via Web Application Proxy.
  • Configure Work Folders on a Windows 8.1 domain client.

Important: This guide assumes that you have a virtual machine (Sync) running Windows Server 2012 R2 Preview, with no other roles or features installed, and joined to a domain (prowesslabs.com).

 

Step 1: Create an internal DNS record for work.

  1. Log on to the AD DS virtual machine (DC.prowesslabs.com) as a domain administrator.
  2. Open the DNS Console.
  3. Expand DC, and then expand Forward Lookup Zones.
  4. Right-click prowesslabs.com, and then select New Alias (CNAME).
  5. In the Alias name field, type:
    workfolders
  6. In the Fully qualified domain name field, type sync.prowesslabs.com, and then click OK.

 

Step 2: Install the Work Folders Server Role.

  1. Log on to the Sync virtual machine as a domain administrator.
  2. Open Server Manager if it does not automatically load.
  3. From the Dashboard page, click Add roles and features.
  4. Click Next on the Before You Begin page.
  5. Leave Role-based or feature-based installation selected, and then click Next.
  6. Confirm that the Sync server is selected, and then click Next.
  7. In the Roles list, expand File and Storage Services.
  8. Expand File and iSCSI Services.
  9. Select the Work Folders check box.
  10. Click Add Features to install the required Roles and Features, and then click Next.
  11. Click Next to skip installing any additional features.
  12. Click Next on the Web Server Role information page.
  13. Click Next to skip installing any additional IIS features.
  14. Click Install to complete the Role installation.
  15. After the installation completes, click Close.

 

Step 3. Install a Web Server Certificate.

  1. While on the Sync virtual machine, open the IIS Manager console.
  2. In the left navigation pane, select SYNC (PROWESSLABS).
  3. In the center pane, double-click Server Certificates.
  4. In the Actions pane, click Create Domain Certificate.
  5. Fill in the Distinguished Name Properties fields as follows:
    1. Common Name: workfolders.prowesslabs.com.
    2. Organization: Prowess Labs.
    3. Organizational Unit: Computers
    4. City: Seattle
    5. State: WA
  6. Click Next.
  7. On the Online Certification Authority page, click Select.
  8. Click the appropriate Certificate Authority, and then click OK.
  9. In the Friendly Name field, type workfolders.prowesslabs.com, and then click Finish.
  10. In the Server certificates pane, double-click the workfolders.prowesslabs.com certificate.
  11. Switch to the Details tab, and click Copy to File.
  12. Click Next.
  13. Select Yes, export the private key, and then click Next.
  14. Leave Personal Information Exchange selected, and then click Next.
  15. Click the check box for Password and supply a password (for example, Pass@word1).
  16. In the File name field, type C:\Certificates\WorkFolders.pfx, and then click Next.
  17. Click Finish, and then click OK.
  18. Click OK to close the Certificate properties window.
  19. In the left navigation pane, right-click Default Web Site, and then select Edit Bindings.
  20. Click Add.
  21. In the Type drop-down menu, select https.
  22. In the SSL Certificate drop-down menu, select the workfolders.prowesslabs.com certificate previously created, and then click OK.
  23. Click Close and then close the IIS Manager.

 

Step 4. Configure the Work Folders Server Role.

  1. Open Windows Explorer.
  2. Create a folder to contain the synchronized folders, for example, C:\ProwessLabs.
  3. If closed, re-open Server Manager.
  4. In the left navigation pane, click File and Storage Services.
  5. Select Work Folders.
  6. In the Work Folders pane, click the link “To create a sync share for Work Folders, start the New Sync Share Wizard.”
  7. Click Next on the Before you begin page.
  8. At the bottom of the Select the server and path page, type or browse to the folder you previously created.
  9. Click Next.
  10. Select the radio button for User alias@domain, and then click Next.
  11. Provide a name for the Sync share, and then click Next.
  12. Click Add to grant access to domain users or security groups within your domain (for example, prowesslabs\employees).
  13. On the Specify Device Policies page, you can enable additional security requirements if desired. In this case, clear all check boxes, and then click Next.
  14. Review the Sync Share settings and then click Create.
  15. Click Close.
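
Steps 1, 2 and 4 can also be scripted. The PowerShell below is an added example, not part of the original guide; it assumes PowerShell remoting to DC is available, uses the placeholder share name ProwessLabsSync, and maps the two device policy check boxes from Step 4 to the -RequireEncryption and -RequirePasswordAutoLock parameters.

```powershell
# Added example (not from the original guide): scripted form of Steps 1, 2 and 4.
# Run on Sync in an elevated PowerShell session as a domain administrator.
# 'ProwessLabsSync' is a placeholder; the guide leaves the share name up to you.

# Step 1: create the CNAME workfolders -> sync.prowesslabs.com on the DC.
# Assumption: PowerShell remoting to DC.prowesslabs.com is available.
Invoke-Command -ComputerName 'DC.prowesslabs.com' -ScriptBlock {
    Add-DnsServerResourceRecordCName -ZoneName 'prowesslabs.com' `
        -Name 'workfolders' -HostNameAlias 'sync.prowesslabs.com'
}

# Step 2: install the Work Folders role service; required dependencies
# are added automatically, as with "Add Features" in the wizard.
$result = Install-WindowsFeature -Name 'FS-SyncShareService' -IncludeManagementTools
if (-not $result.Success) { throw 'Work Folders role service failed to install.' }

# Step 4: create the folder and the sync share.
New-Item -Path 'C:\ProwessLabs' -ItemType Directory -Force | Out-Null

# '[user]@[domain]' is the "User alias@domain" folder naming option.
# Both device policies are set to $false to match the cleared check boxes.
New-SyncShare -Name 'ProwessLabsSync' -Path 'C:\ProwessLabs' `
    -User 'prowesslabs\employees' `
    -UserFolderName '[user]@[domain]' `
    -RequireEncryption $false `
    -RequirePasswordAutoLock $false

# Review the resulting share, including the device policy values.
Get-SyncShare -Name 'ProwessLabsSync' | Format-List *
```

Setting -RequireEncryption and -RequirePasswordAutoLock to $true instead enables the two device policies that the wizard offers on the Specify Device Policies page.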

 

Step 5. Import the Work Folders Server Certificate on the Web Application Proxy Server.

  1. Log on to the FS2 virtual machine as a domain administrator.
  2. Open Windows Explorer, and then open \\sync.prowesslabs.com\c$\certificates.
  3. Copy the WorkFolders.pfx certificate to C:\Certificates on the FS2 server.
  4. Right-click WorkFolders.pfx, and then click Install PFX.
  5. On the Welcome to the Certificate Import Wizard page, select the Store Location Local Machine, and then click Next.
  6. Click Yes if prompted by User Account Control.
  7. Confirm the correct path and filename are specified, and then click Next.
  8. Type the password specified during export (for example, Pass@word1), and then click Next.
  9. Select Place all certificates in the following store, and then click Browse.
  10. Select Personal, and then click OK.
  11. Click Next.
  12. Click Finish to complete the wizard.
  13. Click OK when notified of a successful import.

 

Step 6. Configure Web Application Proxy to allow access to Work Folders.

  1. Open the Remote Access Management Console.
  2. In the Tasks pane, click Publish.
  3. On the Welcome page, click Next.
  4. On the Preauthentication page, select Pass-through, and then click Next.
  5. In the Name field, type Work Folders.
  6. In the External URL field, type https://workfolders.prowesslabs.com/sync/1.0/.
  7. Toggle the External Certificate drop-down menu and select the workfolders.prowesslabs.com certificate.
  8. Click Next.
  9. Review the web application settings, and then click Publish.
  10. Click Close.
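
The certificate export from Step 3, the import in Step 5 and the publishing in Step 6 can be done from PowerShell, which also makes it easy to clean up the PFX files afterwards. This is an added example, not part of the original guide; the backend URL is assumed to be the same as the external URL, because the guide only specifies the latter.

```powershell
# Added example (not from the original guide). Part 1 runs on Sync, part 2 on FS2,
# each in an elevated PowerShell session as a domain administrator.

# --- Part 1 (on Sync): export the certificate issued in Step 3 ---
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -match 'CN=workfolders\.prowesslabs\.com(,|$)' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw 'No workfolders.prowesslabs.com certificate with a private key found.'
}
# Prompt for the PFX password so it is not stored in the script or history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -Path 'C:\Certificates' -ItemType Directory -Force | Out-Null
Export-PfxCertificate -Cert $cert -Password $pfxPassword `
    -FilePath 'C:\Certificates\WorkFolders.pfx' | Out-Null

# --- Part 2 (on FS2): copy, import and publish ---
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$remotePfx = '\\sync.prowesslabs.com\c$\certificates\WorkFolders.pfx'
$localPfx  = 'C:\Certificates\WorkFolders.pfx'
New-Item -Path 'C:\Certificates' -ItemType Directory -Force | Out-Null
Copy-Item -Path $remotePfx -Destination $localPfx

# Without -Exportable, the private key is marked non-exportable on FS2.
$imported = Import-PfxCertificate -FilePath $localPfx `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Assumption: backend URL equals the external URL given in Step 6.
$url = 'https://workfolders.prowesslabs.com/sync/1.0/'
Add-WebApplicationProxyApplication -Name 'Work Folders' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $url -BackendServerUrl $url `
    -ExternalCertificateThumbprint $imported.Thumbprint

# The PFX files contain the private key; remove both copies once imported.
Remove-Item -Path $localPfx, $remotePfx

# Review what was published.
Get-WebApplicationProxyApplication -Name 'Work Folders' |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```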

 

Step 7. Configure the Work Folders on a domain-joined client running Windows 8.1.

  1. Log on to a domain-joined client as a normal domain user (for example, harris@prowesslabs.com).
  2. Open Control Panel, and then click System and Security.
  3. Click Work Folders.
  4. Click Set up Work Folders.
  5. Type your email address (for example, harris@prowesslabs.com), and then click Next.
  6. Review your Work Folders location, and then click Next.
  7. Click to select the check box for I accept these policies on my PC, and then click Set up Work Folders.
  8. From this section, you can review your folder usage and any sync errors that may be occurring.

 

Step 8. Browse to your synchronized Work Folders.

  1. Switch to the InternalClient virtual machine.
  2. Open Windows Explorer.
  3. In the left navigation pane, click This PC.
  4. Under Folders, double-click Work Folders.
