ANAVEM
EnglishFrancais
ANAVEM
Languagefr
How to Configure Secure File Sync with Work Folders on Windows Server 2025

How to Configure Secure File Sync with Work Folders on Windows Server 2025

Set up Work Folders on Windows Server 2025 for secure file synchronization between servers and client workstations with HTTPS, quotas, and GPO deployment.

April 10, 2026 15 min
mediumwindows-server 8 steps 15 min

Why Deploy Work Folders on Windows Server 2025?

Work Folders provides enterprise-grade file synchronization that bridges the gap between traditional file servers and modern cloud storage solutions. Unlike consumer sync services, Work Folders gives IT administrators complete control over data location, security policies, and user access while maintaining the convenience of automatic synchronization across devices.

In Windows Server 2025, Work Folders continues to offer robust security features including mandatory encryption, device policies, and integration with Active Directory. This makes it ideal for organizations that need to maintain data sovereignty while providing users with seamless access to their files from multiple devices.

What Security Features Does Work Folders Provide?

Work Folders implements multiple layers of security to protect your organization's data. All data transmission occurs over HTTPS, ensuring encryption in transit. On client devices, Work Folders can enforce encryption at rest, automatic screen locking, and password requirements. The integration with Active Directory provides centralized authentication and authorization, while quota management prevents storage abuse.

How Does Work Folders Compare to Cloud Storage Solutions?

Unlike cloud-based alternatives, Work Folders keeps your data entirely within your organization's infrastructure. This provides complete control over data location, compliance with regulatory requirements, and eliminates ongoing subscription costs. The solution scales efficiently within your existing Windows Server infrastructure and integrates seamlessly with existing Active Directory security groups and policies.

Implementation Guide

Full Procedure

01

Install the Work Folders Role on Windows Server 2025

Start by installing the Work Folders role through Server Manager. This role provides the core functionality for secure file synchronization across your enterprise network.

Open Server Manager and navigate to the dashboard. Click Add roles and features to launch the installation wizard.

# Alternative PowerShell installation method
Install-WindowsFeature -Name WorkFolders -IncludeManagementTools -Restart

In the wizard, select Role-based or feature-based installation, choose your target server, then expand File and Storage ServicesFile and iSCSI Services. Check the Work Folders checkbox and click Add Features when prompted.

Complete the installation and restart the server if required. The installation includes the SyncShare PowerShell module automatically.

Verification: Run this command to confirm the role is installed:

Get-WindowsFeature -Name WorkFolders

The InstallState should show Installed.

02

Configure SSL Certificate and DNS for HTTPS Access

Work Folders requires HTTPS for secure synchronization in production environments. You'll need to obtain an SSL certificate and configure DNS records for your server's FQDN.

First, create a DNS A record pointing to your server. For example, if your server IP is 192.168.1.100:

# Add DNS record (run on DNS server or domain controller)
Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name "workfolders" -IPv4Address "192.168.1.100"

Next, obtain your SSL certificate. For testing purposes, you can create a self-signed certificate:

# Create self-signed certificate for testing
$cert = New-SelfSignedCertificate -DnsName "workfolders.contoso.com" -CertStoreLocation "Cert:\LocalMachine\My"

For production, request a certificate from your Certificate Authority or use Let's Encrypt. Once you have the certificate, bind it to the Work Folders service through Server Manager.

Navigate to Server ManagerFile and Storage ServicesWork Folders. Right-click your server name and select Bind certificate. Choose your SSL certificate from the list.

Pro tip: Always use a certificate from a trusted CA in production. Self-signed certificates will trigger security warnings on client devices.

Verification: Test the certificate binding:

Get-SyncServerCertificate
03

Create Active Directory Security Groups for Work Folders Access

Organize user access by creating dedicated security groups in Active Directory. This approach simplifies permission management and allows for granular control over who can access Work Folders.

Open Active Directory Users and Computers or use PowerShell to create the security groups:

# Create security group for Work Folders users
New-ADGroup -Name "WorkFolders-Users" -GroupScope Universal -GroupCategory Security -Path "OU=Groups,DC=contoso,DC=com" -Description "Users with access to Work Folders synchronization"

Add users to the group:

# Add users to the Work Folders group
Add-ADGroupMember -Identity "WorkFolders-Users" -Members "jdoe", "asmith", "mwilson"

For organizations with multiple departments, consider creating separate groups:

# Create department-specific groups
New-ADGroup -Name "WorkFolders-Finance" -GroupScope Universal -GroupCategory Security -Path "OU=Groups,DC=contoso,DC=com"
New-ADGroup -Name "WorkFolders-HR" -GroupScope Universal -GroupCategory Security -Path "OU=Groups,DC=contoso,DC=com"

This structure allows you to create separate sync shares with different policies for each department.

Warning: Don't add users directly to sync shares. Always use security groups to maintain scalability and security best practices.

Verification: Confirm group creation and membership:

Get-ADGroup -Filter "Name -like 'WorkFolders*'" | Select-Object Name, GroupScope
Get-ADGroupMember -Identity "WorkFolders-Users"
04

Create and Configure the Primary Sync Share

Now create the sync share that will store user data and define synchronization policies. This involves setting up the storage location, user access, and security policies.

First, create a dedicated folder on an NTFS volume with sufficient space:

# Create the Work Folders directory
New-Item -Path "E:\WorkFolders" -ItemType Directory -Force

# Set appropriate NTFS permissions
icacls "E:\WorkFolders" /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "WorkFolders-Users:(OI)(CI)M"

Launch the New Sync Share Wizard from Server ManagerFile and Storage ServicesWork FoldersSharesCreate Sync Share.

Alternatively, use PowerShell to create the sync share:

# Create sync share with PowerShell
New-SyncShare -Name "CompanyData" -Path "E:\WorkFolders" -User "WorkFolders-Users" -RequireEncryption $true -RequirePasswordAutoLock $true

Configure the sync share policies in the wizard:

  • Path: E:\WorkFolders
  • Users: WorkFolders-Users security group
  • Device Policies: Enable "Encrypt Work Folders on devices" and "Automatically lock screen and require password"
  • User Quota: Set to 5GB per user (adjust based on your requirements)

The sync share URL will be https://workfolders.contoso.com/WorkFolders.

Pro tip: Start with conservative quota limits. You can always increase them later, but reducing quotas after users have stored data can cause synchronization issues.

Verification: Confirm the sync share is created and accessible:

Get-SyncShare -Name "CompanyData"
Get-SyncShare -Name "CompanyData" | Select-Object Name, Path, UserQuotaGB, RequireEncryption
05

Configure User Quotas and Storage Policies

Implement quota management to control storage usage and prevent any single user from consuming excessive server resources. Work Folders provides flexible quota options at both the share and user level.

Set individual user quotas using PowerShell:

# Set quota for all users in the sync share
Set-SyncShare -Name "CompanyData" -UserQuotaGB 5

# Set quota in MB for more precise control
Set-SyncShare -Name "CompanyData" -UserQuotaInMB 5120

# View current quota settings
Get-SyncShare -Name "CompanyData" | Select-Object Name, UserQuotaGB, UserQuotaInMB

For different user groups with varying storage needs, create separate sync shares:

# Create executive sync share with higher quota
New-SyncShare -Name "ExecutiveData" -Path "E:\WorkFolders\Executive" -User "WorkFolders-Executives" -RequireEncryption $true
Set-SyncShare -Name "ExecutiveData" -UserQuotaGB 20

# Create standard user share with lower quota
New-SyncShare -Name "StandardData" -Path "E:\WorkFolders\Standard" -User "WorkFolders-Users" -RequireEncryption $true
Set-SyncShare -Name "StandardData" -UserQuotaGB 2

Monitor quota usage across all sync shares:

# Check quota usage for all shares
Get-SyncShare | ForEach-Object {
    $share = $_
    Write-Host "Share: $($share.Name)"
    Write-Host "Quota: $($share.UserQuotaGB) GB per user"
    Write-Host "Users: $($share.User)"
    Write-Host "---"
}

Configure storage reports to track usage patterns:

# Enable storage reporting (requires File Server Resource Manager)
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Warning: Quota changes take effect immediately but may not be reflected on client devices until the next synchronization cycle. Users may experience sync errors if they exceed new quota limits.

Verification: Test quota enforcement by checking user storage allocation:

# View detailed quota information
Get-SyncUserSettings -SyncShare "CompanyData" | Select-Object User, QuotaGB, UsedStorageGB
06

Deploy Work Folders via Group Policy

Automate Work Folders deployment across your organization using Group Policy. This eliminates the need for manual configuration on each client workstation and ensures consistent settings.

Open the Group Policy Management Console and create a new GPO or edit an existing one. Navigate to Computer ConfigurationPoliciesAdministrative TemplatesSystemWork Folders.

Configure the following policy settings:


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkFolders]
"WorkFoldersUrl"="https://workfolders.contoso.com/WorkFolders"
"AutoProvision"=dword:00000001
"AllowUntrustedCerts"=dword:00000000

Enable the "Specify Work Folders settings" policy and configure:

  • Work Folders URL: https://workfolders.contoso.com/WorkFolders
  • Force automatic setup: Enabled
  • Allow untrusted certificates: Disabled (for production)

For testing environments, you can temporarily allow untrusted certificates:

# PowerShell command to configure Work Folders via registry (for testing)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkFolders"
New-Item -Path $regPath -Force
Set-ItemProperty -Path $regPath -Name "WorkFoldersUrl" -Value "https://workfolders.contoso.com/WorkFolders"
Set-ItemProperty -Path $regPath -Name "AutoProvision" -Value 1 -Type DWord

Link the GPO to the appropriate Organizational Units containing your target computers. Consider creating separate GPOs for different user groups if they need different Work Folders configurations.

Pro tip: Test GPO deployment on a small group of computers first. Use gpupdate /force on client machines to immediately apply the policy without waiting for the next refresh cycle.

Verification: Check GPO application on client computers:

# Run on client computer to verify GPO settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkFolders" -ErrorAction SilentlyContinue

# Force Group Policy update
gpupdate /force
07

Configure Client Workstations for Work Folders Synchronization

Set up Work Folders on Windows 10/11 client workstations to enable secure file synchronization. This can be done manually or automatically through Group Policy deployment.

For manual setup, open Control PanelWork Folders on the client computer. Click Set up Work Folders and enter the server URL.

Alternatively, use PowerShell to configure Work Folders programmatically:

# Configure Work Folders on client (run as administrator)
$workFoldersUrl = "https://workfolders.contoso.com/WorkFolders"
$localPath = "$env:USERPROFILE\Work Folders"

# Register Work Folders
Register-SyncShare -SyncShareUrl $workFoldersUrl -LocalPath $localPath

For bulk deployment, create a PowerShell script that can be deployed via Group Policy or SCCM:

# WorkFolders-Setup.ps1
param(
    [string]$ServerUrl = "https://workfolders.contoso.com/WorkFolders",
    [string]$LocalPath = "$env:USERPROFILE\Work Folders"
)

try {
    # Check if Work Folders is already configured
    $existingSync = Get-SyncShare -ErrorAction SilentlyContinue
    
    if (-not $existingSync) {
        Write-Host "Configuring Work Folders..."
        Register-SyncShare -SyncShareUrl $ServerUrl -LocalPath $LocalPath
        Write-Host "Work Folders configured successfully"
    } else {
        Write-Host "Work Folders already configured"
    }
} catch {
    Write-Error "Failed to configure Work Folders: $($_.Exception.Message)"
}

Monitor synchronization status on client computers:

# Check Work Folders sync status
Get-SyncShare | Select-Object SyncShareUrl, LocalPath, SyncStatus, LastSyncTime

# View sync statistics
Get-SyncStatistics

The default local synchronization folder is %USERPROFILE%\Work Folders. Users can access their synchronized files through File Explorer or by navigating to this location.

Warning: Ensure client computers have sufficient local storage for synchronized files. Work Folders will fail to sync if the local drive runs out of space.

Verification: Test file synchronization between server and client:

# Create test file on client
New-Item -Path "$env:USERPROFILE\Work Folders\test-sync.txt" -ItemType File -Value "Test synchronization"

# Force immediate sync
Invoke-SyncShareSync

# Check sync status
Get-SyncShare | Select-Object SyncStatus, LastSyncTime
08

Monitor and Troubleshoot Work Folders Synchronization

Implement monitoring and troubleshooting procedures to maintain reliable Work Folders operation. Regular monitoring helps identify issues before they impact users.

Check the Work Folders service status and restart if necessary:

# Check service status
Get-Service -Name "WSSCSVC" | Select-Object Name, Status, StartType

# Restart the service if needed
Restart-Service -Name "WSSCSVC" -Force

# Set service to automatic startup
Set-Service -Name "WSSCSVC" -StartupType Automatic

Monitor sync share health and user activity:

# View all sync shares and their status
Get-SyncShare | Select-Object Name, Path, User, Enabled, RequireEncryption

# Check user sync statistics
Get-SyncUserSettings | Select-Object User, LastSyncTime, SyncStatus, UsedStorageGB

# View sync share events
Get-WinEvent -LogName "Microsoft-Windows-SyncShare/Operational" -MaxEvents 50 | Select-Object TimeCreated, LevelDisplayName, Message

Common troubleshooting commands for client-side issues:

# Reset Work Folders on client (run as administrator)
Unregister-SyncShare -Force
Register-SyncShare -SyncShareUrl "https://workfolders.contoso.com/WorkFolders"

# Clear Work Folders cache
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WorkFolders\*" -Recurse -Force

# Check client-side sync logs
Get-WinEvent -LogName "Microsoft-Windows-WorkFolders/Operational" -MaxEvents 20

Set up automated monitoring with PowerShell scripts:

# WorkFolders-Monitor.ps1
$shares = Get-SyncShare
$issues = @()

foreach ($share in $shares) {
    if (-not $share.Enabled) {
        $issues += "Share '$($share.Name)' is disabled"
    }
    
    $users = Get-SyncUserSettings -SyncShare $share.Name
    foreach ($user in $users) {
        if ($user.SyncStatus -ne "Success") {
            $issues += "User '$($user.User)' sync status: $($user.SyncStatus)"
        }
    }
}

if ($issues.Count -gt 0) {
    Write-Warning "Work Folders issues detected:"
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All Work Folders shares are healthy" -ForegroundColor Green
}
Pro tip: Schedule the monitoring script to run every 15 minutes using Task Scheduler. Set up email alerts for critical issues to ensure rapid response to synchronization problems.

Verification: Test the complete synchronization workflow:

# Comprehensive health check
Get-Service WSSCSVC | Select-Object Status
Get-SyncShare | Select-Object Name, Enabled
Test-NetConnection -ComputerName "workfolders.contoso.com" -Port 443

Frequently Asked Questions

What are the system requirements for Work Folders on Windows Server 2025?+
Work Folders requires a domain-joined Windows Server 2025 (Standard or Datacenter edition) with the File and Storage Services role installed. You need an NTFS volume for storage, SSL certificate for HTTPS, and client computers running Windows 8.1 or later. Active Directory integration is mandatory for user authentication and policy management.
Can Work Folders sync files when users are offline?+
Yes, Work Folders maintains a local copy of synchronized files on each client device, allowing users to access and modify files while offline. Changes are automatically synchronized when the device reconnects to the network. The offline files are stored in the user's profile under the Work Folders directory and remain accessible through File Explorer.
How do I troubleshoot Work Folders synchronization failures?+
Common sync issues include certificate problems, network connectivity, and quota exceeded errors. Check the Windows Sync Share Services (WSSCSVC) service status, verify HTTPS certificate binding, and review event logs in Microsoft-Windows-SyncShare/Operational. Use PowerShell commands like Get-SyncShare and Get-SyncUserSettings to diagnose specific user or share issues.
What's the difference between Work Folders and traditional file shares?+
Work Folders provides automatic bidirectional synchronization, offline access, and device-specific security policies, while traditional file shares require constant network connectivity. Work Folders also includes built-in encryption, quota management, and mobile device support. However, traditional shares offer broader application compatibility and don't require local storage on client devices.
Can I migrate existing file server data to Work Folders?+
Yes, you can migrate existing data by copying files to the Work Folders sync share directory and setting appropriate NTFS permissions. Use robocopy or PowerShell to preserve file attributes and timestamps. Plan the migration carefully considering user quotas, folder structure, and initial sync time. Consider migrating in phases to minimize network impact and user disruption.
Tags
#windows-server#file-synchronization#active-directory

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Block Soft and Hard Match in Microsoft Entra ID for Enhanced Security
tutorial
Cybersecurity

How to Block Soft and Hard Match in Microsoft Entra ID for Enhanced Security

Deep Dive
How to Configure Secure File Sync with Work Folders on Windows Server 2025
tutorial
Networking

How to Configure Secure File Sync with Work Folders on Windows Server 2025

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account