How to deploy Work Folders with Windows Server 2019

What if your organization is not using Microsoft OneDrive (yet) and you want to give users access from BYOD devices to corporate files that are stored on-premises on a file server? And what if you also want to stay in control of the corporate data and enforce device policies such as encryption and screen lock settings? In that case Work Folders can be a good solution for you.

In this blog I will show you step-by-step how to deploy Work Folders on Windows Server 2019.

My environment

Before we start, let me tell you some more about my test/demo environment. I have a new Windows Server 2019 (EMSFile01) with the File Server role installed and configured on it. The IP address of this server is I also have a freshly installed Windows 10 device that I will use to test the results of the configuration in this blog.

The internal domain of this test environment is a “.local” domain. The external domain name is a “.nl” domain. On the internal DNS servers, there is also a DNS zone for the external domain. All test users have a primary UPN prefix of the external domain name. I have a wildcard certificate available for the external domain that I will use for the Work Folders server.

All devices are joined to the local domain (remote access will be covered in the next blog).

In this blog

I will cover the following steps in this blog:

  1. Create a DNS record for the Work Folders
  2. Install the Work Folders server role
  3. Install and configure the SSL Certificate
  4. Configure the Work Folders server
  5. Testing the results

Step 1 : Create a DNS record for the Work Folders

To use Autodiscover for Work Folders during the Work Folders setup on a client device, a DNS record must exist. If the DNS record exists within the domain, a user can set up Work Folders based on his/her email address / UPN.

To add the correct DNS record, log in to a domain controller and open the DNS Manager.

Add a new A record for the relevant domain and fill in the following information:

Name : workfolders (otherwise Autodiscover will not work!)
IP address : The IP address of the server you will use as the Work Folders server

Click Add Host

Note: If you have different internal and external domain names, you can add the DNS record for both domains so users can set up Work Folders with both UPN prefixes.

Click OK

Step 2 : Install the Work Folders server role

In the following steps I will install the Work Folders server role. I will also install the IIS role. IIS is not a requirement for Work Folders; it is just an easy way for me to install the SSL certificate. For the following steps, log in to the newly installed server and start the Server Manager.

Click Add roles and features

Select Role-based or feature-based installation and click Next

Make sure that the local server is selected and click Next

Expand Files and Storage Services > File and iSCSI Services and select Work Folders

Click Add Features

Scroll down and select Web Server (IIS) (once again, this one is optional)

Click Add Features

Click Next

Click Next

Click Next

Leave everything default and click Next

Click Install

Click Close

Step 3 : Install and configure the SSL Certificate

In the first step we created a DNS record. To secure the connection between the Work Folders server and the clients, we need an SSL certificate. In this case I will import an SSL certificate I already have (a wildcard certificate). You can also request a new certificate, but I will not cover the steps to do that in this blog.

In the next few steps, I will show you how to configure an existing SSL certificate for use with the Work Folders server. There are several ways to do this; I will do it via IIS, as you can see in the steps below.

Open the Internet Information Services (IIS) Manager and select the server name. From the Home blade open Server Certificates.

At the right click Import

Browse to your certificate file, fill in the password and click OK

The certificate will now be displayed.

Open the Default Web Site, at the right click Bindings

Click Add…

Fill in the following information:

Type : https
IP address : All Unassigned
Port : 443
Host name : workfolders.<domain name>
SSL certificate : select the just imported SSL certificate

Click OK

Click Close

On the Default Web Site blade, click Stop at the right. IIS was only needed to bind the certificate, so the site itself does not have to run.
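
A check to run on the Work Folders server after the steps above, as an added example that is not part of the original post: it confirms that a certificate in the machine store covers the workfolders host name, holds its private key and is inside its validity period, and that http.sys still lists it after the site is stopped. The host name workfolders.example.nl is a placeholder.

```powershell
# Added example, not from the post. The host name is a placeholder.
$HostName = 'workfolders.example.nl'

function Test-CertCoversHost {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )
    foreach ($name in $Certificate.DnsNameList.Unicode) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.example.nl matches
            # workfolders.example.nl but not workfolders.corp.example.nl.
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Check every certificate in the machine store against the binding's needs.
$now = Get-Date
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        CoversHost    = Test-CertCoversHost -Certificate $_ -HostName $HostName
        HasPrivateKey = $_.HasPrivateKey
        ValidNow      = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
        DaysLeft      = [int](($_.NotAfter - $now).TotalDays)
    }
}
$report | Format-Table -AutoSize

$usable = @($report | Where-Object { $_.CoversHost -and $_.HasPrivateKey -and $_.ValidNow })
if (-not $usable) { Write-Warning "No usable certificate for $HostName in LocalMachine\My" }

# The certificate binding is held by http.sys, so it should still be listed
# after the IIS site is stopped.
$bindings = netsh http show sslcert | Out-String
foreach ($c in $usable) {
    $state = if ($bindings -match $c.Thumbprint) { 'bound' } else { 'not bound' }
    '{0}: {1}, {2} days left' -f $c.Thumbprint, $state, $c.DaysLeft
}
```

If you added DNS records for both the internal and the external domain in step 1, run the check once per host name: a wildcard for the external domain does not cover the internal one.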

Step 4 : Configure the Work Folders server

Log in to the server where the Work Folders role is installed. I will create a new folder for the Work Folders first.

On the E drive of my server I will create a new folder in the root with the name WorkFolders.

Now we need to add folder permissions for users to this folder. A best practice is to create an AD security group for the Work Folders users, but for this demo I will give the Domain Users group the Full control permission.

Open the Server Manager and click File and Storage Services

Click Work Folders

At the right, click TASKS and New Sync Share…

Click Next

Select Enter a local path and click Browse…

Select the E:\workfolders folder and click Next

Select User alias@domain if you want to make Work Folders available for different domains and click Next.

Give the sync share a name and click Next

Click Add to grant sync access to the users

In this demo I will add the Domain Users group, but a best practice is to have a separate security group for it. Click Next.

Here you have the option to apply device policies, such as encrypting Work Folders on the client and enforcing a lock screen and password policy. For this demo I do not enforce device policies. Click Next.

Click Create

Click Close
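
The same sync share created from PowerShell with the best-practice choices the demo skips (a dedicated security group and both device policies), followed by an audit of the existing shares. This is an added example, not the author's script; the share name and group name are hypothetical, and the audit assumes English built-in group names.

```powershell
# Added example, not from the post. Run on the Work Folders server with the
# ActiveDirectory module installed. Hypothetical names are marked.
$SharePath = 'E:\WorkFolders'         # folder created in the post
$ShareName = 'WorkFolders'            # hypothetical sync share name
$Group     = 'WorkFolders-Users'      # hypothetical dedicated AD group

if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

if (-not (Get-SyncShare | Where-Object Name -eq $ShareName)) {
    New-SyncShare -Name $ShareName -Path $SharePath `
        -User "${env:USERDOMAIN}\$Group" `
        -UserFolderName '[user]@[domain]' `
        -RequireEncryption $true `
        -RequirePasswordAutoLock $true
}

# Report the demo shortcuts on every sync share. Group names are matched in
# English; adjust the pattern on a localized domain.
$broad = 'Domain Users|Authenticated Users|Everyone'
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-SyncShareFinding {
    foreach ($share in Get-SyncShare) {
        $findings = @()
        if (-not $share.RequireEncryption)       { $findings += 'encryption not required' }
        if (-not $share.RequirePasswordAutoLock) { $findings += 'lock screen and password not required' }
        if (($share.User -join ';') -match $broad) { $findings += 'sync access for a broad group' }
        $wide = (Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match $broad -and
            $_.FileSystemRights.HasFlag($full)
        }
        if ($wide) { $findings += 'Full control for a broad group on the share root' }
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            Findings = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}
Get-SyncShareFinding | Format-List
```

A share built exactly as in the demo above would report all four findings.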

Step 5 : Testing the results

In this final part I will test the results on a freshly installed Windows 10 machine.

On a Windows device, search for Work Folders

Click Set up Work Folders

Fill in the user’s email address (you must have created the DNS record for that domain as described in step one of this blog). Click Next

Select whether files need to be available on-demand or not (if not selected, all files will be downloaded to the client). In this case I will not enable on-demand file access. Click Next

Select I accept these policies on my PC and click Set up Work Folders

Click Close

I have copied some files into the Work Folders and, as you can see in the Status column, all the files are synced with the Work Folders server.

You can also check the status here: Control Panel > System and Security > Work Folders

On the Work Folders server you can see that there is now a subfolder named username@domain containing the user's files.



  • Hi,

    How can I transfer files from smb share to the workfolder?
    Only copy and paste, or can I sync workfolder to smb share folder?
    Or must I use third party tools for syncing these two folders, to obtain the correct version on both sides?

    Thanks and Best regards
    Matthias Keller

      • Thanks for your reply.
        Ok, for example to understood for me.
        I copy the files from my SMB Share from my Fileserver to the Workfolder.
        We used One Note Files on the SMB Share for Secretary and Human Resources.
        When I copy those Excel files to the workfolder, and changed anything in this One Note file on, what happens then, the file will be automatically transferred back from my workfolder to the SMB Share.
        What happens when the files on my workfolder and on the share have different size?
        Sorry for the many questions.

        Best Regards
        Matthias Keller

  • Hi,

    1) Is workfolders create folder on client computers when I created team folder shared on server for users?

    2) Is workfolder running on like Onedrive? Sync files and folders instantly?

    3) Can users check their files on their browsers like onedrive?


    • Hi Mustafa, if you are using OneDrive, then use OneDrive instead of Work Folders. Work Folders do sync files and folders like OneDrive, but has no web interface and has no team folders support. Work Folders are stored on-premises on a file server and not in the cloud like OneDrive.

  • Hi Robin,
    Did you try to use policies and redirect your known folders to the local Work Folders? There seem to be issues when using server2019, workfolders, win10 1903 and redirecting document folders.

About Robin Hobo

I am a Technology Specialist Cloud Endpoint working for Microsoft. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.
