What are Workfolders?
Workfolders is a new feature of Windows Server 2012 R2 that works in a similar way to well-known applications such as Dropbox and OneDrive, and is designed to replace or work alongside the older 'offline files' seen in previous versions of Windows Server. Users have their own area on the server, similar to the old style 'home folders', and access is restricted to the specific user and administrators if required.
You can create a group of users or allow everyone to connect to the Workfolder server, and also set quotas on their folders to ensure running out of space is not an issue.
Initially it was designed to work only with Windows 8.1 machines, but if you wanted to take advantage of Workfolders and use them on your production servers, not only would you need to have a 2012 R2 server but you would also need to upgrade all the client machines which could prove costly.
However, Microsoft have now released an update package for Windows 7 clients which adds the necessary feature set and allows Windows 7 clients to connect to Workfolders on a 2012 R2 server.
There are, however, some differences between the way Windows 8 and Windows 7 interact with the feature, and also some issues you could encounter by enabling Workfolders on your server.
Why would you use the Workfolders feature?
Imagine this scenario:
You spend your day working on an Excel spreadsheet compiling your monthly figures, but distractions in the office are slowing you down. You decide that working from home would help you to concentrate and get more done, but you only have a desktop machine in the office so can't use offline files and take it away on a laptop to work on. You also can't take the file away on USB as that would breach company security policy.
You do however have a Windows 8.1 PC at home (more on Windows 7 later) and this is where Workfolders comes in. You save the file in your Workfolder on the desktop machine at the office which then synchronises with the 2012 R2 server. You go home and fire up your home PC and connect to the company Workfolders using your company email address and domain credentials and hey presto! There is your spreadsheet. You work on it in peace and quiet, save it, and on your return to the office the next day all the changes you made to the spreadsheet at home are there. (Any changes made will synchronise with the server as soon as an internet connection is detected, so you can work offline if no internet connection is available.)
All sounds great, right?
Well yes, but there are a few things to be aware of before enabling Workfolders on your server:
Client computers must be running one of the following operating systems:
- Windows 8.1
- Windows RT 8.1
- Windows 7
Windows 7 PCs must be running one of the following editions of Windows with Service Pack 1 and the update package installed:
- Windows 7 Professional
- Windows 7 Ultimate
- Windows 7 Enterprise
Windows 7 PCs must be joined to your organisation's domain (for this reason home users are required to upgrade to Windows 8.1, or have a domain-joined laptop running one of the versions of Windows listed above).
Workfolders uses the IIS Hostable Web Core feature, which is not the same as the full IIS role. This means that you are unable to manage Workfolders through the IIS console and must use PowerShell to make configuration changes.
The Workfolders feature uses port 443 (https) and port 80 (http) by default, which will conflict with Exchange (OWA) or many other web applications you may have on your server, so you will need to change the port if 443 is already in use, or use a dedicated Workfolders server. (Tune in next time for instructions on how to do this.)
Workfolders requires an SSL certificate so that non-domain joined PCs are able to authenticate using a trusted certificate. A self-signed certificate will work but it will need to be manually installed on any device that requires a Workfolder connection.
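Before enabling the feature it is worth checking what already holds the default ports mentioned above. The following is an added example, not part of the original post; Get-WebPortListener is a hypothetical helper name, and it assumes an elevated PowerShell session on the 2012 R2 server.

```powershell
# Added example (not from the original post): show what already listens on the
# ports Workfolders uses by default. Get-WebPortListener is a hypothetical name.
function Get-WebPortListener {
    param([int[]]$Port = @(80, 443))

    # Grouping by port and PID collapses the separate IPv4 and IPv6 listeners.
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Group-Object LocalPort, OwningProcess |
        ForEach-Object {
            $c = $_.Group[0]
            $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = $c.LocalPort
                ProcessId = $c.OwningProcess
                Process   = $(if ($p) { $p.ProcessName } else { 'unknown' })
                # PID 4 (System) means the kernel HTTP driver (HTTP.sys) owns the
                # socket on behalf of IIS, Exchange OWA or another HTTP application.
                HttpSys   = ($c.OwningProcess -eq 4)
            }
        }
}

$found = @(Get-WebPortListener)
if ($found.Count -eq 0) {
    'Ports 80 and 443 are free.'
} else {
    $found | Sort-Object Port | Format-Table -AutoSize
    if ($found | Where-Object { $_.HttpSys }) {
        # List the URLs registered with HTTP.sys to see which application holds the port.
        netsh http show servicestate view=requestq | Select-String -Pattern ':(80|443)/'
    }
}
```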
So how does this comply with your company security policy?
Workfolders are stored on the file server and a copy is stored on the client machine. The copy stored locally on client machines is encrypted, meaning that it can only be viewed on devices that are authorised to do so. You can also revoke access remotely if a device is stolen to prevent data falling into the wrong hands (Windows 8.1 only): the encryption key is removed, making the files unreadable. This is by no means a simple process, so don't be fooled into thinking it's a simple click of a button!
When you configure Workfolders on a Windows 8.1 PC additional security policies will be enforced. The client PC will be configured to lock after an idle time of 15 minutes, the logon retry will be set to 10, and a minimum password length of 6 will be required if it doesn't already exist. These settings are not configurable by the user and are enforced by the Workfolders policy.
Windows 7 works slightly differently in that the Workfolders security policy cannot be enforced when configuring for Workfolders access. You need to configure the server to ignore machines on the domain where the Windows 7 machines are installed when applying the Workfolders policy (instructions in part 2). This means if you have a mix of Windows 7 and Windows 8.1 machines, you will have to manually configure these machines, or create domain policies to ensure all machines meet the requirements before Workfolders will sync.
During testing I found that users were able to right click the properties of files and folders in their Workfolders and disable encryption. This is an issue that cannot be controlled by the administrator as Workfolders can be accessed by machines not on the domain.
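Since the administrator cannot prevent this, the practical control is detection on the machines you do manage. The following is an added example, not part of the original post: a read-only audit that lists items in the sync folder that are no longer encrypted. It assumes the local copy lives in "%USERPROFILE%\Work Folders" and that its encryption shows up as the NTFS "Encrypted" file attribute; Get-UnencryptedWorkFolderItem is a hypothetical helper name.

```powershell
# Added example (not from the original post): report items in a Workfolders
# sync directory that no longer carry the NTFS "Encrypted" attribute.
# Assumptions: default folder "%USERPROFILE%\Work Folders"; pass -Path if yours differs.
function Get-UnencryptedWorkFolderItem {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Work Folders')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Sync folder not found: $Path"
        return
    }

    $flag = [int][System.IO.FileAttributes]::Encrypted

    # Include the root folder itself: new files inherit its encryption setting.
    $items = @(Get-Item -LiteralPath $Path -Force)
    $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    # Keep only the items whose attribute mask lacks the Encrypted bit.
    $items |
        Where-Object { (([int]$_.Attributes) -band $flag) -eq 0 } |
        Select-Object FullName,
            @{ Name = 'Type'; Expression = { if ($_.PSIsContainer) { 'Folder' } else { 'File' } } },
            LastWriteTime
}

# Read-only report; an empty result means every item is still encrypted.
Get-UnencryptedWorkFolderItem | Sort-Object FullName | Format-Table -AutoSize
```

Run it in the user's context, for example from a logon script on domain-joined clients, and collect the output centrally.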
Also, if your company uses a TS (or RDS server as it is now called), it is not a good idea to enable Workfolders unless you have enough space on the server for the files to be stored, or you make use of quotas to stop the server from running out of space. This only applies if you have a virtual desktop environment with Windows 7 or 8.1 clients, as Server 2012 R2 does not support Workfolders in session mode.
The reason for this is that, by default, Workfolders creates a folder in the root of the user's profile and stores the data there. You can of course set Workfolders up via Group Policy, but this does not provide the option to specify the storage location and enforces the default. You cannot use UNC paths or mapped drives as the storage location; it MUST be local to the machine. The answer to this is to configure the Workfolder location on the server to be an SMB share so that users can browse to it from the TS and drop files in there to access when out of the office. However, you need to be able to access their own folder.
Workfolders can be a great addition to your company network. If your users work on a TS (now RDS server) in a virtual desktop environment in the office you will need to plan for extra local storage and be aware that the backups of the TS will increase in size. When you have more than one TS this becomes a huge issue as the data will need to be synced across all servers, unless of course your data is stored on a SAN or if you are using another of Server 2012's new features, Shared VHDX!
In part 2 of this blog I will show you how to configure Workfolders on the server, and connect a Windows 8.1 machine and a Windows 7 PC.