Overview
When we introduced Work Folders in Windows Server 2012 R2, we included support for PCs running Windows 8.1 and Windows RT 8.1. However, we knew that we needed to continue releasing support for other clients, and the number one request was to support the large number of enterprise deployments of Windows 7.
We heard the feedback and we are excited to announce that we have just released the packages of Work Folders for Windows 7 on the Download Center! There are 2 packages:
This blog post will focus specifically on the differences between Work Folders on Windows 7 and Windows 8.1 as well as deployment considerations. You can find more general information on Work Folders here in the Work Folders Overview
What’s the difference between the Windows 7 and Windows 8.1 releases?
Windows 7 is still our most widely deployed operating system, especially in the enterprise, which is the group of customers who have been most interested in Work Folders support on Windows 7. So we created this release focusing on our enterprise customers.
Supported Windows Editions
Given the enterprise focus, the Work Folders for Windows 7 package can be installed only on PCs running the following editions of Windows 7:
- Windows 7 Professional
- Windows 7 Enterprise
- Windows 7 Ultimate
This package can be installed only on these editions of Windows 7, no other operating system is supported by this package. The package also requires Windows 7 Service Pack 1.
For home users with Windows 7 PCs, we recommend upgrading to Windows 8.1.
Setup
To set up Work Folders on Windows 7, the client PC must be joined to your organization’s domain. If not, Setup will fail with the following error:
Policy enforcement
Work Folders provides two device policies that administrators can control. The policies are enforced on the Windows 8.1 clients before data sync is allowed:
- Encrypt Work Folders All the Work Folders data on a user’s PC will be encrypted using the Windows 8.1 Selective Wipe technology
- Automatically lock screen, and require a password Applies the following three policies to a user’s PC:
- Password minimum length is 6 characters
- Device idle auto lock is 15 minutes or less
- Logon retry is set to 10 or less
The policy settings are not configurable, and they are enforced on the devices running with Windows 8.1 through the EAS Engine.
Work Folders on Windows 7 can’t enforce the lock screen and password policy due to missing feature (EAS Engine) support in the operating system. This can be easily mitigated with Group Policy to enforce password policies on their domain-joined PCs. Since Work Folders on Windows 7 is supported only on domain-joined PCs, you (as the admin) still have control over the password policies of all your Work Folders users.
You should continue using Group Policy to manage password policies for all the domain-joined PCs. For PCs and devices that aren’t joined to a domain (Windows 8.1 devices only), Work Folders will enforce its password policy as set on each sync share.
To do so, you’ll need to run the Set-SyncSharecmdlet to add the domain in which all of your Windows 7 PC computer accounts are located to a domain-exclusion list. We describe how to do that in the Server Configuration section below.
If you use the Work Folders password policy but do not configure the excluded domain list on the server, the user will see the following error during Work Folders setup:
Encryption is different on Windows 7, as the Windows 8.1 Work Folders encryption mechanism (selective wipe) is not available. On Windows 7, the files in Work Folders are encrypted using EFS, which does not have remote wipe capability.
Status notification area of the taskbar
On Windows 8.1 clients, users can view the sync status in the File Explorer status bar, and are notified of sync issues through the Action Center. On Windows 7, Work Folders can’t integrate into Windows Explorer and the Action Center, so we added a Work Folders icon to the notification area of the taskbar.
The Work Folders taskbar icon shows sync status, and also a convenient menu option to open Work Folders in Windows Explorer. The icon by default will only show notifications, and is not present on the taskbar. A user can choose to always show the icon by opening Control Panel, searching for “notification” and then using the Notification Area Icons Control Panel item, as shown below.
Server configurations
As mentioned above in the Policy enforcement section, if the administrator wants to enforce Work Folders password policies on Windows 7 PCs, the computer accounts must be in an excluded domain list. An administrator can configure the excluded domain list by using the following cmdlet:
Set-SyncShare <share name> -PasswordAutolockExcludeDomain <domain list>
For example, you can use the following cmdlet to exempt all computer accounts (this doesn’t apply to user accounts) of the contoso.com domain from the Work Folders password policy for the FinShare sync share:
Set-SyncShare FinShare -PasswordAutolockExcludeDomain “Contoso.com”
In this example, PCs in the Contoso.com domain (running Windows 7 or Windows 8.1) receive password policies from Group Policy – not from Work Folders because the domain is excluded from the Work Folders PasswordAutolock policy. Windows 8.1 PCs that aren’t joined to the domain receive Work Folders password policies, if set on the sync share – not from Group Policy because Group Policy applies only to domain-joined PCs.
Each user can be given permission to sync with a single sync share, though they can have a mix of Windows 8.1 and Windows 7 PCs that sync with this share.
Upgrade or migration
When it is the time to upgrade or migrate a Windows 7 PC to a newer version, the expected behavior is listed below:
- Windows 7 -> Windows 8: Sync will stop, and the Work Folders Control Panel item will show “Can’t use Work Folders on this version of Windows” since there is no Work Folders support on Windows 8. Ideally, the user would install the Windows 8.1 update, and then set up Work Folders again.
- Windows 7 -> Windows 8 -> Windows 8.1: User needs to set up Work Folders again. If data is migrated, see the Known Issues section of this document.
- Windows 7 -> Windows 8.1: User needs to set up Work Folders again. If data is migrated, see the Known Issues section of this document.
- Windows 7 -> Windows 8.1 using User State Migration Toolkit (USMT), the expected user experience will be:
- Work Folders partnership configuration will be migrated.
- Work Folders data will not be migrated. (i.e. no files that have yet to be synced are migrated to the new client)
- Work Folders is shown in File Explorer under Favorites, but isn’t listed under “This PC” as is the case when setting up the Work Folders partnership on Windows 8.1.
- The Work Folders configuration is migrated, and files are synced from the sync server after the user signs on.
Known issues
- In the case where the user upgrades from Windows 7 to Windows 8.1, and the data is migrated without the partnership information, if the local folder storing Work Folders (by default, C:\Users\<username>\Work Folders) was encrypted on Windows 7, the same path can’t be used again on the Windows 8.1. This is because the different encryption mechanisms used on Windows 7 and Windows 8.1. There are two workarounds:
- The user can open File Explorer in Windows 8.1, right click the folder storing Work Folders and then click Properties. Click Advanced, and then clear the “Encrypt contents to secure data” checkbox. Click OK, and then click “Apply changes to this folder, subfolders, and files”.
- The user can choose a different path for the Work Folders, and optionally delete the old folder. The user must make sure all the content has synced to the server before removing the old Work Folders path.
- If your environment requires Active Directory Federation Services (AD FS) and uses form-based authentication, the client PCs must use Internet Explorer 9, 10 or 11. There is an issue with Internet Explorer 8, where the user can’t authenticate against the server.
- If your environment uses IPSec, see Knowledge Base article 2665206. Without this hotfix, Work Folders client might experience slow sync performance in some environments that use IPSec.
- If you are configuring Work Folders by using Group Policy, the Work Folders Group Policy template is included with Windows Server 2012 R2. Although the description text indicates that it only applies to Windows 8.1 PCs, the policy settings can also configure Windows 7 PCs that have Work Folders installed.
- On Windows 7, the Work Folders shortcut is added to the user’s Favorites folder in Windows Explorer. If the Favorites folder is redirected to a network share, the shortcut for Work Folders will not be present. This is because the Work Folders path is local to a client machine, so the shortcut may not have any meaning on other client machines when presented through a network share.
- If the user migrates from Windows 7 to Windows 8.1 using USMT, and chooses to migrate the settings (which includes the user partnership), the Work Folders data will not be migrated. After user logs on the new machine, the partnership will be established, and data will synced down to the machine. The shell namespace under “This PC” for Work Folders is not created. To get the shell namespace under “This PC” for work folders, you can simply click “Stop Work Folders” in the Work Folders Control Panel, and then set up Work Folders again. This will allow the namespace to be created as part of the partnership creation.
- If the client has installed a localized (non-English) version of the Work Folders, after migration, the Work Folders shortcut under the favorite folder will be shown as English.
So that’s our Windows 7 app for Work Folders. Let us know what you think, and we’ll keep working on clients for other popular platforms and update when they’re ready.
Thanks,
Jian Yan and the Windows 7 Work Folders team