Troubleshooting Work Folders on Windows client

Published Apr 10 2019 04:05 AM 10.7K Views
First published on TECHNET on Jan 06, 2016
Work Folders syncs files between client and server. Although most issues are discovered by users, it could be root caused on the server, the client or the network. This blog post shares the most common problems customers have reported, and some troubleshooting techniques on Windows devices.


When user setup Work Folders using Control panel app, any issues encountered will be shown in the UI. Some common issues are:

  • Work Folders path cannot be encrypted : If the admin requires the files to be encrypted on the client, Work Folders will try to encrypt the folder created. If the encryption fails, user will see the failure, and ask to use a different path. A few examples:

    • If the folder handle is opened, encryption will fail.

    • If the folder is on a USB drive, and the drive is not supporting encryption.

    • There is an existing Work Folders folder, and the folder is encrypted by other keys.

    • If the device is domain joined, you may also search (then fix) expired/revoked certificate in the “Default Domain Policy”, that can prevent encryption on the client.

  • Password enforcement failure : Password policy is also an admin configuration on the server, and enforced on the client. User must be an admin on the client machine to enforce the policy.

    • However, it is not common that user has local admin right for domain managed machines. To exempt password policy on domain devices, admin must configure the domains to be excluded, by using Set-SyncShare cmdlet, and specify PasswordAutolockExcludeDomain list. For example:

Set-SyncShare <share name> -PasswordAutolockExcludeDomain <domain list>

    • Password enforcement is done by the using the EAS engine in Windows. It requires that user can change password on the device. In Windows 10, EAS engine has change such that all users (including local user accounts) on that device can change password. You can find more details here (note that the MailApp also uses the EAS engine to enforce password)

  • Access Denied :

    • Mirrored account: This usually happens in testing, when the device is connected to the corpnet, and logged on with a local account, and there is a domain account for the same user name as the local account. Windows may try to use NTLM to authenticate, and didn’t prompt for domain user credential (note, if you logged on as device local account, you should get prompt for domain credentials). In this case, setup will fail.

    • Windows 10 specific: This issue existed in some pre-release versions of Windows 10 and version 1507, it is fixed in the Windows 10 version 1511 release. In some setup, the following regkey is missing: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager. There is no good workaround for this, please use version 1511 or later which has the fix.


Both Encryption and Password enforcement error described above can happen during sync, if the admin turns on the policy after user already setup the Work Folders. On each sync, the client will check for policy change, and apply if necessary.

For client errors, it’s always good to start with the message displayed in the Control panel. List below describe some common errors showing on the client:

  • Require credential : this is more common if the admin configured ADFS for authentication. The frequency for the user to re-enter credential is defined by the ADFS token lifetime. The configuration is in ADFS. On Windows 8.1 or below, if the device is WorkPlace joined, token lifetime is 7 days by default. On Windows 10, it extends to 42 days. For non-Workplace joined devices, token lifetime is 8 hours.

  • Key revoked : This happens when the encryption key was revoked by either the admin or user themselves. There are multiple ways can trigger the key revocation.

    • Admin chooses to wipe a device.

    • User removes the device from Intune management (or other MDM app if it is supported for key revocation)

    • User removes corporate email account on the device.

    • Work Folders is configured on an external drive, and the drive is connected to a different machine. The encryption key is tied to a device, when the folder is configured on one device, you can’t simply move it to another device to read it.

    • PC refresh: If the device is clean installed, the encryption key will be deleted. That will result the data unable to be decrypted.

  • Conflict files : When the same file is getting modified on different devices, at the next sync time, conflict file will be generated. Work Folders determines a winner file by the last write timestamp. The winner file keeps the file name; the loser file will get renamed by appending a device name to the file name, the device name indicates where the conflict was created. Some known examples:

    • If user has changed file on one device without closing it, the file will not sync to the server, user goes to another device change the file. When both files are closed then synced, there will be conflict.

    • IE favorites: IE changes the favorite links periodically, although there is not content change, sync will detect the change, and create conflict. In Windows 10, Work Folders has optimized this by comparing content. If the file is truly identical, it will not generate conflict.

    • Server data restore: if the server lost the sync metadata database, client and server will need to compare the file sets to determine what to sync. During this reconciliation process, any differences found between the client and the server will generate conflicts.

  • File types excluded from sync : Work Folders tries to optimize sync by excluding temp files and a few files specific to the device itself. The files which are excluded from sync: thumbs.db, desktop.ini and temp files (most temp files seen by Work Folders are from Office applications).

Client upgrade

Upgrade from Windows 7 to Windows 10, ensure the Windows 7 client has KB 3081954 is installed, otherwise, the device will lose the sync partnership to the server after upgrade. User will not be notified for any errors (since Work Folders will be shown as not installed on the device). If the user didn’t have the KB installed before the upgrade, he/she will need to re-configure Work Folders after upgrade.

From Windows 8.1 to Windows 10 upgrade, if the upgrade is done using USMT, the Work Folders link in File Explorer may not work after the upgrade. To fix this, user needs to simply open the control panel -> Work Folders, this action triggers the service to reload the partnership, and fix the link of the Work Folders path in File Explorer.

Event logs

Work Folders event logs are stored under Applications and Services -> Microsoft -> Windows -> Work Folders . The logs under Operational folder should be examined. ManagementAgent logs are used to show notification center, which can be ignored.


If the problem is not covered in any of the above or resources below, you will need to contact Microsoft CSS, who can guide you to capture the debug traces for further investigation.


The Technet wiki is also getting updated periodically when issues are reported:

If you want to learn more about Work Folders, I’d recommend the list of the blogs:

There are also good technet articles on Work Folders here:

Version history
Last update:
‎Apr 10 2019 04:05 AM
Updated by: