To deploy Work Folders, you add the File And Storage Services \ Work Folders role to a file server, and then configure Work Folders by using Server Manager. Afterward, you can use policy settings to control related options, such as the server to which users can connect remotely and access Work Folders. You control the connection server in one of two ways:
■ By specifying the exact URL of a file server hosting the Work Folders for the user, such as https://server29.cpandl.com
■ By specifying the URL used within your organization for Work Folders discovery, such as https://workfolders.cpandl.com
REAL WORLD Clients use secure encrypted communications to connect to Work Folders as long as the file servers hosting the Work Folders have valid SSL certificates. When a device initiates an SSL connection, the server sends the certificate to the client. The client evaluates the certificate and continues only if the certificate is valid and can be trusted. If you configure a connection to an exact URL, the client can connect directly to the specified server and synchronize data in Work Folders. The server’s certificate must have a Common Name (CN) or a Subject Alternative Name (SAN) that matches the host header in the request. For example, if the client makes a request to https://server18.cpandl.com, the CN or SAN must be server18.cpandl.com.
In Group Policy, you specify the URL used within your organization for Work Folders discovery by using the Specify Work Folders Settings policy found under Administrative Templates policies for User Configuration\Windows Components\Work Folders. Any server configured with Work Folders acts as a discovery server by default. If you configure a discovery URL, a client connects to one of several servers, and the email address of the user is used to discover which specific server hosts the Work Folders for the client. The client is then connected to this server. Each discovery server will need to have a certificate with multiple Subject Alternative Names, which include the server name and the discovery name. For example, if a client makes a request to https://workfolders.cpandl.com and connects to FileServer11.cpandl.com, the server’s certificate must have a CN or SAN of fileserver11.cpandl.com and a SAN of workfolders.cpandl.com.
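The name requirements above can be checked against a certificate's CN and SAN entries before the certificate is deployed. The following PowerShell is an added example, not code from the original text: the function names are hypothetical, the certificate name lists are constructed from the host names used above, and the wildcard handling goes beyond the exact-match cases the text describes.

```powershell
# Added example: check that the names on a Work Folders server certificate
# cover every host name a client will request. All name lists are constructed.

function Test-CertNameMatch {
    # True if one certificate name (CN or SAN entry) covers the requested host.
    param([string]$CertName, [string]$HostName)
    # DNS names compare case-insensitively; ignore a trailing root dot.
    $c = $CertName.Trim().TrimEnd('.').ToLowerInvariant()
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($c -eq $h) { return $true }
    # A wildcard covers exactly one left-most label: *.cpandl.com matches
    # server18.cpandl.com but not a.b.cpandl.com or cpandl.com itself.
    if ($c.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        return ($dot -gt 0) -and ($h.Substring($dot) -eq $c.Substring(1))
    }
    return $false
}

function Get-UncoveredHostName {
    # Returns the required host names that no certificate name covers.
    param([string[]]$CertNames, [string[]]$RequiredHosts)
    foreach ($h in $RequiredHosts) {
        $covered = $false
        foreach ($c in $CertNames) {
            if (Test-CertNameMatch -CertName $c -HostName $h) { $covered = $true; break }
        }
        if (-not $covered) { $h }
    }
}

# Discovery scenario from the text: the client requests the discovery name
# and is then connected to the server that hosts its Work Folders.
$discoveryHosts = 'workfolders.cpandl.com', 'FileServer11.cpandl.com'

# Weak: the certificate names only the server, so the discovery name is uncovered.
$serverOnly = @('fileserver11.cpandl.com')
# Corrected: the server name plus the discovery name as an additional SAN.
$serverAndDiscovery = @('fileserver11.cpandl.com', 'workfolders.cpandl.com')

$missing = @(Get-UncoveredHostName -CertNames $serverOnly -RequiredHosts $discoveryHosts)
"Server-only certificate, uncovered names: $($missing -join ', ')"
$missing = @(Get-UncoveredHostName -CertNames $serverAndDiscovery -RequiredHosts $discoveryHosts)
"Server + discovery certificate, uncovered count: $($missing.Count)"
```

For the exact-URL configuration, pass only the server's own host name as the required host.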
If you want to configure Work Folders in Group Policy, use the following technique:
1. Access Group Policy for the system, site, domain, or OU with which you want to work. Next, access the Work Folders node by using the Administrative Templates policies for User Configuration under Windows Components\Work Folders.
2. Double-tap or double-click Specify Work Folders Settings, and then select Enabled.
3. In the Work Folders URL text box, enter the URL of the file server that hosts the Work Folders for the user or the URL used within your organization for Work Folders discovery.
4. If you want to prevent users from changing settings when setting up Work Folders, select Force Automatic Setup.
5. Tap or click OK.
Automatically enrolling computer and user certificates
A server designated as a certificate authority (CA) is responsible for issuing digital certificates and managing certificate revocation lists (CRLs). Servers running Windows Server can be configured as certificate authorities by installing Active Directory Certificate Services. Computers and users can use certificates for authentication and encryption.
In an enterprise configuration, enterprise CAs are used for automatic enrollment. This means authorized users and computers can request a certificate, and the certificate authority can automatically process the certificate request so that the users and computers can immediately install the certificate.
Group Policy controls the way automatic enrollment works. When you install enterprise CAs, automatic enrollment policies for users and computers are enabled automatically. The policy for computer certificate enrollment is Certificate Services Client-Auto-Enrollment Settings under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. The policy for user certificate enrollment is Certificate Services Client-Auto-Enrollment under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
You can configure automatic enrollment by following these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies or Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies as appropriate for the type of policy you want to review.
3. Double-tap or double-click Certificate Services Client-Auto-Enrollment. To disable automatic enrollment, select Disabled from the Configuration Model list, tap or click OK, and then skip the remaining steps in this procedure. To enable automatic enrollment, select Enabled from the Configuration Model list.
4. To automatically renew expired certificates, update pending certificates, and remove revoked certificates, select the related check box.
5. To ensure that the latest versions of certificate templates are requested and used, select the Update Certificates That Use Certificate Templates check box.
6. To notify users when a certificate is about to expire, specify when notifications are sent using the box provided. By default, notifications are sent when 10 percent of the certificate lifetime remains.
7. Tap or click OK to save your settings.
Managing Automatic Updates in Group Policy
Automatic Updates help you keep the operating system up to date. Although you can configure Automatic Updates on a per-computer basis, you’ll typically want to configure this feature for all users and computers that process a GPO. This is a much more efficient management technique.
Note that by default, Windows 8.1 and Windows Server 2012 R2 use Windows Update to download Windows Components in addition to binaries for roles, role services, and features. If the Windows diagnostics framework detects that a Windows component needs to be repaired, Windows uses Windows Update to download the component. If an administrator is trying to install a role, role service, or feature and the payload is missing, Windows uses Windows Update to download the related binaries.
Configuring Automatic Updates
When you manage Automatic Updates through Group Policy, you can set the update configuration to any of the following options:
■ Auto Download And Schedule The Install: Updates are automatically downloaded and installed according to a schedule you specify. When updates have been downloaded, the operating system notifies the user so that she can review the updates that are scheduled to be installed. The user can install the updates at that time or wait for the scheduled installation time.
■ Auto Download And Notify For Install: The operating system retrieves all updates as they become available, and then prompts the user when they’re ready to be installed. The user can then accept or reject the updates. Accepted updates are installed. Rejected updates aren’t installed but remain on the system, where they can be installed at a later date.