How to Use Enterprise State Roaming ESR Feature for Windows Autopilot Deployment

Let’s see what the Enterprise State Roaming (ESR) feature of Azure AD is. Also, let’s go through and understand how useful the ESR feature is for Windows Autopilot deployment.

ESR gives Azure Active Directory (Azure AD) users the ability to securely synchronize their user settings and application settings data to the cloud.

It replaces older solutions such as UE-V and roaming profiles, both on-prem solutions that have been in place for many years.

Microsoft claims that Enterprise State Roaming (ESR) provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. However, the reality falls somewhat short of that.


Introduction

End-user experience is a crucial factor in modern device management. Let’s consider an Autopilot device break-fix scenario (Laptop hardware is faulty).

In this case, the user will get a new computer with autopilot enabled. In a modern managed device, we know that the user gets back apps from Intune and data from OneDrive.

But what about the personalized settings configured by users, such as:

  • Windows Settings
    • Theme
    • Taskbar position
    • Wallpaper
    • Edge settings
    • IE history
    • Favorites, etc.
  • Application Settings
    • Universal Windows Apps (UWA) can write settings data to a roaming folder. As per Microsoft documentation, it is each developer’s responsibility to use this feature during their development cycle.
    • No support for Win32 applications.

NOTE! – Does the user need to reconfigure these settings again on the new Autopilot computer? If so, that is not exactly user-friendly!!


In the modern device deployment world, the solution for this is Azure AD Enterprise State Roaming. With this feature, user and app settings are synced from Windows 10 and stored in Azure blob storage.

After the user logs in to a new computer, the roaming settings are downloaded from the Azure blob and applied to the new computer.

NOTE! – There are some GDPR considerations with Enterprise State Roaming (ESR). More details about personal and corporate data are available in the Microsoft documentation.

Benefits of Enterprise State Roaming

Let’s check the benefits of Enterprise State Roaming.

  • Enterprise State Roaming provides the same end-user experience across Windows devices.
  • It reduces the time needed for the end user to configure a new device.
  • Settings synced between Windows 10 and Azure are secured (encrypted with RMS).

Prerequisites for Enterprise State Roaming (ESR)

Let’s check the prerequisites for Enterprise State Roaming (ESR).

  • Azure Active Directory Premium subscription.
  • Windows 10 Creators Update (build 15063) or later.
  • Windows 10 computers should be Azure AD joined or Hybrid Azure AD joined.
  • UWP applications with ESR (roaming settings) support, for application data.

Enterprise State Roaming (ESR) Schema Diagram – High-level workflow

Let’s check the Enterprise State Roaming (ESR) schema diagram and high-level architecture diagram.

Figure: Enterprise State Roaming workflow diagram.

1. User 1 logs in to Client 1

  • Enterprise State Roaming settings from Client 1 are synced with the Azure data center (Azure region).

Before roaming settings leave the computer, they are encrypted using RMS, which is built into Windows 10. This encryption happens behind the scenes.

  • A separate subscription for Azure RMS is not required to use the Enterprise State Roaming feature.

2. Sync communication

  • The communication between the Windows 10 client and Azure is secured (encrypted).

Only roaming settings are captured from Windows 10 and stored in the Azure blob. Please note that user data is not included.

3. Datacenter Storage

Settings are stored in the Microsoft Azure data center of the region where your tenant is subscribed.

For example, if your tenant is subscribed to APAC, settings will be stored in one of the Asia Azure regions.

Roaming data is kept in Azure until it is marked as stale, at which point it is deleted. For more details about the retention policy, refer to the Microsoft documentation.

4. User 1 logs in to Client 2

The Enterprise State Roaming (ESR) settings with the latest timestamp stored in Azure are downloaded to Client 2.

The Enterprise State Roaming client component in Windows 10 downloads and applies the settings.

What data is captured by Enterprise State Roaming?

Enterprise State Roaming settings are classified into two groups: (1) Windows settings and (2) Application data.

The table below shows the different setting areas captured, with examples.

Figure: table of Enterprise State Roaming setting areas with examples.

Challenges with Enterprise State Roaming

While considering any feature, it’s important to understand the challenges as well. The notes below list the challenges with the Enterprise State Roaming feature at the time of writing.

Note 1: We know that most apps in the enterprise are desktop apps. The Enterprise State Roaming feature does not include Win32-based or desktop app settings.

This means that most app settings are not captured by the Enterprise State Roaming feature. It’s a significant limitation to note.

NOTE! – You need to consider other solutions like UE-V to capture Win32 app settings. Refer to the UE-V documentation for more details.

Note 2: Enterprise State Roaming for Windows 10 is available in most countries but not everywhere. Azure regions (data centers) are open in the US, Europe, Asia, etc. Refer to the Azure regions list to understand the different regions.

Note 3: Data privacy and regulation are another consideration. Enterprise State Roaming will store settings in the Azure region where the tenant is subscribed. It will not sync across countries.

Refer for more details to understand the country/region where Enterprise State Roaming data is stored.

Note 4: There is no option to configure when roaming settings should sync to or apply on the client. After user login, Enterprise State Roaming settings may apply at any time (asynchronously). Admins and users don’t have any control over this.

NOTE! – However, in the Autopilot scenario, I have seen most of the Enterprise State Roaming settings get applied as soon as users enroll and see the desktop for the first time.

Note 5: We can monitor the sync status at the device level, but there is no option in the Azure console to monitor the sync status of each individual roaming setting.

How to enable Enterprise State Roaming?

This section goes through the steps to enable Enterprise State Roaming for a user group.

  • Log in to the Azure portal.
  • Click Azure Active Directory.
  • Click Devices.
  • Click Enterprise State Roaming.
  • Specify the group of users for which you want Enterprise State Roaming enabled.

How to turn off Enterprise State Roaming for a device group

The Enterprise State Roaming feature is tied to the user, so it applies on every device where that user logs in. Let’s consider a scenario where IT doesn’t want roaming settings on a particular device or group of devices.

In this scenario, you can create a CSP policy that turns off sync and deploy it to the device groups where sync needs to be turned off.

The CSP shown below will turn off Enterprise State Roaming (ESR).

./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings


After the CSP is deployed, you can see that sync gets turned off.

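Creating and targeting that CSP policy from PowerShell instead of clicking through the Intune portal, as an added example that is not part of the original post: it builds a Windows 10 custom configuration profile carrying the OMA-URI above with value 0 (sync not allowed) and assigns it to a device group via Microsoft Graph. It assumes the Microsoft.Graph PowerShell module is installed, Connect-MgGraph has already been run with the DeviceManagementConfiguration.ReadWrite.All scope, and the group id is a placeholder you replace with your own.

```powershell
# Added example: create an Intune custom profile that turns off Enterprise State Roaming
# (Experience/AllowSyncMySettings = 0) and assign it to an Azure AD device group.
# Assumes the Microsoft.Graph module is installed and Connect-MgGraph has been run with the
# DeviceManagementConfiguration.ReadWrite.All scope. The group id below is a placeholder.
$DeviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: target device group

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Disable Enterprise State Roaming (AllowSyncMySettings=0)'
    description   = 'Turns off Sync your settings on the targeted devices'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'AllowSyncMySettings'
            omaUri        = './Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings'
            value         = 0    # 0 = sync not allowed, 1 = sync allowed (the default)
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to the device group. The policy is device-scoped, which is what lets it override
# the user-scoped ESR enablement on exactly those machines and nowhere else.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $DeviceGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to group $DeviceGroupId"
```

After the next Intune check-in, the Settings app on a targeted device should show the sync controls greyed out, matching the screenshot the post describes.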

Troubleshooting

Let’s explore some monitoring and troubleshooting areas.

Azure console:

We can track the Enterprise State Roaming sync status of your computers from the Azure portal.

Follow the steps below:

  • Select Azure Active Directory > Users > All users.
  • Select the user, and then select Devices.
  • Under Show, select Devices syncing settings and app data to show the sync status. If the user has multiple devices, note the device with the latest sync timestamp.
  • Verify the device and its sync status.

Verify roaming settings locally

On your Windows 10 computer, you can verify whether your account is configured for Enterprise State Roaming, as shown below.


If your account is not enabled for the Enterprise State Roaming feature, you will see the error message shown below.

Sync is not available for your account.Contact your system administrator to resolve this

Check the device registration status.

Your computer should be either Azure AD joined or Hybrid Azure AD joined. You can check the status of your computer using the command below.

dsregcmd /status

If your computer is not an Azure AD or Hybrid Azure AD device, you may see the below error.

Some Windows feature are only available if you are using a Microsoft account or work account


Event viewer

Event viewer helps to understand client-side Enterprise State Roaming activity. You can see sync logs under:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Settingsync-Azure


Below are the different events captured from Windows 10 clients, for reference.

You can see the IE settings sync events below.

Sync operation started for browsersettings-wininet-internet-explorer, SyncOperationFlags: 4, IsDeviceTrusted: trueFile onecoreuap\shell\roaming\settingsynchost\lib\syncstate.cpp line 287


Successfully synced one setting from cloud storage to Windows for collection browsersettings-wininet-internet-explorer


Successfully applied 0 setting unit(s) and failed to use one setting (s) unit to cloud storage for collection browsersettings-favoriteurls-internet-explorer

You can also see that some of the IE sync settings failed to apply.


You can see that the Windows theme settings are synced and applied.

The local provider requested a sync of collection Windows-Theme. (operation: 0, Result: 0x0)


Attempting to sync settings from Windows to cloud storage


An upload sync session was scheduled for collection windows-explorer. (Result: 0x0)


The events below help to understand whether the settings sync succeeded or failed.

Successfully synced three settings from cloud storage to Windows for collection browsersettings-favoriteurls-internet-explorer


Task manager:

The process “SettingSyncHost.exe” shown below plays a key role in syncing the Enterprise State Roaming settings. You can track this process’s activity while troubleshooting.

Scheduled task

There are two scheduled tasks related to Enterprise State Roaming on Windows 10:

  1. BackgroundUploadTask
  2. NetworkStateChangeTask – This task will execute once your account is enabled for Enterprise State Roaming.
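The client-side checks in this Troubleshooting section (dsregcmd join state, the Settingsync-Azure event log, the SettingSyncHost.exe process and the two scheduled tasks) can be gathered in one pass. The PowerShell function below is an added example, not from the original post; it assumes a Windows 10 client on which the Microsoft-Windows-SettingSync-Azure event logs exist, and it assumes that the Experience/AllowSyncMySettings CSP surfaces locally as the DisableSettingSync value under HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync.

```powershell
# Added example (not from the original post): one-pass ESR health check on a Windows 10 client.
# Assumes the Microsoft-Windows-SettingSync-Azure event logs are present and that
# Experience/AllowSyncMySettings=0 lands as DisableSettingSync=2 under the SettingSync policy key.
function Get-EsrHealth {
    [CmdletBinding()]
    param([int]$EventHours = 24)
    # 1. Join state: ESR requires Azure AD joined or Hybrid Azure AD joined (dsregcmd /status).
    $joined = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)') {
            $joined[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # 2. Device-side policy written by the AllowSyncMySettings CSP (assumed registry mapping).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync' `
                            -Name DisableSettingSync -ErrorAction SilentlyContinue
    # 3. The two scheduled tasks named in the post live under \Microsoft\Windows\SettingSync\.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\SettingSync\' -ErrorAction SilentlyContinue |
             Select-Object TaskName, State
    # 4. Is the sync host process alive?
    $syncHost = Get-Process -Name SettingSyncHost -ErrorAction SilentlyContinue
    # 5. Recent events, grouped by the collection named in messages such as
    #    "... for collection browsersettings-favoriteurls-internet-explorer".
    $since  = (Get-Date).AddHours(-$EventHours)
    $events = Get-WinEvent -ListLog 'Microsoft-Windows-SettingSync-Azure*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $since } -ErrorAction SilentlyContinue
        }
    $byCollection = $events | ForEach-Object {
            if ($_ -and $_.Message -match 'collection ([\w\-]+)') {
                [pscustomobject]@{ Collection = $Matches[1]; IsError = ($_.LevelDisplayName -in 'Critical','Error') }
            }
        } | Group-Object Collection | ForEach-Object {
            [pscustomobject]@{ Collection = $_.Name; Events = $_.Count
                               Errors = ($_.Group | Where-Object IsError).Count }
        }
    [pscustomobject]@{
        AzureAdJoined          = [bool]$joined['AzureAdJoined']
        HybridAzureAdJoined    = [bool]($joined['AzureAdJoined'] -and $joined['DomainJoined'])
        SyncBlockedByPolicy    = ($pol.DisableSettingSync -eq 2)
        ScheduledTasks         = $tasks
        SyncHostRunning        = [bool]$syncHost
        SyncEventsByCollection = $byCollection
    }
}

Get-EsrHealth -EventHours 24 | Format-List
```

A device that is not Azure AD joined, has SyncBlockedByPolicy true, or has no SettingSync scheduled tasks at all (the symptom described in the comments below) explains a non-syncing account before you start reading individual event messages.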

Multi-factor Authentication (MFA)

During Autopilot enrollment, if MFA such as Windows Hello for Business is enabled, ensure you complete the second-factor authentication.

In the Windows Autopilot scenario, I observed that Enterprise State Roaming settings sync fails if we postpone the second factor like Hello PIN.

Network – Firewall, Ports, and Proxy configuration

We need to ensure the firewall, ports, and proxy in your network are not blocking the sync activity. Make sure the Azure URLs are allowed in your environment.

During Enterprise State Roaming sync activity on Windows 10, we can see Windows 10 access Azure URLs such as *.one.microsoft.com. The primary endpoint URL varies based on your Azure subscription region. Below are some examples.

Region – Azure primary endpoint URL
  • Example 1: Southeast Asia – https://kailani10.one.microsoft.com
  • Example 2: East US – https://kailani1.one.microsoft.com

Refer here for more details about the URLs accessed by Enterprise State Roaming based on the region.


Other common issues

Refer to the Microsoft documentation if you want to know more about the known issues with Enterprise State Roaming and their troubleshooting.

End Result

User 1 logs in to client 8 first and later to client 9. The following user settings are roamed:

  • Taskbar position from client 8 is roamed to client 9
  • Wallpaper from client 8 is roamed to client 9
  • Edge favorites from client 8 are roamed to client 9
  • IE favorites from client 8 are roamed to client 9


Author

Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.

5 thoughts on “How to Use Enterprise State Roaming ESR Feature for Windows Autopilot Deployment”

  1. Hello,

    Maybe you can help me?
    Microsoft is trying to help but they don’t understand what is wrong, for 5 months now.

    My ESR is not working, it did work but now it is broken and I do not know why.

    – License Azure AD Premium P1
    – In Azure AD devices “Users may sync settings and app data across devices”: all
    – In the Settings app all is set to ‘on’
    – All the info in dsregcmd /status is OK
    – Scheduled task are there and I can run them
    – There is no Windows hello active

    But I have a lot of errors in the logs in eventvwr “SettingSync”, almost all the same but the number after .cpp(xxx) is different
    – shell\roaming\settingsync\explorersettinghandler.cpp(315)\SettingSync.dll!00007FFAAAA097F0: (caller: 00007FF73A6E1699) ReturnHr(4) tid(2a68) 80070002 The system cannot find the file specified.

    The exe file “SettingSyncHost.exe” is available in the system32 folder but I don’t see it in the taskmgr, and if I run it, it will not start (I think)

    After reinstalling a device and joining it to Azure, the errors are directly back in eventvwr

    Do you or someone have any tips?
    This drives me nuts

    • Not that I can confirm from the MS link … rather, the ESR back-end storage system is changed!

      Sync your settings (updated: August 17, 2017) Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The Sync your settings options and the Enterprise State Roaming feature will continue to work.

      Personalization roaming Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release.

  2. I’ve got the issue that the scheduled tasks aren’t there. I think that’s the problem why it doesn’t work.
    Enterprise State Roaming is active, the device is also cloud joined. I’ve reinstalled the computer a couple of times.

    Any ideas about that?

