Let’s see what the Enterprise State Roaming (ESR) feature of Azure AD is. Also, let’s go through how useful the ESR feature is for Windows Autopilot deployment.
ESR gives Azure Active Directory (Azure AD) users the ability to securely synchronize their user settings and application settings data to the cloud.
This replaces older solutions such as UE-V and roaming profiles, two on-prem solutions that have been in place for many years.
Microsoft claims that Enterprise State Roaming (ESR) provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. However, the reality falls a bit short.
End-user experience is a crucial factor in modern device management. Let’s consider an Autopilot device break-fix scenario (Laptop hardware is faulty).
In this case, the user will get a new computer with autopilot enabled. In a modern managed device, we know that the user gets back apps from Intune and data from OneDrive.
But what about the personalized settings configured by users, such as:
- Windows settings
- Taskbar position
- Edge settings
- IE history
- Favorites, etc.
- Application settings
  - Universal Windows Apps (UWA) can write settings data to a roaming folder. As per Microsoft documentation, it is each developer’s responsibility to use this feature during their development cycle.
  - No support for Win32 applications.
NOTE! – Does the user need to reconfigure these settings again on the new Autopilot computer? If so, that is not exactly user-friendly!!
In the modern device deployment world, the solution for this is Azure AD Enterprise State Roaming. With this feature, user and app settings are synced from Windows 10 and stored in Azure blob storage.
After the user logs in to a new computer, the roaming settings are downloaded from the Azure blob and applied to the new computer.
NOTE! – Some thoughts about GDPR and Enterprise State Roaming (ESR): refer to the Microsoft documentation for more details on how personal and corporate data are handled.
Benefits of Enterprise State Roaming
Let’s check the benefits of Enterprise State Roaming.
- Enterprise State Roaming provides the same end-user experience across Windows devices.
- Reduces the time needed for the end-user to configure a new device.
- Settings synced between Windows 10 and Azure are secured (encrypted with RMS).
Pre-requisites for Enterprise State Roaming (ESR)
Let’s check the pre-requisites for Enterprise State Roaming (ESR).
- Azure Active Directory Premium subscription.
- Windows Creators Update (Build 15063) or above.
- Win 10 computers should be Azure AD or Hybrid Azure AD joined.
- UWP applications that are ESR-enabled
Enterprise State Roaming (ESR) Schema Diagram – High-level workflow
Let’s check the Enterprise State Roaming (ESR) schema diagram and high-level architecture diagram.
1. User 1 logs in to Client 1
- Enterprise State Roaming settings from Client 1 are synced with the Azure data center (Azure regions).
- Before the roaming settings leave the computer, they are encrypted using RMS, which is built into Windows 10. This encryption happens behind the scenes.
- A separate subscription for Azure RMS is not required to use the Enterprise State Roaming feature.
2. Sync communication
- The communication between the Windows 10 client and Azure is secured (encrypted).
- Only roaming settings are captured from Windows 10 and stored in the Azure blob. Please note that user data is not included.
3. Data center storage
- Settings are stored in the Microsoft Azure data center where your tenant is subscribed.
- For example, if your tenant is subscribed to APAC, settings will be stored in one of the Asia Azure regions.
4. User 1 logs in to Client 2
- The Enterprise State Roaming (ESR) settings with the latest timestamp stored in Azure are downloaded to Client 2.
- The Enterprise State Roaming client component in Windows 10 downloads and applies the settings.
What data is captured by Enterprise State Roaming?
Enterprise State Roaming settings are classified into two categories: (1) Windows settings and (2) application data.
Challenges with Enterprise State Roaming
While considering any feature, it’s important to understand the challenges as well. The notes below describe the challenges with the Enterprise State Roaming feature at the time of writing.
Note 1: We know that most apps in the enterprise are desktop apps. The Enterprise State Roaming feature does not include Win32-based or desktop app settings.
This means that most app settings are not captured by the Enterprise State Roaming feature, which is a significant limitation to note.
Note 2: Enterprise State Roaming for Windows 10 is available in most countries, but not everywhere. Azure regions (data centers) are open in the US, Europe, Asia, etc. Refer here for the list of Azure regions.
Note 3: Data privacy and regulation is another consideration. Enterprise State Roaming stores settings in the Azure region where the tenant is subscribed; it does not sync across countries.
Note 4: There is no option to configure when roaming settings should sync or apply on the client. After the user logs in, Enterprise State Roaming settings may apply at any time (asynchronously). Neither admins nor users have any control over this.
NOTE! – However, in the Autopilot scenario, I have seen most of the Enterprise State Roaming settings get applied as soon as users enroll and see the desktop for the first time.
Note 5: We can monitor the sync status at the device level, but there is no option in the Azure console to monitor the sync status of each individual roaming setting.
How to enable Enterprise State Roaming?
This section will go through the steps to enable Enterprise State Roaming for a user group.
- Log in to the Azure portal
- Click Azure Active Directory
- Click Devices
- Click Enterprise State Roaming
- Specify the group of users for which you want Enterprise State Roaming enabled
How to turn off Enterprise State Roaming for a device group
The Enterprise State Roaming feature is tagged to the user, so roaming applies on every device where that user logs in. Let’s consider a scenario where IT doesn’t want roaming settings on a particular device or group of devices.
In this scenario, you can create a CSP policy to turn off sync and deploy it to the device groups where sync needs to be turned off.
The CSP shown below will turn off Enterprise State Roaming (ESR).
After the CSP deployment, you can see that sync is turned off.
Let’s explore some monitoring and troubleshooting areas.
Azure console:
We can track the Enterprise State Roaming sync status of your computers from the Azure portal.
Follow the steps below:
- Select Azure Active Directory > Users > All users.
- Select the user, and then select Devices.
- Under Show, select Devices syncing settings and app data to show the sync status. If you have multiple devices, note the device with the latest sync timestamp.
- Verify the device and its sync status.
Verify Roaming settings locally – Enterprise State Roaming ESR
As shown below, from your Windows 10 computers you can verify whether your account is configured for Enterprise State Roaming.
If your account is not enabled for the Enterprise State Roaming feature, you will see the error message shown below.
Check the device registration status.
Your computer should be either Azure AD joined or Hybrid Azure AD joined. You can check the status of your computer using the command below.
If your computer is not an Azure AD or Hybrid Azure AD device, you may see the error below.
Event Viewer helps you understand client-side Enterprise State Roaming activity. You can see the sync logs under:
Event Viewer > Applications and Services Logs > Microsoft > Windows > Settingsync-Azure
Below are the different events captured from Windows 10 clients for reference.
You can see the IE settings sync events below.
Sync operation started for browsersettings-wininet-internet-explorer, SyncOperationFlags: 4, IsDeviceTrusted: trueFile onecoreuap\shell\roaming\settingsynchost\lib\syncstate.cpp line 287
Successfully synced one setting from cloud storage to Windows for collection browsersettings-wininet-internet-explorer
Successfully applied 0 setting unit(s) and failed to use one setting (s) unit to cloud storage for collection browsersettings-favoriteurls-internet-explorer
You can also see that some of the IE sync settings failed to apply.
You can see that the Windows theme settings are synced and applied.
The local provider requested a sync of collection Windows-Theme. (operation: 0, Result: 0x0)
Attempting to sync settings from Windows to cloud storage
An upload sync session was scheduled for collection windows-explorer. (Result: 0x0)
The events below help you understand whether the settings sync succeeded or failed.
Successfully synced three settings from cloud storage to Windows for collection browsersettings-favoriteurls-internet-explorer
The process “SettingSyncHost.exe” shown below plays a key role in syncing the Enterprise State Roaming settings. You can track this process’s activity while troubleshooting.
There are two scheduled tasks related to Enterprise State Roaming on Windows 10:
- NetworkStateChangeTask – This task executes once your account is enabled for Enterprise State Roaming.
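The local checks described above (device registration, the SettingSync-Azure event channel, SettingSyncHost.exe and the SettingSync scheduled tasks), together with the CSP turn-off described earlier, can be gathered into one read-only script. This is an added example, not code from the original post or from Microsoft; the policy registry key and the scheduled-task folder are assumptions taken from the Windows "Sync your settings" policy, not from the post.

```powershell
# Added example, not from the original post. Assumed (not on the page): the
# "Sync your settings" policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync
# and the task folder \Microsoft\Windows\SettingSync\. Run in an elevated session.

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # dsregcmd /status prints "Key : Value" rows; return the value or UNKNOWN.
    $m = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Get-EsrCollectionSummary([int]$MaxEvents = 200) {
    # Discover the SettingSync-Azure channel(s) rather than hard-coding a log name.
    $logs = Get-WinEvent -ListLog 'Microsoft-Windows-SettingSync-Azure*' -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }
    $events = foreach ($log in $logs) {
        Get-WinEvent -LogName $log.LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
    # Sync messages end in "... for collection <name>". Any message containing
    # "failed" (including the partial "applied 0 ... and failed to ..." form)
    # is counted as a failure for that collection.
    $events | ForEach-Object {
        if ($_.Message -match 'for collection (?<coll>[\w\-]+)') {
            $coll = $Matches.coll                       # copy before the next -match overwrites $Matches
            $outcome = if ($_.Message -match 'failed') { 'Failed' } else { 'Succeeded' }
            "$coll : $outcome"
        }
    } | Group-Object | Select-Object Name, Count | Sort-Object Name
}

function Get-EsrLocalStatus {
    $dsreg  = dsregcmd /status
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AzureAdJoined          = Get-DsregValue $dsreg 'AzureAdJoined'   # YES for Azure AD or Hybrid join
        DomainJoined           = Get-DsregValue $dsreg 'DomainJoined'    # YES only for Hybrid join
        # DisableSettingSync = 2 is what the "turn off sync" policy writes; absent or 0 allows sync
        SyncDisabledByPolicy   = ($null -ne $policy -and $policy.DisableSettingSync -eq 2)
        SettingSyncHostRunning = [bool](Get-Process -Name SettingSyncHost -ErrorAction SilentlyContinue)
        ScheduledTasks         = Get-ScheduledTask -TaskPath '\Microsoft\Windows\SettingSync\' -ErrorAction SilentlyContinue |
                                 ForEach-Object { "$($_.TaskName) : $($_.State)" }
        CollectionSummary      = Get-EsrCollectionSummary
    }
}

Get-EsrLocalStatus | Format-List
```

A device that shows AzureAdJoined : NO, SyncDisabledByPolicy : True, or only Failed entries in CollectionSummary points at the registration, policy or per-collection sync problems discussed in this section, respectively.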
Multi-factor Authentication (MFA)
During Autopilot enrollment, if MFA such as Windows Hello for Business is enabled, ensure you complete the second-factor authentication.
In the Windows Autopilot scenario, I observed that Enterprise State Roaming settings sync fails if we postpone the second factor, like the Hello PIN.
Network – Firewall, Ports, and Proxy configuration
We need to ensure that the firewall, ports, and proxy in your network are not blocking the sync activity. Please make sure the Azure URLs are allowed in your environment.
During Enterprise State Roaming sync activity on Windows 10, we can see Windows 10 access Azure URLs like *.one.microsoft.com. The primary endpoint URL varies based on your Azure subscription region. Below are some examples.
| Region | Azure primary endpoint URL |
| --- | --- |
| Example 1: Southeast Asia | https://kailani10.one.microsoft.com |
| Example 2: East US | |
Refer here for more details about the URLs accessed by Enterprise State Roaming in each region.
Other common issues
Refer here if you want to know more about the known issues with Enterprise State Roaming and how to troubleshoot them.
User 1 logs in first to Client 8 and later to Client 9. For example, the following user settings are roamed:
- Taskbar position from Client 8 is roamed to Client 9
- Wallpaper from Client 8 is roamed to Client 9
- Edge favorites from Client 8 are roamed to Client 9
- IE favorites from Client 8 are roamed to Client 9
Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on device management technologies like Microsoft Intune, ConfigMgr (SCCM), OS deployment, and patch management. He writes about technologies like SCCM, Windows 10, Microsoft Intune, and MDT.