This post looks at what the Enterprise State Roaming (ESR) feature of Azure AD is, and at how useful ESR is for Windows Autopilot deployments.
End-user experience is a crucial factor in modern device management. Consider an Autopilot device break-fix scenario (the laptop hardware is faulty). In this case, the user gets a new computer with Autopilot enabled. On a modern managed device, the user gets apps back from Intune and data back from OneDrive.
But what about the personalized settings configured by the user, such as:
- Windows settings
- Taskbar position
- Edge settings
- IE history
- Favorites, etc.
- Application settings:
  - Universal Windows Apps (UWA) can write settings data to a roaming folder. As per Microsoft documentation, it is each developer's responsibility to use this feature during their development cycle.
  - No support for Win32 applications (more details here)
NOTE! – Does the user need to reconfigure all of these settings again on the new Autopilot computer? If so, that is not exactly user-friendly!
In the modern device deployment world, the solution for this is Azure AD Enterprise State Roaming. With this feature, user and app settings are synced from Windows 10 and stored in Azure Blob storage. After the user logs in to a new computer, the roaming settings are downloaded from the Azure blob and applied on the new computer.
NOTE! – Some thoughts about GDPR and Enterprise State Roaming (ESR): see the Microsoft documentation for more details on what counts as personal versus corporate data.
Benefits of Enterprise State Roaming
- Enterprise State Roaming provides the same end-user experience across Windows devices.
- It reduces the time the end user needs to configure a new device.
- Settings synced between Windows 10 and Azure are secured (encrypted with Azure RMS).
Prerequisites for Enterprise State Roaming
- Azure Active Directory Premium subscription.
- Windows 10 Creators Update (build 15063) or above.
- Windows 10 computers must be Azure AD joined or Hybrid Azure AD joined.
- UWP applications with ESR support enabled*
Enterprise State Roaming high-level workflow
1. User 1 logs in to Client 1
- Enterprise State Roaming settings from Client 1 are synced to the Azure data center (Azure region).
- Before the roaming settings leave the computer, they are encrypted using Azure RMS, which is built in to Windows 10. This encryption happens behind the scenes.
- A separate subscription for Azure RMS is not required to use the Enterprise State Roaming feature.
2. Sync communication
- The communication between the Windows 10 client and Azure is secured (encrypted).
- Only roaming settings are captured from Windows 10 and stored in Azure Blob storage. Note that user data is not included.
3. Data center storage
- Settings are stored in the Microsoft Azure data center of the region where your tenant is subscribed.
- For example, if your tenant is subscribed in APAC, the settings are stored in one of the Asia Azure regions. For more details, refer here.
- Settings are retained in Azure until the data is marked as stale. For more details about the retention policy, refer here.
4. User 1 logs in to Client 2
- The Enterprise State Roaming (ESR) settings with the latest timestamp stored in Azure are downloaded to Client 2.
- The Enterprise State Roaming client component in Windows 10 downloads and applies the settings.
What data is captured by Enterprise State Roaming?
Enterprise State Roaming settings are classified into two categories: (1) Windows settings and (2) application data.
The table below shows the different setting areas captured, with examples. Refer here for the complete list of settings captured during sync.
Challenges with Enterprise State Roaming
While considering any feature, it is important to understand the challenges as well. The points below are the challenges with the Enterprise State Roaming feature at the time of writing.
Note 1: In the enterprise, most apps are desktop apps. Settings of Win32-based (desktop) apps are not included in the Enterprise State Roaming feature, so the majority of app settings are not captured by ESR. This is a significant limitation to note.
NOTE! – You need to consider other solutions, such as UE-V, to capture Win32 app settings. Refer here for more details.
Note 2: Enterprise State Roaming for Windows 10 is available in most countries but not everywhere. Azure regions (data centers) are open in the US, Europe, Asia, etc. Refer here for the list of Azure regions.
Note 3: Data privacy and regulation is another point. Enterprise State Roaming stores settings in the Azure region where the tenant is subscribed; it does not sync across countries. Refer here for more details on the country/region where Enterprise State Roaming data is stored.
Note 4: There is no option to configure when roaming settings should apply or sync on the client. This means that after user login, Enterprise State Roaming settings may apply at any time (asynchronously). Neither admins nor users have any control over this.
NOTE! – However, in the Autopilot scenario, I have seen most of the Enterprise State Roaming settings get applied as soon as the user enrolls and sees the desktop for the first time.
Note 5: We can monitor the sync status at the device level, but there is no option in the Azure console to monitor the sync status of each individual roaming setting.
How to enable Enterprise State Roaming?
In this section we go through the steps to enable Enterprise State Roaming for a user group:
- Log in to the Azure portal
- Click Azure Active Directory
- Click Devices
- Click Enterprise State Roaming
- Specify the group of users for which you want Enterprise State Roaming enabled
How to turn off Enterprise State Roaming for a device group
The Enterprise State Roaming feature is tagged to the user, so roaming applies on every device where that user logs in. Consider a scenario where IT does not want roaming on a particular device or group of devices.
In this scenario, you can create a CSP to turn off sync, then deploy the CSP to the device groups where sync needs to be turned off.
The CSP shown below turns off Enterprise State Roaming (ESR).
After CSP deployment, you can see that sync gets turned off.
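The CSP screenshot is not reproduced here, so the following is an added example (not from the original post) of how to verify on a target device that the sync-off policy actually landed. It assumes the custom Intune profile delivers the Policy CSP node `./Device/Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings` with value 0, that MDM-delivered Policy CSP values are mirrored under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>`, that the Group Policy equivalent ("Do not sync") writes `DisableSettingSync = 2` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync`, and that per-user sync areas are recorded under `HKCU\...\SettingSync\Groups\<Area>\Enabled`. All of those paths are assumptions, not something the post states.

```powershell
# Added example, not from the original post: verify on a Windows 10 device whether the
# "turn off settings sync" policy has taken effect.
# Assumed registry locations (see lead-in): PolicyManager mirror of the Policy CSP,
# the Group Policy SettingSync key, and the per-user SettingSync\Groups state.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SettingSyncPolicyState {
    # MDM path: Experience/AllowSyncMySettings = 0 means sync is disallowed (assumed mirror path)
    $allow   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience' 'AllowSyncMySettings'
    # Group Policy path: "Do not sync" = 2 (assumed value)
    $disable = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync' 'DisableSettingSync'

    # Per-area state for the logged-on user (Personalization, BrowserSettings, ...) - assumed layout
    $groups = Get-ChildItem 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Area = $_.PSChildName; Enabled = (Get-RegValue $_.PSPath 'Enabled') }
        }

    [pscustomobject]@{
        CspAllowSyncMySettings = $allow      # 0 = disallowed by MDM; $null = the policy never reached this device
        GpoDisableSettingSync  = $disable    # 2 = "Do not sync" via Group Policy; $null = not set
        SyncTurnedOff          = ($allow -eq 0) -or ($disable -eq 2)
        UserSyncAreas          = $groups
    }
}

$state = Get-SettingSyncPolicyState
$state | Select-Object CspAllowSyncMySettings, GpoDisableSettingSync, SyncTurnedOff
$state.UserSyncAreas | Format-Table -AutoSize
```

A `$null` in `CspAllowSyncMySettings` after deployment usually means the device is not in the targeted group or has not checked in yet, which is a different problem from the policy being wrong; the per-area list is also the closest thing the client offers to the per-setting view that the Azure console lacks (Note 5 above).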
Let's explore some monitoring and troubleshooting areas.
From the Azure portal, you can track the Enterprise State Roaming sync status for your computers.
Follow the steps below:
- Select Azure Active Directory > Users > All users.
- Select the user, and then select Devices.
- Under Show, select Devices syncing settings and app data to show the sync status. If you have multiple devices, make a note of the device with the latest sync timestamp.
- Verify the device and its sync status.
Verify roaming settings locally
As shown below, from your Windows 10 computer you can verify whether your account is configured for Enterprise State Roaming.
If your account is not enabled for the Enterprise State Roaming feature, you will see the error state shown below.
Check device registration status
Your computer must be either Azure AD joined or Hybrid Azure AD joined. You can check the status of your computer using the command below.
If your computer is not an Azure AD or Hybrid Azure AD joined device, you may see the error below.
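The command output is shown as a screenshot in the original, so here is an added example (not from the original post) that wraps the same check in a script: it parses the `Key : Value` lines that `dsregcmd.exe /status` prints and classifies the join state that ESR requires. It assumes the field names `AzureAdJoined`, `DomainJoined` and `AzureAdPrt` as printed by `dsregcmd`; the sample output at the bottom is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the original post: classify the device join state from dsregcmd /status.
# Assumptions: dsregcmd field names AzureAdJoined / DomainJoined / AzureAdPrt; the sample block is constructed.

function Get-DsregState {
    param(
        # Pass captured output to test offline; by default the live command is run.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # Field lines look like "             AzureAdJoined : YES"; table borders (+---, | ...) do not match.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-EsrJoinState {
    param([hashtable]$State = (Get-DsregState))
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'
    $prt    = $State['AzureAdPrt']    -eq 'YES'

    $joinType = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)          { 'Azure AD joined' }
                elseif ($domain)       { 'Domain joined only (ESR will not sync)' }
                else                   { 'Not joined (ESR will not sync)' }

    [pscustomobject]@{
        JoinType      = $joinType
        MeetsEsrJoin  = $aad        # ESR needs Azure AD joined or Hybrid Azure AD joined
        # No PRT in the user session usually means the user did not sign in with an Azure AD
        # identity, so the sync client cannot obtain a token for the roaming service.
        HasAzureAdPrt = $prt
    }
}

# Constructed sample in the shape of dsregcmd /status output (values are made up).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split '\r?\n'

Test-EsrJoinState -State (Get-DsregState -StatusLines $sample)   # offline, constructed sample
Test-EsrJoinState                                                 # live device
```

Run it in the context of the user whose settings are expected to roam: the `AzureAdPrt` field is per user session, so an elevated prompt under a different account can report `NO` for a device that is otherwise fine.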
Event Viewer helps to understand client-side Enterprise State Roaming activity. You can see the sync logs under:
Event Viewer > Applications and Services Logs > Microsoft > Windows > SettingSync-Azure
Below are the different events captured from Windows 10 clients, for reference.
You can see the IE settings sync events below.
You can also see that some of the IE sync settings failed to apply.
You can see that Windows theme settings are synced and applied.
The events below help to understand whether sync settings succeeded or failed.
The process "SettingSyncHost.exe" shown below plays a key role in syncing the Enterprise State Roaming settings. You can track this process's activity while troubleshooting.
There are two scheduled tasks related to Enterprise State Roaming on Windows 10:
- NetworkStateChangeTask – this task executes once your account is enabled for Enterprise State Roaming.
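The event log, process and scheduled-task checks above are shown as screenshots in the original. The script below is an added example (not from the original post) that performs one local triage pass over all three: it summarizes the SettingSync event channels by severity, pulls the newest events matching a pattern (for example the theme or favorites events described above), and reports the SettingSyncHost.exe process and the scheduled tasks. It assumes the channels are named `Microsoft-Windows-SettingSync*` (they are discovered at run time rather than hard-coded) and that the tasks live under `\Microsoft\Windows\SettingSync\` in Task Scheduler.

```powershell
# Added example, not from the original post: local ESR triage (events, process, scheduled tasks).
# Assumptions: event channels match 'Microsoft-Windows-SettingSync*'; tasks are under
# \Microsoft\Windows\SettingSync\; the sync process is SettingSyncHost.exe.

function Get-EsrLog {
    # Enabled SettingSync channels that actually contain events (Debug/Analytic channels are
    # off by default and only show up here once you enable them in Event Viewer)
    Get-WinEvent -ListLog 'Microsoft-Windows-SettingSync*' -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }
}

function Get-EsrEventSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in Get-EsrLog) {
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } -ErrorAction SilentlyContinue)
        $errors = @($events | Where-Object Level -le 2)     # 1 = Critical, 2 = Error
        # Get-WinEvent returns newest first, so $errors[0] is the most recent error
        $lastError = if ($errors.Count -gt 0) { ($errors[0].Message -split '\r?\n')[0] } else { $null }
        [pscustomobject]@{
            Log       = $log.LogName
            Total     = $events.Count
            Errors    = $errors.Count
            Warnings  = @($events | Where-Object Level -eq 3).Count
            LastError = $lastError
        }
    }
}

function Get-EsrRecentEvent {
    # Newest events whose message matches a pattern, e.g. -Pattern 'theme' or 'favorite'
    param([int]$Count = 20, [string]$Pattern = '.')
    Get-EsrLog |
        ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents 500 -ErrorAction SilentlyContinue } |
        Where-Object { $_.Message -match $Pattern } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First $Count TimeCreated, LogName, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } }
}

function Get-EsrClientState {
    $proc  = @(Get-Process -Name SettingSyncHost -ErrorAction SilentlyContinue)
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\SettingSync\' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task       = $_.TaskName
                State      = $_.State
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult    # 0 means the last run succeeded
            }
        }
    [pscustomobject]@{
        SyncHostRunning = $proc.Count -gt 0
        SyncHostPids    = $proc.Id
        ScheduledTasks  = $tasks
    }
}

$client = Get-EsrClientState
$client | Select-Object SyncHostRunning, SyncHostPids
$client.ScheduledTasks | Format-Table -AutoSize
Get-EsrEventSummary -Hours 48 | Format-Table -AutoSize
Get-EsrRecentEvent -Count 10 -Pattern 'theme|favorite' | Format-Table -AutoSize
```

Because the client applies settings asynchronously (Note 4 above), a device that looks idle right after login is not necessarily broken; compare the task `LastRun` times and the newest events with the sync timestamp shown for the device in the Azure portal before concluding that sync has failed.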
Multi-factor authentication (MFA)
During Autopilot enrollment, if MFA such as Windows Hello for Business is enabled, make sure you complete the second-factor authentication.
Network – firewall, ports, and proxy configuration
Ensure that the firewall, ports, and proxy in your network do not block the sync activity. Make sure the Azure URLs are whitelisted in your systems.
During Enterprise State Roaming sync activity on Windows 10, the client accesses Azure URLs such as *.one.microsoft.com. The primary endpoint URL varies based on your Azure subscription region. Below are some examples.
| Region | Azure primary endpoint URL |
|---|---|
| Example 1: Southeast Asia | https://kailani10.one.microsoft.com |
| Example 2: East US | |
For more details about the URLs accessed by Enterprise State Roaming based on the region, refer here.
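To turn the firewall, port and proxy advice above into something you can run on a client, the following is an added example (not from the original post). For each endpoint it checks DNS resolution, TCP 443 reachability, and which CA issued the certificate presented on the TLS handshake, and it prints the WinHTTP proxy that system components use. Only `kailani10.one.microsoft.com` comes from the post; the other hosts under `*.one.microsoft.com` for your region are an assumption you fill in from your own observed traffic. The issuer check is a heuristic for spotting a TLS-inspecting proxy in the path, which is a common reason a sync that "should" work does not.

```powershell
# Added example, not from the original post: client-side reachability check for ESR endpoints.
# Assumptions: the endpoint list (only the Southeast Asia host is from the post); the
# "expected issuer" pattern is a heuristic you adjust to what you observe on a known-good client.

function Get-RemoteCertIssuer {
    param([string]$HostName)
    # Completes a TLS handshake and returns the issuer of the leaf certificate. The validation
    # callback accepts any chain so that an inspecting proxy's substituted cert can be read too.
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                   { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose(); $tcp.Dispose()
        return $issuer
    } catch {
        return "handshake failed: $($_.Exception.Message)"
    }
}

function Test-EsrEndpoint {
    param(
        [string[]]$HostName = @('kailani10.one.microsoft.com'),   # add your region's hosts here (assumption)
        [string]$ExpectedIssuerPattern = 'Microsoft|DigiCert'       # heuristic, adjust to a known-good client
    )
    foreach ($h in $HostName) {
        $dns    = @(Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')
        $tcp    = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $issuer = if ($tcp.TcpTestSucceeded) { Get-RemoteCertIssuer -HostName $h } else { $null }
        [pscustomobject]@{
            Host       = $h
            Resolves   = $dns.Count -gt 0
            Address    = if ($dns.Count -gt 0) { $dns[0].IPAddress } else { $null }
            Tcp443     = $tcp.TcpTestSucceeded
            CertIssuer = $issuer
            # An issuer outside the expected pattern (e.g. a corporate CA) points to TLS inspection,
            # which the sync client may refuse; exclude the endpoints from inspection in that case.
            Inspected  = ($null -ne $issuer) -and ($issuer -notmatch $ExpectedIssuerPattern)
        }
    }
}

# Proxy used by system services; "Direct access (no proxy server)." means none is configured.
netsh winhttp show proxy
Test-EsrEndpoint | Format-Table -AutoSize
```

Run the check in the same user context and on the same network segment as the failing client; a host that passes from an admin workstation but fails from the Autopilot VLAN usually indicates a per-segment firewall or proxy rule rather than an ESR problem.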
Other common issues
Refer here if you want more details about some of the known issues with Enterprise State Roaming and how to troubleshoot them.
Example: User 1 logs in to Client 8 first and later to Client 9. The following user settings are roamed:
- Taskbar position from Client 8 is roamed to Client 9
- Wallpaper from Client 8 is roamed to Client 9
- Edge favorites from Client 8 are roamed to Client 9
- IE favorites from Client 8 are roamed to Client 9