Let’s see what the Enterprise State Roaming (ESR) feature of Azure AD is. Also, let’s go through and understand how useful is ESR feature is for Windows Autopilot Deployment.
ESR helps Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user settings and application settings data to the cloud.
This will replace the older solutions, such as UE-V and Roaming profiles. Those two are on-prem solutions in place for many years now.
Microsoft claims that Enterprise State Roaming (ESR) provides users with a unified experience across their Windows devices and reduces the time needed to configure a new appliance. However, the reality is a bit further away.
- Set Computer Name During Windows Autopilot Hybrid Azure AD Join Using Intune
- Windows AutoPilot Process End To End Guide
- Beginners Guide Setup Windows Autopilot Deployment
- Windows Autopilot FAQ Clarifying the General Misconceptions
- Windows Autopilot Behind The Scenes Top Secrets-Post 2
How to Use Enterprise State Roaming ESR
End-user experience is a crucial factor in modern device management. Let’s consider an Autopilot device break-fix scenario (Laptop hardware is faulty).
In this case, the user will get a new computer with autopilot enabled. In a modern managed device, we know that the user gets back apps from Intune and data from OneDrive.
But what about personalized settings configured by users like:
- Windows Settings
- Theme
- Taskbar position
- Wallpaper
- Edge settings
- IE history
- Favorites etc.?
- Application Settings?
- Application Settings
- Universal Windows Apps (UWA) can write settings data to a roaming folder. As per Microsoft documentation, each developer must use this feature during their development cycles.
- NO Support for Win32 Application.
NOTE! – Does the user need to reconfigure these settings again on the new autopilot computer? If so, that is not inevitably user-friendly!!
In the modern device deployment world, the solution is Azure AD Enterprise State Roaming. With this feature, user and app settings sync from Win 10 and are stored in Azure blog storage.
After the user login to a new computer, the roaming settings are downloaded from the Azure blob and applied to the new computer.
NOTE! – Some thoughts about GDPR and enterprise state roaming(ESR). More details in terms of personal and corporate data from Microsoft documentation.
Benefits of Enterprise State Roaming
Let’s check the benefits of Enterprise State Roaming.
- ESR provides the same end-user experience across Windows devices.
- Reduce the time needed for the end-user to configure the new device.
- Settings synced between Windows 10 and Azure are secured (Encrypted with RMS).
Pre-requisites for Enterprise State Roaming (ESP)
Let’s check the Prerequisites for Enterprise State Roaming (ESP).
- Azure Active Directory Premium subscription.
- Windows Creators Update (Build 15063) or above.
- Win 10 computers should be Azure AD or Hybrid Azure AD joined.
- UWP ESR-enabled applications*
Enterprise State Roaming (ESP) Schema Diagram – High-level workflow
Let’s check the Enterprise State Roaming (ESP) Schema Diagram and high-level architecture diagram.
1. User 1 login to Client 1
- Enterprise State Roaming settings from client 1 synced with Azure data center (Azure Regions).
Before roaming settings leave the computer, they are encrypted using RMS, built into Windows 10. This encryption activity happens behind the scenes.
- A separate subscription for Azure RMS is not required to use the Enterprise State Roaming feature.
2. Sync communication
- The communication between Win 10 client and Azure is secured (encrypted).
Only roaming settings are captured from Win 10 and stored in an Azure blob. User data is not included.
3. Datacenter Storage
Settings are stored in the Microsoft Azure data center where your tenant subscribed.
For example, if your tenant is subscribed to APAC, settings will be stored in one of the Asia Azure regions.
4. User 1 login to client 2
Enterprise State Roaming(ESR) settings with the latest timestamp stored in the Azure downloads to Client 2.
ESR client component in Windows 10 download and apply the settings.
What data is captured by Enterprise State Roaming?
ESR settings are classified into two
(1) Windows settings (2) Application data:
The below table shows different setting areas captured with examples.
Challenges with Enterprise State Roaming
While considering any feature, it’s important to understand challenges as well. This post below is the challenge with the ESR feature at the time of writing.
Note 1: We know that most apps are desktop apps in the enterprise. The ESR feature does not include Win 32-based or desktop app settings, which means that most app settings are not captured using the Enterprise State Roaming feature. This is a significant limitation to note.
Note 2: Enterprise State Roaming for Windows 10 is available in most countries but not everywhere. The Azure Region (Data Center) is open in the US, Europe, Asia, etc. Refer here to understand the different Azure regions list.
Note 3: Data privacy and regulation is another point. ESR will store settings in the Azure region where the tenant is subscribed. It will not sync across countries.
Note 4: There is no option to configure when Roaming settings should apply or sync the client. After the user logs in, ESR Settings may apply anytime (asynchronous). Admins or users don’t have any control.
NOTE! However, in the autopilot scenario, I have seen most of the ESR settings applied as soon as users enrol and see the desktop for the first time.
Note 5: We can monitor the sync status at the device level. However, the Azure console does not offer an option to monitor the sync status for each roaming setting.
How to enable Enterprise State Roaming?
This section will review the steps to enable enterprise roaming for the user group.
- Login into the Azure portal
- Click Azure Active Directory
- Click Devices
- Click ESR
- Specify a group of users that you want Enterprise State Roaming enabled
How to turn off Enterprise State Roaming for a device group
Enterprise state roaming feature is tagged to the user. This roaming feature will apply to all devices where users log in. Let’s consider a scenario where IT doesn’t want a roaming setting on a particular group of devices.
In this scenario, you can create a CSP to turn off sync and deploy it to the device groups where synch needs to be turned off.
As shown, CSP will turn off Enterprise state roaming (ESR).
./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
After CSP deployment, you can see synch gets turned off.
Troubleshooting
Let’s try to explore some monitoring and troubleshooting areas. Azure console:
We can track the Enterprise State Roaming synch status from the Azure portal for your computers.
Follow the below steps:
- Select Azure Active Directory > Users > All users.
- Select the user, and then select Devices.
Under Show, select Devices syncing settings and app data to show sync status. Note the one with the latest synch time stamp if you have multiple devices.
- Verify the device and its synch status.
Verify Roaming settings locally – Enterprise State Roaming ESR
As shown below from your win ten computers, you can verify whether your account is configured for ESR or not.
If your account is not enabled for the ESR feature, you will see the error message state below.
Sync is not available for your account.Contact your system administrator to resolve this
Check the Device registration status.
Your computer should be either Azure AD or Hybrid Azure AD. You can check its status using the below command.
If your computer is not an Azure AD or Hybrid Azure AD device, you may see the below error.
Some Windows feature are only available if you are using a Microsoft account or work account
Event viewer
Event viewer helps to understand client-side Enterprise State Roaming activity. You can see sync logs under:
Event Viewer > Applications and Services Logs > Microsoft > Windows > Settingsync-Azure
Below are the different events captured from Windows 10 clients for reference.
You can see IE settings synch events below.
Sync operation started for browsersettings-wininet-internet-explorer, SyncOperationFlags: 4, IsDeviceTrusted: trueFile onecoreuap\shell\roaming\settingsynchost\lib\syncstate.cpp line 287
Successfully synced one setting from cloud storage to Windows for collection browsersettings-wininet-internet-explorer
Successfully applied 0 setting unit(s) and failed to use one setting (s) unit to cloud storage for collection browsersettings-favoriteurls-internet-explorer
You can also see some of the IE sync settings failed to apply.
You can see windows theme settings are synced and applied.
The local provider requested a sync of the collection Windows-Theme. (operation: 0, Result: 0x0)
Attempting to sync settings from Windows to cloud storage
An upload sync session was scheduled for collection windows-explorer. (Result: 0x0)
The below events will help to understand whether synch settings are successful or failures.
Successfully synced three settings from cloud storage to Windows for collection browsersettings-favoriteurls-internet-explorer
Task manager:
The below process “SettingSyncHost.exe” plays a key role in synching the Enterprise State Roaming settings. You can track this processing activity while troubleshooting.
Scheduled task
There are two scheduled tasks related to Enterprise State Roaming on Windows 10
- BackgroundUploadTask
- NetworkStateChangeTask – This task will execute once your account is enabled for enterprise state roaming.
Multi-factor Authentication (MFA )
During Autopilot enrollment, ensure you complete second-factor authentication if MFA, like Windows Hello for business, is enabled.
In the Windows Autopilot scenario, I observed that Enterprise State Roaming settings sync fails if we postpone the second factor, such as Hello PIN.
Network – Firewall, Ports, and Proxy configuration
We must ensure your network’s firewall, ports, and proxy are not blocking the sync activity. Please make sure Azure URLs are allowed in your system.
During Enterprise State Roaming sync activity on Windows 10, we can see Windows 10 access Azure URLs like *.one.microsoft.com. The primary endpoint URL varies based on your Azure subscription region. Below is an example.
| Region | Azure Primary endpoint URL |
|---|---|
| Example 1: Southeast Asia | https://kailani10.one.microsoft.com |
| Example 2: East US |
https://kailani1.one.microsoft.com |
Refer here for more details about the URLs accessed by Enterprise State Roaming based on the region.
Other common issues
Refer here, If you want to know more details about some of the known issues with Enterprise State Roaming and troubleshooting.
End Result
User 1 logged in to first client 8 (first) and later to second client 9 (second). For example, user settings are roamed.
- Taskbar position from client eight is roamed to client 9
- Wallpaper from client eight is wandered to client 9
- Edge favourites from client eight are walked to client 9
- IE favourites from client eight are walked to client 9
Resources
- MDM Diagnostics Tool – Tips & Tricks – Windows Autopilot Troubleshooting
- Repurpose Existing Devices to Windows Autopilot – SCCM or MDT?
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Vimal has more than 10 years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about SCCM, Windows 10, Microsoft Intune, and MDT.
Great write up. thanks
hallo,
Maybe you can help me?
Microsoft is trying to help but they don’t understand what is wrong, for 5 months now.
My ESR is not working, it did work but now it is broken and I do not know why.
– License Azure AD Premium P1
– In Azure AD devices “Users may sync settings and app data across devices”: all
– In the Settings app all in set to ‘’on’’
– All the info in dsregcmd /status is oke
– Scheduled task are there and I can run them
– There is no Windows hello active
But I have a log of erros in the logs in eventvwr “SettingSync”, almost all the same but the number after .cpp(xxx) are different
– shell\roaming\settingsync\explorersettinghandler.cpp(315)\SettingSync.dll!00007FFAAAA097F0: (caller: 00007FF73A6E1699) ReturnHr(4) tid(2a68) 80070002 The system cannot find the file specified.
The exe file “SettingSyncHost.exe” is available in the system32 folder but I don’t see it in the taskmgr, and if I run it, it will not start (I think)
After reinstalling a device and join it to Azure the error are directly back in eventvwr
Do you or someone have any tips?
This drives me nuts
Apparently some features of ESR (including wallpaper!) are deprecated:
https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
Not that I can confirm from the MS Link …rather ESR back-end storage system is changed!
Sync your settings (updated: August 17, 2017) Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The Sync your settings options and the Enterprise State Roaming feature will continue to work.
Personalization roaming Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release.
Ive got the issue that the scheduled tasks arent there. I think thats the problem why it doesnt work.
Enterprise State Roaming is active, the device is also cloud joined. Ive reinstalled the computer a couple of times.
Any ideas about that?