This time I will have a quick test-drive of the Enterprise State Roaming Feature (ESR) with a hybrid Azure AD joined device, for those of us still using our own AD.
Enterprise State Roaming will offer a secure synchronization of user settings from Windows and applications to the cloud.
You can think of it as the modern roaming profiles, but it will not roam existing Windows desktop apps (Win32 apps), in order to roam these settings we need UE-V (preferred before the old roaming profile).
We also need to be aware that Enterprise State Roaming only is available with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.
Azure Active Directory Connect must be setup and configured for Hybrid Azure AD Join and the Service Connection Point (SCP) must be configured (Azure AD Connect will take care of this with the right credentials).
We can use Pass Through Authentication (PTA) or Password Hash Sync (PHS) on managed domains (so for now we forget about federated domains).
The automatically SCP setup requires Azure AD connect at version 1.1.819.0 or newer, this will significantly simplify the configuration process.
If you are not synchronizing all OU’s, make sure that the one used for the client is selected:
Then for the devices in question we will create a Group policy object, enabling devices to register in Azure AD:
This registration will take some time, because we have to wait until Windows 10 has registered and Azure AD connect has synchronized.
On the client you can use the command dsregcmd /status – this will show the current status of the client:
In the computer certification store you must also see two new certificates like the ones shown here:
In Azure Active Directory – Devices you can se the client and that it is Hybrid Azure AD joined:
SCCM can also be used instead of the GPO approach, use client settings:
But now the client has hybrid joined we are ready to test Enterprise State Roaming, first we create a test user in the local Active Directory.
When testing Enterprise State Roaming on a managed domain (not federated), it is very important that you use a routable login ID with a valid verified domain, if you use non-routable domains – ESR will not work.
You can test with a onmicrosoft.com domain if you add the domain to your Alternative UPN suffixes and use it on the user.
Don’t use mixed case User Principal Name.
Let’s start a Azure AD connect sync to speedup the process:
Start-ADSyncSyncCycle -PolicyType Delta
We can see the user In Azure Active Directory – Users when synchronization has occurred:
In Azure Active Directory go to Devices – Enterprise State Roaming:
We will select the user who should use Enterprise State Roaming, it can of course be a group also a synchronized group from the local AD.
So here we choose Selected and click on No member selected:
Select Add members:
Select the user in question and click select:
Select OK:
And finally save the changes:
Now lets login to the local domain with our new user:
Go to Windows Settings and Accounts:
Select Sync your settings and make sure Sync settings is on:
Lets do a simple change by moving the taskbar to the left side:
Then login on another client with the same user, and watch the change propagate to the second machine within five minutes (ESR in action).
Locking and unlocking the screen (Win + L) can help trigger a sync.
Individual sync settings can be disabled by using Group Policy (GPO):
GPO in effect:
The next question is what data roams?
Windows settings: the PC settings that are built into the Windows operating system. Generally, these are settings that personalize your PC, and they include the following broad categories:
- Theme, which includes features such as desktop theme and taskbar settings.
- Internet Explorer settings, including recently opened tabs and favorites.
- Microsoft Edge browser settings, such as favorites and reading list.
- Passwords, including Internet passwords, Wi-Fi profiles, and others.
- Language preferences, which includes settings for keyboard layouts, system language, date and time, and more.
- Ease of access features, such as high-contrast theme, Narrator, and Magnifier.
- Other Windows settings, such as mouse settings.
Application data: Universal Windows apps can write settings data to a roaming folder, and any data written to this folder will automatically be synced.
I would be very nice also to see UE-V settings roam to the cloud, but not there yet….
In Azure AD we can see the user’s devices syncing settings, Select Azure Active Directory – Users – Select the user in question – Devices, and select Devices syncing settings and app data
Now test in your own environment.