
Friday, August 21, 2020

Modern Roaming Profile - Enterprise State Roaming (ESR) + UE-V


Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

It enables users to sync user and application settings across devices. It is an upgraded version of what you probably know as Roaming Profiles, but with no on-premises server involved.

What if we could have an environment where device replacement would have much less impact on users?

Read along!


Requirements:

  • Azure Active Directory Premium subscription.
  • Windows 10 Creators Update (Build 15063) or above.
  • Windows 10 computers must be Azure AD joined or Hybrid Azure AD joined.


How to enable ESR in your Azure tenant


How to enable ESR on the clients

Easy: it applies automatically to the user once the setting in Azure has been set.

If you are in a hybrid environment, my colleague Lars Lohmann has created a thorough guide on how to:


How to disable ESR on specific clients using Intune

Sometimes we have different needs. As ESR is enabled per user, it will be enabled on every Azure AD enabled device that user signs in to. If you have groups of devices where this setting should not apply, simply create a policy that disables it at device level.

Devices -> Windows -> Configuration profiles -> Create Profile -> Windows 10 and later -> Custom




Fill in the custom OMA-URI setting:

- Name: ESR Sync Disable

- Description: Enable Enterprise State Roaming

- Data type: Integer

- Value: 0

Hit “Add”, then Next.


Assign it to a test group


Press Select -> Next -> Create


What is synced by Enterprise State Roaming?



How to make a nice device platform with UE-V

A lot of businesses are still running legacy applications, and the benefit of moving towards MSIX has not been big enough to make it happen. Also, not all apps can be packaged as MSIX, as the format has limitations. If you want a desktop roaming solution for items other than those covered in the matrix above, you must use UE-V and add the settings you want to roam. Let us have a look at how to do that.

Instead of writing a post on how to do UE-V, Aaron Parker (follow this guy, he is brilliant) has already written an extensive post on how to set it up and how to deal with having no on-prem servers.


UE-V Templates ready to download


Custom UE-V templates to fit your needs


Known Issues

There are always known issues, and I am not going to rewrite what Microsoft has already documented well. There are known issues on different versions of Windows, and some settings do not work. I recommend you check the list before ripping out your hair in frustration if you see any trouble in your environment.


To ensure data roaming across devices in a modern world where on-prem servers are not present, we can build a nice environment by combining 3 technologies.

  • Enterprise State Roaming
  • User Experience Virtualization
  • OneDrive

This makes it easier for the user to get a new device when the current one is broken, or is just old and needs to be replaced.

Wednesday, August 19, 2020

Microsoft Endpoint Analytics – Proactive remediations


Proactive remediations in Endpoint analytics help your organization fix common issues automatically. Things that you know are broken or keep recurring can be automated, and your helpdesk and admins will save time. It can also be used for monitoring your environment, and in this blog post I will show you how to monitor whether your Windows clients are licensed. This can save you some time when the Microsoft audit visits.









Example: how to monitor whether Windows is activated

Go to

Reports -> Endpoint analytics (Preview) -> Proactive remediations

Create Script Package



Give the package a name and description that document themselves


Add script

Can be downloaded from here

If you wonder where the values came from, check out this site



Leave out the remediation script unless you want to activate devices that turn out not to be licensed.



Assign a group to apply remediation to



I start with a test group where the only member is myself.




Now sit back and relax. Within the next 24 hours you will start to see results from the script.
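The detection script itself is linked rather than shown above, so here is an added example of what such a script looks like. It is my own illustration, not the blog's downloadable script, and it relies on the documented SoftwareLicensingProduct WMI class and the Proactive remediations exit-code convention (exit 0 = compliant, exit 1 = issue found); the first line written to output is what shows up in the detection output column of the report.

```powershell
# Added example: Proactive remediations detection script for Windows activation.
# Exit code 0 = compliant (no remediation triggered), exit code 1 = issue found.
# LicenseStatus values are those of the SoftwareLicensingProduct WMI class.
$statusNames = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'OOBGrace'
    3 = 'OOTGrace'
    4 = 'NonGenuineGrace'
    5 = 'Notification'
    6 = 'ExtendedGrace'
}

try {
    # Office licenses live in the same class, so keep only Windows products
    # that actually have a product key installed.
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct -ErrorAction Stop |
        Where-Object { $_.Name -like 'Windows*' -and $_.PartialProductKey }

    if (-not $products) {
        Write-Output 'No Windows license product with a product key found'
        exit 1
    }

    # Any Windows product in status 1 (Licensed) means the device is activated.
    $licensed = $products | Where-Object { $_.LicenseStatus -eq 1 } | Select-Object -First 1
    if ($licensed) {
        Write-Output "Licensed: $($licensed.Name) [$($licensed.LicenseFamily)]"
        exit 0
    }

    # Otherwise report the first product's status by name so the report is readable.
    $first = $products | Select-Object -First 1
    $name = $statusNames[[int]$first.LicenseStatus]
    if (-not $name) { $name = "Unknown($($first.LicenseStatus))" }
    Write-Output "Not activated: $($first.Name) status=$name"
    exit 1
}
catch {
    # A failing query is reported as an issue rather than silently passing.
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 1
}
```

Run it as a detection-only package (no remediation script) if you just want the activation state reported per device, as the post suggests.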


Other script resources ready to copy and paste to your environment


Proactive remediations in Endpoint analytics can be used for reporting, not only for fixing broken stuff.




Happy testing!

Monday, August 10, 2020

Microsoft 365 Apps modern management, get rid of nag screens

How often have you clicked through numerous screens when starting the local Office package? I know I have done my fair share, and I am done with it.



As we move more and more services to the cloud, we also get new tools that provide control across our devices. Microsoft 365 Apps lets us work anywhere with online access, and with a local copy at home. We need tools that deliver policies to all locations, not only the office.

Work is not a place.


If you, like me, do not like prompts, tips or other “helpful” popups when using Office 365 on a new device, then you should read along.

In this guide I will use 3 techniques. I could easily put everything in a PowerShell script, but I like to use the tools Microsoft gives us.



2. Administrative Templates (Intune)

3. PowerShell script


Prompts we are removing: (some pictures in Danish)






Ok, so I have seen these prompts a ton of times, and I just want to use Office without having to click a million prompts.

First, set default policies so we can define a baseline that targets all accounts authenticating to Microsoft 365 Apps.


Go to

Log on as an administrator



Give it a default name


Click Assignments


Choose “this policy configuration applies to users”


(I create a test group before applying to all users. You might do the same.)

Target your Azure AD group


Configure Policies


Search for these policies and set them to “Enabled”


Hit Create


First step done. These settings will apply from the cloud on every device where you use your Office 365 account. Pretty neat!


Next, we want to remove the tips Microsoft gives us. I have not found a GPO for this, so here we need a PowerShell script. I already wrote one, so you can have mine.

Save the script to your device as we need to upload it to Intune.


Go to

Devices -> Windows -> PowerShell Scripts -> Add


Use a standard naming structure that documents itself.


Upload the script and “Run this script using the logged-on credentials”


Assign it by selecting a group


Again, I start with a test group before rolling new stuff out to everyone.


Add it


Ok, so we are pretty much ready for a silent start of every product in Microsoft 365 Apps for business.


The last thing to set up is Outlook, so it automatically configures the profile based on the primary SMTP address.

Go to

Devices -> Windows -> Configuration profiles -> Create Profile



Use naming standards, and make it easy to get an overview of your settings when debugging or reviewing them later.


Enable “Automatically configure only the first profile based on ac….”



Assign it to your test group




Happy testing!

Friday, August 7, 2020

How to activate app lock on Microsoft Authenticator app


The Microsoft Authenticator app has been around for a long time, originally released as a beta in 2016. It has served us well with easier and safer access to our resources using Microsoft accounts as well as Azure AD accounts. By using the app, we can do two-factor authentication without needing email or text message codes. Just hit the approve button when asked (if you know it is you it is prompting for, of course).

Now you can also use the app for passwordless sign-in (no big news there), which makes life easier for users and, not least, more secure.

This blog post is not intended to go into “how to configure the app” or how to use it, but to inform about a new feature change. The Microsoft Authenticator app has had an app lock for a long time, but it was set to “off”, which meant you had to enable the setting manually on every device using the app. In these days where users must do more and more themselves, it is not easy to make sure they remember to set the app lock.

There are different scenarios on mobile devices. I will give 2 examples:

Bring your own device (BYOD) and company owned device (COD). (I am not going to explain what they are in this blog post.)

So, what is all the fuss about? Let us have an example:

If you have a family, there are times when the kids just need to cool off and you let them sit with your phone. It would be terribly bad if someone with bad intentions tried to break into your account while the kids were playing, as they just tap whatever blocks their view of the current activity. That would let the intruder into your account, and there you have it.

With this app lock you get an extra layer of security, not just the PIN / biometrics of your phone.

So, what do we do about it?

Download the newest version of the Microsoft Authenticator app 6.4.22+ (Pictures in Danish)


My current version of Microsoft Authenticator


App lock NOT enabled.


Go to the app store and update, if your apps are not set to update automatically.


After updating a message pops up saying your app lock is now activated!


We confirm that we got the correct version installed


Perfect. App lock is activated by default, and that is the big news!

Intune cannot set this app lock, so it is either the manual way or updating to the newest version.