
Tuesday, January 29, 2019

Enterprise State Roaming

This time I will take a quick test-drive of the Enterprise State Roaming (ESR) feature with a hybrid Azure AD joined device, for those of us still running our own Active Directory.

Enterprise State Roaming offers secure synchronization of user settings from Windows and applications to the cloud.

You can think of it as the modern roaming profile, but it does not roam the settings of classic Windows desktop apps (Win32 apps); to roam those we still need UE-V (which is preferable to the old roaming profiles).

Be aware that Enterprise State Roaming is only available with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

Azure Active Directory Connect must be set up and configured for Hybrid Azure AD Join, and the Service Connection Point (SCP) must be configured (Azure AD Connect takes care of this when given the right credentials).

We can use Pass-through Authentication (PTA) or Password Hash Sync (PHS) on managed domains (so for now we forget about federated domains).

image

Automatic SCP setup requires Azure AD Connect version 1.1.819.0 or newer; this significantly simplifies the configuration process.

If you are not synchronizing all OUs, make sure the one containing the client is selected:

image

Then, for the devices in question, we create a Group Policy Object that enables devices to register in Azure AD:

image

This registration takes some time, because we have to wait until Windows 10 has registered and Azure AD Connect has synchronized.

On the client you can run the command dsregcmd /status, which shows the current status of the client:

image

In the computer certificate store you should also see two new certificates like the ones shown here:

image

In Azure Active Directory – Devices you can see the client and that it is Hybrid Azure AD joined:

image

SCCM can also be used instead of the GPO approach; use client settings:

image
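Rather than reading the dsregcmd /status screenshot by eye, the hybrid-join check can be scripted. This is an added example, not code from the original post: it parses the "Key : Value" lines of dsregcmd /status (DomainJoined, AzureAdJoined, TenantName and DeviceId are fields of that output) and reports whether the client is hybrid joined. Run it in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example: confirm a client is hybrid Azure AD joined by parsing the
# "Key : Value" fields that dsregcmd /status prints.

function Get-DsregState {
    # Run dsregcmd and turn every "Key : Value" line into a hashtable entry.
    # Banner and separator lines do not match the pattern and are skipped.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([hashtable]$State = (Get-DsregState))
    # Hybrid Azure AD joined means joined to the on-prem domain AND to Azure AD.
    $domain = $State['DomainJoined'] -eq 'YES'
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $aad
        HybridJoined  = ($domain -and $aad)
        TenantName    = $State['TenantName']
        DeviceId      = $State['DeviceId']
    }
}

$result = Test-HybridJoin
$result | Format-List
if (-not $result.HybridJoined) {
    # Registration is asynchronous: the GPO-triggered task has to run and
    # Azure AD Connect has to sync the device object before this turns YES.
    Write-Warning 'Not hybrid joined yet; wait for registration and the next Azure AD Connect delta sync, then rerun.'
}
```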

Now that the client is hybrid joined we are ready to test Enterprise State Roaming. First we create a test user in the local Active Directory.

When testing Enterprise State Roaming on a managed domain (not federated), it is very important that the user has a routable login ID with a valid, verified domain; with a non-routable domain, ESR will not work.

image

You can test with an onmicrosoft.com domain if you add it to the Alternative UPN suffixes of the forest and use it on the user.

Don't use a mixed-case User Principal Name.

image

Let's start an Azure AD Connect sync to speed up the process:

Start-ADSyncSyncCycle -PolicyType Delta

image
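The two user requirements above (routable, verified UPN suffix and no mixed case) are easy to get wrong by hand, so here is an added example, not code from the original post, that validates the UPN before creating the test user and then starts the same delta sync. It assumes the ActiveDirectory and ADSync modules are present on the Azure AD Connect server; the user name, the contoso.onmicrosoft.com suffix and the OU path are placeholders.

```powershell
# Added example: create an ESR test user with a routable, lowercase UPN in
# the on-prem AD, then push it to Azure AD with a delta sync.
Import-Module ActiveDirectory

function Test-RoutableUpn {
    param([Parameter(Mandatory)][string]$Upn)
    $user, $suffix = $Upn -split '@', 2
    if (-not $suffix) { throw "UPN '$Upn' has no domain suffix" }
    # Mixed-case UPNs broke the test in the post, so insist on all lowercase.
    if ($Upn -cne $Upn.ToLowerInvariant()) { throw "UPN '$Upn' is not all lowercase" }
    # Single-label or private suffixes can never be verified in Azure AD.
    if ($suffix -notmatch '\.' -or $suffix -match '\.(local|internal|lan)$') {
        throw "UPN suffix '$suffix' is not routable; ESR will not work"
    }
    # The suffix must also be one this forest allows, or New-ADUser fails later.
    $forest  = Get-ADForest
    $allowed = @($forest.UPNSuffixes) + $forest.RootDomain
    if ($suffix -notin $allowed) {
        throw "'$suffix' is not an alternative UPN suffix in forest $($forest.Name)"
    }
    return $true
}

function New-EsrTestUser {
    param(
        [string]$Name   = 'esrtest01',                              # placeholder
        [string]$Upn    = 'esrtest01@contoso.onmicrosoft.com',      # placeholder
        [string]$OuPath = 'OU=ESR Test,DC=corp,DC=contoso,DC=com'   # placeholder
    )
    Test-RoutableUpn -Upn $Upn | Out-Null
    $password = Read-Host -AsSecureString -Prompt "Password for $Name"
    New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName $Upn `
        -Path $OuPath -AccountPassword $password -Enabled $true -PassThru
}

$user = New-EsrTestUser
$user | Select-Object SamAccountName, UserPrincipalName, DistinguishedName

# Do not wait for the 30-minute scheduler: run a delta sync now.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```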

We can see the user in Azure Active Directory – Users once synchronization has occurred:

image

In Azure Active Directory go to Devices - Enterprise State Roaming:

image

We select the user who should use Enterprise State Roaming; it can of course also be a group, including a group synchronized from the local AD.

So here we choose Selected and click on No member selected:

image

Select Add members:

image

Select the user in question and click select:

image

Select OK:

image

And finally save the changes:

image

Now let's log in to the local domain with our new user:

image

Go to Windows Settings and Accounts:

image

Select Sync your settings and make sure Sync settings is on:

image

Let's make a simple change by moving the taskbar to the left side:

image

Then log in on another client with the same user and watch the change propagate to the second machine within five minutes (ESR in action).

Locking and unlocking the screen (Win + L) can help trigger a sync.

image

Individual sync settings can be disabled by using Group Policy (GPO):

image

GPO in effect:

image
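Because passwords and Wi-Fi profiles are among the categories that roam, it is worth verifying on the client which categories the GPO actually blocks rather than trusting the editor view. This is an added example, not code from the original post: it reads the policy key that the SettingSync ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync. The value names and the convention that 2 means "do not sync" (and the matching *UserOverride value 1 means the user cannot re-enable it) are assumptions from that ADMX.

```powershell
# Added example: report which Enterprise State Roaming sync categories the
# GPO has blocked on this client, by reading the SettingSync policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'   # assumed path

function Get-SettingSyncPolicy {
    param([string]$Key = $PolicyKey)
    # Policy value name -> category it controls (names assumed from the ADMX).
    $categories = [ordered]@{
        DisableSettingSync                = 'All sync'
        DisableCredentialsSettingSync     = 'Passwords'
        DisableWebBrowserSettingSync      = 'Browser settings'
        DisablePersonalizationSettingSync = 'Theme / personalization'
        DisableApplicationSettingSync     = 'App settings'
        DisableWindowsSettingSync         = 'Other Windows settings'
    }
    # No key at all means no GPO has applied yet: everything is allowed.
    $props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $categories.Keys) {
        $value    = if ($props) { $props.$name } else { $null }
        $override = if ($props) { $props."${name}UserOverride" } else { $null }
        [pscustomobject]@{
            Category            = $categories[$name]
            Policy              = $name
            Value               = $value
            Blocked             = ($value -eq 2)      # assumed: 2 = do not sync
            UserOverrideBlocked = ($override -eq 1)   # assumed: 1 = user cannot re-enable
        }
    }
}

$report = Get-SettingSyncPolicy
$report | Format-Table Category, Blocked, UserOverrideBlocked, Value -AutoSize
if (-not ($report | Where-Object { $_.Category -eq 'Passwords' }).Blocked) {
    Write-Warning 'Password/Wi-Fi profile roaming is still allowed on this client.'
}
```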

The next question is what data roams?

Windows settings: the PC settings that are built into the Windows operating system. Generally, these are settings that personalize your PC, and they include the following broad categories:

  • Theme, which includes features such as desktop theme and taskbar settings.
  • Internet Explorer settings, including recently opened tabs and favorites.
  • Microsoft Edge browser settings, such as favorites and reading list.
  • Passwords, including Internet passwords, Wi-Fi profiles, and others.
  • Language preferences, which includes settings for keyboard layouts, system language, date and time, and more.
  • Ease of access features, such as high-contrast theme, Narrator, and Magnifier.
  • Other Windows settings, such as mouse settings.

Application data: Universal Windows apps can write settings data to a roaming folder, and any data written to this folder will automatically be synced.

It would be very nice to see UE-V settings roam to the cloud as well, but we are not there yet.

In Azure AD we can see the user's devices syncing settings: select Azure Active Directory – Users, select the user in question, go to Devices, and select Devices syncing settings and app data.

image

Now test in your own environment.
