Enterprise State Roaming: How to Sync Settings Between Devices with Azure

Last update: 27/05/2025
Author Isaac
  • Enterprise State Roaming enables secure and efficient synchronization of settings between Windows devices using Azure.
  • ESR setup and management requires specific licenses, updated devices, and proper binding to Microsoft Entra ID.
  • Data security, retention, and deletion in ESR are strictly regulated, ensuring compliance with local regulations.


Today, efficient management of user settings and data has become a priority for businesses that use multiple Windows devices. Enterprise State Roaming (ESR) with Azure emerges as a key solution that allows organizations to synchronize settings and preferences between different devices, ensuring a consistent experience and saving time setting up new devices.

In this article, we'll explain this Microsoft feature in full: how to activate it, its advantages and limitations, the technical details of data storage and retention, common issues you may encounter, and recommendations to get the most out of it. If you have devices managed in Azure AD or are interested in optimizing your users' mobility, here's all the necessary information, compiled and clearly explained.

What is Enterprise State Roaming and what is it for?

Enterprise State Roaming is an advanced feature offered by Microsoft for companies that use Azure Active Directory (Azure AD, now known as Microsoft Entra ID). Its main objective is to automatically sync system settings and certain app preferences for each user, storing this information securely in the Azure cloud. This way, employees get the same user experience on any Windows device linked to their corporate account, without having to configure everything from scratch each time.

The feature was originally introduced for home users in Windows 8, but with the arrival of Azure AD, businesses can benefit from much more controlled and professional management of which settings are synchronized and under what conditions.

Advantages of using Enterprise State Roaming in your organization

Using ESR on Azure provides several strategic advantages for businesses and IT administrators:

  • Homogeneous experience: Users can achieve the same look and feel across all their Windows devices. If they upgrade or add a new computer, the settings stay with them.
  • Less time on initial setups: Considerable time is saved when setting up new equipment, as preferences such as language, desktop background, and even some application data are automatically transferred.
  • Centralized management: Administrators can define, limit, or extend the scope of data synchronization and view the status of devices and users from the Azure console.
  • Security and compliance: All synchronized data is stored in Azure regions that meet global security and privacy standards.

Prerequisites for enabling Enterprise State Roaming

To activate and use ESR, some technical and licensing requirements must be met:

  • Licenses: Your organization must have Microsoft Entra ID P1 or P2 licenses, or an Enterprise Mobility + Security (EMS) package that includes either of them.
  • Updated operating system: Devices must run Windows 10 version 21H2 or later, or Windows 11. Ideally, you should always have the latest update, so that features and security fixes are up to date.
  • Devices linked to Entra ID: It is essential that the device is joined to Azure AD (Microsoft Entra). If you're using a hybrid environment with on-premises Active Directory, you'll need to configure hybrid join for it to work properly.
  • Appropriate user account: It will only work for users who have mobility and synchronization enabled through policies set by the administrator.

It is worth remembering that ESR is an optional feature: it is not activated by default and must first be configured from the Azure administration console.

How do I enable Enterprise State Roaming step by step?

ESR activation is well documented and is a process that any Azure global administrator can perform relatively easily with the appropriate licenses. The main steps are:

  1. Sign in to the Microsoft admin center as a global administrator.
  2. Navigate to Entra ID > Devices > Overview > Enterprise State Roaming.
  3. Activate the option "Allow users to sync app settings and data across devices". You can do this for all users or just for specific groups, depending on your needs.
  4. For devices that are only in on-premises Active Directory, configure hybrid join so they recognize Azure AD and can participate in synchronization.
  5. It is essential that the devices reboot and users log in again for the new settings to take effect.

After completing these steps, authorized users will be able to enjoy enterprise status synchronization on their supported devices.

What type of information is synchronized with ESR?

A recurring question is exactly what data ESR can synchronize. Microsoft's documentation specifies that both operating system settings and some application preferences are synchronized. Some practical examples:

  • Desktop background (image and position)
  • Regional preferences (language, date and time format, etc.)
  • Taskbar layout
  • Wi-Fi passwords (if allowed by the organization)
  • Supported application-specific configurations
  • Other custom options that the user has modified and that support roaming

The list of specific settings may vary depending on the version of Windows and company restrictions. It's the administrator who, through policies, determines exactly what is allowed to sync and what isn't.


Where and how is synchronized data stored?

Secure storage is a fundamental part of Enterprise State Roaming. All synchronized information resides in the Azure infrastructure and is hosted taking into account the geographic location defined by the company when creating its Entra ID instance.

Microsoft segments storage into three broad areas: North America, EMEA (Europe, the Middle East, and Africa), and APAC (Asia-Pacific). For example, if your company is located in Spain, the data will be in European data centers, and it will not be replicated in other regions, except for justified reasons.

This approach ensures that compliance with local data protection regulations (such as the GDPR) is strictly observed. The country or region value is defined at the time of directory creation and cannot be modified afterward. If you have questions about the location of your data or need detailed information, you can open a support ticket in Azure.

How long does data stay synchronized in Azure?

Data retention in Enterprise State Roaming is well defined and responds to both efficiency and privacy criteria:

  • Manual removal: If the administrator deletes a user or directory, its associated data is deleted within 90 to 180 days. Manual deletion can also be requested for a specific user.
  • Obsolete data: If a particular configuration has not been used or accessed for at least one year, it is considered obsolete and may be removed from the cloud within a period of no less than 90 additional days.
  • Global deactivation: If ESR is disabled for the entire directory, all user settings stop synchronizing and are considered obsolete after the minimum retention period.

Once the data is deleted from the cloud, there is no possibility of recovering it. However, if a device still has the configuration locally and comes back online, it can be automatically uploaded back to the cloud.

How to troubleshoot common Enterprise State Roaming issues

Although the functionality is solid, sync issues may appear in practice. Microsoft emphasizes reviewing the following points whenever incidents occur:

  • Check system versions: Confirm that the device is running at least the minimum version (Windows 10 22H2 or higher).
  • Check the binding to Entra ID: It is critical that the device is properly joined to Azure AD or an approved hybrid environment.
  • Licenses: Ensure the user has a valid Entra ID P1 or P2 license.
  • Applied policies: ESR must be enabled for the affected user or group.
  • Restart: After changes or problems, restarting your computer and logging back in often fixes many minor issues.

In addition, to check that synchronization is working and which account is in use, we recommend going to Settings > Accounts > Sync Settings and checking if your work account is listed. You can also make simple changes (such as changing the language) and see if they're replicated on a second computer after a few minutes.

Detailed analysis of the most common problems and their solutions

In real life, very specific problems arise that can prevent ESR from working. Some of the most common ones are related to:

  • The device is connected but not syncing. This is often because the policy hasn't been applied yet, which can take hours in complex corporate environments.
  • Missing permissions, licenses, or proper user assignment.
  • The "Sync Settings" page displays messages such as "Some features are only available with a work or Microsoft account." This may be due to a lack of effective authentication against Entra ID.
  • Device registration issues in Azure AD, which can be diagnosed with the command "dsregcmd.exe /status" from a command prompt (CMD). If the AzureAdJoined and WamDefaultSet values are set to "NO," the situation will need to be analyzed and, if appropriate, the device registered manually or forced to register.

In many of these cases, an administrator can resolve the issue by disabling and re-enabling sync, restarting the computer, and ensuring that credentials and multi-factor authentication (MFA) are configured correctly.
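
The join-state check described above can be scripted so it is repeatable across devices. The following PowerShell is an added example, not code from the original article or from Microsoft; Get-DsregField and Test-EsrJoinState are hypothetical helper names, and the sample output is constructed.

```powershell
# Added example: evaluate the two dsregcmd fields the article names.
# Get-DsregField and Test-EsrJoinState are hypothetical helper names.
function Get-DsregField {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES"; banners and blanks do not match.
        if ($line -match '^\s*(?<name>[A-Za-z]\w*)\s+:\s+(?<value>\S.*?)\s*$') {
            if (-not $fields.ContainsKey($Matches['name'])) {
                $fields[$Matches['name']] = $Matches['value']
            }
        }
    }
    $fields
}

function Test-EsrJoinState {
    param([hashtable]$Fields)
    foreach ($name in 'AzureAdJoined', 'WamDefaultSet') {
        $value = if ($Fields.ContainsKey($name)) { $Fields[$name] } else { '<missing>' }
        [pscustomobject]@{
            Field = $name
            Value = $value
            Ok    = ($value -eq 'YES')   # anything other than YES needs analysis
        }
    }
}

# Constructed sample in the layout dsregcmd prints; values are illustrative only.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
             WamDefaultSet : NO
'@ -split "`r?`n"

# On a real device, run as the affected user (not elevated) and pass live output:
#   Test-EsrJoinState (Get-DsregField (& dsregcmd.exe /status))
Test-EsrJoinState (Get-DsregField $sample) | Format-Table -AutoSize
```

With the constructed sample, the device is joined but WamDefaultSet is NO, which matches the case where the device is connected yet the signed-in user's settings do not sync.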

Synchronization and multi-factor authentication: relationships and limitations

A critical point is the interaction between Enterprise State Roaming and multi-factor authentication (MFA) systems. When MFA is required at login, settings may not sync properly when the user signs in with a traditional password. This occurs because the system prevents automated processes that cannot complete the additional authentication.

For administrators, the recommended solution is for users to sign in with a PIN, such as Windows Hello, or to complete the MFA process when signing in to other Azure services, such as Microsoft 365. Additionally, if advanced conditional access policies are used via Active Directory Federation Services (AD FS) and these cause access tokens to expire, it is critical to log out and log back in using a PIN or complete the additional online authentication process.
