I’ve been looking forward to this post for some time now. Those of you who saw our blog series on enterprise functionality in Windows 10 last year would have read that we were working on building an enterprise compliant service to sync OS settings across Azure AD joined Windows 10 devices. Well it’s finally here! Today we are announcing the public preview of Enterprise State Roaming for Windows 10.
I have invited Gunjan Jain, a Program Manager on the Windows Server and Services team to tell you more about it. Give Enterprise State Roaming a try and let us know what you think.
Alex Simons (@Alex_A_Simons)
Director of Program Management
Microsoft Identity and Security Services Division
I’m Gunjan Jain, one of the PMs in Microsoft’s Windows Server and Services team. I have been working with the Azure AD and Windows client teams to bring Enterprise State Roaming in Windows 10 to life! Today I am really thrilled to announce the public preview of the Enterprise State Roaming for Windows 10.
As you’re probably aware, ‘settings sync’ has existed since Windows 8 and 8.1. It allows consumers to sync OS settings and Universal Windows Platform application data across all their personal Windows devices. It uses a personal Microsoft Account and a consumer OneDrive folder in the cloud to achieve this. Enterprise State Roaming – or ‘OS State Roaming’ as we referred to it in the Bringing the cloud to enterprise desktops series of blog posts, well before it had a real name – brings the exact same user experience to enterprise users!
The big difference between Enterprise State Roaming and settings sync lies under the hood. As much as the settings sync feature is well loved by consumers, it does not meet many enterprise customers’ needs. IT admins want to retain control of corporate data, even when an employee leaves the company. Enterprise users also want to separate work and personal data on their devices. They don’t want their corporate Wi-Fi passwords syncing to the cloud along with their favorite game’s high score. Enterprise State Roaming in Windows 10 solves these problems for corporate owned devices because data is roamed using Azure AD identities and is backed by storage in the Azure cloud.
Enterprise State Roaming enables a number of benefits for enterprise customers. Among them are:
- Separation of corporate and consumer data – No mixing of enterprise data in a consumer cloud account or consumer data in an enterprise cloud account.
- Enhanced security – All data is encrypted on the user’s Windows 10 device before it leaves the device, using Azure Rights Management (Azure RMS), and stays encrypted at rest in the cloud. The one exception is the namespaces, such as setting names and Windows app names, which are not encrypted. You don’t need a separate paid Azure RMS subscription to use this service: Microsoft provides a free, limited-use Azure RMS service restricted to Enterprise State Roaming.
- Better management – More control and visibility over who syncs settings in your organization and on what devices.
- Geographic location of data in the cloud – Data is stored in an Azure region chosen based on the country associated with the Azure AD directory. We understand it is important to some of our enterprise customers that data stays within their geographic boundaries for compliance reasons.
Please note that at the time of this public preview, the service is available in the US and Europe regions only. We plan to roll the service out globally in the near future.
What do I need to deploy Enterprise State Roaming?
All you need to deploy Enterprise State Roaming in your organization is the following:
An Azure Active Directory Premium subscription. Enterprise State Roaming requires Azure AD Premium, and at GA users will need to have Premium licenses assigned to use this service.
Windows 10 (Version 1511, Build 10586 or greater). Devices must be either Azure AD joined, or AD domain joined with automatic registration to Azure AD.
How do I configure Enterprise State Roaming?
Enterprise State Roaming is also easy to set up – everything can be done in the Azure Admin Portal.
Just log in to the Azure Admin Portal, go to Active Directory, select the directory that you want to enable the service for, click on the Configure tab and scroll down to “Users may sync settings and enterprise app data”.
Select All or specify users or Security Groups in the Selected field for the users you want to enable roaming for – and hit Save.
If you don’t see the configuration settings, your tenant probably does not have an Azure AD Premium subscription. Click here to learn more about Azure AD Premium benefits and how to get a subscription.
If you receive the error “Unable to save Device Registration Settings” with details showing “The feature is not yet available in your region,” it is likely your tenant is not set up in one of the supported US or Europe regions.
Once you save these settings, your Windows 10 devices that are joined to Azure AD, or domain joined and registered with Azure AD, will automatically start syncing settings through the Azure cloud using enterprise accounts.
Users can also control which settings roam between their devices using the Sync your settings page in Windows. This can be found by going to the Accounts section of the Settings app.
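Before expecting a device to start roaming, it helps to confirm from the client side that it meets the requirements above. The following PowerShell check is an added example, not code from the post or from Microsoft: it reads the OS build, looks for Azure AD join information, and checks whether a “Do not sync” group policy would block roaming. The registry paths and value names (the CloudDomainJoin\JoinInfo key and the Policies\…\SettingSync values) and the function name are assumptions drawn from common Windows troubleshooting practice, not anything this post documents.

```powershell
# Added example: client-side readiness check for Enterprise State Roaming.
# Assumptions (not from the post): the registry locations and value names below.
function Test-EsrReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. OS build. The post requires Windows 10 version 1511, build 10586 or later.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $result.Build   = $build
    $result.BuildOk = ($build -ge 10586)

    # 2. Azure AD join / registration state. Assumption: a joined or registered
    #    device records its join info under CloudDomainJoin\JoinInfo, one subkey
    #    per device certificate thumbprint, carrying TenantId and UserEmail.
    $joinRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    $join = Get-ChildItem $joinRoot -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Select-Object -First 1
    $result.AzureAdJoined = [bool]$join
    $result.TenantId      = $join.TenantId
    $result.JoinedAs      = $join.UserEmail

    # 3. Settings sync policy. Assumption: the "Do not sync" group policies are
    #    written under Policies\Microsoft\Windows\SettingSync, where a value of 2
    #    disables the corresponding sync category for all users on the device.
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
    $pol = Get-ItemProperty $polPath -ErrorAction SilentlyContinue
    $result.SyncDisabledByPolicy           = ($pol.DisableSettingSync -eq 2)
    $result.CredentialSyncDisabledByPolicy = ($pol.DisableCredentialsSettingSync -eq 2)

    # A device is a roaming candidate only if all three checks pass; the tenant-side
    # toggle in the Azure portal and the user's own "Sync your settings" choices
    # still apply on top of this.
    $result.Ready = $result.BuildOk -and $result.AzureAdJoined -and
                    -not $result.SyncDisabledByPolicy

    [pscustomobject]$result
}

Test-EsrReadiness | Format-List
```

Run it in an elevated PowerShell session on the device. The credential-sync check is included because, as noted earlier in the post, roaming of corporate Wi-Fi passwords is exactly the kind of data an admin may want to scope deliberately; under the assumed policy layout, the Passwords category can be blocked on its own without disabling the rest of settings sync.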
So, what account is really being used for roaming?
In Windows 8 and Windows 8.1, roaming always happens through a connected Microsoft Account via the consumer OneDrive cloud – even on corporate owned Domain Joined devices. This is still possible today for organizations and users who are willing to allow personal accounts on corporate owned devices. However, the advent of Azure AD Join in Windows 10 gives us the capability to drive cloud services using work or school accounts – even on Domain Joined machines. With Enterprise State Roaming, OS settings use this account to authenticate to the Enterprise State Roaming service back-end (which in turn uses Azure storage) to roam data between devices.
A personal Microsoft Account can still be added to an Azure AD joined Windows 10 machine as a secondary account – allowing personal apps and data to be used on the device. In this configuration however it is important to note that:
- The OS settings always roam with the primary account
- App state data roams based on the identity used to acquire the app
Note that multiple identity support for roaming is not yet available in current builds of Windows 10. So, if you log into a corporate owned device with your enterprise credentials, the OS settings and the state of Windows apps acquired using the enterprise account will roam using the Azure AD account. The state of Windows apps acquired using your secondary personal Microsoft Account will not roam. Similarly, if you log into a personally owned device with a Microsoft Account, the OS settings and the state of Windows apps acquired using that Microsoft Account will roam via the consumer OneDrive cloud, but the state of Windows apps acquired using the enterprise account will not roam.
Tip – Check the account identity on the “Sync your settings” page on the device to determine which account is being used for syncing.
That’s it! If you’ve read this far, thanks a ton for your time! We really appreciate your interest! Please give this feature a try and send us your questions and feedback.
Gunjan Jain (@gunjanjain123)
Senior Program Manager
Microsoft Windows Server and Services Division