Enterprise Mobility End to End // Part 7 – Enterprise State Roaming and Windows Store for Business

The last module of this blog series will cover Enterprise State Roaming and the Windows Store for Business.
Enterprise State Roaming (ESR) is part of the "identity convergence" scenario between Active Directory (AD), Azure Active Directory (Azure AD), and a consumer's Microsoft Account (MSA). In Windows 8.1, MSA users have the ability to roam (sync) their PC settings and application data to multiple devices using OneDrive. Users enjoyed the feature, but enterprises do not always want to allow MSAs within their organization. This is because an MSA is a personal account, and the organization has no management control over the data when employees' personal MSAs are used. ESR adds support for roaming to Azure AD users with an Azure AD Premium subscription. Azure AD based roaming has the same client-side functionality as MSA based roaming, but enterprise IT has better management and monitoring control over the enterprise data, which is backed up by Azure cloud storage rather than consumers' personal OneDrive accounts.

The Windows Store for Business is a private store for your organization in the Windows Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company.


Set-Up Enterprise State Roaming (ESR)

With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device.

  • Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
  • Enhanced security – Data is automatically encrypted before leaving the user's Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
  • Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.

In Windows 10, only the primary account for the device can be used for settings sync. The primary account is defined as the account used to log into Windows – this can be a Microsoft account, an Azure Active Directory (Azure AD) account, an on-premises Active Directory account, or a local account. In addition to the primary account, Windows 10 users can add one or more secondary cloud accounts to their device. These secondary accounts are generally a Microsoft account, Azure Active Directory account, or some other account such as Gmail or Facebook. These secondary accounts provide access to additional services such as single-sign-on and the Windows Store, but they are not capable of powering settings sync.

Data is never mixed between the different user accounts on the device. There are two rules for settings sync:

  • Windows settings will always roam with the primary account.
  • App data will be tagged with the account used to acquire the app. Only apps tagged with the primary account will sync.

App ownership tagging is determined when an app is side-loaded through the Windows Store or when the app is side-loaded through mobile device management (MDM).

After an organization's IT admin enables the feature in the Azure Portal, ESR works as a delighter rather than as a scenario users need to be aware of. Roaming works silently in the background on Windows 10 devices and synchronizes settings such as desktop backgrounds, keyboard layouts, and credentials across all the user's connected devices. The most noticeable scenario for roaming is device replacement: if a user replaces his device, all of his settings sync from the cloud right after OOBE, so he doesn't need to waste time re-entering Wi-Fi passwords, finding his IE favorites/bookmarks, and personalizing his device with his user tile and background.


Enterprise State Roaming requires Azure Active Directory Premium. When you enable Enterprise State Roaming, your organization will be automatically granted licenses for a free, limited-use subscription to Azure Rights Management. This free subscription is limited to encrypting and decrypting enterprise settings and application data synced by the Enterprise State Roaming service; you must have a paid subscription to use the full capabilities of Azure Rights Management.

For devices that use a traditional on-premises Active Directory, the IT admin must connect the domain-joined devices to Azure AD for Windows 10 experiences.


What data roams?

  • Windows Settings: the PC settings that are built into the Windows operating system. Generally, these are settings that personalize the user's PC, and they include the following broad categories:
    • Theme: desktop theme, taskbar settings, etc.
    • Internet Explorer settings: recently opened tabs, favorites, etc.
    • Edge browser settings: favorites, reading list
    • Passwords: Internet passwords, Wi-Fi profiles, etc.
    • Language preferences: keyboard layouts, system language, date and time, etc.
    • Ease of access: high contrast theme, Narrator, Magnifier, etc.
    • Other Windows settings: command prompt settings, application list, etc.
  • Application data: Universal Windows apps can write settings data to a "roaming" folder, and any data written to this folder will automatically be synced. It's up to the individual app developer to design an app to take advantage of this capability.

Note: Windows 10 devices that are enterprise owned and are connected to Azure AD can no longer connect their Microsoft Accounts to a domain account. The ability to connect a Microsoft Account to a domain account and have all the user's data sync to the Microsoft Account (i.e. Microsoft Account roaming via the "connected Microsoft Account and Active Directory" functionality) is removed from Windows 10 devices that are joined to a connected Active Directory/Azure AD environment.

  1. Login to the Azure classic portal (https://manage.windowsazure.com).
  2. On the left, select ACTIVE DIRECTORY, and then select the directory for which you want to enable Enterprise State Roaming.

  3. Go to the CONFIGURE tab on the top.

  4. Scroll down the page and select USERS MAY SYNC SETTINGS AND ENTERPRISE APP DATA, and then click SAVE. (Global administrators can limit settings sync to specific security groups.)


What is Microsoft's recommendation for enabling roaming today in Windows 10?

Microsoft has a few different settings roaming solutions available, including Roaming User Profiles, UE-V, and Enterprise State Roaming. Microsoft is committed to making an investment in Enterprise State Roaming in future versions of Windows. If your organization is not ready or comfortable with moving data to the cloud, then Microsoft recommends that you use UE-V as your primary roaming technology. If your organization requires roaming support for existing Windows desktop applications, but is eager to move to the cloud, Microsoft recommends that you use both Enterprise State Roaming and UE-V. While UE-V and Enterprise State Roaming are very similar technologies, they are not mutually exclusive, and today they complement each other to ensure that your organization provides the roaming services that your users need.

When using both Enterprise State Roaming and UE-V, the following rules apply:

  • Enterprise State Roaming is the primary roaming agent on the device. UE-V is being used to supplement the "Win32 gap."
  • UE-V roaming for Windows settings and modern UWP app data should be disabled using the UE-V group policies, because these are already covered by Enterprise State Roaming.




Windows Store for Business (WSfB)

The Windows Store for Business is used to find, acquire, distribute, and manage apps for your organization. The private store is a feature in Store for Business that organizations receive during the sign-up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Windows Store for Business applies to Windows 10 and Windows 10 Mobile.

The first task for enterprises to get started is the sign-up process. Before you sign up, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign-up process. Step-by-step sign-up guidance is here. If you created your Azure AD directory during Store for Business sign-up, additional user accounts are required for employees to install apps you assign to them or to browse the private store. For more information, see Manage user accounts in Store for Business.

As an admin, you can now acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see Apps in the Windows Store for Business. The last decision you need to make as a company is whether to allow or block users from using the public store with their own Microsoft accounts.

Set-Up GPO to Allow Only Private Store

You can use Group Policy in Windows Server Active Directory to configure your Windows 10 domain-joined devices to only allow the private store and block the public store.

  1. Open Server Manager, and navigate to Tools > Group Policy Management.
  2. From Group Policy Management, navigate to the domain node that corresponds to the domain in which you want to enable Azure AD Join.
  3. Right-click Group Policy Objects, and select New. Give your Group Policy Object a name, for example, Enable Microsoft Passport. Click OK.
  4. Right-click your new Group Policy Object, and then select Edit.
  5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Store.
  6. Right-click Only display the private store within the Windows Store app, and then select Edit.
  7. Select the Enabled option button, and then click Apply. Click OK.
  8. You can now link the Group Policy Object to a location of your choice, for example:
     • A specific organizational unit (OU) in Active Directory where Windows 10 domain-joined computers will be located
     • A specific security group that contains Windows 10 domain-joined computers that will be automatically registered with Azure AD
     To enable this policy for all of the domain-joined Windows 10 devices in your organization, link the Group Policy to the domain.
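The same GPO steps can be scripted with the GroupPolicy module (RSAT) and verified on a client. This is an added example, not code from the original post; the GPO name, the target OU distinguished name, and the registry value RequirePrivateStoreOnly (the value behind the "Only display the private store within the Windows Store app" policy) are assumptions for the example.

```powershell
# Added example: scripted equivalent of the GPO procedure above.
# Run on a domain controller or a host with RSAT GroupPolicy tools.
Import-Module GroupPolicy

$GpoName   = 'Windows Store - Private Store Only'          # assumed name
$TargetOU  = 'OU=Windows10Workstations,DC=contoso,DC=com'  # assumed OU DN
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsStore'

# Create the GPO only if it does not already exist (idempotent re-runs).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName `
        -Comment 'Block the public Windows Store; show only the private store.'
}

# Same effect as setting the policy to Enabled under
# Computer Configuration > Policies > Administrative Templates > Windows Components > Store.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'RequirePrivateStoreOnly' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU holding the domain-joined Windows 10 devices,
# skipping the link if it is already present.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Verification to run on a domain-joined client after `gpupdate /force`:
# returns $true only when the policy value has actually been applied.
# A missing value means the GPO has not reached this device (wrong OU,
# link disabled, or replication delay), which is the usual reason the
# public store is still visible.
function Test-PrivateStoreOnly {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' `
        -Name 'RequirePrivateStoreOnly' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RequirePrivateStoreOnly -eq 1)
}

Test-PrivateStoreOnly
```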


This blog post was published by the authors
Lutz Seidemann (Architect) and Raymond Michael Sy Guan (Consultant). We are both with Microsoft Consulting Services – Worldwide Enterprise Mobility Center of Excellence (CoE).

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

