Troubleshoot Enterprise State Roaming in Azure Active Directory - Microsoft Entra (2024)

This topic provides information on how to troubleshoot and diagnose issues with Enterprise State Roaming, and provides a list of known issues.

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Note

This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information on the Sync behavior for the new Microsoft Edge, see the article Microsoft Edge Sync.

Preliminary steps for troubleshooting

Before you start troubleshooting, verify that the user and device have been configured properly, and that all the requirements of Enterprise State Roaming are met by the device and the user.

  1. Windows 10 or newer, with the latest updates, and a minimum Version 1511 (OS Build 10586 or later) is installed on the device.
  2. The device is Azure AD joined or hybrid Azure AD joined. For more information, see how to get a device under the control of Azure AD.
  3. Ensure that Enterprise State Roaming is enabled for the tenant in Azure AD as described in To enable Enterprise State Roaming. You can enable roaming for all users or for only a selected group of users.
  4. The user is assigned an Azure Active Directory Premium license.
  5. The device must be restarted and the user must sign in again to access Enterprise State Roaming features.

Information to include when you need help

If you cannot solve your issue with the guidance below, you can contact our support engineers. When you contact them, include the following information:

  • General description of the error: Are there error messages seen by the user? If there was no error message, describe the unexpected behavior you noticed, in detail. What features are enabled for sync and what is the user expecting to sync? Are multiple features not syncing or is it isolated to one?
  • Users affected – Is sync working/failing for one user or multiple users? How many devices are involved per user? Are all of them not syncing or are some of them syncing and some not syncing?
  • Information about the user – What identity is the user using to sign in to the device? How is the user signing in to the device? Are they part of a selected security group allowed to sync?
  • Information about the device – Is this device Azure AD-joined or domain-joined? What build is the device on? What are the most recent updates?
  • Date / Time / Timezone – What was the precise date and time you saw the error (include the timezone)?

Including this information helps us solve your problem as quickly as possible.

Troubleshooting and diagnosing issues

This section gives suggestions on how to troubleshoot and diagnose problems related to Enterprise State Roaming.

Verify sync, and the “Sync your settings” settings page

  1. After joining your Windows 10 or newer PC to a domain that is configured to allow Enterprise State Roaming, sign on with your work account. Go to Settings > Accounts > Sync Your Settings and confirm that sync and the individual settings are on, and that the top of the settings page indicates that you are syncing with your work account. Confirm the same account is also used as your login account in Settings > Accounts > Your Info.

  2. Verify that sync works across multiple machines by making some changes on the original machine, such as moving the taskbar to the right or top side of the screen. Watch the change propagate to the second machine within five minutes.

    • Locking and unlocking the screen (Win + L) can help trigger a sync.
    • You must sign in with the same account on both PCs for sync to work, because Enterprise State Roaming is tied to the user account and not the machine account.

Potential issue: The controls in the Settings page are not available, and you see the message “Some Windows features are only available if you are using a Microsoft account or work account.” This issue might arise for devices that are set up to be domain-joined and registered to Azure AD, but the device has not yet successfully authenticated to Azure AD. A possible cause is that the device policy must be applied, but this application happens asynchronously, and could be delayed by a few hours.

Verify the device registration status

Enterprise State Roaming requires the device to be registered with Azure AD. Although not specific to Enterprise State Roaming, following the instructions below can help confirm that the Windows 10 or newer Client is registered, and confirm thumbprint, Azure AD settings URL, NGC status, and other information.

  1. Open the command prompt unelevated. To do this in Windows, open the Run launcher (Win + R) and type “cmd” to open.
  2. Once the command prompt is open, type “dsregcmd.exe /status”.
  3. For expected output, the AzureAdJoined field value should be “YES”, WamDefaultSet field value should be “YES”, and the WamDefaultGUID field value should be a GUID with “(AzureAd)” at the end.

Potential issue: WamDefaultSet and AzureAdJoined both have “NO” in the field value, the device was domain-joined and registered with Azure AD, and the device does not sync. In this state, the device may still be waiting for policy to be applied, or authentication for the device failed when connecting to Azure AD. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running “dsregcmd.exe /leave” in an elevated command prompt window, rebooting, and trying registration again may help with this issue.

Potential issue: The field for SettingsUrl is empty and the device does not sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure Active Directory Portal. Restart the device and have the user log in. Optionally, in the portal, have the IT Admin navigate to Azure Active Directory > Devices > Enterprise State Roaming, then disable and re-enable Users may sync settings and app data across devices. Once re-enabled, restart the device and have the user log in. If this does not resolve the issue, SettingsUrl may be empty because of a bad device certificate. In this case, running “dsregcmd.exe /leave” in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
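The checks in this section can be scripted. The following PowerShell is an added example, not part of the original article: the function name `Test-EsrRegistration` is hypothetical and the sample output is constructed, while the field names and expected values are the ones listed above.

```powershell
# Added example: evaluate `dsregcmd.exe /status` output against the fields this article names.
function Test-EsrRegistration {
    param([string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs. Split on the first colon only,
    # so a URL value such as SettingsUrl stays whole.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }

    $findings = @()
    if ($fields['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: policy may not be applied yet, or device authentication to Azure AD failed.'
    }
    if ($fields['WamDefaultSet'] -ne 'YES') {
        $findings += 'WamDefaultSet is not YES: retry autoregistration by signing out and back in.'
    }
    if ([string]$fields['WamDefaultGUID'] -notmatch '\(AzureAd\)$') {
        $findings += 'WamDefaultGUID does not end with (AzureAd).'
    }
    if ([string]::IsNullOrWhiteSpace($fields['SettingsUrl'])) {
        $findings += 'SettingsUrl is empty: restart and sign in again; check the tenant setting and the device certificate.'
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Fields   = $fields
        Findings = $findings
    }
}

# Constructed sample (not captured from a real device): registration has not completed.
$sample = @'
        AzureAdJoined : NO
        WamDefaultSet : NO
          SettingsUrl :
'@ -split '\r?\n'

(Test-EsrRegistration -StatusLines $sample).Findings

# On a live device, from an unelevated prompt:
#   (Test-EsrRegistration -StatusLines (dsregcmd.exe /status)).Findings
```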

Enterprise State Roaming and Multi-Factor Authentication

Under certain conditions, Enterprise State Roaming can fail to sync data if Azure AD Multi-Factor Authentication is configured. For more information on these symptoms, see the support document KB3193683.

Potential issue: If your device is configured to require Multi-Factor Authentication on the Azure Active Directory portal, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of Multi-Factor Authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing Multi-Factor Authentication while accessing other Azure services like Microsoft 365.

Potential issue: Sync can fail if the admin configures the Active Directory Federation Services Multi-Factor Authentication Conditional Access policy and the access token on the device expires. Ensure that you sign in and sign out using the Windows Hello for Business PIN or complete Multi-Factor Authentication while accessing other Azure services like Microsoft 365.

Event Viewer

For advanced troubleshooting, Event Viewer can be used to find specific errors. These are documented in the table below. The events can be found under Event Viewer > Applications and Services Logs > Microsoft > Windows > SettingSync-Azure and, for identity-related issues with sync, under Applications and Services Logs > Microsoft > Windows > AAD.
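The same logs can be searched from PowerShell. This is an added example, not part of the original article: it looks for the event IDs this article lists under Known issues, and it assumes that the channel names begin with `Microsoft-Windows-SettingSync-Azure` and `Microsoft-Windows-AAD` (derived from the Event Viewer paths above) and that a seven-day look-back is wanted.

```powershell
# Event IDs and error codes as given in this article's "Known issues" section.
$knownIssues = @{
    6013 = 'Error 80070259: sync fails on Version 1607 devices with MDM side-loaded apps'
    6065 = 'Error 80070533: credentials expired, or AzureRMS not provisioned for the tenant'
    1098 = 'Error 0xCAA5001C: token broker operation failed'
    1104 = 'AAD Cloud AP plugin call Get token returned error 0xC000005F'
}
$since = (Get-Date).AddDays(-7)   # assumption: one-week look-back window

# Assumption: channel names follow the Event Viewer paths; discover them by wildcard
# instead of hard-coding each sub-log, and skip disabled or empty channels.
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-SettingSync-Azure*', 'Microsoft-Windows-AAD*' -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

$hits = foreach ($channel in $channels) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $channel.LogName
        Id        = [int[]]@($knownIssues.Keys)
        StartTime = $since
    } -ErrorAction SilentlyContinue   # a channel with no matching events raises a non-terminating error
}

# One row per matching event, annotated with the known issue it corresponds to.
$hits | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'KnownIssue'; Expression = { $knownIssues[[int]$_.Id] } } |
    Format-Table -AutoSize -Wrap
```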

Known issues

Sync does not work on devices that have apps side-loaded using MDM software

Affects devices running the Windows 10 Anniversary Update (Version 1607). In Event Viewer under the SettingSync-Azure logs, the Event ID 6013 with error 80070259 is frequently seen.

Recommended action
Make sure the Windows 10 v1607 client has the August 23, 2016 Cumulative Update (KB3176934 OS Build 14393.82).

Date, Time, and Region settings do not sync on domain-joined device

Devices that are domain-joined will not experience sync for the setting Date, Time, and Region: automatic time. Using automatic time may override the other Date, Time, and Region settings and cause those settings not to sync.

Recommended action
None.

Domain-joined device is not syncing after leaving corporate network

Domain-joined devices registered to Azure AD may experience sync failure if the device is off-site for extended periods of time, and domain authentication can't complete.

Recommended action
Connect the device to a corporate network so that sync can resume.

Azure AD Joined device is not syncing and the user has a mixed case User Principal Name.

If the user has a mixed case UPN (for example, UserName instead of username) and the user is on an Azure AD Joined device, which has upgraded from Windows 10 Build 10586 to 14393, the user's device may fail to sync.

Recommended action
The user will need to unjoin and rejoin the device to the cloud. To do this, log in as the Local Administrator user and unjoin the device by going to Settings > System > About and selecting "Manage or disconnect from work or school". Clean up the files below, and then Azure AD join the device again by going to Settings > System > About and selecting "Connect to Work or School". Continue to join the device to Azure Active Directory and complete the flow.

In the cleanup step, clean up the following files:

  • Settings.dat in C:\Users\<Username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\
  • All the files under the folder C:\Users\<Username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Account

Event ID 6065: 80070533 This user can’t sign in because this account is currently disabled

In Event Viewer under the SettingSync/Debug logs, this error can be seen when the user's credentials have expired. In addition, it can occur when the tenant did not automatically have AzureRMS provisioned.

Recommended action
In the first case, have the user update their credentials and log in to the device with the new credentials. To solve the AzureRMS issue, proceed with the steps listed in KB3193791.

Event ID 1098: Error: 0xCAA5001C Token broker operation failed

In Event Viewer under the AAD/Operational logs, this error may be seen with Event 1104: AAD Cloud AP plugin call Get token returned error: 0xC000005F. This issue occurs if there are missing permissions or ownership attributes.

Recommended action
Proceed with the steps listed in KB3196528.

Next steps

For an overview, see enterprise state roaming overview.

FAQs

How do I enable or disable enterprise state roaming? ›

In the Settings app, go to Accounts > Sync your settings. From this page, you can see which account is being used to roam settings, and you can enable or disable individual groups of settings to be roamed.

What roams with Enterprise State roaming? ›

Enterprise State Roaming is a feature for Windows 10 users that are using a device which is Azure AD device registered (either AAD joined or hybrid joined). Users gain the ability to securely synchronize their user and application settings data to the Microsoft cloud.

What is the difference between enterprise state roaming and roaming profiles? ›

Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license. It enables users to sync user- and application settings across devices. It is an upgraded version of what you probably know as Roaming profile, but with no on-premise server involved.

What is enterprise application in Azure Active Directory? ›

Enterprise application is the application identity within your directory (Azure AD). The service principal (enterprise app) can only be assigned access to the directory it exists in, and acts as an instance of the application.

What is prerequisite for enterprise state roaming? ›

For a Windows 10 or newer device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the user's primary sign-in identity is their Azure AD identity, so no other configuration is required.

What are enterprise state roaming features? ›

Enterprise State Roaming lets users securely synchronize user and application settings data to the cloud. This means they'll have the same experience no matter which Windows device they sign into.

What files are in roaming? ›

The Roaming folder is used to store data that will be synced across multiple Windows systems. This is often used for storing settings like bookmarks, saved passwords, and so on.

What is a mandatory roaming profile? ›

A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users.

What is the difference between enterprise application and app registration in Azure? ›

In some cases, people even use both terms interchangeably. But, App registration is simply the actual application object where you configure application settings. Whereas Enterprise Application is a representation of the application within a directory.

Article information

Author: Eusebia Nader
