Zero Touch Readiness Guide

See if your environment is ready for a Zero Touch deployment.

ON-PREMISES

  • The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.

  • If you plan to use the password writeback feature, then the domain controllers must be on Windows Server 2008 (with the latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717.

  • The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller) and Azure AD Connect does not follow any write redirects.

  • It is not supported to use on-premises forests/domains using SLDs (Single Label Domains).

  • It is not supported to use on-premises forests/domains using "dotted" (name contains a period ".") NetBios names.

  • It is recommended to enable the Active Directory recycle bin.

  • Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials. The server must be running Windows Server Standard or better.

  • The Azure AD Connect server must have a full GUI installed. It is not supported to install on Server Core.

  • Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server when using express settings. If you use custom settings, then the server can also be stand-alone and does not have to be joined to a domain.

  • If you install Azure AD Connect on Windows Server 2008 or Windows Server 2008 R2, then make sure to apply the latest hotfixes from Windows Update. The installation is not able to start with an unpatched server.

  • If you plan to use the password synchronization feature, then the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.

  • If you plan to use a group managed service account, then the Azure AD Connect server must be on Windows Server 2012 or later.

  • The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.

  • The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled.

  • If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows Remote Management (WinRM) must be enabled on these servers for remote installation.

  • If Active Directory Federation Services is being deployed, you need SSL Certificates.

  • If Active Directory Federation Services is being deployed, then you need to configure name resolution.

  • If your global administrators have MFA enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not been added before. You can use Internet Explorer to add it to your trusted sites.

  • Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10 GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.

  • If you use a separate SQL Server, then these requirements apply:
    • Azure AD Connect supports all flavors of Microsoft SQL Server from SQL Server 2008 (with latest Service Pack) to SQL Server 2016 SP1. Microsoft Azure SQL Database is not supported as a database.

    • You must use a case-insensitive SQL collation. These collations are identified with a _CI_ in their name. It is not supported to use a case-sensitive collation, identified by _CS_ in their name.

    • You can only have one sync engine per SQL instance. It is not supported to share a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync.

  • An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.

  • If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your local Active Directory.

  • The required accounts in your on-premises Active Directory, if you use the custom settings installation path.

  • The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both in your on-premises Active Directory and for the Azure AD endpoints.

  • If you have firewalls on your Intranet and you need to open ports between the Azure AD Connect servers and your domain controllers, then see Azure AD Connect Ports for more information.

  • If your proxy or firewall limits which URLs can be accessed, then the URLs documented in Office 365 URLs and IP address ranges must be opened.

  • By default, Azure AD Connect uses TLS 1.0 to communicate with Azure AD. You can change this to TLS 1.2 by following the steps in Enable TLS 1.2 for Azure AD Connect.

  • If you are using an outbound proxy for connecting to the Internet, the following setting must be added to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file for the installation wizard and Azure AD Connect sync to be able to connect to the Internet and Azure AD. This text must be entered at the bottom of the file. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name and <PROXYPORT> the proxy port.

  • Set Proxy Address

        <system.net>
            <defaultProxy>
                <proxy
                    usesystemdefault="true"
                    proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                    bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>

  • If your proxy server requires authentication, then the service account must be located in the domain and you must use the customized settings installation path to specify a custom service account. You also need a different change to machine.config. With this change in machine.config, the installation wizard and sync engine respond to authentication requests from the proxy server. On all installation wizard pages except the Configure page, the signed-in user's credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account that you created. The machine.config section should look like this.

  • machine.config

        <system.net>
            <defaultProxy enabled="true" useDefaultCredentials="true">
                <proxy
                    usesystemdefault="true"
                    proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                    bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>

  • When Azure AD Connect sends a web request to Azure AD as part of directory synchronization, Azure AD can take up to 5 minutes to respond. It is common for proxy servers to have a connection idle timeout configured. Ensure that the timeout is set to at least 6 minutes.
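The domain, forest and server requirements in the list above can be checked in one pass before the Azure AD Connect wizard is run. The script below is an added example, not part of this guide and not Microsoft's own tooling; it assumes it is run in an elevated PowerShell session on the candidate Azure AD Connect server with the ActiveDirectory RSAT module installed. The thresholds (forest level 2003, schema objectVersion 30, .NET 4.5.1 Release value 378675, PowerShell 3.0, Windows Server 6.0/6.1 SP1/6.2 for the 2008, 2008 R2 SP1 and 2012 requirements) are taken from the checklist; the registry paths are the standard Windows locations.

```powershell
#Requires -Modules ActiveDirectory

# Helper: one row per check so the output can be piped to Format-Table or exported.
function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-AadConnectReadiness {
    $forest        = Get-ADForest
    $domain        = Get-ADDomain
    # objectVersion on the schema container: 30 = Windows Server 2003 schema.
    $schemaVersion = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
    $os            = Get-CimInstance Win32_OperatingSystem
    $osVersion     = [version]$os.Version
    # 'Server' = full GUI, 'Server Core' = core install, which Azure AD Connect does not support.
    $installType   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    # .NET Framework 4.x Release value; 378675 is the lowest value that means 4.5.1.
    $netRelease    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    # Group Policy "Turn on PowerShell Transcription" writes this value; it must be absent or 0.
    $transcription = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue).EnableTranscripting

    # Azure AD Connect cannot use an RODC, so confirm a writable DC is discoverable from here.
    $writableDc = $null
    try { $writableDc = (Get-ADDomainController -Discover -Writable -ErrorAction Stop).HostName } catch { }

    New-CheckResult 'Forest functional level is 2003 or later'        ($forest.ForestMode -notmatch '2000|Interim') "$($forest.ForestMode)"
    New-CheckResult 'Schema version is 30 (2003) or later'            ($schemaVersion -ge 30) "objectVersion=$schemaVersion"
    New-CheckResult 'Domain is not a single-label domain'             ($domain.DNSRoot -match '\.') $domain.DNSRoot
    New-CheckResult 'NetBIOS name contains no period'                 ($domain.NetBIOSName -notmatch '\.') $domain.NetBIOSName
    New-CheckResult 'Writable domain controller reachable'            ($null -ne $writableDc) "$writableDc"
    New-CheckResult 'Windows Server 2008 or later (not a workstation)' ($os.ProductType -ne 1 -and $osVersion -ge [version]'6.0') $os.Caption
    New-CheckResult 'Not Small Business Server / Essentials'          ($os.Caption -notmatch 'Small Business|Essentials') $os.Caption
    New-CheckResult 'Full GUI install (not Server Core)'              ($installType -eq 'Server') "$installType"
    New-CheckResult '.NET Framework 4.5.1 or later'                   ($netRelease -ge 378675) "Release=$netRelease"
    New-CheckResult 'PowerShell 3.0 or later'                         ($PSVersionTable.PSVersion.Major -ge 3) $PSVersionTable.PSVersion.ToString()
    New-CheckResult 'PowerShell transcription policy not enabled'     (-not $transcription) "EnableTranscripting=$transcription"
    # Optional features: password sync needs 2008 R2 SP1 (6.1 SP1); a gMSA needs 2012 (6.2).
    New-CheckResult 'OS supports password synchronization (optional)' ($osVersion -gt [version]'6.1' -or ($osVersion -eq [version]'6.1' -and $os.ServicePackMajorVersion -ge 1)) "$($os.Version) SP$($os.ServicePackMajorVersion)"
    New-CheckResult 'OS supports group managed service account (optional)' ($osVersion -ge [version]'6.2') "$($os.Version)"
}

Test-AadConnectReadiness | Format-Table -AutoSize
```

Any row with Pass = False maps directly to a bullet in the list above; the two "optional" rows only matter if you intend to enable password synchronization or run the sync service under a gMSA. SQL collation and the separate SQL Server version are not checked here because they live on the database server, not on the Azure AD Connect host.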

AZURE

Enterprise Mobility + Security (EMS) is a cost effective way for organizations to use the following services together under one licensing plan: Azure Active Directory Premium, Azure Information Protection, and Microsoft Intune. You can learn more about EMS at the Enterprise Mobility + Security web site and more about the EMS license types available for purchase on the Enterprise Mobility + Security Pricing Options page.

You can get started with Azure AD via EMS licenses using one of the following licensing options:

Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in the directory that are familiar to your users, such as 'alice@contoso.com' instead of 'alice@domainname.onmicrosoft.com'. The process is simple:

  • Add the custom domain name to your directory.

  • Add a DNS entry for the domain name at the domain name registrar.

  • Update the DNS zone file for the domain. Azure AD can then verify that your organization owns the custom domain name. You can use Azure DNS for your Azure/Office 365/external DNS records within Azure, or add the DNS entry at a different DNS registrar.

    • Sign in to the domain name registrar for the domain. If you don't have access to update the DNS entry, ask the person or team who has this access to add the DNS entry and to let you know when it is completed.

    • Update the DNS zone file for the domain by adding the DNS entry provided to you by Azure AD. The DNS entry doesn't change any behaviors such as mail routing or web hosting.

  • Verify the custom domain name in Azure AD.

  • Once you have added the DNS entry, you are ready to verify the domain name with Azure AD. A domain name can be verified only after the DNS records have propagated. This propagation often takes only seconds, but it can sometimes take an hour or more. If verification doesn’t work the first time, try again later.
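Because verification fails until the DNS record has propagated, it is useful to poll a public resolver for the TXT record before clicking Verify. The function below is an added example, not part of this guide; it uses the built-in Resolve-DnsName cmdlet (DnsClient module, Windows 8/2012 and later). The domain name, the expected TXT value and the resolver address are placeholders: take the real TXT value (of the form MS=msXXXXXXXX) from the Azure AD portal for your tenant.

```powershell
function Wait-DomainVerificationRecord {
    param(
        [Parameter(Mandatory)][string]$DomainName,     # custom domain being added, e.g. contoso.com
        [Parameter(Mandatory)][string]$ExpectedTxt,    # value Azure AD told you to publish, e.g. 'MS=ms00000000'
        [string]$DnsServer       = '8.8.8.8',          # a public resolver: internal DNS may answer from a stale cache
        [int]   $TimeoutMinutes  = 60,                 # propagation can take an hour or more
        [int]   $IntervalSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $seen = @()
    do {
        # -DnsOnly skips hosts file / LLMNR / NetBIOS so only the DNS answer is considered.
        $seen = @(Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'TXT' } |
                  ForEach-Object { $_.Strings })
        if ($seen -contains $ExpectedTxt) {
            return [pscustomobject]@{ Domain = $DomainName; Propagated = $true; TxtRecords = $seen }
        }
        Write-Verbose ("{0}: expected TXT not visible yet at {1}; records seen: {2}" -f $DomainName, $DnsServer, ($seen -join '; '))
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    [pscustomobject]@{ Domain = $DomainName; Propagated = $false; TxtRecords = $seen }
}

# Usage (placeholder values):
Wait-DomainVerificationRecord -DomainName 'contoso.com' -ExpectedTxt 'MS=ms00000000' -Verbose
```

Once Propagated is True, run the verification in the Azure portal (or, with the MSOnline module, Confirm-MsolDomain -DomainName contoso.com). The TXT record only proves ownership; as the step above notes, it changes no mail routing or web hosting behaviour, so it is safe to leave in place.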

Any user who should have access to, or who is managed through, an Azure AD paid feature must be assigned a license. License assignment is a mapping between a user and a purchased service, such as Azure AD Premium, Basic, or Enterprise Mobility + Security. You can use group-based license assignment to set up rules such as the following:

  • All users in your directory automatically get a license

  • Everyone with the appropriate job title gets a license

  • You can delegate the decision to other managers in the organization (by using self-service groups)

  • Grant access by assigning the appropriate RBAC role to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

  • A role assigned at a parent scope also grants access to the children contained within it. For example, a user with access to a resource group can manage all the resources it contains, like websites, virtual machines, and subnets.

  • Built-in roles

  • Azure RBAC has three basic roles that apply to all resource types:

    • Owner has full access to all resources including the right to delegate access to others.

    • Contributor can create and manage all types of Azure resources but can't grant access to others.

    • Reader can view existing Azure resources.

    RBAC built-in roles lists the roles available in Azure. It specifies the operations and scope that each built-in role grants to users. If you're looking to define your own roles for even more control, see how to build Custom roles in Azure RBAC.

  • Set Intune as the MDM authority in Azure portal -> Mobility.

  • Ensure that Intune is syncing with the Microsoft Store for Business so that modern Windows apps can be deployed.

  • Enable Intune management for all users or specific groups. Those users will be automatically enrolled into Intune whenever they join a device to Azure Active Directory.
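The RBAC bullets above make two points worth putting into practice: grant the narrowest role at the narrowest scope, and remember that an assignment at a parent scope flows down to everything beneath it. The two functions below are an added example, not part of this guide or of the Az module's documentation; they assume the Az PowerShell module and an authenticated session (Connect-AzAccount). The user principal name and resource group name are placeholders.

```powershell
# Grant the built-in Reader role on one resource group only, without creating a
# duplicate assignment if it already exists.
function Grant-ReaderAtResourceGroup {
    param(
        [Parameter(Mandatory)][string]$SignInName,        # e.g. 'alice@contoso.com' (placeholder)
        [Parameter(Mandatory)][string]$ResourceGroupName  # e.g. 'rg-zerotouch'     (placeholder)
    )
    $existing = Get-AzRoleAssignment -SignInName $SignInName -ResourceGroupName $ResourceGroupName -RoleDefinitionName 'Reader'
    if ($existing) {
        return $existing      # idempotent: nothing to do
    }
    # Scope is implied by -ResourceGroupName: /subscriptions/<id>/resourceGroups/<name>
    New-AzRoleAssignment -SignInName $SignInName -ResourceGroupName $ResourceGroupName -RoleDefinitionName 'Reader'
}

# Audit: who holds Owner at the subscription itself? Each of these principals can
# delegate access to every resource group and resource below the subscription.
function Get-SubscriptionOwners {
    $subscriptionId = (Get-AzContext).Subscription.Id
    $subScope       = "/subscriptions/$subscriptionId"
    Get-AzRoleAssignment -Scope $subScope -RoleDefinitionName 'Owner' |
        # Get-AzRoleAssignment also returns assignments inherited from a management group;
        # keep only those made directly at the subscription scope.
        Where-Object { $_.Scope -eq $subScope } |
        Select-Object DisplayName, SignInName, ObjectType, Scope
}

# Usage (placeholder values):
Grant-ReaderAtResourceGroup -SignInName 'alice@contoso.com' -ResourceGroupName 'rg-zerotouch'
Get-SubscriptionOwners | Format-Table -AutoSize
```

Run Get-SubscriptionOwners periodically: a growing list of subscription-scope Owners is the usual sign that roles are being assigned too high in the hierarchy, when a Contributor or Reader assignment on a single resource group would have been enough.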

WINDOWS

  • Windows 10 Pro does not require additional licensing because devices are no longer being imaged. Any device running Windows 10 Pro will use the included OEM license when enrolled with Zero Touch.

  • Upgrading from Windows 10 Pro to Enterprise can be done via Intune policy. Using your MAK key, a device can be automatically upgraded to Enterprise once it is enrolled in Azure Active Directory.

  • Enterprise security features like AppLocker can be managed via Azure Active Directory and Intune.

  • Specific features of Windows 10 are only supported on modern hardware. A device with TPM 2.0 and connected standby can have BitLocker automatically enforced upon Zero Touch enrollment. The recovery key is then escrowed to Azure Active Directory.

  • Zero Touch requires Windows 10 to be on at least build 1607. For machines that are currently deployed running an older version, it is recommended that they be updated and run SYSPREP before enrolling in Zero Touch.

  • Don't shy away from devices with complex driver and feature sets, including detachable displays, touch screens and styluses. Zero Touch allows OEM drivers to remain intact while your organization's content is provisioned over them. This ensures that all device features work as intended.

  • Review current group policy settings that are enforced on Windows 8.1, 7 and XP. There's a good chance that many of these policies are no longer relevant in Windows 10.

  • Use the MDM Migration Analysis Tool to compare current group policies to comparable MDM policies that can be applied with Intune.

  • Leverage the Policy CSP (configuration service provider) list to configure custom policies for your organization.
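The Windows bullets above set three hardware and build conditions for a device: build 1607 or later, a TPM 2.0 for automatic BitLocker enforcement, and an edition that can be upgraded or managed. The function below is an added example, not part of this guide, for reporting those conditions on a device before it is enrolled; it assumes an elevated session on the Windows 10 device (Win32_Tpm and Get-BitLockerVolume need administrator rights). Build 14393 is the build number of version 1607; the registry path is the standard Windows location.

```powershell
function Test-ZeroTouchDeviceReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16"; absent class means no TPM (or not an admin).
    $tpm   = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -match '^2\.0')

    # BitLocker state of the OS drive and whether a recovery password exists to be escrowed.
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $recoveryProtectors = if ($bde) {
        @($bde.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count
    } else { 0 }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Edition              = $cv.EditionID                 # 'Professional' or 'Enterprise'
        ReleaseId            = $cv.ReleaseId                 # e.g. '1607'
        Build                = $build
        MeetsMinimumBuild    = ($build -ge 14393)            # 1607 = build 14393
        TpmPresent           = ($null -ne $tpm)
        Tpm20                = $tpm20
        BitLockerProtection  = if ($bde) { "$($bde.ProtectionStatus)" } else { 'unknown' }
        RecoveryPasswordKeys = $recoveryProtectors
        ReadyForZeroTouch    = ($build -ge 14393) -and $tpm20
    }
}

Test-ZeroTouchDeviceReadiness | Format-List
```

A device that reports MeetsMinimumBuild = False is the case the list above addresses: update it and run Sysprep before enrolling. TpmPresent = True with Tpm20 = False means a TPM 1.2 part, so BitLocker will not be enforced automatically at enrollment and the recovery key will not be escrowed to Azure AD.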

By using Intune, organizations can manage devices that are not joined to a domain at all, or that are joined to Microsoft Azure Active Directory (Azure AD), alongside their on-premises domain-joined machines.

Specifically, Windows Update for Business allows for:

  • The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met).

  • Selectively including or excluding drivers as part of Microsoft-provided updates.

  • Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.

  • Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.

Update types

Windows Update for Business provides three types of updates to Windows 10 devices:

  • Feature Updates: previously referred to as upgrades, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.

  • Quality Updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as Microsoft Updates and devices can be optionally configured to receive such updates along with their Windows Updates.

  • Non-deferrable updates: currently, antimalware and antispyware definition updates from Windows Update cannot be deferred.

Update branch naming changes

As part of the alignment with Windows 10 and Office 365 ProPlus, Microsoft adopted a common naming convention for the Windows servicing channels:

  • Semi-Annual Channel (Targeted), formerly known as the Current Branch: feature updates are available as soon as Microsoft releases them.

  • Semi-Annual Channel, formerly known as Current Branch for Business: the recommended servicing channel for client machines. This channel allows feature updates to be deferred for up to 365 days after initial release.

  • Long-Term Servicing Channel, formerly known as Long-Term Servicing Branch: recommended ONLY for specialized systems (such as PCs that control medical equipment, point-of-sale systems, and ATMs), that is, devices that typically perform only a single, important task and do not require frequent updates. This servicing channel is only available to Windows 10 Enterprise.
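The deployment rings described under Windows Update for Business, and the channel names just listed, come together in a handful of device policies: which servicing channel a device follows, how many days feature and quality updates are deferred, and whether drivers ride along with quality updates. The script below is an added example, not part of this guide; it writes the registry values that the Windows Update for Business Group Policy and the Update CSP set (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, with BranchReadinessLevel 16 = Semi-Annual Channel (Targeted) and 32 = Semi-Annual Channel). The ring names and deferral periods are constructed for the example. In an Intune deployment the same settings would be delivered by an update ring profile rather than by running this on each device.

```powershell
$WuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Two example rings (constructed values): pilot devices take feature updates as soon as
# they ship from the targeted channel; broad devices wait 120 days on the broad channel,
# hold quality updates for a week, and do not receive drivers through Windows Update.
$Rings = @{
    Pilot = @{ BranchReadinessLevel = 16; DeferFeatureUpdatesPeriodInDays = 0;   DeferQualityUpdatesPeriodInDays = 0; ExcludeWUDriversInQualityUpdate = 0 }
    Broad = @{ BranchReadinessLevel = 32; DeferFeatureUpdatesPeriodInDays = 120; DeferQualityUpdatesPeriodInDays = 7; ExcludeWUDriversInQualityUpdate = 1 }
}

# Read back the effective ring on this device.
function Get-UpdateRing {
    $p     = Get-ItemProperty -Path $WuPolicyPath -ErrorAction SilentlyContinue
    $level = [int]$p.BranchReadinessLevel          # [int]$null -> 0, so 'not set' is reported cleanly
    [pscustomobject]@{
        Channel             = switch ($level) { 16 { 'Semi-Annual Channel (Targeted)' } 32 { 'Semi-Annual Channel' } default { 'not set' } }
        FeatureDeferralDays = [int]$p.DeferFeatureUpdatesPeriodInDays
        QualityDeferralDays = [int]$p.DeferQualityUpdatesPeriodInDays
        DriversExcluded     = [bool]$p.ExcludeWUDriversInQualityUpdate
    }
}

# Apply one of the rings defined above.
function Set-UpdateRing {
    param([Parameter(Mandatory)][ValidateSet('Pilot', 'Broad')][string]$Ring)
    if (-not (Test-Path $WuPolicyPath)) { New-Item -Path $WuPolicyPath -Force | Out-Null }
    foreach ($entry in $Rings[$Ring].GetEnumerator()) {
        Set-ItemProperty -Path $WuPolicyPath -Name $entry.Key -Value $entry.Value -Type DWord
    }
    # The deferral periods only take effect when the matching enable flags are set.
    Set-ItemProperty -Path $WuPolicyPath -Name DeferFeatureUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $WuPolicyPath -Name DeferQualityUpdates -Value 1 -Type DWord
    Get-UpdateRing
}

# Usage: move this device into the broad ring and show the result.
Set-UpdateRing -Ring Broad
```

Quality deferrals are capped at 30 days and feature deferrals at 365 days, which is the 365-day window the Semi-Annual Channel bullet above refers to. Definition updates are not affected by any of these values, matching the non-deferrable update type listed earlier.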

See Prepare servicing strategy for Windows 10 updates to learn more about building a healthy update strategy.