How to start using Windows Insider for Business in you organization – Mobile-First Cloud-First
At Ignite it was announced that Windows Insider Program for Business now has policy settings with Windows 10 so that we can start deploying Windows Insider build in our organization in a controlled way.
Why is this important – Microsoft is releasing new build of Windows twice a year and if you want you LOB apps tested on the new release before that. Then you can have some of your users doing Windows Insider testing, and have them registered with our Azure Active Directory.
First you have to be a Insider for Business then you can sig your organization, then you can register your domain.
Start at Windows Insider Program for Business and login with your global admin
You have to accept the terms of this agreement and click submit
Then you have to click “Find out more about domain administration”
The requirement for register you domain:
- A Global Admin in Azure Active Directory
- Windows 10 1703 or later
Start at Windows Insider Program for Business and login with your global admin
Click “Find out how to register”
Click “Register your organization domain”
You have to accept the terms of this agreement and click register
Then your ready to create or deploy a Widows Update policy with MDM or GPO.
In this blogpost I will show how to do it with Intune.
To set the policies with Intune you need to create a Windows 10 and later custom configuration profile.
This can be done with PowerShell or manuelt – see the script below.
The settings that needs to be set is:
OMA-URL : ./Vendor/MSFT/Update/ManagePreviewBuilds
Data Type : Integer
Value : 2
MDM Values:
0-Disable preview builds
1-Disable preview builds once next release is public
2-Enable preview builds
3-Preview builds are left to user selection (default)
OMA-URL : ./Vendor/MSFT/Update/BranchReadinessLevel
Data Type : Integer
Value : 2
2 {0x2} – Preview Builds – Fast (default) 4 {0x4} – Preview Builds – Slow
8 {0x8} – Release Preview
./Vendor/MSFT/Policy/Config
OMA-URL : ./Vendor/MSFT/Policy/Config/System/AllowTelemetry
Data Type : Integer
Value : 2
0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
####################################################
function Get-AuthToken {
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicy(){
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
Write-Verbose "Resource: $DCP_resource"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the Android Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
$Windows = @"
{
"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
"lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00",
"assignmentStatus": "Assignment Status value",
"assignmentProgress": "Assignment Progress value",
"assignmentErrorMessage": "Assignment Error Message value",
"description": "Sets WUfB to Windows Insider Fast Ring and Telemetry = 2",
"displayName": "Windows 10 - Custom - WUfB Insider Fast Ring",
"version": 1024,
"omaSettings": [
{
"@odata.type": "microsoft.graph.omaSettingInteger",
"displayName": "ManagePreviewBuilds",
"description": "2-Enable preview builds",
"omaUri": "./Vendor/MSFT/Update/ManagePreviewBuilds",
"value": 2
}
,
{
"@odata.type": "microsoft.graph.omaSettingInteger",
"displayName": "Branch readiness level",
"description": "2 {0x2} - Preview Builds - Fast (default)",
"omaUri": "./Vendor/MSFT/Update/BranchReadinessLevels",
"value": 2
}
,
{
"@odata.type": "microsoft.graph.omaSettingInteger",
"displayName": "Set telemetry",
"description": "2 – Enhanced",
"omaUri": "./Vendor/MSFT/Policy/Config/System/AllowTelemetry",
"value": "2"
}
]
}
"@
####################################################
Add-DeviceConfigurationPolicy -Json $Windows
The user will see the Insider settings in the Windows 10 settings app – under Update & Security – Windows Insider Program
Under Windows Insider Program the user will not be able to jump out of the Insider program, it will be set to active deployment of Windows and set to fast ring
If you want you can create a slow ring as well – and remember also to do the normal Windows Update for Business settings so that you are always on a supported build version of Windows 10