At Ignite it was announced that Windows Insider Program for Business now has policy settings with Windows 10 so that we can start deploying Windows Insider build in our organization in a controlled way.

Why is this important – Microsoft is releasing new build of Windows twice a year and if you want you LOB apps tested on the new release before that. Then you can have some of your users doing Windows Insider testing, and have them registered with our Azure Active Directory.

First you have to be a Insider for Business then you can sig your organization, then you can register your domain.

Start at Windows Insider Program for Business and login with your global admin

WUfB - Windows Insider - SIgnup - 00

You have to accept the terms of this agreement and click submit

WUfB - Windows Insider - SIgnup - 000

Then you have to click “Find out more about domain administration”

 

The requirement for register you domain:

  1. A Global Admin in Azure Active Directory
  2. Windows 10 1703 or later

Start at Windows Insider Program for Business and login with your global admin

WUfB - Windows Insider - SIgnup - 01

Click “Find out how to register”

WUfB - Windows Insider - SIgnup - 02

Click “Register your organization domain”

WUfB - Windows Insider - SIgnup - 03

You have to accept the terms of this agreement and click register

WUfB - Windows Insider - SIgnup - 04

Then your ready to create or deploy a Widows Update policy with MDM or GPO.

In this blogpost I will show how to do it with Intune.

To set the policies with Intune you need to create a Windows 10 and later custom configuration profile.

This can be done with PowerShell or manuelt  – see the script below.

WUfB - Windows Insider - MDM 01

The settings that needs to be set is:

OMA-URL : ./Vendor/MSFT/Update/ManagePreviewBuilds

Data Type : Integer

Value : 2

MDM Values:
0-Disable preview builds
1-Disable preview builds once next release is public
2-Enable preview builds
3-Preview builds are left to user selection (default)

OMA-URL : ./Vendor/MSFT/Update/BranchReadinessLevel

Data Type : Integer

Value : 2

2 {0x2} – Preview Builds – Fast (default)
4 {0x4} – Preview Builds – Slow
8 {0x8} – Release Preview

./Vendor/MSFT/Policy/Config

OMA-URL : ./Vendor/MSFT/Policy/Config/System/AllowTelemetry

Data Type : Integer

Value : 2

0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.

#>

####################################################
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
[Parameter(Mandatory=$true)]
$User
)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

$AadModule = Get-Module -Name "AzureAD" -ListAvailable

if ($AadModule -eq $null) {

Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

}

if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

if($AadModule.count -gt 1){

$Latest_Version = ($AadModule | select version | Sort-Object)[-1]

$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

# Checking if there are multiple versions of the same module found

if($AadModule.count -gt 1){

$aadModule = $AadModule | select -Unique

}

$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

}

else {

$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

}

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

try {

$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")

$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

# If the accesstoken is valid then create the authentication header

if($authResult.AccessToken){

# Creating header for Authorization token

$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}

return $authHeader

}

else {

Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break

}

}

catch {

write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break

}

}

####################################################

Function Add-DeviceConfigurationPolicy(){

<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>

[cmdletbinding()]

param
(
$JSON
)

$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
Write-Verbose "Resource: $DCP_resource"

try {

if($JSON -eq "" -or $JSON -eq $null){

write-host "No JSON specified, please specify valid JSON for the Android Policy..." -f Red

}

else {

Test-JSON -JSON $JSON

$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"

}

}

catch {

$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break

}

}

####################################################

Function Test-JSON(){

<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>

param (

$JSON

)

try {

$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true

}

catch {

$validJson = $false
$_.Exception

}

if (!$validJson){

Write-Host "Provided JSON isn't in valid JSON format" -f Red
break

}

}

####################################################

#region Authentication

write-host

# Checking if authToken exists before running authentication
if($global:authToken){

# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()

# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes

if($TokenExpires -le 0){

write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host

# Defining User Principal Name if not present

if($User -eq $null -or $User -eq ""){

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host

}

$global:authToken = Get-AuthToken -User $User

}
}

# Authentication doesn't exist, calling Get-AuthToken function

else {

if($User -eq $null -or $User -eq ""){

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host

}

# Getting the authorization token
$global:authToken = Get-AuthToken -User $User

}

#endregion

####################################################

&nbsp;

$Windows = @"

{

"@odata.type": "#microsoft.graph.windows10CustomConfiguration",

"lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00",
"assignmentStatus": "Assignment Status value",
"assignmentProgress": "Assignment Progress value",
"assignmentErrorMessage": "Assignment Error Message value",
"description": "Sets WUfB to Windows Insider Fast Ring and Telemetry = 2",
"displayName": "Windows 10 - Custom - WUfB Insider Fast Ring",
"version": 1024,
"omaSettings": [
{
"@odata.type": "microsoft.graph.omaSettingInteger",
"displayName": "ManagePreviewBuilds",
"description": "2-Enable preview builds",
"omaUri": "./Vendor/MSFT/Update/ManagePreviewBuilds",
"value": 2
}
,
{
"@odata.type": "microsoft.graph.omaSettingInteger",
"displayName": "Branch readiness level",
"description": "2 {0x2} - Preview Builds - Fast (default)",
"omaUri": "./Vendor/MSFT/Update/BranchReadinessLevels",
"value": 2
}
,
{
"@odata.type": "microsoft.graph.omaSettingInteger",
"displayName": "Set telemetry",
"description": "2 – Enhanced",
"omaUri": "./Vendor/MSFT/Policy/Config/System/AllowTelemetry",
"value": "2"
}
]
}

"@
####################################################

Add-DeviceConfigurationPolicy -Json $Windows

 

 

 

The user will see the Insider settings in the Windows 10 settings app – under Update & Security – Windows Insider Program

WUfB - Windows Insider - MDM 03

Under Windows Insider Program the user will not be able to jump out of the Insider program, it will be set to active deployment of Windows and set to fast ring

WUfB - Windows Insider - MDM 02

If you want you can create a slow ring as well – and remember also to do the normal Windows Update for Business settings so that you are always on a supported build version of Windows 10