What's new in Windows ten, version 1703 for It Pros

  • Commodity
  • 17 minutes to read

Below is a list of some of what's new in It (IT) pro features in Windows 10, version 1703 (besides known as the Creators Update).

For more general info about Windows 10 features, see Features available only on Windows ten. For info about previous versions of Windows x, see What'south New in Windows 10. Also see this blog post: What'due south new for Information technology pros in the Windows 10 Creators Update.

Configuration

Windows Configuration Designer

Previously known as Windows Imaging and Configuration Designer (ICD), the tool for creating provisioning packages is renamed Windows Configuration Designer. The new Windows Configuration Designer is available in Microsoft Store as an app. To run Windows Configuration Designer on earlier versions of Windows, yous can still install Windows Configuration Designer from the Windows Assessment and Deployment Kit (ADK).

Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to brand information technology easier to create provisioning packages.

wizards for desktop, mobile, kiosk, Surface Hub.

Both the desktop and kiosk wizards include an selection to remove pre-installed software, based on the new CleanPC configuration service provider (CSP).

remove pre-installed software option.

Learn more about Windows Configuration Designer.

Azure Active Directory join in bulk

Using the new wizards in Windows Configuration Designer, you lot can create provisioning packages to enroll devices in Azure Active Directory. Azure Ad bring together in majority is bachelor in the desktop, mobile, kiosk, and Surface Hub wizards.

get bulk token action in wizard.

Windows Spotlight

The following new Grouping Policy and mobile device management (MDM) settings are added to help you lot configure Windows Spotlight user experiences:

  • Turn off the Windows Spotlight on Action Center
  • Practise not apply diagnostic information for tailored experiences
  • Plough off the Windows Welcome Experience

Learn more about Windows Spotlight.

Get-go and taskbar layout

Enterprises have been able to apply customized Outset and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized First and taskbar layout tin besides be practical to Windows ten Pro.

Previously, the customized taskbar could simply be deployed using Grouping Policy or provisioning packages. Windows 10, version 1703, adds back up for customized taskbars to MDM.

Additional MDM policy settings are bachelor for Start and taskbar layout. New MDM policy settings include:

  • Settings for the User tile: Start/HideUserTile, Commencement/HideSwitchAccount, Commencement/HideSignOut, Start/HideLock, and Offset/HideChangeAccountSettings
  • Settings for Power: Start/HidePowerButton, Outset/HideHibernate, Showtime/HideRestart, Start/HideShutDown, and Get-go/HideSleep
  • Additional new settings: Starting time/HideFrequentlyUsedApps, Outset/HideRecentlyAddedApps, AllowPinnedFolder, ImportEdgeAssets, Beginning/HideRecentJumplists, Starting time/NoPinningToTaskbar, Settings/PageVisibilityList, and Commencement/HideAppsList.

Cortana at work

Cortana is Microsoft's personal digital assistant, who helps busy people become things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees tin give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them exterior of work.

Using Azure AD also means that you tin remove an employee's profile (for example, when an employee leaves your arrangement) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.

For more info about Cortana at work, see Cortana integration in your concern or enterprise

Deployment

MBR2GPT.EXE

MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and subsequently versions. MBR2GPT converts a disk from Principal Boot Record (MBR) to GUID Partition Tabular array (GPT) partition mode without modifying or deleting data on the disk. The tool is designed to exist run from a Windows Preinstallation Environs (Windows PE) command prompt, merely can likewise be run from the full Windows 10 operating organisation (OS).

The GPT partitioning format is newer and enables the use of larger and more disk partitions. Information technology also provides added data reliability, supports additional division types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the estimator to kick in UEFI style, and so make sure that your device supports UEFI before attempting to convert the system disk.

Additional security features of Windows ten that are enabled when you kick in UEFI fashion include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Baby-sit, and BitLocker Network Unlock.

For details, meet MBR2GPT.EXE.

Security

Microsoft Defender for Endpoint

New features in Microsoft Defender for Endpoint for Windows 10, version 1703 include:

  • Detection: Enhancements to the detection capabilities include:

    • Use the threat intelligence API to create custom alerts - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
    • Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
    • Upgraded detections of ransomware and other advanced attacks
    • Historical detection capability ensures new detection rules apply to upwards to six months of stored data to detect previous attacks that might not have been noticed

  • Investigation: Enterprise customers tin now take reward of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks existence surfaced in the Microsoft Defender for Endpoint portal. Other capabilities have been added to aid you proceeds a holistic view on investigations.

    Other investigation enhancements include:

    • Investigate a user account - Place user accounts with the almost agile alerts and investigate cases of potential compromised credentials.
    • Alarm process tree - Aggregates multiple detections and related events into a single view to reduce case resolution time.
    • Pull alerts using REST API - Employ REST API to pull alerts from Microsoft Defender for Endpoint.

  • Response: When detecting an assault, security response teams can at present take immediate action to comprise a breach:

    • Take response deportment on a machine - Apace answer to detected attacks by isolating machines or collecting an investigation packet.
    • Have response actions on a file - Quickly respond to detected attacks past stopping and quarantining files or blocking a file.

  • Other features

    • Cheque sensor health country - Cheque an endpoint's ability to provide sensor information and communicate with the Microsoft Defender for Endpoint service and fix known issues.

You can read more near ransomware mitigations and detection capability in Microsoft Defender for Endpoint in the blog: Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint.

Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows x and the new capabilities in Windows ten, version 1703 see Microsoft Defender for Endpoint for Windows x Creators Update.

Microsoft Defender Antivirus

Windows Defender is at present called Microsoft Defender Antivirus, and we've increased the breadth of the documentation library for enterprise security admins.

The new library includes information on:

  • Deploying and enabling AV protection
  • Managing updates
  • Reporting
  • Configuring features
  • Troubleshooting

Some of the highlights of the new library include:

  • Evaluation guide for Microsoft Defender AV
  • Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure surround

New features for Microsoft Defender AV in Windows 10, version 1703 include:

  • Updates to how the Block at First Sight characteristic tin can exist configured
  • The ability to specify the level of deject-protection
  • Microsoft Defender Antivirus protection in the Windows Defender Security Center app

In Windows 10, version 1607, we invested heavily in helping to protect against ransomware, and we continue that investment in version 1703 with updated behavior monitoring and ever-on existent-time protection.

You lot tin can read more than nearly ransomware mitigations and detection capability in Microsoft Defender AV in the Microsoft Malware Protection Center blog.

Device Baby-sit and Credential Baby-sit

Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. For more information, see Device Guard Requirements and Credential Guard Security Considerations.

Grouping Policy Security Options

The security setting Interactive logon: Brandish user data when the session is locked has been updated to work in conjunction with the Privacy setting in Settings > Accounts > Sign-in options.

A new security policy setting Interactive logon: Don't display username at sign-in has been introduced in Windows ten version 1703. This security policy setting determines whether the username is displayed during sign in. Information technology works in conjunction with the Privacy setting in Settings > Accounts > Sign-in options. The setting only affects the Other user tile.

Windows Hello for Business

Yous can at present reset a forgotten PIN without deleting visitor managed data or apps on devices managed by Microsoft Intune.

For Windows desktops, users are able to reset a forgotten PIN through Settings > Accounts > Sign-in options.

For more details, check out What if I forget my PIN?.

Windows Information Protection (WIP) and Azure Agile Directory (Azure Advertizing)

Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you lot choose your immune apps, your WIP-protection level, and how to find enterprise information on the network. For more info, see Create a Windows Data Protection (WIP) policy using Microsoft Intune and Acquaintance and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune.

You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Consequence Forwarding (for Windows desktop domain-joined devices). For info, run across the brand-new topic, How to collect Windows Information Protection (WIP) inspect consequence logs.

Update

Windows Update for Business

The pause characteristic has been changed, and now requires a start date to fix. Users are at present able to pause through Settings > Update & security > Windows Update > Advanced options in case a policy has not been configured. We have besides increased the pause limit on quality updates to 35 days. You can detect more information on pause in Break Feature Updates and Pause Quality Updates.

Windows Update for Business managed devices are now able to defer feature update installation past upwardly to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See Configure devices for Current Branch (CB) or Current Co-operative for Business (CBB), Configure when devices receive Feature Updates and Configure when devices receive Quality Updates for details.

Windows Insider for Business

We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, y'all increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business organization needs. For details, see Windows Insider Program for Business.

Optimize update delivery

With changes delivered in Windows ten, version 1703, Express updates are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, likewise as with other third-party updating and management products that implement this new functionality. This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.

Annotation

The to a higher place changes can be made bachelor to Windows ten, version 1607, past installing the April 2017 cumulative update.

Delivery Optimization policies at present enable yous to configure additional restrictions to take more command in various scenarios.

Added policies include:

  • Let uploads while the device is on battery while under set Battery level
  • Enable Peer Caching while the device connects via VPN
  • Minimum RAM (inclusive) immune to use Peer Caching
  • Minimum disk size allowed to use Peer Caching
  • Minimum Peer Caching Content File Size

To cheque out all the details, come across Configure Delivery Optimization for Windows 10 updates

Uninstalled in-box apps no longer automatically reinstall

Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.

Additionally, apps de-provisioned past admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not utilize to the update from Windows 10, version 1607 (or before) to version 1703.

Management

New MDM capabilities

Windows 10, version 1703 adds many new configuration service providers (CSPs) that provide new capabilities for managing Windows ten devices using MDM or provisioning packages. Among other things, these CSPs enable yous to configure a few hundred of the about useful Group Policy settings via MDM - encounter Policy CSP - ADMX-backed policies.

Some of the other new CSPs are:

  • The DynamicManagement CSP allows yous to manage devices differently depending on location, network, or time. For case, managed devices can have cameras disabled when at a piece of work location, the cellular service tin be disabled when outside the country to avert roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. One time configured, these settings will exist enforced even if the device tin can't accomplish the direction server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in improver to setting the conditions on which the change occurs.

  • The CleanPC CSP allows removal of user-installed and pre-installed applications, with the pick to persist user data.

  • The BitLocker CSP is used to manage encryption of PCs and devices. For case, yous can require storage card encryption on mobile devices, or require encryption for operating organization drives.

  • The NetworkProxy CSP is used to configure a proxy server for ethernet and Wi-Fi connections.

  • The Office CSP enables a Microsoft Role client to be installed on a device via the Office Deployment Tool. For more information, meet Configuration options for the Office Deployment Tool.

  • The EnterpriseAppVManagement CSP is used to manage virtual applications in Windows x PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs fifty-fifty when managed by MDM.

IT pros tin can employ the new MDM Migration Assay Tool (MMAT) to determine which Group Policy settings have been configured for a user or calculator and cross-reference those settings against a born list of supported MDM policies. MMAT tin can generate both XML and HTML reports indicating the level of support for each Grouping Policy setting and MDM equivalents.

Learn more about new MDM capabilities.

Mobile application management back up for Windows 10

The Windows version of mobile application direction (MAM) is a lightweight solution for managing company information admission and security on personal devices. MAM support is built into Windows on top of Windows Data Protection (WIP), starting in Windows x, version 1703.

For more info, see Implement server-side back up for mobile application direction on Windows.

MDM diagnostics

In Windows ten, version 1703, we go on our work to meliorate the diagnostic feel for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an mistake in MDM, eliminating the need to have always-on logging for retention-constrained devices. Additionally, we are introducing Microsoft Message Analyzer every bit an additional tool to aid Support personnel quickly reduce issues to their root cause, while saving time and cost.

Application Virtualization for Windows (App-Five)

Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you lot to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing surroundings for you, including provisioning your virtual motorcar. Additionally, the App-5 Sequencer has been updated to allow y'all sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.

For more info, see the post-obit topics:

  • Automatically provision your sequencing surround using Microsoft Application Virtualization Sequencer (App-V Sequencer)
  • Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-5 Sequencer)
  • Automatically update multiple apps at the aforementioned time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
  • Automatically clean upwards unpublished packages on the App-V customer

Windows diagnostic data

Larn more near the diagnostic data that's collected at the Bones level and some examples of the types of information that is collected at the Full level.

  • Windows ten, version 1703 basic level Windows diagnostic events and fields
  • Windows 10, version 1703 Diagnostic Data

Group Policy spreadsheet

Learn about the new Grouping Policies that were added in Windows 10, version 1703.

  • Group Policy Settings Reference for Windows and Windows Server

Miracast on existing wireless network or LAN

In the Windows 10, version 1703, Microsoft has extended the ability to transport a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the Miracast over Infrastructure Connectedness Establishment Protocol (MS-MICE).

Miracast over Infrastructure offers a number of benefits:

  • Windows automatically detects when sending the video stream over this path is applicable.
  • Windows will only cull this route if the connection is over Ethernet or a secure Wi-Fi network.
  • Users do not have to modify how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
  • No changes to current wireless drivers or PC hardware are required.
  • It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
  • It leverages an existing connection which both reduces the fourth dimension to connect and provides a very stable stream.

How it works

Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will endeavor to resolve the device'due south hostname via standard DNS, every bit well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will autumn dorsum to establishing the Miracast session using the standard Wi-Fi direct connection.

Enabling Miracast over Infrastructure

If you have a device that has been updated to Windows 10, version 1703, then you automatically take this new feature. To take advantage of it in your environment, you lot need to ensure the post-obit is true within your deployment:

  • The device (PC or Surface Hub) needs to exist running Windows 10, version 1703.
  • A Windows PC or Surface Hub can act as a Miracast over Infrastructure receiver. A Windows device can deed equally a Miracast over Infrastructure source.
    • As a Miracast receiver, the PC or Surface Hub must be continued to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure volition disable itself.
    • As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connexion.
  • The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You lot can reach this by either assuasive your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA tape for the device'southward hostname.
  • Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connectedness.

It is of import to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a item location and don't have access to the enterprise network volition go on to connect using the Wi-Fi Direct connection method.

The following new features aren't part of Windows ten, but assistance you lot make the most of it.

Upgrade Readiness

Upgrade Readiness helps you ensure that applications and drivers are fix for a Windows 10 upgrade. The solution provides up-to-date application and commuter inventory, information about known problems, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March ii, 2017.

The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add information technology to an existing Functioning Direction Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.

For more than data about Upgrade Readiness, encounter the following topics:

  • Windows Analytics weblog
  • Manage Windows upgrades with Upgrade Readiness

Update Compliance

Update Compliance helps y'all to keep Windows x devices in your organisation secure and up-to-appointment.

Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided nigh the deployment progress of existing updates and the status of future updates. Information is also provided virtually devices that might need attention to resolve issues.

For more information about Update Compliance, encounter Monitor Windows Updates with Update Compliance.