What's new in Windows 10, version 1703 IT pro content

Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).

For more general info about Windows 10 features, see Features available only on Windows 10. For info about previous versions of Windows 10, see What's New in Windows 10. Also see this blog post: What’s new for IT pros in the Windows 10 Creators Update.

Note

Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see Windows 10 release information. For a list of removed features, see Features that are removed or deprecated in Windows 10 Creators Update.

Configuration

Windows Configuration Designer

Previously known as Windows Imaging and Configuration Designer (ICD), the tool for creating provisioning packages is renamed Windows Configuration Designer. The new Windows Configuration Designer is available in Windows Store as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the Windows Assessment and Deployment Kit (ADK).

Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.

wizards for desktop, mobile, kiosk, Surface Hub

Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new CleanPC configuration service provider (CSP).

remove pre-installed software option

Learn more about Windows Configuration Designer.

Azure Active Directory join in bulk

Using the new wizards in Windows Configuration Designer, you can create provisioning packages to enroll devices in Azure Active Directory. Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.

get bulk token action in wizard

Windows Spotlight

The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:

  • Turn off the Windows Spotlight on Action Center
  • Do not use diagnostic data for tailored experiences
  • Turn off the Windows Welcome Experience

Learn more about Windows Spotlight.

Start and taskbar layout

Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.

Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to MDM.

Additional MDM policy settings are available for Start and taskbar layout. New MDM policy settings include:

Cortana at work

Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.

Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.

For more info about Cortana at work, see Cortana integration in your business or enterprise

Deployment

MBR2GPT.EXE

MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).

The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.

Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.

For details, see MBR2GPT.EXE.

Security

Windows Defender Advanced Threat Protection

New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include:

  • Detection
    Enhancements to the detection capabilities include:

    • Use the threat intelligence API to create custom alerts - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
    • Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
    • Upgraded detections of ransomware and other advanced attacks
    • Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
  • Investigation
    Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.

    Other investigation enhancements include:

  • Response
    When detecting an attack, security response teams can now take immediate action to contain a breach:

  • Other features

    • Check sensor health state - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.

You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: Averting ransomware epidemics in corporate networks with Windows Defender ATP.

Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].

Windows Defender Antivirus

Windows Defender is now called Windows Defender Antivirus, and we've increased the breadth of the documentation library for enterprise security admins.

The new library includes information on:

Some of the highlights of the new library include:

New features for Windows Defender AV in Windows 10, version 1703 include:

In Windows 10, version 1607, we invested heavily in helping to protect against ransomware, and we continue that investment in version 1703 with updated behavior monitoring and always-on real-time protection.

You can read more about ransomware mitigations and detection capability in Windows Defender AV in the Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF) and at the Microsoft Malware Protection Center blog.

Device Guard and Credential Guard

Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. For more information, see Device Guard Requirements and Credential Guard Security Considerations.

Group Policy Security Options

The security setting Interactive logon: Display user information when the session is locked has been updated to work in conjunction with the Privacy setting in Settings > Accounts > Sign-in options.

A new security policy setting Interactive logon: Don't display username at sign-in has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the Privacy setting in Settings > Accounts > Sign-in options. The setting only affects the Other user tile.

Windows Hello for Business

You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by Microsoft Intune.

For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.

For Windows desktops, users are able to reset a forgotten PIN through Settings > Accounts > Sign-in options.

For more details, check out What if I forget my PIN?.

Windows Information Protection (WIP) and Azure Active Directory (Azure AD)

Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see Create a Windows Information Protection (WIP) policy using Microsoft Intune and Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune.

You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, How to collect Windows Information Protection (WIP) audit event logs.

Update

Windows Update for Business

The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through Settings > Update & security > Windows Update > Advanced options in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in Pause Feature Updates and Pause Quality Updates.

Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See Configure devices for Current Branch (CB) or Current Branch for Business (CBB), Configure when devices receive Feature Updates and Configure when devices receive Quality Updates for details.

Windows Insider for Business

We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see Windows Insider Program for Business.

Optimize update delivery

With changes delivered in Windows 10, version 1703, Express updates are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that implement this new functionality. This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.

Note

The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.

Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.

Added policies include:

To check out all the details, see Configure Delivery Optimization for Windows 10 updates

Uninstalled in-box apps no longer automatically reinstall

Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.

Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703.

Management

New MDM capabilities

Windows 10, version 1703 adds many new configuration service providers (CSPs) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see Policy CSP - ADMX-backed policies.

Some of the other new CSPs are:

  • The DynamicManagement CSP allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.

  • The CleanPC CSP allows removal of user-installed and pre-installed applications, with the option to persist user data.

  • The BitLocker CSP is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.

  • The NetworkProxy CSP is used to configure a proxy server for ethernet and Wi-Fi connections.

  • The Office CSP enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see Configuration options for the Office Deployment Tool.

  • The EnterpriseAppVManagement CSP is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.

IT pros can use the new MDM Migration Analysis Tool (MMAT) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.

Learn more about new MDM capabilities.

Mobile application management support for Windows 10

The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.

For more info, see Implement server-side support for mobile application management on Windows.

MDM diagnostics

In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing Microsoft Message Analyzer as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.

Application Virtualization for Windows (App-V)

Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.

For more info, see the following topics:

Windows diagnostic data

Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.

Group Policy spreadsheet

Learn about the new Group Policies that were added in Windows 10, version 1703.

Windows 10 Mobile enhancements

Lockdown Designer

The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than manually creating a lockdown XML file.

Lockdown Designer app in Store

Learn more about the Lockdown Designer app.

Other enhancements

Windows 10 Mobile, version 1703 also includes the following enhancements:

  • SD card encryption
  • Remote PIN resets for Azure Active Directory accounts
  • SMS text message archiving
  • WiFi Direct management
  • OTC update tool
  • Continuum display management
    • Individually turn off the monitor or phone screen when not in use
    • Indiviudally adjust screen time-out settings
  • Continuum docking solutions
    • Set Ethernet port properties
    • Set proxy properties for the Ethernet port

The following new features aren't part of Windows 10, but help you make the most of it.

Upgrade Readiness

Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.

The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.

For more information about Upgrade Readiness, see the following topics:

Update Compliance

Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.

Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.

For more information about Update Compliance, see Monitor Windows Updates with Update Compliance.