What's new in Windows 10, version 1803 for IT Pros

Applies to

  • Windows 10, version 1803

This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.

If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in hardware, for developers, and for consumers.

Deployment

Windows Autopilot

Windows Autopilot provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.

With the help of Intune, Autopilot can now lock the device during the Windows Out Of Box Experience (OOBE) until policies and settings for the device are provisioned, ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.

Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.

Windows 10 in S mode

Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.

Some additional information about Windows 10 in S mode:

  • Microsoft-verified. All of your applications are verified by Microsoft for security and performance.
  • Performance that lasts. Start-ups are quick, and S mode is built to keep them that way.
  • Choice and flexibility. Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps.
  • S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping windows, task view and virtual desktops on a range of S mode enabled devices.

If you want to switch out of S mode, you'll be able to do so at no charge, regardless of edition. Once you switch out of S mode, you can't switch back.

For more information, see Windows 10 Pro/Enterprise in S mode.

Windows 10 kiosk and Kiosk Browser

With this release, you can easily deploy and manage kiosk devices with Microsoft Intune in single- and multiple-app scenarios. These scenarios include the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.

  • Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
  • Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies.
  • Support for multiple screens for digital signage use cases.
  • The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
  • The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
  • A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
  • For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
  • To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.

Windows 10 Subscription Activation

With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.

For more information, see Windows 10 Subscription Activation.

DISM

The following new DISM commands have been added to manage feature updates:

Command                                  Description
DISM /Online /Initiate-OSUninstall       Initiates an OS uninstall to take the computer back to the previous installation of Windows.
DISM /Online /Remove-OSUninstall         Removes the OS uninstall capability from the computer.
DISM /Online /Get-OSUninstallWindow      Displays the number of days after upgrade during which uninstall can be performed.
DISM /Online /Set-OSUninstallWindow      Sets the number of days after upgrade during which uninstall can be performed.

For more information, see DISM operating system uninstall command-line options.

Windows Setup

You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to the next feature release, so you only need to add them once.

Prerequisites:

  • Windows 10, version 1803 or later.
  • Windows 10 Enterprise or Pro.

For more information, see Run custom actions during feature update.

It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option:

/PostRollback <location> [\setuprollback.cmd] [/postrollback {system | admin}]

For more information, see Windows Setup Command-Line Options.

New command-line switches are also available to control BitLocker:

Command                                  Description
Setup.exe /BitLocker AlwaysSuspend       Always suspend BitLocker during upgrade.
Setup.exe /BitLocker TryKeepActive       Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade.
Setup.exe /BitLocker ForceKeepActive     Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade.

For more information, see Windows Setup Command-Line Options.
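
The following PowerShell script is an added example, not Microsoft's code: it launches an upgrade with one of the /BitLocker switches above and, in a second run after the upgrade, detects and corrects an OS volume that was left suspended. The media path D:\setup.exe, the /auto upgrade /quiet switches and the Upgrade/Verify phase names are assumptions that do not appear on this page.

```powershell
# Added example (not Microsoft's script). Run elevated on the device being upgraded.
param(
    [ValidateSet('Upgrade', 'Verify')]
    [string]$Phase = 'Verify',
    [string]$SetupPath = 'D:\setup.exe',          # assumed location of the upgrade media
    [ValidateSet('AlwaysSuspend', 'TryKeepActive', 'ForceKeepActive')]
    [string]$BitLockerMode = 'ForceKeepActive'    # strictest choice: fail rather than suspend
)

function Get-OsVolumeState {
    # A suspended volume is still encrypted but reports protection Off,
    # because the volume key is kept unprotected on disk until protection resumes.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $encrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
    $protected = $vol.ProtectionStatus -eq 'On'
    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Encrypted  = $encrypted
        Protected  = $protected
        Suspended  = $encrypted -and -not $protected
    }
}

$state = Get-OsVolumeState

if ($Phase -eq 'Upgrade') {
    if ($state.Suspended) {
        throw "BitLocker is already suspended on $($state.MountPoint); resume it before upgrading."
    }
    $setupArgs = @('/auto', 'upgrade', '/quiet', '/BitLocker', $BitLockerMode)
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru
    'setup.exe exited with 0x{0:X8}' -f $proc.ExitCode
    exit $proc.ExitCode
}

# Verify phase: run after the upgrade (or a failed attempt) has finished.
if ($state.Suspended) {
    Write-Warning "BitLocker is suspended on $($state.MountPoint); resuming protection."
    Resume-BitLocker -MountPoint $state.MountPoint | Out-Null
    $state = Get-OsVolumeState
}
$state
# Non-zero exit lets a management agent flag devices that are still unprotected.
if ($state.Encrypted -and -not $state.Protected) { exit 1 }
```

With TryKeepActive or AlwaysSuspend the Verify phase is the check that matters, since those modes are the ones that can leave the volume suspended.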

SetupDiag

SetupDiag is a new command-line tool that can help diagnose why a Windows 10 update failed.

SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.

Windows Update for Business

Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see Manage software updates in Intune.

Feature update improvements

Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This migration has resulted in a significant reduction of offline time when installing updates. For more information, see We're listening to you.

Configuration

Co-management

Intune and Microsoft Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the MDMWinsOverGP policy, to enable easier transition to cloud-based management.

For more information, see What's New in MDM enrollment and management.

OS uninstall period

The OS uninstall period is the length of time during which users can optionally roll back a Windows 10 update. With this release, administrators can use Intune or DISM to customize the length of the OS uninstall period.
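
As an added example (not taken from Microsoft's documentation), the PowerShell script below uses the DISM commands listed under Deployment to read the uninstall window and bring it to a chosen value. The /Value:<days> argument, the /English switch, the parsed "Uninstall Window : <days>" output line and the 10-day target are assumptions that do not appear on this page.

```powershell
# Added example (not Microsoft's script). Run elevated on Windows 10, version 1803 or later.
param(
    [ValidateRange(2, 60)]      # range DISM documents for /Value; outside it DISM falls back to 10
    [int]$DesiredDays = 10      # hypothetical organisational standard
)

function Get-OSUninstallWindow {
    # /English pins the output language so the text can be parsed reliably.
    $output = & dism.exe /Online /English /Get-OSUninstallWindow 2>&1
    if ($LASTEXITCODE -ne 0) {
        # DISM returns an error when there is no previous installation to roll back to.
        return $null
    }
    foreach ($line in $output) {
        # Assumed output line: "Uninstall Window : <days>"
        if ("$line" -match 'Uninstall Window\s*:\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$current = Get-OSUninstallWindow
if ($null -eq $current) {
    Write-Warning 'No rollback is available: no previous installation, or the window has expired.'
    return
}

if ($current -ne $DesiredDays) {
    & dism.exe /Online /Set-OSUninstallWindow "/Value:$DesiredDays" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "DISM /Set-OSUninstallWindow failed with exit code $LASTEXITCODE"
    }
    # Read the value back instead of trusting the set call.
    $current = Get-OSUninstallWindow
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    UninstallWindowDays = $current
    Compliant           = ($current -eq $DesiredDays)
}
```

The emitted object can be collected across devices to find machines whose rollback window differs from the standard.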

Windows Hello for Business

Windows Hello now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the Kiosk configuration section.

  • Windows Hello is now password-less on S-mode.
  • Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
  • Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
  • You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
  • New public API for secondary account SSO for a particular identity provider.
  • It's easier to set up Dynamic lock, and Windows Defender Security Center (WD SC) actionable alerts have been added when Dynamic lock stops working (for example, when phone Bluetooth is off).

For more information, see: Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices

Accessibility and Privacy

Accessibility

"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see Accessibility information for IT Professionals. Also see the accessibility section in the What’s new in the Windows 10 April 2018 Update blog post.

Privacy

In the Feedback and Settings page under Privacy Settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the Diagnostic Data Viewer app.

Security

Security Baselines

The new security baseline for Windows 10 version 1803 has been published.

Microsoft Defender Antivirus

Microsoft Defender Antivirus now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud-based protection, and new channels are available for emergency protection. For more information, see Virus and threat protection and Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.

Windows Defender Exploit Guard

Windows Defender Exploit Guard has enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. Virtualization-based Security (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.

For more information, see Reduce attack surfaces.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint has been enhanced with many new capabilities. For more information, see New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security.

Windows Defender Application Guard

Windows Defender Application Guard has added support for Edge. For more information, see System requirements for Windows Defender Application Guard.

Windows Defender Device Guard

Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows Defender Device Guard deployment guide.

Windows Information Protection

This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see OneDrive Files On-Demand For The Enterprise.

Office 365 Ransomware Detection

For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see Ransomware detection and recovering your files.

Windows Analytics

Upgrade Readiness

Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see Upgrade Readiness now helps assess Spectre and Meltdown protections.

Update Compliance

Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see Delivery Optimization in Update Compliance.

Device Health

Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords—for a smooth migration to the password-less future. For more information, see Using Device Health.

Microsoft Edge

iOS and Android versions of Edge are now available. For more information, see Microsoft Edge Tips.

Support in Windows Defender Application Guard is also improved.
