What's new in Windows 10, version 1803 IT Pro contentWhat's new in Windows 10, version 1803 IT Pro content

Applies toApplies to

  • Windows10, version 1803Windows10, version 1803

This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update.This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.

If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in hardware, for developers, and for consumers.If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in hardware, for developers, and for consumers.

The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.

DeploymentDeployment

Windows AutopilotWindows Autopilot

Windows Autopilot provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.Windows Autopilot provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.

Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.

Windows Autopilot is now available with Surface, Lenovo, and Dell.Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months.Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.Check back here later for more information.

Windows 10 in S modeWindows 10 in S mode

Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.

Some additional information about Windows 10 in S mode:Some additional information about Windows 10 in S mode:

  • Microsoft-verified.Microsoft-verified. All of your applications are verified by Microsoft for security and performance.All of your applications are verified by Microsoft for security and performance.
  • Performance that lasts.Performance that lasts. Start-ups are quick, and S mode is built to keep them that way.Start-ups are quick, and S mode is built to keep them that way.
  • Choice and flexibility.Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose.Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps.Browse the Microsoft Store for thousands of apps.
  • S mode, on a range of modern devices.S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.

If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition.If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition. Once you switch out of S mode, you cannot switch back.Once you switch out of S mode, you cannot switch back.

For more information, see Windows 10 Pro/Enterprise in S mode.For more information, see Windows 10 Pro/Enterprise in S mode.

Windows 10 kiosk and Kiosk BrowserWindows 10 kiosk and Kiosk Browser

With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios.With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store.This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage.Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.A summary of new features is below.

  • Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
  • Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policiesUsing Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
  • Support for multiple screens for digital signage use cases.Support for multiple screens for digital signage use cases.
  • The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
  • The ability to configure and run Shell Launcher in addition to existing UWP Store apps.The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
  • A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
  • For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
  • To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.

For more information, see:For more information, see:

Windows 10 Subscription ActivationWindows 10 Subscription Activation

With this release, Subscription Activation supports Inherited Activation.With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.

For more information, see Windows 10 Subscription Activation.For more information, see Windows 10 Subscription Activation.

DISMDISM

The following new DISM commands have been added to manage feature updates:The following new DISM commands have been added to manage feature updates:

DISM /Online /Initiate-OSUninstall 
    – Initiates a OS uninstall to take the computer back to the previous installation of windows.
DISM /Online /Remove-OSUninstall 
    – Removes the OS uninstall capability from the computer. 
DISM /Online /Get-OSUninstallWindow 
    – Displays the number of days after upgrade during which uninstall can be performed.
DISM /Online /Set-OSUninstallWindow 
    – Sets the number of days after upgrade during which uninstall can be performed.

For more information, see DISM operating system uninstall command-line options.For more information, see DISM operating system uninstall command-line options.

Windows SetupWindows Setup

You can now run your own custom actions or scripts in parallel with Windows Setup.You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.Setup will also migrate your scripts to next feature release, so you only need to add them once.

Prerequisites:Prerequisites:

  • Windows 10, version 1803 or later.Windows 10, version 1803 or later.
  • Windows 10 Enterprise or ProWindows 10 Enterprise or Pro

For more information, see Run custom actions during feature update.For more information, see Run custom actions during feature update.

It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.

/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]

For more information, see Windows Setup Command-Line OptionsFor more information, see Windows Setup Command-Line Options

New command-line switches are also available to control BitLocker:New command-line switches are also available to control BitLocker:

Setup.exe /BitLocker AlwaysSuspend 
    – Always suspend bitlocker during upgrade.
Setup.exe /BitLocker TryKeepActive 
    – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
Setup.exe /BitLocker ForceKeepActive 
    – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.

For more information, see Windows Setup Command-Line OptionsFor more information, see Windows Setup Command-Line Options

SetupDiagSetupDiag

SetupDiag is a new command-line tool that can help diagnose why a Windows 10 update failed.SetupDiag is a new command-line tool that can help diagnose why a Windows 10 update failed.

SetupDiag works by searching Windows Setup log files.SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run.In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.The rules.xml file will be updated as new versions of SetupDiag are made available.

Windows Update for Business (WUfB)Windows Update for Business (WUfB)

Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune.Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see Manage software updates in Intune.For more information, see Manage software updates in Intune.

Feature update improvementsFeature update improvements

Portions of the work done during the offline phases of a Windows update have been moved to the online phase.Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates.This has resulted in a significant reduction of offline time when installing updates. For more information, see We're listening to you.For more information, see We're listening to you.

ConfigurationConfiguration

Co-managementCo-management

Добавлены политики Intune и Microsoft Endpoint Configuration Manager для поддержки гибридной проверки подлинности при присоединении к Azure AD.Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the MDMWinsOverGP policy, to enable easier transition to cloud-based management.Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the MDMWinsOverGP policy, to enable easier transition to cloud-based management.

For more information, see What's New in MDM enrollment and managementFor more information, see What's New in MDM enrollment and management

OS uninstall periodOS uninstall period

The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update.The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or DISM to customize the length of the OS uninstall period.With this release, administrators can use Intune or DISM to customize the length of the OS uninstall period.

Windows Hello for BusinessWindows Hello for Business

Windows Hello now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the Kiosk configuration section.Windows Hello now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the Kiosk configuration section.

  • Windows Hello is now password-less on S-mode.Windows Hello is now password-less on S-mode.
  • Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
  • Windows Hello is part of the account protection pillar in Windows Defender Security Center.Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
  • You can set up Windows Hello from lock screen for MSA accounts.You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in.We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello.Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
  • New public API for secondary account SSO for a particular identity provider.New public API for secondary account SSO for a particular identity provider.
  • It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).

For more information, see: Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devicesFor more information, see: Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices

Accessibility and PrivacyAccessibility and Privacy

AccessibilityAccessibility

"Out of box" accessibility is enhanced with auto-generated picture descriptions."Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see Accessibility information for IT Professionals.For more information about accessibility, see Accessibility information for IT Professionals. Also see the accessibility section in the What’s new in the Windows 10 April 2018 Update blog post.Also see the accessibility section in the What’s new in the Windows 10 April 2018 Update blog post.

PrivacyPrivacy

In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft.In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the Diagnostic Data Viewer app.You can also view this diagnostic data using the Diagnostic Data Viewer app.

SecuritySecurity

Security BaselinesSecurity Baselines

The new security baseline for Windows 10 version 1803 has been published.The new security baseline for Windows 10 version 1803 has been published.

Windows Defender AntivirusWindows Defender Antivirus

Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP.Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection.Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see Virus and threat protection and Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection.For more information, see Virus and threat protection and Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection.

Windows Defender Exploit GuardWindows Defender Exploit Guard

Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server.Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. Virtualization-based Security (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem.Virtualization-based Security (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.These Exploit Guard features can now be enabled through the Windows Defender Security Center.

For more information, see Reduce attack surfacesFor more information, see Reduce attack surfaces

Windows Defender ATPWindows Defender ATP

Windows Defender ATP has been enhanced with many new capabilities.Windows Defender ATP has been enhanced with many new capabilities. For more information, see the following topics:For more information, see the following topics:

Also see New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint securityAlso see New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security

Windows Defender Application GuardWindows Defender Application Guard

Windows Defender Application Guard has added support for Edge.Windows Defender Application Guard has added support for Edge. For more information, see System requirements for Windows Defender Application GuardFor more information, see System requirements for Windows Defender Application Guard

Windows Defender Device GuardWindows Defender Device Guard

Configurable code integrity is being rebranded as Windows Defender Application Control.Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications.This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows Defender Device Guard deployment guide.For more information about Device Guard, see Windows Defender Device Guard deployment guide.

Windows Information ProtectionWindows Information Protection

This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance.This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see OneDrive Files On-Demand For The Enterprise.For more information, see OneDrive Files On-Demand For The Enterprise.

Office 365 Ransomware DetectionOffice 365 Ransomware Detection

For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files.For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see Ransomware detection and recovering your filesFor more information, see Ransomware detection and recovering your files

Windows AnalyticsWindows Analytics

Upgrade ReadinessUpgrade Readiness

Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices.Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates.This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see Upgrade Readiness now helps assess Spectre and Meltdown protectionsFor more information, see Upgrade Readiness now helps assess Spectre and Meltdown protections

Update ComplianceUpdate Compliance

Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates.Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see Delivery Optimization in Update ComplianceFor more information, see Delivery Optimization in Update Compliance

Device HealthDevice Health

Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes.Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future.The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see Using Device HealthFor more information, see Using Device Health

Microsoft EdgeMicrosoft Edge

iOS and Android versions of Edge are now available.iOS and Android versions of Edge are now available. For more information, see Microsoft Edge Tips.For more information, see Microsoft Edge Tips.

Support in Windows Defender Application Guard is also improved.Support in Windows Defender Application Guard is also improved.

See AlsoSee Also