Win10 April Update: What’s new for IT pros? (Part 2)

In Part 1 of this 3-part overview of the Windows 10 April Update (also known as version 1803) that started rolling out to the public in early May, we looked at some of the more user-centric new features such as the Timeline, Focus Assist, Nearby Sharing, and Edge tab muting. While many IT professionals will find these useful, as well, there is another group of enhancements that probably aren’t of much interest to most consumers but are significant additions for IT pros. That’s what we’ll be discussing here in Part 2.

Windows 10 deployment/updates

There are several new features and tweaks that will make deployment, setup, and feature updates of Windows 10 machines easier.

Custom .cmd scripts during setup

With the Pro and Enterprise editions of Windows 10, you can create custom .cmd scripts and run them in parallel with Windows Setup during the feature update process. Even better, you only have to do it once. Setup migrates your scripts to the next feature release for you.  You can find more info about running custom scripts on the Microsoft Docs site in the article Run custom actions during feature update.

Subscription activation

Windows 10 Enterprise edition E3 and E5 can be deployed as online subscription services. Inherited activation is a new feature in 1803 that will make it possible for the activation state of a Windows 10 host to be inherited by the Windows 10 virtual machines that are running on it. Both host and VM must be running Win 10 1803 or above and you must have the E3 or E5 subscription.

New DISM commands

DISM.exe is Microsoft’s Deployment Image Servicing and Management tool. You use PowerShell or the command line to access it. IT pros use DISM to change or update features, packages, drivers and some settings with DISM. It has been included with the Windows OS since Windows 8.  

Windows 10 1803 adds uninstall command line options that you can use to initiate an uninstall operation, or you can remove the ability for users to uninstall an upgrade or set a number of days during which a user can uninstall the upgrade.  See the command syntax for each of these new commands on the Microsoft Docs site in the article DISM operating system uninstall command-line operations.

When updates fail

We’ve all been there – sometimes updates or upgrades refuse to install and it can be maddening to try to figure out why. Windows 10 1803 provides a new command line tool called SetupDiag to help you determine the reason for a failed update/upgrade.

It works by examining the files in the Windows Setup log and comparing them to an .xml file that contains information about known issues. The Windows 10 computer must have .NET Framework v4.6 installed. You can find out more about SetupDiag and the specifics of the rules in the .xml file on the Microsoft Docs site in the article SetupDiag.

Windows 10 configuration, privacy, and security features

Windows 10 1803 adds features that will help IT pros configure Windows 10 more securely, and helps to protect privacy in keeping with current regulatory requirements and organizational policies.

Windows Hello for Business

The April update adds support for FIDO 2.0 authentication to Windows Hello for Business. In S mode, Windows Hello replaces the password-based authentication system. Support for S/MIME has been added, as have new APIs for third-party identity lifecycle management products.

As part of the push to move to more secure authentication methods, Windows Defender Security Center now encourages users to set up Windows Hello biometrics, facial recognition, or PINs. Those users who use Dynamic Lock (which automatically locks your PC when your paired phone goes out of range) will now be notified if that feature has stopped working due to Bluetooth being off on their phones.  It’s easier now for users with Microsoft accounts to set up Hello on their devices and it’s easier to set up Dynamic Lock.

Windows Defender improvements

In Windows 10 1803, the Windows Defender antivirus feature will now share detection status between Microsoft 365 services (Office 365, Windows 10, and Enterprise Mobility + Security). It also interoperates with Windows Defender Advanced Threat Protection (ATP).

ATP itself has new capabilities in 1803, including the ability to query data using advanced hunting, use of automated investigations, and protection of users, devices and data with conditional access.

Windows Defender Exploit Guard, which first appeared in Windows 10 1709, now supports Windows Server, and you can enable Virtualization- based Security (VBS) and Hypervisor-protected code integrity (HVCI) across the Win 10 ecosystem. WDEG provides exploit protection, network protection, and controlled folder access, and reduces the attack surface using intelligent rules. 1803 adds new attack surface reduction rules and also enables you to block disk sectors using controlled folder access.

Windows Defender Application Guard, which is designed to help isolate web sites that are defined as untrusted (through whitelisting), now supports both Edge and Internet Explorer web browsers.  

Additional security and privacy related enhancements in 1803 include:

• Support for Windows Information Protection with Files on Demand, with file encryption available while the file is open in another app,
• Ransomware detection in Office 365 that notifies  you when OneDrive files are attacked,
• Ability to delete diagnostic data your device has sent to Microsoft, for better privacy.

If you want another layer of protection you can have a look at GFI OneGuard offering real time antivirus protection, patch management and asset tracking, in one, intuitive solution. Try GFI OneGuard free for 30 days.

Summary

The above includes some of the new features in the Windows 10 April update that will be of most interest to IT professionals. This is not a comprehensive list; there are many additional tweaks such as improvements to Windows Analytics, a new enrollment status page in Windows Autopilot, automatic management of language packs, features on demand, and other components, new policies in Microsoft Intune and System Center Configuration Manager to enable hybrid Azure AD-joined authentication, Microsoft Store for Business, and more.  You can watch a video summary of What’s New in Windows 10, version 1803, for IT Pros on YouTube.

Windows 10 special uses

The April update adds a number of enhancements for those organizations that deploy Windows 10 for special, limited purposes.

Kiosk management

Many companies use Windows 10 in kiosk scenarios, such as in retail establishments, hotels, etc. that want to make computers available to customers or the public in a limited, locked down state that runs only one application. Microsoft had already introduced kiosk mode in some editions of Windows 10 (Pro, Enterprise, and Education). They called the feature Assigned Access.

Windows 10 1803 adds a ton of new capabilities for this purpose, including a new Kiosk Browser (available in the Microsoft Store) that lets you specify allowed URLs and even disable the navigation buttons. You can deploy kiosks with Intune and you can also run Shell Launcher along with universal Store apps, and it’s easier to configure an auto-logon account so that the kiosk goes back to the correct state after it’s rebooted. Another useful improvement is the ability to use multiple displays across digital signage in this mode. And finally, you can assign access configurations to AAD and AD groups instead of having to do it on an individual user basis.  For more details about kiosk mode with Windows 10, see the post Simplifying kiosk management for IT with Windows 10 in the Windows IT Pro Blog.

S mode for added security

Windows 10 S mode is simpler configuration of the OS that provides greater security and faster performance by limiting applications to Microsoft Store apps and supporting only Edge for web browsing. It’s appropriate for education environments and work environments where a more restricted and higher security computing solution is desired.  Windows 10 features such as virtual desktops, Windows Hello, and Cortana are still supported. Systems that come installed in S Mode can be switched to regular Windows 10 mode (and there is no charge for doing so) but you can’t go back again once you’ve made the switch.

Previously S mode was only available in Windows 10 Pro, but with 1803 it’s available in Home and Enterprise editions as well.

Join us next week for Part 3 in this Win10 April update series.