New version of Windows 10: view of the system administrator

    Surely you have already heard that today Windows 10 Creators Update is officially released. In this article, we decided to be one step ahead and tell you about new features for system administrators in the next update of Windows 10 (1703).



    Configuration


    Windows Configuration Designer


    This component was formerly called Windows Imaging and Configuration Designer , ICD, and was used to create training packages. In this version, he received the new name Windows Configuration Designer . In previous versions of Windows, it can be installed as part of the Windows ADK deployment and evaluation toolkit.

    To simplify the creation of training packages in Windows Designer Designer in Windows 10 version 1703 there are a number of new wizards.



    In both versions of the wizard — for desktops and kiosks — there is the option to remove preinstalled software using the CleanPC configuration service provider .



    Mass connection to Azure Active Directory


    New wizards from Windows Configuration Designer let you create provisioning packages for attaching devices to Azure Active Directory. A mass connection to Azure Active Directory is available through the wizards for desktops, mobile devices, kiosks, and Surface Hub devices.



    Windows spotlight


    New group policies and mobile device management (MDM) options have been added:

    • Turn off the Windows Spotlight on Action Center;
    • Do not use diagnostic data for tailored experiences;
    • Turn off the Windows Welcome Experience.

    Learn more about Windows Spotlight .

    Start menu, start screen and taskbar structure


    Surely you know that enterprises can change the appearance of the Start menu, home screen and taskbar on computers running Windows 10 editions of Enterprise and Education. In version 1703, these modifications can also be applied to the Pro edition.

    Previously, a custom taskbar could only be deployed using group policies or training packages. In the new version, support for custom panels appeared in the Mobile Device Management (MDM) tool .

    There were new parameters MDM policies to control the Start menu and the structure of the home screen and taskbar. MDM policy settings:


    Deployment


    MBR2GPT.EXE Utility


    MBR2GPT.EXE is a new command line tool. It converts the MBR disk (Master Boot Record) to the GPT (GUID Partition Table) section without changing or deleting data on the disk. This utility is designed to be used on the command line of the Windows Preinstallation Environment (Windows PE), but it can also be used on the fully functional Windows 10 operating system.

    The GPT partition format is newer and allows you to create more larger partitions. It also provides enhanced data reliability, supports additional types of partitions, and improves download and shutdown speeds. After converting the system disk from MBR to GPT, you must reconfigure the computer to boot in UEFI mode, so before converting the system disk, you must make sure that your device supports UEFI.

    After loading in UEFI mode in Windows 10, the following security functions become available: safe boot, early launch of the ELAM driver (Early Launch Anti-malware), reliable Windows boot, measured boot, Device Guard, Credential Guard, and BitLocker Network Unlock.

    Security


    Windows Defender Advanced Threat Protection


    New features of Windows Defender Advanced Threat Protection (ATP) for Windows 10 version 1703. By the way, we recall that we recently shared a description of the ATP functionality on Habré .

    Attack Detection

    Major improvements in attack detection include:

    • the ability to use the threat analytics api to create custom alerts;
    • improvements to OS sensors for memory and the kernel to provide support for detecting attacks in memory and at the kernel level;
    • updating mechanisms for detecting blackmailers, as well as other complex attacks;
    • retrospective detection functionality, which allows you to apply new rules for detecting attacks in archive data with a depth of up to six months to detect attacks that previously went unnoticed.

    Investigation of attacks

    Corporate clients can now take advantage of the full range of Windows security features due to the fact that information about the detection of attacks by means of Windows Defender Antivirus and Device Guard units are displayed in the Windows Defender ATP portal.

    Other features have been added to provide a holistic picture of investigations. Other improvements to attack investigation include:

    • user account research - the ability to identify user accounts with the most alerts and investigate cases of possible compromise of credentials;
    • Alert processes tree - aggregation of multiple detection events and related events into a single view to reduce resolution time;
    • receive alerts using api rest - use the REST API to receive alerts from Windows Defender ATP.

    Responding to attacks

    When an attack is detected, response groups can take urgent measures to isolate a security breach:


    Other features

    Checking the health status of sensors — Testing the endpoint’s ability to provide sensor data and interact with Windows Defender ATP, and to resolve known issues.

    Windows Defender Antivirus


    Windows Defender got a new name - Windows Defender Antivirus. Its new features:


    The possibilities of protection against blackmailers have also expanded due to updated monitoring of behavior and real-time real-time protection.

    Group Policy Security Settings


    Security setting Interactive logon: Display user information when the session is locked (Interactive logon: Display user information when the session is locked) has been updated and now works in conjunction with parameter Privacy under Settings> Accounts> Login Options .

    A new security policy setting has appeared - Interactive logon: Don't display username at sign-i n. This parameter determines whether to display the username during login, and works in conjunction with the Privacy setting in the Settings> Accounts> Login Settings section . This setting only affects the Other user tile..

    Windows Hello for Business


    Now you can reset your forgotten PIN without deleting corporate data or applications managed by Microsoft Intune . An administrator can initiate a remote PIN reset of devices running PINs through the Intune portal.

    On desktop PCs, users can reset a forgotten PIN in Settings> Accounts> Login Settings .

    Update


    Windows Update for Business


    The pause function of the update has changed: now it is required to indicate the start date of the installation. If the corresponding policy is not configured, users now have the opportunity to postpone the update in the settings Windows Settings → Update & security → Windows Update → Advanced options . Also increased the time for which you can postpone corrections - up to 35 days.

    Updating devices managed with Windows Update for Business can now be delayed for up to 365 days (previously, updating could only be delayed for 180 days). Users can specify in the parameters the level of readiness of their branch and the time for which updates should be postponed.

    Windows Insider for Business


    Added the ability to download builds of the preliminary version of Windows 10 Insider Preview using Azure Active Directory (AAD) corporate credentials.

    Optimized update delivery


    Changes in the new version made it possible to provide full support for express updates in System Center Configuration Manager, starting with version 1702 of this product, as well as updates and management of third-party products that implement this functionality. She supplemented existing support for express updates in Windows Update, Windows Update for Business, and WSUS.

    Note. These changes are available in Windows 10 version 1607 after installing the April 2017 update.

    Update delivery optimization policies now allow you to set additional restrictions, which makes it possible to better manage various update scenarios.

    New policies include:

    • support for loading at a given charge level when the device is running on battery power;
    • support for peer-to-peer caching when connecting a device via VPN;
    • definition of memory (inclusive) that is allowed to be used for peer-to-peer caching;
    • the minimum amount of disk space that is allowed to use for peer-to-peer caching;
    • The minimum file size for peer-to-peer caching content.

    Previously installed applications are no longer updated automatically


    When upgrading to Windows 10, version 1703, the applications that are included with Windows that the user previously uninstalled will not be automatically installed as part of the upgrade process.

    Control


    New MDM Features


    The new version includes many new configuration service providers (CSPs) for managing Windows 10 using mobile device management tools (MDM) or training packages. Among other things, these CSPs allow you to manage hundreds of the most useful group policies through MDM.

    New CSP Providers:

    • DynamicManagement CSP allows you to manage devices differently depending on their location, network connection and time. For example, on managed devices, you can turn off the cameras when they are at the workplace, support for mobile communications when leaving the country to prevent high roaming costs; or a wireless network — when the device is not in the organization’s or campus’s building. After configuration, these parameters can be applied even in the absence of communication with the management server due to a change in location or network. Dynamic Management CSP allows you to configure policies that change the device management order in addition to configuring the conditions under which such a change occurs.
    • CleanPC CSP allows you to remove pre-installed and user-installed applications, while maintaining user data.
    • BitLocker CSP is used to manage encryption on desktop computers and devices. For example, you can provide data encryption on the memory cards of devices or disks with the operating system.
    • NetworkProxy CSP is used to configure a proxy server to connect via Ethernet or Wi-Fi.
    • Office CSP allows you to install the Microsoft Office client on the device using the Office Deployment Tool.
    • EnterpriseAppVManagement CSP is used to manage virtual applications on desktop computers running Windows 10 (in the editions of Enterprise and Education) and allows you to transfer virtualized App-V applications to computers, even if they are controlled by MDM tools.

    The MDM Migration Analysis Tool (MMAT) is used to determine the group policies that have been configured for the user or computer, and to cross-link these settings with the built-in list of supported MDM policies . The tool allows you to receive reports in XML and HTML formats, which indicate the level of support for all group policy settings and their equivalents in MDM.

    Manage mobile apps in Windows 10


    The mobile application management (MAM) version for Windows is a lightweight solution for managing access to corporate data and security on personal devices. Starting with Windows 10 version 1703, MAM support is built into Windows on top of WIP (Windows Information Protection).

    MDM Diagnostics


    Work continued on improving the diagnostic tools that meet the requirements of modern management. The advent of automatic journaling for mobile devices allowed Windows to automatically record errors in the MDM log, eliminating the need to constantly log on devices with a small amount of memory. In addition, Microsoft Message Analyzer was introduced, an additional tool that helps support staff quickly identify the causes of problems and, thus, save time and money.

    Mobile devices in Windows 10


    Lockdown designer


    The Lockdown Designer application helps to configure and create an XML lock file, which should be applied to devices running Windows 10, and also contains remote modeling functionality that allows you to define the tile configuration in the Start menu and on the initial screen. Using Lockdown Designer is easier than manually creating an XML lock file .



    Other improvements


    The following improvements also appeared:

    • SD card encryption
    • Remote reset of Azure Active Directory account PINs
    • archiving SMS text messages;
    • Wi-Fi Direct Management;
    • Continuum display control;
    • individual shutdown of the monitor screen or phone in the absence of activity;
    • individual definition of the screen timeout;
    • Continuum Docking Solutions
    • definition of Ethernet port properties;
    • Defining proxy properties for Ethernet ports.

    Useful materials from our blog and not only




    UPD: About updates in Windows 10 Creators Update can be found on the company's blog .

    Also popular now: