Surely you have already heard that Windows 10 Creators Update is officially coming out today. In this article we decided to be one step ahead and tell you about the new features for system administrators in the next Windows 10 update (1703).

Configuration
Windows Configuration Designer
Previously, this component was called Windows Imaging and Configuration Designer (ICD) and was used to create provisioning packages. In this version it has been renamed Windows Configuration Designer. In previous versions of Windows, you can install it as part of the Windows Assessment and Deployment Kit (ADK).
To simplify the creation of provisioning packages, Windows Configuration Designer in Windows 10 version 1703 includes a number of new wizards.

In both versions of the wizard, for desktops and for kiosks, it is possible to remove preinstalled software using the CleanPC configuration service provider.

Bulk join to Azure Active Directory
The new wizards in Windows Configuration Designer let you create provisioning packages for joining devices to Azure Active Directory. Bulk join to Azure Active Directory is available in the wizards for desktops, mobile devices, kiosks, and Surface Hub devices.

Windows spotlight
Added new group policies and mobile device management (MDM) settings:
- Turn off the Windows Spotlight on Action Center;
- Do not use diagnostic data for tailored experiences;
- Turn off the Windows Welcome Experience.
Learn more about Windows Spotlight.
Start menu, Start screen and taskbar layout
Enterprises have been able to customize the layout of the Start menu, the Start screen and the taskbar on computers running the Windows 10 Enterprise and Education editions. In version 1703, these customizations can also be applied to the Pro edition.
Previously, a customized taskbar could be deployed only by using Group Policy or provisioning packages. The new version adds support for customized taskbars to mobile device management (MDM).
There are new MDM policy settings for managing the layout of the Start menu, the Start screen and the taskbar. MDM policy settings:
- Options for the User tile: Start/HideUserTile, Start/HideSwitchAccount, Start/HideSignOut, Start/HideLock, and Start/HideChangeAccountSettings;
- Options for controlling the Power element: Start/HidePowerButton, Start/HideHibernate, Start/HideRestart, Start/HideShutDown and Start/HideSleep;
- Additional new parameters: Start/HideFrequentlyUsedApps, Start/HideRecentlyAddedApps, AllowPinnedFolder, ImportEdgeAssets, Start/HideRecentJumplists, Start/NoPinningToTaskbar, Settings/PageVisibilityList and Start/HideAppsList.
Deployment
MBR2GPT.EXE utility
MBR2GPT.EXE is a new command-line tool. It converts a disk from the MBR (Master Boot Record) partition style to GPT (GUID Partition Table) without changing or deleting data on the disk. The utility is designed to be run from the command line of the Windows Preinstallation Environment (Windows PE), but it can also be used in the full Windows 10 operating system.
The GPT partition format is newer and allows you to create larger partitions. It also provides enhanced data reliability, supports additional partition types, and improves boot and shutdown speeds. After converting the system disk from MBR to GPT, you need to reconfigure the computer to boot in UEFI mode, so before converting the system disk make sure that your device supports UEFI.
After booting in UEFI mode, the following Windows 10 security features become available: Secure Boot, the Early Launch Anti-Malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
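A pre-flight check for the conversion described above, as an added example that is not part of the original article. It assumes an elevated PowerShell session in full Windows 10 version 1703 or later and that the system disk is disk 0; the script only validates unless -Convert is passed.

```powershell
# Added example, not from the original article.
# Assumptions: elevated PowerShell in the full OS (not Windows PE), system disk = disk 0.
param(
    [int]$DiskNumber = 0,
    [switch]$Convert      # without this switch the disk is only validated
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

if ($disk.PartitionStyle -eq 'GPT') {
    Write-Output "Disk $DiskNumber is already GPT."
    try {
        # Returns $true/$false under UEFI; throws when booted in legacy BIOS mode.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        Write-Output "Secure Boot enabled: $secureBoot"
    } catch {
        Write-Output "Secure Boot state unavailable: not booted in UEFI mode."
    }
    return
}

if ($disk.PartitionStyle -ne 'MBR') {
    throw "Disk $DiskNumber has partition style '$($disk.PartitionStyle)'; MBR expected."
}

# /allowFullOS is required because this is not running inside Windows PE.
# /validate checks the layout only and does not write to the disk.
& mbr2gpt.exe /validate "/disk:$DiskNumber" /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "Validation failed (exit code $LASTEXITCODE); the disk was not modified."
}
Write-Output "Validation passed for disk $DiskNumber."

if ($Convert) {
    & mbr2gpt.exe /convert "/disk:$DiskNumber" /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        throw "Conversion failed (exit code $LASTEXITCODE)."
    }
    Write-Output "Converted. Switch the firmware to UEFI boot before the next start,"
    Write-Output "then run this script again to confirm the Secure Boot state."
}
```

Whether the firmware supports UEFI at all cannot be read from a machine that currently boots in legacy mode, so that check still has to be made in the firmware setup or the vendor documentation before converting.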
Security
Windows Defender Advanced Threat Protection
New features of Windows Defender Advanced Threat Protection (ATP) for Windows 10 version 1703. As a reminder, we recently shared a description of ATP functionality on Habr.
Attack detection
Major improvements in attack detection include:
- the ability to use the threat intelligence API to create custom alerts;
- improvements to the OS memory and kernel sensors to support detection of in-memory and kernel-level attacks;
- updated detection of ransomware and other advanced attacks;
- retrospective detection, which lets you apply new detection rules to stored data going back up to six months in order to find attacks that previously went unnoticed.
Investigation of attacks
Corporate customers can now take advantage of the full range of Windows security features, because Windows Defender Antivirus detections and Device Guard blocks are displayed in the Windows Defender ATP portal.
Other capabilities have been added to give a complete picture of an investigation. Other improvements to the investigation of attacks include:
- user account investigation: the ability to identify the user accounts with the highest number of alerts and to investigate cases of possible credential compromise;
- alert process tree: aggregates multiple detections and related events into a single view to reduce resolution time;
- retrieving alerts via the REST API: use the REST API to pull alerts from Windows Defender ATP.
Attack response
When an attack is detected, response teams can take immediate action to contain the breach:
- host response: respond quickly to detected attacks by isolating machines or collecting an investigation package;
- file response: respond quickly to detected attacks by stopping files, quarantining them, or blocking them.
Other features
Sensor health check: checks the endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service, and helps troubleshoot known problems.
Windows Defender Antivirus
Windows Defender has been renamed Windows Defender Antivirus. Its new features:
Protection against ransomware has also been expanded through updated behavior monitoring and real-time protection.
Group Policy Security Settings
The security setting Interactive logon: Display user information when the session is locked has been updated and now works in conjunction with the Privacy setting in Settings > Accounts > Sign-in options.
A new security policy setting has appeared: Interactive logon: Don't display username at sign-in. This setting determines whether the user name is displayed at sign-in, and works in conjunction with the Privacy setting in Settings > Accounts > Sign-in options. This setting only affects the Other user tile.
Windows Hello for Business
A forgotten PIN can now be reset without deleting corporate data or applications managed by Microsoft Intune. The administrator can initiate a remote PIN reset for devices that use a PIN through the Intune portal.
On desktop PCs, users can reset a forgotten PIN in Settings > Accounts > Sign-in options.
Update
Windows Update for Business
The pause feature has changed: it now requires a start date to be specified. If the corresponding policy is not configured, users can now pause updates in Windows Settings → Update & security → Windows Update → Advanced options. The period for which quality updates can be paused has also increased, to up to 35 days.
Updates on devices managed by Windows Update for Business can now be deferred for up to 365 days (previously, an update could only be deferred for 180 days). In Settings, users can choose their branch readiness level and the period for which updates are deferred.
Windows Insider for Business
Added the ability to download pre-release Windows 10 Insider Preview builds using Azure Active Directory (AAD) corporate credentials.
Update Delivery Optimization
Changes in the new version provide full support for express updates in System Center Configuration Manager, starting with version 1702 of that product, as well as in third-party update and management products that implement this functionality. This complements the existing express update support in Windows Update, Windows Update for Business and WSUS.
Note. These changes are available in Windows 10 version 1607 after installing the April 2017 update.
Delivery Optimization policies now let you set additional restrictions, which gives better control over various update scenarios.
New policies include:
- allowing uploads at a set battery level when the device is on battery power;
- allowing peer caching when the device is connected via VPN;
- the amount of memory (inclusive) allowed to use peer caching;
- the minimum disk size allowed to use peer caching;
- the minimum file size of content for peer caching.
Previously uninstalled applications are no longer automatically reinstalled
When upgrading to Windows 10 version 1703, the applications included with Windows that the user has previously uninstalled will not be automatically installed as part of the update process.
Management
New MDM features
The new version adds many new configuration service providers (CSPs) for managing Windows 10 through mobile device management (MDM) or provisioning packages. Among other things, these CSPs let you manage several hundred of the most useful Group Policy settings through MDM.
New CSPs:
- DynamicManagement CSP lets you manage devices differently depending on their location, network connection and time. For example, on managed devices you can turn off cameras while they are at the workplace, turn off cellular service when the device leaves the country to prevent high roaming costs, or turn off the wireless network when the device is not in an organization or campus building. Once configured, these settings are enforced even when the device cannot reach the management server at the moment the location or network changes. DynamicManagement CSP lets you configure the policies that change how a device is managed, in addition to setting the conditions under which the change occurs.
- CleanPC CSP lets you remove pre-installed and user-installed applications while keeping user data.
- BitLocker CSP is used to manage encryption on desktops and devices. For example, you can encrypt data on the memory cards of devices or on operating system drives.
- NetworkProxy CSP is used to configure a proxy server for Ethernet and Wi-Fi connections.
- Office CSP lets you install a Microsoft Office client on a device using the Office Deployment Tool.
- EnterpriseAppVManagement CSP is used to manage virtual applications on desktop computers running Windows 10 (Enterprise and Education editions) and lets you deliver virtualized App-V applications to computers even if they are managed by MDM.
The MDM Migration Analysis Tool (MMAT) is used to determine which Group Policy settings have been configured for a user or computer and to cross-reference those settings against its built-in list of supported MDM policies. The tool produces reports in XML and HTML formats that show the level of support for each Group Policy setting and its MDM equivalent.
Mobile App Management in Windows 10
The Windows version of mobile application management (MAM) is a lightweight solution for managing access to corporate data and security on personal devices. Starting with Windows 10 version 1703, MAM support is built into Windows on top of Windows Information Protection (WIP).
MDM diagnostics
Work has continued on improving the diagnostic tools needed for modern management. With automatic logging for mobile devices, Windows now records MDM errors in the log automatically, which removes the need to keep logging permanently enabled on devices with little memory. In addition, Microsoft Message Analyzer has been introduced as an additional tool that helps support staff identify the causes of problems quickly and so save time and money.
Mobile devices in Windows 10
Lockdown designer
The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10. It also includes a remote simulation feature that lets you work out the layout of tiles in the Start menu and on the Start screen. Using Lockdown Designer is easier than manually creating a lockdown XML file.

Other improvements
The following improvements also appeared:
- SD card encryption;
- Remote reset of PIN codes for Azure Active Directory accounts;
- SMS text message archiving;
- Wi-Fi Direct Management;
- Continuum display control;
- individual shutdown of the monitor or phone screen in the absence of activity;
- individual definition of screen timeout;
- Continuum docking solutions;
- defining properties of Ethernet ports;
- definition of proxy properties for Ethernet ports.
UPD: You can read about the updates in Windows 10 Creators Update on the company's blog.