Home

What’s new for IT pros in Windows 10, version 1803

Windows 10, version 1803 (also known as the Windows 10 April 2018 Update) is now available for download from Visual Studio Subscriptions (formerly MSDN Subscriptions) and the Software Download Center (via Update Assistant or the Media Creation Tool). It is also available through Windows Server Update Services (WSUS) and Windows Update for Business—and will begin rolling out globally through Windows Update on May 8th.

What's new for IT?

Windows 10, version 1803 is the fifth feature update for Windows 10, offering IT pros built-in intelligent security and advanced capabilities that help simplify device management and drive IT cost savings. Here's a quick rundown of what's new and what's changed since the last update:

Security

  • Windows Hello for Business – Supports FIDO 2.0 authentication for Azure AD-joined devices and offers strong portable credentials for shared devices using FIDO 2.0 security keys. Enhanced security by enabling users to set up Windows Hello from the lock screen and enabling PIN on reboot. Easier setup for Dynamic Lock, and actionable alerts in Windows Defender Security Center when Dynamic Lock stops working (for instance, if Bluetooth is turned off). Support for S/MIME for third-party lifecycle management solutions.
  • Windows Defender System Guard – Detects unauthorized code injection and exploits, elevation of privilege, and tampering with system firmware.
  • Windows Information Protection – Supports Files on Demand and allows file encryption while a file is open in another app.
  • Windows 10 in S Mode – Allows customers to disable passwords completely and go password-less with Windows Hello asymmetric credentials.

Deployment and management

  • Windows Analytics – Provides greater visibility into Delivery Optimization for updates, including how many devices are enabled and the bandwidth savings you've achieved. Offers new Device Health scenarios for logon health and app reliability. Provides insight into device protection against Meltdown and Spectre[i].
  • Windows as a service – Language packs, features on demand, and other components are automatically managed via the Unified Update Platform (UUP). Using express update delivery for feature updates and quality updates reduces the download size.
  • Windows Autopilot – New enrollment status page enables you to ensure your configurations are complete prior to users having access to the desktop. Windows Autopilot is now supported by Surface, Lenovo, and Dell with support from other OEM partners (such as HP, Toshiba, Panasonic, and Fujitsu) coming soon.
  • Subscription activation – Windows 10 virtual machines can be configured to inherit activation from their Windows 10 host.
  • Deployment Image Servicing and Management (DISM) – New DISM command-line options have been added to help you manage feature updates, including the length of the OS uninstall period.
  • Windows Update for Business – Provides greater control over updates, with the ability to pause and uninstall problematic updates using Microsoft Intune.
  • Shared devices (kiosk mode) – Simplified deployment and management of locked-down, single and multi-app devices so that users can focus on the task at hand, with only the apps you need. New Kiosk Browser app offers a tailored browsing experience for interactive web apps or digital signage.
  • Windows 10 in S Mode – Windows 10 S has been replaced with Windows 10 in S Mode. Anyone can now purchase a new Windows 10 Home or Windows 10 Pro PC with S Mode enabled and you can deploy Windows 10 Enterprise in S Mode by assigning a Windows 10 Enterprise license to the device.
  • Co-management – New policies in Microsoft Intune and System Center Configuration Manager to enable hybrid Azure AD-joined authentication. New MDMWinsOverGP policy enable an easier transition to modern, cloud-based management.
  • Mobile device management – Over 150 new policies and settings.
  • Windows SetupRun your own custom actions or scripts in parallel with Windows Setup. Windows Setup will migrate your scripts to the next feature update so you only need to add them once. New command-line options enable you to run a script if a user rolls back to a previous version of Windows and control BitLocker during the upgrade process.
  • Microsoft Store for Business – Admins can now create custom collections of apps (app groups/categories) in the private store. The time needed to make changes to the private store to occur is dramatically shortened. Desktop Bridge apps no longer require Microsoft approval when submitted as a line of business (LOB) app.
  • Privacy, trust, and control – Data delete allows a user to trigger the deletion of their Windows diagnostic data from any Windows device. Use the diagnostic viewer to see your own diagnostic data in real-time.

Productivity

  • Timeline – Easily jump back in time up to 30 days to continue where you left off.
  • Enterprise search in Windows – Quickly search documents shared by people, or in e-mails, and preview attachments.
  • Microsoft EdgeMicrosoft Edge for iOS and Android creates one continuous browsing experience for Windows 10 users across their devices.
  • Files On-Demand – Users can be productive after first logon by using Files On-Demand. See the status of a document by looking at the new status icons in Windows Explorer.
  • Windows Ink – Improved gestures, shape recognition, and integration with Microsoft Teams.
  • 3D in Windows 10 – Add dimension to Office with fully-rotatable 360-degree models, morphing transitions, and animations.

What action should I take today?

As announced by John Cable this morning, today marks the start of the 18-month servicing timeline for this Semi-Annual Channel release. We recommend that you test the newest features and functionality now—with a targeted deployment—in preparation for broad deployment to the devices in your organization in the weeks to come.

If you have not yet deployed Windows 10 and are looking to test this latest release for your organization, you can download the Windows 10 Enterprise Evaluation from the Microsoft Evaluation Center.

To help you better plan for and deploy this release, we have also updated the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and published a draft of the Security baseline for Windows 10, version 1803.

When will Windows 10, version 1803 be available on the Volume Licensing Service Center?

Volume License customers will be able to download Windows 10, version 1803 from the Volume Licensing Service Center on May 7, 2018.

Where can I learn more about what's new in this update?

Register today for a one-hour “What's new in Windows 10, version 1803 for IT pros” webcast hosted by Pieter Wigleven and Nathan Mercer, Senior Product Marketing Managers with the Windows Commercial team.

Windows 10, version 1803 webcast details

On Tuesday, May 22nd, from 10:00-11:00 a.m. Pacific Time (PT), Pieter and Nathan will walk you through the latest features for configuring, deploying, and managing Windows 10 devices, as well as the security capabilities that can help you protect your data and devices end-to-end. There's a lot to cover in just one hour so, instead of our usual live Q&A at the end, we'll be hosting a 24-hour Windows 10 IT Pro Ask Microsoft Anything (AMA) event on Tech Community that will start immediately following the conclusion of the live webcast and end at 11:00 a.m. PT the following day, May 23rd.

Since the 24-hour Windows 10 IT Pro AMA is a departure from our typical one-hour AMA format, here's an explanation of how it will work:

  • The Windows 10 AMA space on Tech Community will open for a 24-hour window beginning at 11:00 a.m. PT on May 22nd.
  • You can post your questions anytime during the 24-hour window. To submit a question, simply click Start a new conversation—and do this for each new question.
  • Engineering and members of the product teams will be answering your questions live from 11:00 a.m. to 12:00 p.m. PT on May 22nd, and from 10:00 a.m. to 11:00 a.m. PT on May 23rd. (They may also answer questions during other hours.)
  • At the end of the AMA, the Windows 10 AMA space will close and become a read-only resource. We will post a final recap within 72 hours.

To participate in the AMA, you must be a member of the Microsoft Tech Community. If you're not already a member, it only takes a minute to sign up:

  1. Visit https://techcommunity.microsoft.com.
  2. Click Sign In in the top right corner and sign up using your Microsoft account.
  3. Join the Windows 10 community, and any others you like. (Click See all for the full list.)
  4. Accept the terms and click Register.

You can also watch a quick recap of what's new in this video:

 

What is the Windows 10 Enterprise Evaluation?

The Windows 10 Enterprise Evaluation is a free, 90-day evaluation of Windows 10 Enterprise designed for IT professionals interested in testing Windows 10 Enterprise on behalf of their organization. We do not recommend that you install this evaluation if you are not an IT professional or are not professionally managing corporate networks or devices.

If you haven't yet migrated to Windows 10, you can also take advantage of Upgrade Readiness, a free Windows Analytics service that helps you streamline and accelerate the Windows upgrade process by identifying compatibility issues that can block an upgrade and proactively suggesting fixes. You can use Upgrade Readiness standalone or integrate it with System Center Configuration Manager.

Additional resources

For more information on configuring and deploying updates, please see the following resources:

For more information on the latest features for end users, see What's new in the Windows 10 April 2018 Update.

To see a summary of the latest documentation updates, see What's new in Windows 10, version 1803 IT pro content on Docs.

For information on what's new for developers, see What's New in Windows 10 for developers, build 17134. For a full list of new namespaces added to the Windows SDK, see New APIs in Windows 10, build 17134. And, for a list of features and functionality that have been removed from Windows 10, or might be removed in future releases, see Features removed or planned for replacement starting with Windows 10, version 1803.

  


Continue the conversation. Find best practices. Bookmark the Windows 10 Tech Community.

Looking for support? Visit the Windows 10 IT pro forums.


[i] On Windows 7 Service Pack 1, Windows 8.1, and Windows 10

17 Comments
Frequent Visitor

I am incredibly confused why 1803 was designated "Semi-Annual Channel" prior to being "Semi-Annual Channel (Targeted)": https://www.microsoft.com/en-us/itpro/windows-10/release-information In your own post you say:

 

"We recommend that you test the newest features and functionality now—with a targeted deployment"

 

If you want us testing in a targeted deployment, shouldn't 1803 have been designated "Semi-Annual Channel (Targeted)" instead? Correct me if I'm wrong, but isn't this how the servicing channels are supposed to work?:

 

SAC Targeted (formerly current branch): Ready for targeted deployment, consumer ready

SAC (formerly current branch for business): Ready for broad deployment and "business ready"

 

Can you clarify? I was under the impression that Semi-Annual channel gave us ~4 months to test new Feature Updates, but your post implies that we only have "weeks" to get ready for it. "...in preparation for broad deployment to the devices in your organization in the weeks to come..."

Microsoft

@Christopher Gallen- There is only one Semi-Annual Channel version, which is released each 6-months. This one is this April 2018 Feature Update or 1803, and is the fifth of the Feature Updates.

SAC (targeted) is how we say the customer should deploy the update to their validation devices. They will have several rings typically. The first is the preview rings (for devices enrolled in the Windows Insider Program) and this gives 6-months or so to prepare (test and validate) for the SAC release 1803. Then the next ring is to validate the features work as planned, and there are no issues in production. Then once this has been validated they deploy to the next ring (wider ring, production ring, etc) and they may have several rings if they want to scale across large companies, or different business units etc. Hope that helps. 

https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/ 

Frequent Visitor

@Stephen Dillon In the blog you linked it states: "The Semi-Annual Channel replaces the Current Branch [CB] and Current Branch for Business [CBB] concepts." This implies that both CB and CBB are replaced with a single channel.

 

However, in your own documentation for setting up deployment rings (https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates and https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb) you state that CB and CBB are replaced with SAC-T and SAC respectively, i.e. they are still two separate deployment rings. If we have deployment rings set up per your documentation, with our TARGETED devices configured to SAC-Targeted (via GPO or otherwise) they will actually receive 1803 *AFTER* the SAC configured devices due to you designating 1803 as SAC BEFORE SAC-Targeted. This is the opposite result of what we expect, and the opposite of how you have release Feature Updates in the past.

 

For example: 1709 was designated SAC-Targeted BEFORE it was designated SAC. It was ready for TARGETED deployment (SAC-T on 10/17/2017) BEFORE it was ready for broad deployment (SAC on 12/12/2017).

 

Another example: 1703 was designated CB on 4/11/2017, then designated CBB on 7/11/2017

 

With 1803 you are doing the complete opposite. Do you see how this might cause confusion?

 

So, do we configure our TARGETED devices as SAC-Targeted, or as SAC with custom deferral lengths for each deployment ring? For the enterprise, what does configuring devices as Semi-Annual (Targeted) actually accomplish now? Either way your documentation needs to be updated and clarified to match what your current intention is.

Frequent Visitor
Your own documentation for setting up servicing rings has the "Semi-Annual Channel (Targeted)" as an available Servicing Channel: https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates ...we've followed this guide and have started setting up our internal "rings" but with 1803, you've promoted it straight to the Semi-Annual Channel immediately and didn't first send it to the SACT servicing channel. The previous four versions (1511, 1607, 1703, and 1709) all went through CBB or SACT, so I feel that this approach was not well communicated by Microsoft. If I configured one of my rings to use SAC+30 days, those settings with 1803 will mean those endpoints will receive 1803 several months sooner than my 1709 rollout where I expected SACT+10 to hit my pilot endpoints sooner to prepare our organization for broad rollout. It feels like we followed Microsoft's guidance only to have it get changed up with 1803.
Microsoft

Firstly, let's acknowledge that yes, the documentation is sometimes out of sync and there are documents which use older terminology still. I'd like to try and respond while avoiding the use of terms SAC-T and SAC, CB and CBB and respond to what I feel is the underlying question regarding the intent of this release:

  • Microsoft has released the April 2018 Feature update (aka 1803) for customers to use. The next Feature Update will be September 2018 or thereabouts (1809 or RS5) although we will still have Quality Updates released between now and then. 
  • Plan and Prepare or Evaluate phase: If you were registered in the Windows Insider Program, you will have had a while to do compatibility testing and to learn the new features and planned how to deploy these to meet your needs, in which case you can skip to the validation phase below. But if you haven't been leveraging the Windows insider Program, this may be the first time you've had to deploy these features. In which case we suggest you begin with an initial test and planning phase now, although Microsoft does not believe there will be many compatibility issues per se. This phase will take as long as you feel is required, typically weeks. Of course, the longer it takes to deploy the latest productivity, deployment, security features, and also the less time you have for use in the servicing window (which is 18 months after the update was released).
  • Target Pilot or Validation Phase: Once planning and preparation is complete, Microsoft suggests you deploy the Feature Update to a limited selection of devices so you can validate the new features work as planned, and ensure there are no issues when deployed to your environment. You may call this deployment ring, group, or collection what you will. Some people will refer to it as SAC-T or SAC(T) or SAC (Targeted) - either way, this is it's a targeted set of devices for the 1803 release. Some people refer to it as ring 1 or 2.
  • Broad deployment(s): The next deployment phase (after validation) is to reach a wider set of devices. This may be deployed to devices across the organisation, or via a self-nomination/subscription method. There may be multiple deployments to reach all of the organisation, depending on organisation deployment tools and techniques, network constraints, organisational structure, etc.

In short, I wouldn't let the terminology get in the way of the process of starting small and deploying wider. In this regard, we haven't changed anything. Typically, Microsoft envisage three (or even four) different releases of Windows being in use in the same organisation. Today, in an organisation set up to stay current with Windows as a Service, most will be on the previous release (1709 or RS3) while the new release is being deployed (1803 or RS4) and a few select devices will be enrolled on the Windows Insider Program (Slow, Fast and/or pre-release) to start planning and preparing for the next release (1809 or RS5 updates are available in the Windows Insider Program now)

Occasional Contributor

Hi Stephen, thanks for the detail explanation. We are still thoroughly confused unfortunately.

 

https://www.microsoft.com/en-us/itpro/windows-10/release-information shows:

 

Semi-Annual Channel (Targeted) as 1709 but Semi-Annual Channel as 1803 i.e. deploy latest public feature release to all users before Targeted users?!

 

OMS is now reporting the 391 machines we have on 1709 under 'Semi-Annual' as Not up-to date which confirms the above. Last week they were Up-to-date. Obtusely the 27 machines we have on 1709 under 'Semi-Annual (Targeted)' are reporting as up to date !

 

We fully understand the need to push updates in to the business via limited and then wider roll out and have adopted the MS channels pushed via WUfB and GP to do this as recommended.

 

Please clarify. This feels like a mistake and clearly we are not the only ones to feel this.

Frequent Visitor

Stephen,

 

We fully understand the concept of phased deployment. That is exactly what we are trying to accomplish using your own documentation and the configuration options built into Windows 10, GPOs/ADMX, etc.

 

You can't tell us to not let the terminology get in the way when that terminology is literally the basis of how we configure phased deployments based on your own documentation, GPOs, and settings in Windows 10.

 

In fact, 1803 still has the configurable option of Semi-Annual Channel and Semi-Annual Channel (Targeted). If these terms are out of date or no longer relevant, why are they still present in the latest release of Windows 10?

 

Windows 10 is configured as SAC(T) by default. Individuals or enterprises change their update channels to SAC in order to defer or avoid unexpected Feature Updates on those systems before testing it (i.e. phased deployment). By releasing 1803 directly to SAC, those computers will actually receive 1803 BEFORE everyone else, BEFORE having the opportunity to test.

 

EDIT: After testing on a Win10 1709 VM without GPOs applied, it seems that SAC(T) and SAC configurations work as originally intended per your documentation (as of today 5/3/2018). When set to SAC, it only downloads the latest 1709 quality update. When set to SAC(T) it downloads the 1803 feature update.

 

Your release information document should be updated to more accurately reflect this: https://www.microsoft.com/en-us/itpro/windows-10/release-information

 

I think there may be confusion as to what declaring a new Feature Update as "Semi-Annual Channel" actually means to Microsoft versus everyone else. Are you only referring to the beginning of the 18-24 month support period? Or are you referring to the distribution via that update channel? Or both? Right now they don't seem to line up.

Microsoft

Thanks for clarifying your concerns (and findings), @Christopher Gallen, and @Ian Clarke- that makes it clearer- Regarding changes in terminology or documentation, I would refer to this: Windows 10 release schedule

Meanwhile, just to emphasize that I wasn't suggesting Microsoft has dropped the terminology for SAC, it hasn't changed since Windows 10 release schedule. SAC (targeted) is now in use (rather than SAC-T) to identify the validation ring prior to broad deployment. I just wanted to make sure the process is understood first, and it seems it is, which is great to hear! Hope that helps for now, and I'm pleased to see that in your testing (in both cases) on 1709, SAC(T/Targeted) and SAC. So the process appears to be working even if there has been confusion in the terminology.  

 

Thanks again for the feedback and for clarifying the concerns. 

Occasional Visitor

If you saw this comment originally, nevermind.  1803 isn't listed in the description on VLSC, but if you continue to download, it's listed as one of the available options.

 

So,

 

Nevermind.

 

:-)

Occasional Contributor

I hate to labour this but I'm still totally confused. The Windows 10 release schedule is still reporting SAC (Targeted) as being an older feature release version (1709) than SAC (1803). Is there any possibility this is a mistake and if not what is the logic. How can we evaluate something with a subset of users that has already been broadly released.

 

Regards

Ian.

Frequent Visitor

@Ian Clarke

 

That's what I'm hoping Microsoft will clear up.  They promoted 1803 directly to SAC leaving 1709 in SACT.  If they would have followed the pattern of the previous versions (1511, 1607, 1703, and 1709), 1803 should have landed in the SACT channel, dethroning 1709 and leaving it in SAC with 1703.

 

My existing "rings" for a targeted Pilot and broad deployment look similar to this today:

  • Ring 1 = SACT+0
  • Ring 2 = SACT+30
  • Ring 3 = SACT+60
  • Ring 4 = SACT+90
  • Ring 5 = SAC+0
  • Ring 6 = SAC+30
  • Ring 7 = SAC+60
  • Ring 8 = SAC+120

Now with 1803, my "Ring 6" gets this Feature Update in late-May/early-June 2018 (30 days after initial release), whereas with 1709, it was approximately 90 days after initial release (~January 12, 2018).

Occasional Contributor

So as of this AM OMS has now updated to show devices on Semi Annual (1709) as up to date. Previously they were out of date as it was expecting 1803. So clearly the cogs within MS are churning. The release schedule page is still wrong though (and now disagrees with OMS report!). Ian.

 

oms.png

 

Visitor
Just to clarify the naming for SAC (targeted), its clearer now that this is more about piloting and not an edition type of Windows 10. With Windows Update for Business via Intune, there are multiple deployment rings available, one being the targeted ring. Do these servicing channels only refelect the deferral days? https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates
Occasional Contributor

So looks like as of last night MS have updated the release information page to reflect what we (thought) we knew already.

 

It's slightly frustrating that MS could not simply have said 'yes that looks wrong we will get it updated / clarified' rather than leave a lot of admins wondering if they have got something very wrong.

 

I have to say MS seem to still be pushing 1803 is deployed to everyone ASAP rather than following the Targeted > Semi Annual Channel methodology. It's hard when admins have put a load of process / GPs etc. in place to 'test' feature release with subset of users to then suddenly change that to roll it out to everyone whenever. This qualifier statement is a little confusing, are MS having second thoughts on the need for a 'targeted' group:

 

"(1) Windows 10, version 1803 designation has been updated to reflect the servicing option available in the operating system and to reflect existing deferral policies. We recommend organizations broadly deploy the latest version of Windows 10 when they are ready, and not wait until the “Targeted” designation has been removed."

Visitor

So what determines when the “targeted” designation is removed? It seems like Microsoft engineers and bloggers are also unsure about the terminology. It would be better if the targeted reference is removed all together. 

According to this post semi-annual channel targeted is only valid for office 365 and not windows 10

 

https://docs.microsoft.com/en-us/deployoffice/change-management-for-office-365-clients

We’re working with our engineering team to bring some more clarity around this. In the meantime, please check out John Wilcox’s blog post on Moving from project to process: digital transformation with Windows as a service to get a better idea of how to structure your deployment phases.

Occasional Contributor

Thanks @Caitlin Fitzgerald I will have a read of the blog post. We have however been left even more confused this AM as OMS (which was correct even before the release schedule page was updated) is now showing no machines on 1803 and suggesting we have 44 on Insider! 44 sounds about right for the number actually on 1803 and we have not even configured Insider within our org so would be very concerned were that the case.

 

Ian.

 

oms2.png