What's new in Windows 10, version 1903 for IT Pros

Applies to

  • Windows 10, version 1903

This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.

Note

New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see Reserved storage.

Deployment

Windows Autopilot

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:

  • Windows Autopilot for white glove deployment is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
  • The Intune enrollment status page (ESP) now tracks Intune Management Extensions​.
  • Cortana voiceover and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
  • Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
  • Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.

SetupDiag

SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.

Reserved storage

Reserved storage: Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.

Servicing

  • Delivery Optimization: Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with new policies. These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
  • Automatic Restart Sign-on (ARSO): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
  • Windows Update for Business: There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
  • Update rollback improvements: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
  • Pause updates: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
  • Improved update notifications: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
  • Intelligent active hours: To further enhance active hours, users will now be able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
  • Improved update orchestration to improve system responsiveness: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.

Security

Windows Information Protection

With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with Auto Labeling.

Security configuration framework

With this release of Windows 10, Microsoft is introducing a new taxonomy for security configurations, called the SECCON framework, comprised of 5 device security configurations.

Security baseline for Windows 10 and Windows Server

The draft release of the security configuration baseline settings for Windows 10, version 1903 and for Windows Server version 1903 is available.

Intune security baselines

Intune Security Baselines (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.

Microsoft Defender for Endpoint

  • Attack surface area reduction – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
  • Next generation protection – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
    • Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
    • Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
  • Platform support – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.

Microsoft Defender for Endpoint next-gen protection technologies:

  • Advanced machine learning: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
  • Emergency outbreak protection: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected.
  • Certified ISO 27001 compliance: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
  • Geolocation support: Support geolocation and sovereignty of sample data and configurable retention policies.

Threat Protection

  • Windows Sandbox: Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.

  • Microphone privacy settings: A microphone icon appears in the notification area letting you see which apps are using your microphone.

  • Windows Defender Application Guard enhancements:

    • Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.

    • WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.

      To try this extension:

      1. Configure WDAG policies on your device.
      2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
      3. Follow any of the other configuration steps on the extension setup page.
      4. Reboot the device.
      5. Navigate to an untrusted site in Chrome and Firefox.
    • WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.

  • Windows Defender Application Control (WDAC): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.

    • Multiple Policies: Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
    • Path-Based Rules: The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
      This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
    • Allow COM Object Registration: Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.

System Guard

System Guard has added a new feature in this version of Windows called SMM Firmware Measurement. This feature is built on top of System Guard Secure Launch to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they'll be coming out in the next few months.

This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:

System Guard.

Identity Protection

  • Windows Hello FIDO2 certification: Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
  • Streamlined Windows Hello PIN reset experience: Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
  • Sign-in with Password-less Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
  • Remote Desktop with Biometrics: Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.

Security management

Microsoft Edge

Several new features are coming in the next version of Edge. For more information, see the news from Build 2019.

See Also

What's New in Windows Server, version 1903: New and updated features in Windows Server.
Windows 10 Features: Review general information about Windows 10 features.
What's New in Windows 10: See what’s new in other versions of Windows 10.
What's new in Windows 10: See what’s new in Windows 10 hardware.
What's new in Windows 10 for developers: New and updated features in Windows 10 that are of interest to developers.