What's new in Windows 10, version 1903 for IT Pros

Applies to

  • Windows 10, version 1903

This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.

Note

New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see Reserved storage.

Deployment

Windows Autopilot

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:

  • Windows Autopilot for white glove deployment is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
  • The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
  • Cortana voiceover and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
  • Windows Autopilot is self-updating during OOBE. Starting with Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE.
  • Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.

SetupDiag

SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.

Reserved storage

Reserved storage: Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.

Servicing

  • Delivery Optimization: Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with new policies. This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
  • Automatic Restart Sign-on (ARSO): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
  • Windows Update for Business: There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
  • Update rollback improvements: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of quality or driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
  • Pause updates: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
  • Improved update notifications: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
  • Intelligent active hours: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
  • Improved update orchestration to improve system responsiveness: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.

Security

Windows Information Protection

With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with Auto Labeling.

Security configuration framework

With this release of Windows 10, Microsoft is introducing a new taxonomy for security configurations, called the SECCON framework, comprised of 5 device security configurations.

Security baseline for Windows 10 and Windows Server

The draft release of the security configuration baseline settings for Windows 10, version 1903 and for Windows Server version 1903 is available.

Intune security baselines

Intune Security Baselines (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.

Microsoft Defender for Endpoint

  • Attack surface area reduction – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URLs and IP addresses.
  • Next generation protection – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
    • Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
    • Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
  • Platform support – In addition to Windows 10, Microsoft Defender for Endpoint's functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.

Microsoft Defender for Endpoint next-gen protection technologies:

  • Advanced machine learning: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
  • Emergency outbreak protection: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
  • Certified ISO 27001 compliance: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
  • Geolocation support: Support geolocation and sovereignty of sample data as well as configurable retention policies.

Threat Protection

  • Windows Sandbox: Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.

  • Microphone privacy settings: A microphone icon appears in the notification area letting you see which apps are using your microphone.

  • Windows Defender Application Guard enhancements:

    • Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.

    • WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG's browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.

      To try this extension:

      1. Configure WDAG policies on your device.
      2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
      3. Follow any additional configuration steps on the extension setup page.
      4. Reboot the device.
      5. Navigate to an untrusted site in Chrome and Firefox.
    • WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.

  • Windows Defender Application Control (WDAC): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.

    • Multiple Policies: WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new 'supplemental' policy.
    • Path-Based Rules: The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
      This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime, which is a capability that is not available with AppLocker.
    • Allow COM Object Registration: Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
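
An added example (not part of the original article and not Microsoft's code): a PowerShell audit that approximates the user-writeability check described under Path-Based Rules, for reviewing a directory before a file path rule is written for it. The set of admin SIDs and the `C:\ExampleApp` path are assumptions for illustration; this page does not give WDAC's own list of known admins.

```powershell
# Added example. Approximates the runtime user-writeability check for path rules.
# Assumption: these SIDs stand in for "known admins"; WDAC's own list may differ.
$AdminSids = @(
    'S-1-5-18',      # Local System
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing a file, its ACL or its owner, plus the generic
# write (0x40000000) and generic all (0x10000000) bits that can appear in raw ACEs.
$named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$named -bor 0x40000000 -bor 0x10000000

function Get-UserWritableItem {
    param([Parameter(Mandatory)][string]$Path)

    # Check the directory itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs grant nothing on this object; they show up on children.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            $sid = $ace.IdentityReference.Value
            if ($AdminSids -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $sid
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# 'C:\ExampleApp' is a hypothetical install directory.
$findings = Get-UserWritableItem -Path 'C:\ExampleApp'
if ($findings) {
    $findings | Format-Table -AutoSize   # fix these ACLs, or use a signer or hash rule
} else {
    New-CIPolicyRule -FilePathRule 'C:\ExampleApp\*'   # path rule for the clean directory
}
```

Any row returned is a file or folder that a non-admin principal can modify, which is the condition under which the article says a path rule alone will not authorize execution.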

System Guard

System Guard has added a new feature in this version of Windows called SMM Firmware Measurement. This feature is built on top of System Guard Secure Launch to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.

This new feature is displayed under the Device Security page with the string "Your device exceeds the requirements for enhanced hardware security" if configured properly:

System Guard.

Identity Protection

  • Windows Hello FIDO2 certification: Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
  • Streamlined Windows Hello PIN reset experience: Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
  • Sign-in with Password-less Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
  • Remote Desktop with Biometrics: Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.

Security management

  • Windows Defender Firewall now supports Windows Subsystem for Linux (WSL): Lets you add rules for WSL process, just like for Windows processes.
  • Windows Security app improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
  • Tamper Protection lets you prevent others from tampering with important security features.

Microsoft Edge

Several new features are coming in the next version of Edge. See the news from Build 2019 for more information.

See Also

What's New in Windows Server, version 1903: New and updated features in Windows Server.
Windows 10 Features: Review general information about Windows 10 features.
What's New in Windows 10: See what's new in other versions of Windows 10.
What's new in Windows 10: See what's new in Windows 10 hardware.
What's new in Windows 10 for developers: New and updated features in Windows 10 that are of interest to developers.