Windows 10, version 1903
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see Reserved storage.
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
Windows Autopilot for white glove deployment is new in this version of Windows. “White glove” deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
Cortana voiceover and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
Windows Autopilot is self-updating during OOBE. Starting with Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE.
Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.
Windows 10 Subscription Activation
Windows 10 Education support has been added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see Windows 10 Subscription Activation.
SetupDiag version 1.4.1 is available.
SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
Reserved storage: Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.
Delivery Optimization: Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with new policies. This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
Automatic Restart Sign-on (ARSO): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
Windows Update for Business: There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
Update rollback improvements: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of quality or driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
Pause updates: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
Improved update notifications: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
Intelligent active hours: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
Improved update orchestration to improve system responsiveness: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
Windows Information Protection
With this release, Windows Defender ATP extends discovery and protection of sensitive information with Auto Labeling.
Security configuration framework
With this release of Windows 10, Microsoft is introducing a new taxonomy for security configurations, called the SECCON framework, comprised of 5 device security configurations.
Security baseline for Windows 10 and Windows Server
The draft release of the security configuration baseline settings for Windows 10, version 1903 and for Windows Server version 1903 is available.
Intune security baselines
Intune Security Baselines (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.
Microsoft Defender Advanced Threat Protection (ATP):
Attack surface area reduction – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URLs and IP addresses.
Next generation protection – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers.
Platform support – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
Microsoft Defender ATP next-gen protection technologies:
Advanced machine learning: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
Emergency outbreak protection: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
Certified ISO 27001 compliance: Ensures that the cloud service has been analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
Geolocation support: Supports geolocation and sovereignty of sample data as well as configurable retention policies.
Windows Sandbox: Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
Microphone privacy settings: A microphone icon appears in the notification area letting you see which apps are using your microphone.
Windows Defender Application Guard enhancements:
Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
To try this extension:
Configure WDAG policies on your device.
Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
Follow any additional configuration steps on the extension setup page.
Reboot the device.
Navigate to an untrusted site in Chrome and Firefox.
WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they tried to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
Windows Defender Application Control (WDAC): In Windows 10, version 1903, WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.
Multiple Policies: WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
Path-Based Rules: The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functional parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime, which is a capability that is not available with AppLocker.
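An added example, not Microsoft's code and not part of the original article: a PowerShell audit that approximates the user-writeability check described above, for reviewing a folder before a WDAC file path rule is written for it. The function name `Get-UserWriteableItem`, the `$TrustedSids` list (Local System, Administrators, TrustedInstaller) and the sample target folder are assumptions; WDAC's own list of known admins may differ.

```powershell
# Added example: list items under a folder that a non-admin principal can modify,
# as a pre-check before authorizing that folder with a WDAC file path rule.
function Get-UserWriteableItem {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ASSUMPTION: illustrative "known admin" SIDs, not WDAC's own list.
        [string[]] $TrustedSids = @(
            'S-1-5-18',      # Local System
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
        )
    )
    # Rights that allow changing content, deleting/replacing the file, or rewriting its ACL/owner.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Raw GENERIC_WRITE and GENERIC_ALL bits, which some ACEs carry unmapped.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Check the folder itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # ACL not readable with current rights
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to this item.
            if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

# Sample target (assumption): any rows returned are items a path rule for this
# folder would cover even though a principal outside $TrustedSids can change them.
Get-UserWriteableItem -Path "$env:ProgramFiles\Windows Defender" | Format-Table -AutoSize
```

An empty result means every write-capable ACE under the folder belongs to a SID in `$TrustedSids`; run it elevated so that ACLs on protected subfolders can be read.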
Allow COM Object Registration: Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
System Guard has added a new feature in this version of Windows called SMM Firmware Measurement. This feature is built on top of System Guard Secure Launch to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner – specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly.