What’s new in Windows 10, version 1909 for IT Pros

Applies to

• WindowsВ 10, version 1909

This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903.

Servicing

Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements.

To deliver these updates in an optimal fashion, we are providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you are running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.

If you are updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see Evolving Windows 10 servicing and quality: the next steps.

Note: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, please see the Windows lifecycle fact sheet.

Windows Server Update Services (WSUS)

Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Manager version 1906 or later is required. For more information, see Publishing pre-release Windows 10 feature updates to WSUS.

The Windows 10, version 1909 enablement package will be available on WSUS as KB4517245, which can be deployed on existing deployments of Windows 10, version 1903.

Windows Update for Business (WUfB)

If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.

Security

Windows Defender Credential Guard

Windows Defender Credential Guard is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.

Microsoft BitLocker

BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.

Key-rolling and Key-rotation

Windows 10, version 1909 also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.

Transport Layer Security (TLS)

An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the Edge://flags dialog. Also see Microsoft Edge platform status.

Virtualization

Windows Sandbox

Windows Sandbox is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.

Windows Virtual Desktop

Windows Virtual Desktop (WVD) is now generally available globally!

Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.

Deployment

Microsoft Endpoint Manager

Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now Microsoft Endpoint Manager. See the Nov. 4 2019 announcement. Also see Modern management and security principles driving our Microsoft Endpoint Manager vision.

Windows 10 Pro and Enterprise in S mode

You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices.

SetupDiag

SetupDiag version 1.6.0.42 is available.

SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. .

Windows Assessment and Deployment Toolkit (ADK)

A new Windows ADK will not be released for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.

Desktop Analytics

Desktop Analytics is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.

Microsoft Connected Cache

Together with Delivery Optimization, Microsoft Connected Cache installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a “configure once and forget it” solution that transparently caches content that your devices on your network need.

Accessibility

This release adds the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked).

Processor requirements and enhancements

Requirements

Windows Processor Requirements have been updated for this version of Windows.

Favored CPU Core Optimization

This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.

When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a «boost» in performance. These cores are called «favored cores» as they can offer better performance than the other cores on the die.

With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology «delivers more than 15% better single-threaded performance».

Debugging

Additional debugging capabilities for newer Intel processors have been added in this release. This is only relevant for hardware manufacturers.

Efficiency

General battery life and power efficiency improvements for PCs with certain processors have been added in this release.

What’s new in Windows 10, version 2004 for IT Pros

Applies to

• WindowsВ 10, version 2004

This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.

To download and install Windows 10, version 2004, use Windows Update (Settings > Update & Security > Windows Update). For more information, see this video.

The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003.

Security

Windows Hello

Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.

You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to Settings > Accounts > Sign-in options, and selecting On under Make your device passwordless. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.

Windows Hello PIN sign-in support is added to Safe mode.

Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of passwordless authentication. For more information, see Expanding Azure Active Directory support for FIDO2 preview to hybrid environments.

Windows Defender System Guard

In this release, Windows Defender System Guard enables an even higher level of System Management Mode (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.

With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.

Windows Defender Application Guard

Windows Defender Application Guard has been available for Chromium-based Edge since early 2020.

Deployment

Windows Setup

Improvements in Windows Setup with this release also include:

• Reduced offline time during feature updates
• Improved controls for reserved storage
• Improved controls and diagnostics
• New recovery options

For more information, see Windows Setup enhancements in the Windows IT Pro Blog.

SetupDiag

In Windows 10, version 2004, SetupDiag is now automatically installed.

SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.

During the upgrade process, Windows Setup will extract all its sources files to the %SystemDrive%$Windows.

bt\Sources directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.

Windows Autopilot

With this release, you can configure Windows Autopilot user-driven Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.

If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.

Microsoft Endpoint Manager

An in-place upgrade wizard is available in Configuration Manager. For more information, see Simplifying Windows 10 deployment with Configuration Manager.

Windows Assessment and Deployment Toolkit (ADK)

Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: Download and install the Windows ADK.

Microsoft Deployment Toolkit (MDT)

MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. There is an update available for MDT to address this issue.

For the latest information about MDT, see the MDT release notes.

Servicing

Delivery Optimization

Windows PowerShell cmdlets have been improved:

• Get-DeliveryOptimizationStatus has added the -PeerInfo option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
• Get-DeliveryOptimizationLogAnalysis is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the -ListConnections option to for in-depth look at peer-to-peer connections.
• Enable-DeliveryOptimizationVerboseLogs is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.

• Enterprise network throttling is enhanced to optimize foreground vs. background throttling.
• Automatic cloud-based congestion detection is available for PCs with cloud service support.

The following Delivery Optimization policies are removed in this release:

• Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
  • Reason: Replaced with separate policies for foreground and background.
• Max Upload Bandwidth (DOMaxUploadBandwidth)
  • Reason: Impacts uploads to internet peers only, which isn’t used in enterprises.
• Absolute max throttle (DOMaxDownloadBandwidth)
  • Reason: Separated to foreground and background.

Windows Update for Business

Windows Update for Business enhancements in this release include:

Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.

Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.

Update less: Last year, we changed update installation policies for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings Advanced Options page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received or Select when Quality Updates are received). For more information about this change, see Simplified Windows Update settings for end users.

Networking

Wi-Fi 6 and WPA3

Windows now supports the latest Wi-Fi standards with Wi-Fi 6 and WPA3. Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.

In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by enterprise policy.

Virtualization

Windows Sandbox

Windows Sandbox is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration.

• MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
• AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
• ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste.
• PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox.
• ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox.
• MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox.

Windows Media Player is also added back to the Sandbox image in this release.

Windows Sandbox also has improved accessibility in this release, including:

• Microphone support is available.
• Added functionality to configure the audio input device via the Windows Sandbox config file.
• A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode.
• A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode.

Windows Subsystem for Linux (WSL)

With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM’s memory could grow, but would not shrink when no longer needed.

WSL2 support has been added for ARM64 devices if your device supports virtualization.

For a full list of updates to WSL, see the WSL release notes.

Windows Virtual Desktop (WVD)

Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out Windows Virtual Desktop documentation for the latest and greatest information, as well as the WVD Virtual Event from March.

Microsoft Edge

Read about plans for the new Microsoft Edge and other innovations announced at Build 2020 and What’s new at Microsoft Edge Insider.

Also see information about the exciting new Edge browser here.

Application settings

This release enables explicit Control over restarting apps at sign-in (Build 18965) that were open when you restart your PC.

Windows Shell

Several enhancements to the Windows 10 user interface are implemented in this release:

Cortana

Cortana has been updated and enhanced in Windows 10, version 2004:

Productivity: chat-based UI gives you the ability to interact with Cortana using typed or spoken natural language queries to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.

• In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.

Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises as set out in the Online Services Terms.

Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.

For updated information, see the Microsoft 365 blog.

Windows Search

Windows Search is improved in several ways. For more information, see Supercharging Windows Search.

Virtual Desktops

There is a new Update on Virtual Desktop renaming (Build 18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.

Bluetooth pairing

Pairing Bluetooth devices with your computer will occur through notifications, so you won’t need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see Improving your Bluetooth pairing experience.

Reset this PC

The ‘reset this PC’ recovery function now includes a cloud download option.

Task Manager

The following items are added to Task Manager in this release:

• GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
• Disk type is now listed for each disk on the Performance tab.

Graphics & display

DirectX

New DirectX 12 features are available in this release.

2-in-1 PCs

See Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one’s keyboard, but you’ll still keep the familiar look of your desktop without interruption.

Specialized displays

With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose.

• Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators
• Medical imaging devices with custom panels, such as grayscale X-ray displays
• Video walls like those displayed in Microsoft Store
• Dedicated video monitoring
• Monitor panel testing and validation
• Independent Hardware Vendor (IHV) driver testing and validation

To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.

Desktop Analytics

Desktop Analytics is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.

For information about Desktop Analytics and this release of Windows 10, see What’s new in Desktop Analytics.