What’s new in Windows 10, version 20H2 for IT Pros

Applies to

• WindowsВ 10, version 20H2

This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.

With this release and future releases, the Windows 10 release nomenclature is changing from a year and month pattern (YYMM) to a year and half-year pattern (YYH1, YYH2).

As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an H2-targeted release, 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.

To download and install Windows 10, version 20H2, use Windows Update (Settings > Update & Security > Windows Update). For more information, including a video, see How to get the Windows 10 October 2020 Update.

Microsoft Edge

This release automatically includes the new Chromium-based Microsoft Edge browser instead of the legacy version of Edge. For more information, see the Microsoft Edge documentation.

Servicing

Windows Update

There are several changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for updates. For more information, see Changes to improve security for Windows devices scanning WSUS.

Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see Simplifying on-premises deployment of servicing stack updates.

Deployment

New guidance is available to help prepare a servicing strategy and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible.

Activities are grouped into the following phases: Plan > Prepare > Deploy:

Plan your deployment by evaluating and understanding essential activities:

• Create a phased deployment plan
• Assign roles and responsibilities within your organization
• Set criteria to establish readiness for the upgrade process
• Evaluate your infrastructure and tools
• Determine readiness for your business applications
• Create an effective, schedule-based servicing strategy

Prepare your devices and environment for deployment by performing necessary actions:

Deploy and manage Windows 10 strategically in your organization:

• Use Windows Autopilot to streamline the set up, configuration, and delivery of new devices
• Use Configuration Manager or MDT to deploy new devices and update existing devices
• Use Windows Update for Business with Group Policy to customize update settings for your devices
• Deploy Windows updates with Windows Server Update Services (WSUS)
• Manage bandwidth for updates with Delivery Optimization
• Monitor Windows Updates with Update Compliance

Windows Autopilot

Enhancements to Windows Autopilot since the last release of Windows 10 include:

• Windows Autopilot for HoloLens: Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
• Windows Autopilot with co-management: Co-management and Autopilot together can help you reduce cost and improve the end user experience.
• Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select Devices >Monitor and scroll down to the Enrollment section. Click Autopilot deployment (preview).

Windows Assessment and Deployment Toolkit (ADK)

There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see Download and install the Windows ADK.

Device management

Modern Device Management (MDM) policy is extended with new Local Users and Groups settings that match the options available for devices managed through Group Policy.

For more information about what’s new in MDM, see What’s new in mobile device enrollment and management

Security

Microsoft Defender for Endpoint

This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).

The DisableAntiSpyware parameter is deprecated in this release.

Microsoft Defender Application Guard for Office

Microsoft Defender Application Guard now supports Office: With Microsoft Defender Application Guard for Office, you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.

Windows Hello

With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user’s biometric authentication data.

Virtualization

Windows Sandbox

New policies for Windows Sandbox are available in this release. For more information, see Policy CSP — WindowsSandbox.

Windows Virtual Desktop (WVD)

Note: WVD is not tied directly to a Windows 10 release, but it is included here as an evolving capability of Windows.

Windows Shell

Some enhancements to the Windows 10 user interface are implemented in this release:

• With this release, the solid color behind tiles on the Start menu is replaced with a partially transparent background. Tiles are also theme-aware.
• Icons on the Start menu no longer have a square outline around each icon.
• Notifications are slightly updated in appearance.
• You can now change the monitor refresh rate on advanced display settings.
• Alt+Tab now shows Edge browser tabs by default. You can edit this setting under Settings >System >Multitasking: Alt+Tab.
• The System control panel under System and Security has been updated to the Settings > About page. Links to Device Manager, Remote desktop, System protection, Advanced system settings, and Rename this PC are moved to the About page.

2-in-1 PCs

On a 2-in-1 device, Windows will now automatically switch to tablet mode when you detach the screen.

Surface

Windows 10 Pro and Enterprise are now available on Surface Hub 2. For more information, see What’s new in Surface Hub 2S for IT admins.

Desktop Analytics

Desktop Analytics is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.

For information about Desktop Analytics and this release of Windows 10, see What’s new in Desktop Analytics.

What’s new in Windows 10, version 1909 for IT Pros

Applies to

• WindowsВ 10, version 1909

This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903.

Servicing

Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements.

To deliver these updates in an optimal fashion, we are providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you are running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.

If you are updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see Evolving Windows 10 servicing and quality: the next steps.

Note: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, please see the Windows lifecycle fact sheet.

Windows Server Update Services (WSUS)

Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Manager version 1906 or later is required. For more information, see Publishing pre-release Windows 10 feature updates to WSUS.

The Windows 10, version 1909 enablement package will be available on WSUS as KB4517245, which can be deployed on existing deployments of Windows 10, version 1903.

Windows Update for Business (WUfB)

If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.

Security

Windows Defender Credential Guard

Windows Defender Credential Guard is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.

Microsoft BitLocker

BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.

Key-rolling and Key-rotation

Windows 10, version 1909 also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.

Transport Layer Security (TLS)

An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the Edge://flags dialog. Also see Microsoft Edge platform status.

Virtualization

Windows Sandbox

Windows Sandbox is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.

Windows Virtual Desktop

Windows Virtual Desktop (WVD) is now generally available globally!

Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.

Deployment

Microsoft Endpoint Manager

Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now Microsoft Endpoint Manager. See the Nov. 4 2019 announcement. Also see Modern management and security principles driving our Microsoft Endpoint Manager vision.

Windows 10 Pro and Enterprise in S mode

You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices.

SetupDiag

SetupDiag version 1.6.0.42 is available.

SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. .

Windows Assessment and Deployment Toolkit (ADK)

A new Windows ADK will not be released for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.

Desktop Analytics

Desktop Analytics is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.

Microsoft Connected Cache

Together with Delivery Optimization, Microsoft Connected Cache installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a “configure once and forget it” solution that transparently caches content that your devices on your network need.

Accessibility

This release adds the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked).

Processor requirements and enhancements

Requirements

Windows Processor Requirements have been updated for this version of Windows.

Favored CPU Core Optimization

This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.

When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a «boost» in performance. These cores are called «favored cores» as they can offer better performance than the other cores on the die.

With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology «delivers more than 15% better single-threaded performance».

Debugging

Additional debugging capabilities for newer Intel processors have been added in this release. This is only relevant for hardware manufacturers.

Efficiency

General battery life and power efficiency improvements for PCs with certain processors have been added in this release.