- Autumn updates for corporate customers
- Changes to the update process
- More flexible restart
- Recovery after failed updates
- Reserving disk space for updates
- Web browser
- Application Guard for Chrome and Firefox
- Group policies
- Security baseline without password expiration
- User interface
- Terminal and filenames
Windows 10 1903 seems to be the first release within Microsoft's once-again redesigned development cycle. One sign of this change is the so-called skip-ahead ring of the Insider Program.
Until now, this ring gave users access to previews of the next upgrade even before the release of the current version. At this time, that would be Windows 10 1909, but Microsoft is already delivering previews for Windows 10 20H1 in this ring.
The official explanation for this approach is that version 20H1 receives features that require a longer development time. However, there is some evidence that after the quality issues in Windows 10 1809, Microsoft would like to reduce the update pressure by delivering only one release a year that has major changes.
Autumn updates for corporate customers
This will be the role of the spring update, and the following fall release will serve primarily for quality assurance. Accordingly, it makes sense for companies always to wait for the second update of the year because it essentially acts like a service pack.
A second indicator of a new development cycle with a major and a minor release per year is the recent change in Microsoft's support policy. Since version 1809, users of the Enterprise Edition receive 30 months of support for the autumn update, whereas the spring update only gets 18 months.
Changes to the update process
Version 1903 also changes the actual update process. For Windows Update for Business, the Semi-Annual Channel (Targeted), or SAC-T, is no longer available, so each release appears immediately in the Semi-Annual Channel (SAC). As a result, users cannot postpone feature updates by choosing SAC.
A new option in the settings app can postpone the installation of quality and feature updates independently. This does not play a role in managed environments because the admin sets the time for installing updates via WSUS or SCCM.
More flexible restart
More interesting are two new features that help control restarting the computer during updates. The first feature is more flexible active hours, which the system automatically determines based on the user's habits.
The other feature is a new Group Policy Object (GPO) setting that forces a reboot after a certain period even outside the active hours and regardless of whether a user is logged on or not.
Recovery after failed updates
Microsoft improves the installation of updates with a so-called auto-rollback system. This ensures the system automatically resets itself to the previous state if an update fails.
This mechanism applies to both monthly cumulative updates and the installation of new drivers.
Reserving disk space for updates
A fresh install of Windows 10 1903 reserves approximately 7 GB of disk space for updates, apps, system cache, and temporary files, but it does not create a separate partition for it. The size of this storage also depends on the number of optional features and languages installed. The actual value is in the settings app.
Microsoft wants to ensure that system operations such as installing updates do not fail due to a lack of disk space. This reduces the capacity available to the user. On low-performance office PCs with small SSDs, the increased hardware requirements could be a problem.
The most important new feature is the Windows Sandbox. It is a contained environment from which no access to the host system is possible. In the Sandbox, IT professionals can perform tasks they should not do directly on an admin workstation, such as browsing the web.
Technically, it is a preconfigured lightweight virtual machine that does not require an explicit Hyper-V installation. It shares OS binaries with the host, so no separate patching is required.
The Sandbox discards all data and applications it contains upon exit. To save user files, you can create your own transfer directories and copy the data there before closing the Sandbox. When needed, you can install applications automatically with the help of a startup script. For both cases, you have to provide a configuration file.
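A configuration file covering both cases described above, as an added example that is not part of the original article. The host folders `C:\Sandbox\Tools` and `C:\Sandbox\Transfer` and the script name `setup.cmd` are assumptions; the installer folder is mapped read-only so that only the transfer directory is writable from inside the Sandbox.

```xml
<!-- Added example; folder paths and setup.cmd are assumed names, not from the article. -->
<Configuration>
  <!-- Keep the virtual GPU off unless needed: it is shared with the host. -->
  <VGpu>Disable</VGpu>
  <MappedFolders>
    <!-- Installers and the startup script: host to Sandbox only. -->
    <MappedFolder>
      <HostFolder>C:\Sandbox\Tools</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <!-- Transfer directory: the only host path the Sandbox can write to. -->
    <MappedFolder>
      <HostFolder>C:\Sandbox\Transfer</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Mapped folders appear on the desktop of the Sandbox user. -->
    <Command>C:\Users\WDAGUtilityAccount\Desktop\Tools\setup.cmd</Command>
  </LogonCommand>
</Configuration>
```

Saved with the `.wsb` extension, the file starts the Sandbox with these settings when opened. Files that come back through the writable transfer folder originate in the untrusted environment and should be scanned on the host before use.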
Web browser
Windows 10 1903 will not deliver any substantial innovations yet to the integrated Web browser. Edge in its current form is a phase-out model, and the transition from Microsoft's own rendering engine to Chromium is on the way.
The Chromium-based Edge recently appeared as a public preview and still lacks many functions for use in organizations. These include the support for group policies. However, a first official release could find its way into Windows 10 1909.
Application Guard for Chrome and Firefox
Edge is still the only browser that Microsoft supports with Application Guard. It is a similar feature to the Sandbox but is limited to the shielded use of a web browser.
Microsoft recently released extensions for Chrome and Firefox. They pass URLs for external websites specified by the admin to Edge in the Sandbox, while internal pages, for example, continue to display in the default browser.
Group policies
As with every Windows 10 release, 1903 will add additional settings for group policies. These essentially do not apply to new features but only to existing ones.
You can now control Storage Sense centrally via GPOs. In addition, there is the abovementioned option for forcing a restart to install updates plus a setting to deactivate security questions in the event that users have forgotten their passwords.
Security baseline without password expiration
The security baseline is a collection of GPO settings Microsoft recommends to secure Windows servers and workstations. By using the Group Policy Analyzer, you can compare them with a backup of the policies currently in use. You can also import them when needed via Group Policy Management to secure the systems.
Currently, the baseline is still available as a preview, but it has already sparked controversy. The reason for this is the removal of the password expiration policy, which forces users to change passwords regularly.
According to Microsoft, the disadvantages associated with the regular change of passwords (slightly modified variants of the same password, forgetting the new password and calling the helpdesk) outweigh the additional security.
Instead, companies should rely on multi-factor authentication or exclude trivial passwords using blacklists.
Of course, banning the expiration date for passwords from the baseline does not mean that the respective settings will disappear from group policies. Rather, it is just an update of the best practices.
User interface
A whole series of changes is obvious when you first log on to the system. This includes a slimmer Start menu, from which Microsoft has removed many of the preinstalled apps. Users can now also uninstall some of these apps, such as the 3D Viewer, Calculator, Calendar, Mail, or Groove Music. Until now, it was not possible to remove them interactively via the GUI.
Microsoft has lost the competition on digital assistants to Amazon and Google and therefore no longer sees any need to force Cortana on Windows users.
In managed environments, this step doesn't matter much, because you can deactivate Cortana via group policies. The same applies to the aforementioned manual deinstallation of apps, which the admin will usually delete from the OS image before deploying it to PCs.
Also, the significant expansion of the settings app to include more functions for configuring the system has no great relevance in companies. This includes, for example, IP configuration, for which users usually lack the permissions anyway and which the admin controls centrally.
There is also an update for the integrated search, which by default only indexes files within the user profile. The settings app now allows easy extension of the index to the entire PC, but this was already possible before via the Control Panel.
Terminal and filenames
Version 1903 brings a few minor changes to benefit IT pros. Those who work a lot from the command line will appreciate that you can now zoom in on PowerShell, bash, or command-prompt windows with Ctrl + the mouse wheel. Changing the small default font is therefore no longer necessary.
In the settings of command-line windows, a new tab labeled Terminal lets you define colors and cursor types.
The closer integration with the Linux subsystem is also noticeable; you can now create files in the Explorer whose names begin with a period. Many configuration files under Unix follow this convention.