Why a former open source fan trusts in Microsoft and their secure data handling

In the beginning of my IT "career" in mid-80's I was a open source fan and had bad prejudices against Microsoft. For me this was a huge "bad" US corporation and in these days it sounded also bad to pay money for software. Especially for kids having just their small pocket money. So illegal software copies were very widespread. Also people did not understand the concept of intellectual property in software these days. May be also as it was just too easy to make a simple copy of a program. Nobody was missing something (like it was physically stolen) as you made a copy out of "nothing".

Later on I was working as CAD administrator in my first job. There we also had Unix systems (Silicon Graphics IRIX, IBM AIX and still the evil Windows 3.1/3.11). Followed in my next job as 2nd level supporter for a SIEMENS affiliate company we used SCO Unix and Linux together with the (still evil) Windows 95/ NT 4.0. I loved Linux for the open source concept. Making things available for all for free.

But one day in my IT career a consulting company offered me a job to work as vendor lab engineer for (the big evil) Microsoft Corporation near Munich (Unterschleissheim). It took a while to think about it. I had so many (pre-)judices against them. But I realized I need to find out myself if I was right or wrong!

Until then I only got in contact with some Microsoft sales men and in these days these guys were very snobbish. At least it felt like snobbish. But I was willing to give it a chance and may be correct myself.

After a few weeks I realized the big difference between my thoughts and the reality. The tech guys there were as cool as the open source guys. Same techy mindset and all very open and friendly. But there was also this other difference which I understood better by then. Microsoft's techies realized they have to pay their bills at the end of each month for their houses, cars etc. So there was really a a very good justification for paying money for software. Actually this also paid my own bills :-$

So this was my personal conversion from a Linux open source minded "Saul" to a Microsoft/Windows minded "Paul"!

But when it comes to data protection (which is the origin topic of this article) then there is even a different story to tell. And why I absolutely trust in Microsoft's data handling way more than all others. I was one of the "victims" of this data handling. Victim in the sense as I learned on my own hands what does this really means to them!

Many people argue that Microsoft is making money with customers data. As far as I observed this is absolutely not true! Even the opposite is true!

First of all you have to think about different companies and their business models. Many of the "I-give- it-for-free" companies like Google, Facebook, Twitter (just to name a few more prominent) have a business model based on data. 

Rule of thumb is: "Whenever you do not pay for a product - YOU are the product."

Actually this is not bad and also very popular. Most people still like stuff they have not to pay for. But you need to make yourself aware that your personal usage pattern is used for marketing and advertisement purposes. So Google, Facebook and Co. doing their business based on advertisement.

If you use their services you need to accept that! And believe it or not I still use Google for searching.

Whenever you are a data protection officer arguing against Microsoft regarding data handling (obviously without knowing it better) then you also need to be consequent and stop using Google for search in your company!

Microsoft's business model is different. You actually pay for the services. The free stuff there is normally "just" to bind people to the paid stuff. Actually I myself use Office365 Home (for me and my family) and pay for it. I get all the cool new stuff and lots of services for a little price. So I do not care anymore. This meaning they make money with software & services not originally with data (only).

To be fair they are also getting usage data to help them making better advertisement to you (when it comes to Microsoft services) but they do not sell this data. 

To check this out in detail check it here in English or German (Microsoft Privacy statement).

Even Google states that they do not sell your data. They just create advertisement based on your behavior on their platform (or platform "legs" on other websites (with embedded google advertisement frames)) as stated here. As I was not working there I can not judge on this seriously!

Now lets come to Microsoft's internal data handling behavior. And this was even done by myself as how I was instructed to do:

1. Whenever a customer went into our lab with some sort of personal data we refused it.
2. If it was necessary we only allowed at least pseudonymized data.
1. Then the data need to reside on dedicated systems
   (hardware or VMs on dedicated hardware)
2. Not connected to any IP network
3. Accessible only by KVM switch (just keyboard, video, mouse extension, no data transmission)
4. KVM switch only accessible via dedicated VPN into our internal lab network and only from Microsoft corporate network
5. Data deleted with DoD wipe process (DOD 5220.22-M) afterwards with 5 times writing "trash" on the whole hard disk (certified)

Actually we "feared" real customer / personal data in our lab environment as we had to take it very serious which introduced also a lot of extra work for us!

In my life I have seen many companies handling with data. But none of them was by far so strict as Microsoft is. And in days of GDPR Microsoft take it even more serious. They have today literally a dozen different personal data classifications and different handling instructions.

Also in terms of layered security (starting with access, process data, store data and even data disposal) Microsoft is really THE ultimate model student). And less they can not accept.

Just think of their cyber defense operation center (CDOC) which takes care of all Microsoft's assets on premise an in the clouds (public and private). Or the Microsoft Digital Crime Unit (DCU). They are helping to make the world actively safer every day. Just checkout their current reports.

This is why I absolutely trust in security & secure data handling at Microsoft. They do much more then even my bank does (and I had a IT project with my own bank as well many years ago!)

    

Schrems-II OR the myth of data security outside of US companies like MS

UPDATED 18.12.2020 (Added 7. Dagger Complex)

Today its time to sort out some important things on cybersecurity & the Schrems II myth on "data is secure when it is not anymore in reach of NSA or US based companies forced by NSL (National Security Letters)" which would include Microsoft with its Cloud offerings (as its headquarter is based in Seattle Washington (State)) as well as Google, Facebook or Amazon.

The very short story: When it comes to cyber security and cyber protection there are multiple players. From some you can protect yourself (even with MS security tools and the Microsoft Security Graph and its relying toolset which is still unbeaten in this area). These include typical hackers. 

And others you simply can't protect yourself as they operate on a complete different level which includes NSA and probably also MOSSAD / SHIN BET (during my time in Israel I learned some former Israel militaries (e.g. Unit 8200) they are now working in cyber security. Did you ever thought why most of the cyber security startups coming from Israel? Its caused by their military as they are forced to be specialists on this while surrounded by their enemies). If you are more interested in this - here is a great article from Jerusalem Post

Now lets come to the really long story (Hopefully you have time. Its worth I think but grab a coffee! After the legal part it becomes better than James Bond!)

But first lets us sort out some things and be open.

1. Lets come first to Mr. Max Schrems. He is an austrian lawyer, author and data protection activist. I do not want to judge on his motives and if he is a US or MS hater or not who knows.

2. Now lets come the the current Schrems II court rule. Originally as answer of the Schrems I court rule the EU Privacy Shield was created. This was falling last summer.

"The CJEU ruled that the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States." ( epic.org Press Release)

Microsoft created a smart solution for this until (slower) law rulers in the EU and the US will sort out these things in another legal way.

a. the Microsoft cloud is acting under EU standard clauses which are independent of the EU Privacy Shield.

b. the very long story on this and how it relates to Microsoft365 in this blog post (from data protection lawyer Koellner (sorry its in German especially as this relates very much to Germans as we are taking everything very serious. What is a joke? I don't know Jokes. I am a German :-D)

c. Latest MS answer on this by Julie Brill (Corp VP for Privacy and Chief Privacy Officer at MS 11/19/2020) including financial commitment. I think this is up to now still a good reason to stick with the Microsoft Cloud.

Ok for now I think we can stop this legal discussion and come to the real beef!

3. Lets talk first about the NSAs global surveilance capabilities. The capabilities they had some years ago were revealed by the Snowden leak. And this is what is known (un-)officially. As this leak has passed 7 years for now; don't think they did not improved their systems.

We always talk about legal access to data in a central datacenter and we need to protect this. You are absolutely wrong! From a legal (only) perspective you are wright but not in the NSA case. 

If they had not (yet) direct access on the data in an US companies datacenter somewhere on earth. The data will be transmitted from or to your computer. And this is the real crown jewel. Then they have everything. Your data, access to your mic and your camera and everything that's going on on your screen. 

The toolset they have is utilizing lots of still unknown Zero day exploits in an very automated manner. They point to an IP and finally that's it. Game over (for you). 

And don't think "my virus scanner" is saving me. Often they cant as 50% of attacks are ongoing "in memory only" so the AV scanner does not see anything. 

Microsoft developed Advanced Threat Protection (Microsoft ATP; now called Microsoft Defender for Endpoints) to cover also this sort of attacks. 

Another serious and very hard to handle attack vector are firmware attacks. As this is done on a hardware layer no software can see or control it. Just imagine a hacked network adapters firmware. Everything is done and manipulated on the last piece before the bytes hit the wire!

4. Now lets talk about encryption. We believe (oh yeah) we use the latest and greatest encryption. (And I don't talk right now about quantum computing which is another huge threat just around the corner. I will cover this in another blog post). 

When you do some research on this you will come across NSA encryption suite B (WARNING NIST official website!) (now replaced by Commercial National Security Algorithm Suite CNSA) (WARNING NSA official website!)

Hmm lets think a moment! When there is a Suite B (officially known encryption algorithms) isn't there also a Suite A and when does NSA advice to use which one?

First of all. There is also a Suite A. While Suite B is using lots of algorithms you already know very well like AES (Advanced Encryption Standard) there are also others you may never heard of in Suite A. So fancy names like ACCORDION, BATON, FIREFLY, JOSEKI, KEESEE, MAYFLY, MEDLEY, SAVILLE, SHILLELAGH, WALBURN or WEASEL.

Ok when to use which one (according to official CNSSI 4009 National Information Assurance term definitions)

"Suite A:
A specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission critical information.

Suite B:
A specific set of cryptographic algorithms suitable for protecting both classified and unclassified national security systems and information throughout the US government and to support interoperability with allies and coalition partners."

Translated: When Suite B is not safe enough US government will use Suite A for the real sensitive stuff.

Wait a moment there is something which come into my (history) mind. When did the US government released officially SSL encryption in browsers with 128 bit encryption end of 1990's ? They started to release when they were able to break it!

Translated: We give others only encryption stuff when we are able to break it by ourselves.

5. And now lets come to the greatest coup CIA did ever (still cant stop laughing on it how bold they were). Its the case of Crypto AG also known as "Operation Rubikon". And that's actually why you are not even safe in Germany with German vendors!

But for a better understanding a short lesson on sigint (signal intelligence) history. The so-called 5-Eyes (US, UK, Canada, Australia, New Zealand) operating the global surveillance network. 

The German BND (Bundesnachrichtendienst / the German version of CIA) had it's roots from Organization Gehlen  the successor of the German military intelligence in 2nd world war. After the war lots of these guys were recruited again for Gehlen Org which become later the BND and had already in its early years very strong connection to the CIA. Also caused due to the cold war. So lets say BND is a very good buddy of CIA and NSA. Just read the book "Bedingt dienstbereit: Im Herzen des BND" (from the former BND agents Norbert Juretzko and Wilhelm Dietl, sorry its in german only)

And believe it or not many countries and militaries in the good old time thought hey its a bad idea to buy encryption stuff from US companies. They might have embedded backdoors. Lets go better to guys they have a strong "security" reputation in any way. And that's Switzerland. They are absolutely neutral to anybody (What they state. If they are really I don't know).

Lets look for a swiss company to get really trustworthy and reliable encryption devices for real safe communications to prevent any espionage on our communication and data.

CIA also realized this behavior. And they feared to loose control. Hmm what to do? This was the birth of "Operation Rubikon" and it lasts for 5 decades until 2018!

Here the story (directly form Wikipedia. I couldnt write it better):
"Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with the CIA continuing as sole owner until about 2018. With headquarters in Steinhausen, the company was a long-established manufacturer of encryption machines and a wide variety of cipher devices. 

The company had about 230 employees, had offices in Abidjan, Abu Dhabi, Buenos Aires, Kuala Lumpur, Muscat, Selsdon and Steinhausen, and did business throughout the world. The owners of Crypto AG were unknown, supposedly even to the managers of the firm, and they held their ownership through bearer shares. 

The company has been criticised for selling backdoored products to benefit the American, British and German national signals intelligence agencies, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), and the BND, respectively. On 11 February 2020, The Washington Post, ZDF and SRF revealed that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence, and the spy agencies could easily break the codes used to send encrypted messages. The operation was known first by the code name "Thesaurus" and later "Rubicon". According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying"."

6. And believe it our not it's getting even better. The new BND law is legalizing global data gathering (sorry its in German and also valid for other countries worldwide) the. Even into an amount of data the BND could probably not handle (initially "limited" to max 50% of all global communication). Just to give them a kind of limit. We do not want to have them off limits. :-D

7. Since the end of 2nd World War the US intelligence community had a couple SIGINT stations in Germany. For example checkout the story behind the Dagger Complex in Darmstadt (which soon is moved to Wiesbaden). Checkout the Wiki article.

Conclusion: Just thinking that you are a German company storing data in Germany with a German vendor does mean nothing! You are even not safe in your own premises. 

Unless you put your computer in an independent bunker with own electricity and no internet connection your are definitely not safe in this world!

So my recommendation: Don't do anything unlawful and you are not interesting for them.

Microsoft Security Report 2020 is out!

Recently MS news released the new Microsoft Security Report for 2020. The original press release text was in german only. But the report is in english.

The report shows the actual threat landscape. This year threats in relationship to Corona where very broadly used. Also nation state attacks and human driven threats as well. Also supply chain and IOT where at risk.

Get the full report here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=101738

Microsoft Defender XDR

Upps they did it again. Another name change. But it make fully make sense! Microsoft Defender Advanced Threat Protection is becoming Microsoft Defender Endpoint Protection and much more! The whole thing is now Microsoft Defender XDR (eXtended Detection & Response)

Checkout this Microsoft Garage Video!

The Microsoft 365 Defender line will include:

• Microsoft 365 Defender (previously Microsoft Threat Protection)
• Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
• Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
• Microsoft Defender for Identity (previously Azure Advanced Threat Protection)

Similarly, the Azure Defender line will include:

• Azure Defender for Servers (previously Azure Security Center Standard Edition)
• Azure Defender for IoT (previously Azure Security Center for IoT)
• Azure Defender for SQL (previously Advanced Threat Protection for SQL)

Differences on Windows Versions Pro/Business/E3/E5

UPDATE 2021-05-10 (Update Link to PDF)

Recently a customer asked me about the specific differences between Windows Defender and Microsoft Defender Advanced Threat Protection (aka MD ATP or its new name "Microsoft Defender for Endpoints")

There is a great "Windows 10 commercial edition comparison" chart available which I want to share with you. Each feature is clickable and tells you more what MS is meaning with it!

Acutally the biggest differentiator is the security area. Standard security is pretty good so far even with Windows Defender (standalone). But the extra costs for E5 is bringing you cloud powered mega security facilitating the Microsoft Security Graph. So the extra bucks are running and operating the cloud facilities for you (hardware, power, cooling, people (3500 security researcher working for you day/night))

To see the full 8 pages version checkout here:
https://github.com/MicrosoftDocs/windows-itpro-docs/files/5363063/Windows10_CommercialEdition_Comparison.zip

Thanks to Simon for pointing me to this valuable ressource!

How to change the number of days to revert to previous Windows Installation

Recently I got the question how to change the number of days for reverting Windows 10 to the previous Windows 10 version. Just in case e.g. your hardware or software is running into trouble. Default value is 10 days but this might be too less for strange issues comming up later.

In the web there are several ways to do it (like renaming the .old Folder etc.)

But the offical supported way is this one (problably set during a task sequence)

It is actually a DISM command.

/Set-OSUninstallWindow

Run this command against an online image to set the number of days after an upgrade that an uninstall can be initiated.

Syntax:

DISM /Online /Set-OSUninstallWindow /Value:<days>

Default is set to 10 days. Can be set between 2 – 60 days.

See also here:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options

How to become a crack in Microsoft Defender ATP

Heike Ritter (Sr. PM of MD ATP) just shared a very interesting guide to become a professional threat hunter with Microsoft Defender ATP. And I think every professional in security operations should know this.

The full list can be found here: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647

Its really worth to have a deeper look!

You get shown step by step how to become an advanced threat hunter. 

Autopilot Diagnostics

Just today the "Father" of Windows Autopilot (Michael Niehaus) just wrote a great article about  Windows Autopilot diagnostics. And I just refer to this article for you and me for later use. 

He is speaking about the "GET-AutopilotESPStatus" and its evolution to the Powershell Commandlet "Get-AutopilotDiagnostics" which it is now. And also about the different steps and even much more stuff to dig deeper into Autopilot diagnostics.

Feel free to have a deeper look into the Windows Autopilot diagnostics here:
https://oofhours.com/2020/07/12/windows-autopilot-diagnostics-digging-deeper/

And you get the original script here:
https://www.powershellgallery.com/packages/Get-AutopilotDiagnostics

Win10 - Patchday 06/2020 Printing Issues

Normally I do not comment temporary issues. Especially as MS is mostly fixing them within the next update period. Unfortunately for this issue it does not seem MS is deploying it via Windows Update even in the near future. Therefore here a short notice.

When your system get patched with the 06/2020 cumulative update you may see issues with your printers. It does not matter if it is a USB printer or otherwise connected printers. The root cause is in the printer spooler itself. 

For more official information's please refer to this KB article.

https://support.microsoft.com/en-us/help/4567512/windows-10-update-kb4567512

MS is providing manual hotfixes for this issue. Currently not deployed via Windows Update. If you encounter such a problem then please check out depending on your Win10 version these updates:

• Windows 10 Version 2004: KB4567523
• Windows 10 Version 1903 & 1909: KB4567512
• Windows 10 Version 1809: KB4567513
• Windows 10 Version 1803: KB4567514
• Windows 10 Version 1709: KB4567515
• Windows 10 Version 1703: KB4567516
• Windows 10 Version 1607: KB4567517
• Windows 10 Version 1507: KB4567518

Windows Virtual Desktop - FSLogix container size limitations

Recently a customer asked me about the Windows Virtual Desktop (WVD) FSLogix file storage limitations. After some research and talks to the Product Group it turns out that there are not really limitations by FSLogix by itself. The limitations are defined by the underlying technologies.

First of all FSLogix mainly used the standard container format .VHD/.VHDX

and these disks are stored on underlaying files storage technologies. In the WVD world this is in general Azure Files.

In terms of different disk types in general you can use all of them:

https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference

These are the size limitations of the container formats:

Type	Size Limit Factor	Maximum Size Limit
VHD Fixed Size (recommended)	Underlying Filesystem in general NTFS	16 TB (4kb default cluster size) 256 TB (64kb cluster size)
VHD  Dynamic Size	VHD specification (Word Document)	2040 GB (Theoretically) 127 GB (Practically e.g. ATA Hard drive disk protocol limit)
VHDX  Fixed Size	Underlying Filesystem  (Azure Files)	64 TB (by VHDX definition)  1 TB practically due to  underlaying File System  (e.g. Azure Files  which is used in WVD)
VHDX  Dynamic Size (recommended) Used by default from WVD	Underlying Filesystem  (Azure Files)	64 TB (by VHDX definition)  1 TB practically due to   underlaying File System  (e.g. Azure Files   which is used in WVD)

Underlaying storage technology for FSLogix in Windows Virtual Desktop:

FSLogix Default for container disks is VHDX with Dynamic Size used on Azure Files. Maximum file size is up to 1 TB (as the file is set to dynamic it will start much smaller with the default profile size of your user profile and grow up the the specified limit. In this case the recommendation is to create dynamically VHDX files not greater than 1 TB).

When it comes to Azure Files there are more limits depending on the storage type you are using. A comprehensive list can be found here:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-scale-targets

Performance requirements per user:

This add another implication where you have to consider from the user side.

These are the performance and throughput requirements per User in FSLogix (thanks for Input from the PG)

The limitations (quotas) are usually not in FSLogix but in the underlying storage fabric that is being used to store FSLogix. Here are tables that show what FSLogix needs per one user. If we want to handle 100 users we need 1000 IOPS for steady used, 5000 IOPS for logon storm, etc.

Steady IOPS used per user	10
Boot / Login IOPS used per user	50

Steady throughput per user (MB per second)	1.5
Boot / Login  throughput per user (MB per second)	7.5

Quota 

Technically you can setup quota for the user profiles in Windows directly. Due to the used filterdriver the user profile directory behaves like a native folder where quota can be applied. So if the admin sets a quota for the user profile you get notified as usual. There is no dedicated quota management in FSLogix necessary or available. (Thanks to Stefan for clarification!)

Windows10 - 2004 whats new

Windows10 - Version 2004 
Build 10.0.19041.264

Comprehensive but not full list of all updates known and available:

Cortana

• Cortana has been redesigned with a conversation-based UI and support for light mode
• The Cortana window can now be moved across the desktop

Search

• Windows no longer indexes developer forlders like .git, .svn, .Nuget, .hg and more
• Search can now better identify high usage and only index when enough resources are available.

Taskbar + Action center

• Searching in Timeline when you didn't opt-in no longer requires you to tab past the opt-in text before you get to the search results
• Action center will now show a direct link to Notification settings
• You can now rename virtual desktops

File Explorer

• Search is now powered by Microsoft Search
• The Search bar in the File Explorer is now slightly longer by default
• The context menu for .HEIC-files will now include options to Print or Set as Desktop Background

Settings

System

• The App Volume and Device Preferences page has been redesigned
• Storage Sense's group policies have been updated with better explanations for their functionality
• You can now disable sounds for all notifications at once
• You can now sort notifications senders
• Under Notifications & actions, a setting has been added to disable the post-upgrade setup page

Devices

• You can now manage the mouse cursor speed
• When pairing with Swift Pair, the entire flow now happens within the notification with no need to open Settings
• One less notification has to be shown for the full pairing experience over Bluetooth
• You can now dismiss Swift Pair from the notification with the Dismiss-button
• The device name and category are now shown in a Swift Pair notification

Network & Internet

• The network Status page has been redesigned, showing the network usage for all active connections and integrating Data Usage

Apps

• You can now select multiple features to be installed on your device
• Features can now be searched through as well as sort them by Name, Size or Install date
• Features will now shown when they were installed and any other dependencies they have
• Latest actions has been added to Optional features and shows which installs, uninstalls and cancels you've performed

Accounts

• "Make your device passwordless" has been added as a new option under Sign-in options
• Your account picture will now sync faster through any Microsoft services
• Ease of Access settings can no longer be set to sync between devices
• The option "Automatically save my restartable apps when I sign out and restart them after I sign in." has been added on the Sign-in options page

Time & language

• Language will now show an overview of various aspects of the system and to which language they are set, including Windows display, Apps & websites, Regional format, Keyboard and Speech, providing quick access to the various settings
• The link to add a local experience pack has been removed
• Opening a language's options will now show an updated language features overview
• Required features are now listed below other features without a disabled checkmark
• Features and settings that depend on other features and settings are now shown as a subitem of their parents
• The various language feature will now show an icon on the right that will give the user a tooltip

Ease of Access

• There is now a tooltip when hovering over the various color options for your cursor

Update & Security

• You can now limit the bandwith usage by Delivery Optimization for both foreground and background
• "Cloud download" has been added as a new recovery option
• Windows Update will now list optional updates under "View optional updates"
• All driver updates are now listed under "View optional updates", removing the need to check for drivers in the Device Manager

General

• Improvements to the launch time when the Settings header is visible

Ink Workspace

• The Ink Workspace flyout has been replaced with a small flyout menu
• Sticky Notes are no longer accessible from the Ink Workspace
• Sketchboard has been replaced with the Microsoft Whiteboard app
• 
  

Accessibility

• Magnifier with larger pointers will now pan smoothly when as the pointer changes shape
• "Change how capitalized text is read" has been removed from Narrator
• Narrator now announced the toggle state of checkboxes in a Listview
• Scan mode will now turn off to allow typing in the edit field of a spinner control
• Narrator now has improved support for "invalid" and "required" properties on more controls
• Narrator Braille can now reliably activate links by routing key
• Narrator reliability has been improved from Chrome
• Narrator now reads tables more efficiently by only reading the deltas when navigating.
• Narrator + S now gives a webpage summary.
• You can now keep the text cursor in the center of the screen when typing with Magnifier
• Narrator can now say the title and url of a link
• Narrator will now read the header first, followed by the cell data, followed by the row/column - position of a cell
• When headers in data tables change, Narrator will now read them
• Eye Control now supports drag-and-drop
• Pausing Eye Control will now completely hide the launchpad
• Buttons can now be clicked with switches on joysticks or device that emulate joysticks
• Eye Control has been updated to provide more settings
• Narrator now automatically starts reading web pages and emails
• The Magnifier UI has been revamped with updated icon and moves the magnification in between the zoom buttons, it is no longer to change the view from the Magnifier window
• Narrator will now turn on Scan Mode when reading Outlook or Windows Mail mails automatically
• Each email will now be read with the status mentioned first in the list view
• The text cursor can now be changed to any given color
• Narrator will now start reading webpages from the top rather than from the main landmark on it
• Narrator now supports the arria-haspopup property
• You can now turn of Narrator input learning of by hitting Narrator + 1
• Improved Magnifier performance when moving the mouse around the screen
• Magnifier reading now support reading in more locations
• Narrator's volume for link and scroll sounds has been bumped up
• In Outlook, the "importance"-header is now always spoken by Narrator before the importance level
• Magnifier can no longer be set to an UI that is visible in the viewport as a magnifying glass

Language and input

• The on-screen keyboard now uses SwiftKey's Typing Intelligence on 39 new languages: Afrikaans (South Africa), Albanian (Albania), Arabic (Saudi Arabia), Armenian (Armenia), Azerbaijani (Azerbaijan), Basque (Spain), Bulgarian (Bulgaria), Catalan (Spain), Croatian (Croatia), Czech (Czech Republic), Danish (Denmark), Dutch (Netherlands), Estonian (Estonia), Finnish (Finland), Galician (Spain), Georgian (Georgia), Greek (Greece), Hausa (Nigeria), Hebrew (Israel), Hindi (India), Hungarian (Hungary), Indonesian (Indonesia), Kazakh (Kazakhstan), Latvian (Latvia), Lithuanian (Lithuania), Macedonian (Macedonia), Malay (Malaysia), Norwegian (Bokmal, Norway), Persian (Iran), Polish (Poland), Romanian (Romania), Serbian (Serbia), Serbian (Serbia), Slovak (Slovakia), Slovenian (Slovenia), Swedish (Sweden), Turkish (Turkey), Ukrainian (Ukraine), Uzbek (Uzbek)
• Dictation support for English (Canada), English (UK), English (Australia), English (India), French (France), French (Canada), German (Germany), Italian (Italy), Spanish (Spain), Spanish (Mexico), Portuguese (Brazil), and Chinese (Simplified, China) has been added
• A number of kaomoji have been added the to emoji picker.

Input Method Editor

• The development version of the Japanese IME from build 18277 has been restored
• Improved security and reliability in the revamped Chinese Simplified and Chinese Traditional IMEs, as well as a cleaner settings interface
• The Chinese Pinyin IME now refers to "Default mode" instead of "Input mode"
• A tip has been added to the Bopomofo IME settings that Ctrl + Space will toggle the conversation mode
• The Japanese IME now has as default assinged value of Ctrl + Space to be "None"
• Key assignment settings are now more discoverable in the Japanese IME
• Improved performance for the Bopomofo, ChangJie, and Quick IMEs
• You can now disable the Shift + Space keyboard shortcut in the Bopomofo IME as well as changing the candidate font size
• You can now hide the IME toolbar from the toolbar menu

Apps

Connect

• Connect is now an optional feature downloadable in Settings

Notepad

• Notepad can now restore unsaved content when Windows restarts for updates

Task Manager

• The disk type will now be shown in Task Manager
• Right clicking a process will now show "Provide Feedback" after "End task" and "End process tree" instead of between
• The GPU temperature is now shown under Performance > GPU

Windows Sandbox

• Support for capturing hotkeys in full screen has been added
• A configuration file can now be set for Windows Sandboxes
• Error dialogs will now show an error code and a link to Feedback Hub
• You can now use a microphone in Windows Sandbox
• The audio input device can now be set in the Sandbox config file
• Shift + Alt + PrtScn now opens the ease of access dialog for high contrast mode
• Ctrl + Alt + Break now toggles fullscreen mode
• Windows Sandbox no longer requires the use of Admin privileges

Windows Subsystem for Linux

• The file system of a Linux distro can now be accessed from File Explorer
• Windows Subsystem for Linux version 2 has been added to Windows, including a full Linux kernel
• Connections can now be made using localhost
• Improved performance for directory listings in \wsI$

Other features

• Tamper Protection will be set on by default again
• You can now sign in with your Windows Hello PIN when in Safe Mode

And further

• The "Windows Light" theme is now called "Windows (light)"
• All Emoji 12.0 emojis now have keywords in the emoji picker
• The OOBE will now show a lock icon with networks that are private
• Windows Defender ATP is being renamed to Microsoft Defender
• Windows will now periodically remind you to make backups if you do not have a backup solution installed
• You're prefered defragmentation settings are now preserved after upgrading Windows
• Support for Microsoft Bluetooth Mouse and Keyboard has been added to Swift Pair
• Update the Windows version name to version 2004

Thanks to the Team of ChangeWindows!

Configuration and Deployment

As this is stuff IT Pros are focused here more explanations:

Delivery Optimization enhancements

• Get-DeliveryOptimizationStatus -PeerInfo. Offers a real-time view behind-the-scenes of peer-to-peer activity (e.g. the peer IP Address, bytes received/sent).
• Get-DeliveryOptimizationLogAnalysis. Get a summary of the activity in your Delivery Optimization log (e.g. the total number of downloads, downloads from peers, and overall peer efficiency). Use the -ListConnections flag to for in-depth look at peer-to-peer connections.
• Enable-DeliveryOptimizationVerboseLogs. Offers a greater level of detail to assist in troubleshooting.
• Enterprise network throttling. We've made enhancements to foreground vs. background throttling.
• Automatic cloud-based congestion detection. Leverage the power of the Delivery Optimization cloud service to help identify download storms on your network. In short, the existing policy to delay background downloads from HTTP will indicate that the cloud service is allowed to dynamically back off downloading updates from the cloud for some devices while continuing to leverage local peer sources. Similarly, the same feature can help improve overall peer utilization by dynamically choosing which devices can download updates first. This feature is particularly useful to those of you who are deploying via rings and would like to avoid selecting individual devices in ring 0 (which can be cumbersome if you have thousands of sites). (Note: This client feature requires a cloud service support, which will be available in the near future, for full functionality.)

Servicing and deployment enhancements

• Reduced offline time during feature updates. Beginning with Windows 10, version 1703, we've steadily reduced end user downtime during a feature update. With Windows 10, version 2004, offline time continues to decrease, from a median time of over 80 minutes in version 1703, to 16 minutes in version 2004, including only a single reboot for many users.
• Improved controls for reserved storage. With the release of Windows 10, version 1903, we introduced reserved storage for newly manufactured PCs and clean Windows 10 installs. With Windows 10, version 2004, we've added a new set of Deployment Image Servicing and Management (DISM) commands and APIs so you can enable and disable reserved storage on demand, including reserved storage for Windows 10 devices that were not shipped with Windows 10, version 1903 and higher. For the full set of reserved storage command line options, see DISM Reserved Storage Command-line Options.
• Improved controls and diagnostics for Windows Setup. For those using Windows Setup, Windows 10, version 2004 offers more control when upgrading to the latest update. For example:
  • Dynamic Update. You can now search, download, and install Dynamic Updates, but exclude the latest quality update and/or driver updates.
  • Reduced offline time for users. Instruct Windows Setup to start update operations on the down-level OS without initiating a reboot to start the offline phase, then instruct Windows Setup to complete the installation at an appropriate time.
  • SetupDiag: SetupDiag provides additional diagnostic information to troubleshoot update failures. For more information, see Deployment Troubleshooting and Log Files.
• Recover Windows 10 from the cloud. With this release we've added the option to recover Windows 10 by downloading the necessary files from the cloud, resulting in increased reliability and, depending on your internet speed, a faster recovery. For more details about the cloud-reset process, see Reset this PC option: Cloud download.
• Windows Autopilot. Procure devices and have them delivered directly to the end user and provisioned from the cloud. Windows Autopilot has been available since Windows 10, version 1703 (with the 7D update) and with each new version of Windows 10 we add new, requested features. Today we're adding the ability to:
  • Configure user-driven Hybrid Azure AD Join with VPN support. This support has been backported to Windows 10, versions 1909 and 1903.
  • Configure language settings in the Windows Autopilot profile so that the out-of-box experience (OOBE) will skip the language, locale, and keyboard pages when the device is connected to ethernet.

Windows Update for Business

• Microsoft Intune console updates. The target version is now available in Intune, allowing you to specify to which Windows 10 OS version you want devices to move. This capability also enables you to keep devices on their current version until they reach end of service. Available now in the Intune console, you can also configure this as a Group Policy or Configuration Service Provider (CSP) policy.
• Validation improvements. To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. But we know this can interfere with validations. To better enable IT administrators to validate on the latest release, we have created a new policy to enable admins to opt devices out of the built-in safeguard holds.
• Deferral policies. See FAQ below for a description of how deferral policies work in Windows Update for Business.
• Documentation updates. We have improved our Windows Update for Business documentation to better communicate how to utilize Windows Update for Business to manage Windows Updates to keep devices secure and end users productive.

Windows Virtual Desktop

Windows Virtual Desktop continues to evolve and you can keep up with the latest enhancements by bookmarking the Windows Virtual Desktop community and staying tuned to the Windows IT Pro Blog. Most recently, we've published new PowerShell modules to PSGallery, including Remove-RdsRoleAssignment with the -AadTenantId parameter to remove role assignments of principals not associated to the Azure AD tenant, and Update-AzWvdHostPool -PersonalDesktopAssignmentType to automatically assign users to virtual machines. For more details, see the Windows Virtual Desktop PowerShell release notes.

Cortana enhancements

• Productivity[1]. A chat-based UI gives you the ability to interact with Cortana using typed or spoken natural language queries to easily get information across Microsoft 365 and stay on track. In the coming months, with regular app updates through the Microsoft Store, we'll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities (such as surfacing relevant emails and documents to help you prepare for meetings), and expand supported capabilities for international users.
• Security. You now must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tighter access, some skills including music, connected home, and third-party skills will no longer be available. Additionally, users get cloud-based assistance services that meet Office 365's enterprise-level privacy, security, and compliance promises as set out in the Online Services Terms.
• Move the Cortana window. With Windows 10, version 2004, you can drag the Cortana window to a more convenient location on your desktop.

and much more so please checkout also the full article here:https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764