From 806a912dea4d76b854392b1baedd81af33a33191 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Wed, 8 Sep 2021 12:57:15 -0700 Subject: [PATCH 01/13] Update virus-initiative-criteria.md Update to membership requirements, follow-up link for application, and high-level program summary. --- .../intelligence/virus-initiative-criteria.md | 29 +++++++------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 83ca25908d..360a4bde38 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,34 +18,27 @@ ms.technology: mde # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. - -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology & strategy. ## Become a member -You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -1. Offer an antimalware or antivirus product that meets one of the following criteria: +To qualify for the MVI program, your organization must meet all the following requirements. - * Your organization's own creation. - * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. +1) Your security solution either replaces or compliments Microsoft Defender Antivirus. -2. Have your own malware research team unless you build a product based on an SDK. +2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3. Be active and have a positive reputation in the antimalware industry. +3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. +5) Your organization must sign a program license agreement. Maintaining this license agreement requires that you adhere to all program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. -5. Be willing to sign a program license agreement. +6) You must submit your app to Microsoft for periodic performance testing and feature review. -6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. - -7. Submit your app to Microsoft for periodic performance testing. - -8. Certified through independent testing by at least one industry standard organization. +7) Your solution must be certified through independent testing by at least one industry standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- @@ -60,4 +53,4 @@ West Coast Labs | Checkmark Certified
http://www.checkmarkcertified.com/sm ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u). From 5c9fc1c94735a72644fd102d1987f05ca65cd365 Mon Sep 17 00:00:00 2001 From: Fojonx <90415493+Fojonx@users.noreply.github.com> Date: Thu, 9 Sep 2021 14:21:38 -0400 Subject: [PATCH 02/13] Update security-compliance-toolkit-10.md Adding Windows Server 2022 entry --- .../security/threat-protection/security-compliance-toolkit-10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 2ec5067168..3fe631aa97 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -37,6 +37,7 @@ The Security Compliance Toolkit consists of: - Windows 10, Version 1507 - Windows Server security baselines + - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 From 929d168ce509613966e31bf727b2b9abbae593f4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 13 Sep 2021 07:35:04 -0700 Subject: [PATCH 03/13] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 360a4bde38..844c34033a 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,7 +18,7 @@ ms.technology: mde # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology & strategy. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology and strategy. ## Become a member From 726b5b8b5f6b276f6debedd923b186976a39b9ee Mon Sep 17 00:00:00 2001 From: Rob Truxal <55893679+rotruxal@users.noreply.github.com> Date: Tue, 14 Sep 2021 08:50:53 -0700 Subject: [PATCH 04/13] removed Device Guard references replaced references to Device Guard with references to HVCI and/or WDAC where appropriate. --- ...tualization-based-protection-of-code-integrity.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 4065b2122a..59657cc8ed 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy @@ -21,14 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor Protected Code Integrity (HVCI,) a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. @@ -42,9 +42,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features. | -> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. ## Additional qualifications for improved security @@ -76,4 +76,4 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | \ No newline at end of file +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | From cd6397d4af697073515bd02390ec05239846f410 Mon Sep 17 00:00:00 2001 From: Rob Truxal <55893679+rotruxal@users.noreply.github.com> Date: Wed, 15 Sep 2021 09:41:25 -0700 Subject: [PATCH 05/13] Update windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nes-for-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 59657cc8ed..f8ce091fab 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy From b8eb11081ba758c0262ee35d1c6f3afcc31aebde Mon Sep 17 00:00:00 2001 From: Rob Truxal <55893679+rotruxal@users.noreply.github.com> Date: Wed, 15 Sep 2021 09:46:20 -0700 Subject: [PATCH 06/13] Update windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nes-for-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index f8ce091fab..3112632b29 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -21,7 +21,7 @@ ms.technology: mde **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor Protected Code Integrity (HVCI,) a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. From 0c62ac35444a6ad7fe65cc709efe378224469ac6 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Fri, 17 Sep 2021 10:34:20 -0700 Subject: [PATCH 07/13] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 844c34033a..e4459d2d4f 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -24,7 +24,7 @@ The Microsoft Virus Initiative (MVI) helps organizations develop better-together You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -To qualify for the MVI program, your organization must meet all the following requirements. +To qualify for the MVI program, your organization must meet all the following requirements: 1) Your security solution either replaces or compliments Microsoft Defender Antivirus. From 3337a3c55206b1dc60327e2faf83846de0d833e4 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Fri, 17 Sep 2021 10:34:27 -0700 Subject: [PATCH 08/13] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index e4459d2d4f..e079bcdc67 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -30,7 +30,7 @@ To qualify for the MVI program, your organization must meet all the following re 2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry-standard report such as AV-Comparatives, OPSWAT, or Gartner. 4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. From 636b5f231abae09a437e40b8caf37b135447d767 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Fri, 17 Sep 2021 10:34:34 -0700 Subject: [PATCH 09/13] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index e079bcdc67..ccb2eb6624 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -38,7 +38,7 @@ To qualify for the MVI program, your organization must meet all the following re 6) You must submit your app to Microsoft for periodic performance testing and feature review. -7) Your solution must be certified through independent testing by at least one industry standard organization, and yearly certification must be maintained. +7) Your solution must be certified through independent testing by at least one industry-standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- From c042afdbed4ae1d4e811f2277a97736f5ba9544e Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:24:08 +0100 Subject: [PATCH 10/13] Link to Feature Updates Deployment On line 53, added a link to the Feature Updates for Windows 10 documentation for added clarity. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index b301ed3de2..d8e46a6497 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. ## Cloud-based management From ee789c0ceb1293a053e3a698d277a628c7d6c7d9 Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:31:39 +0100 Subject: [PATCH 11/13] Extra clarification. Line 53 - Added extra clarification for the Feature Update Deployment to indicate holds. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index d8e46a6497..11ae4f3231 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management From 2a261bac7590e6a8a14913c99b3e652de542ed68 Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:54:17 +0100 Subject: [PATCH 12/13] Changing upper case in link Line 54 - changing upper case letters in the link as suggested by JaimeO. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 11ae4f3231..ad8033c027 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management From 61b73948e29f1d500056eeea83417868d1d995ce Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 22:03:05 +0100 Subject: [PATCH 13/13] Minor tweaks Line 53 - changed the second occurrence of feature update deployments to lower case, added "set at the version...". --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index ad8033c027..da063c4529 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management