diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index f5372d05f6..58a5040b72 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -196,7 +196,7 @@ Values: **CheckApplicability** -``` syntax +```xml @@ -223,7 +223,7 @@ Values: **Edition** -``` syntax +```xml @@ -241,7 +241,7 @@ Values: **LicenseKeyType** -``` syntax +```xml @@ -259,7 +259,7 @@ Values: **Status** -``` syntax +```xml @@ -277,7 +277,7 @@ Values: **UpgradeEditionWithProductKey** -``` syntax +```xml @@ -304,7 +304,7 @@ Values: **UpgradeEditionWithLicense** -``` syntax +```xml diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index ea9dd8e10a..ffd68aa965 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -39,7 +39,7 @@ Supported operations are Get and Replace. Enable logging of audit events. -``` syntax +```xml diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index aa221c4b9e..7ac4b1ff90 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -176,7 +176,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed 2. [Export the Start layout](#export-the-start-layout). 3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: - ``` syntax + ```xml ``` diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md index 5603c46bfa..4ea4c7f814 100644 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md @@ -462,7 +462,7 @@ Quick action buttons are locked down in exactly the same way as Settings pages/g You can specify the quick actions as follows: -``` syntax +```xml diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 299ba40be7..156e4af29b 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -241,7 +241,7 @@ Version identifies the version of the settings location template for administrat **Hint:** You can save notes about version changes using XML comment tags ``, for example: -``` syntax +```xml @@ -195,7 +195,7 @@ This table describes the behavior in the following example .xml file. -``` syntax +```xml File Migration Test @@ -231,7 +231,7 @@ This table describes the behavior in the following example .xml file. The behavior for this custom .xml file is described within the <`displayName`> tags in the code. -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 100e1e1f04..bbcdb94333 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -209,7 +209,7 @@ You must use the **/nocompress** option with the **/HardLink** option. The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 89b7d8fa3a..8d0ba60945 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -37,7 +37,7 @@ In this topic: The following .xml file migrates a single registry key. -``` syntax +```xml Component to migrate only registry value string @@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents including subfolders @@ -82,7 +82,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -103,7 +103,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` syntax +```xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -123,7 +123,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. -``` syntax +```xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -146,7 +146,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +```xml All .mp3 files to My Documents @@ -176,7 +176,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents @@ -195,13 +195,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. - ``` syntax + ```xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` syntax + ```xml ``` diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index fad90a25bf..daba5ef2e2 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -294,7 +294,7 @@ To migrate these files you author the following migration XML: However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +```xml @@ -315,13 +315,13 @@ Analysis of this XML section reveals the migunit that was created when the migra An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: -``` syntax +```xml c:\data\* [*] ``` When the migration is preformed again with the modified tag, the diagnostic log reveals the following: -``` syntax +```xml @@ -396,7 +396,7 @@ You author the following migration XML: However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +```xml @@ -453,7 +453,7 @@ Upon reviewing the diagnostic log, you confirm that the files are still migratin Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log: -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 4ea1caaac3..ea0c442a2a 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -31,7 +31,7 @@ In this topic: The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +```xml Engineering Drafts Documents to Personal Folder @@ -60,7 +60,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +```xml All .mp3 files to My Documents @@ -88,7 +88,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +```xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 13fcf0effc..d64010f54e 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -138,7 +138,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -212,7 +212,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -275,7 +275,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -455,7 +455,7 @@ For example, In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: -``` syntax +```xml A @@ -468,7 +468,7 @@ In the code sample below, the <condition> elements, A and B, are joined to However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. -``` syntax +```xml A @@ -826,7 +826,7 @@ For example: ~~~ For example: -``` syntax +```xml MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") ``` ~~~ @@ -914,7 +914,7 @@ For example: ~~~ For example: -``` syntax +```xml MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") %CSIDL_FAVORITES%\* [*] @@ -1055,7 +1055,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml MigXmlHelper.IsNative64Bit() @@ -1152,13 +1152,13 @@ The following functions generate patterns out of the content of an object. These ~~~ For example: -``` syntax +```xml ``` and -``` syntax +```xml ``` ~~~ @@ -1243,7 +1243,7 @@ and ~~~ For example: -``` syntax +```xml @@ -1365,7 +1365,7 @@ The following functions change the content of objects as they are migrated. Thes ~~~ For example: -``` syntax +```xml HKCU\Control Panel\Desktop [ScreenSaveUsePassword] @@ -1622,7 +1622,7 @@ Syntax: The following code sample shows how the <description> element defines the "My custom component" description.: -``` syntax +```xml My custom component ``` @@ -1677,7 +1677,7 @@ Syntax: For example: -``` syntax +```xml HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*] @@ -1807,7 +1807,7 @@ Syntax: The following example is from the MigApp.xml file. -``` syntax +```xml MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*") @@ -1878,7 +1878,7 @@ Syntax: For example: -``` syntax +```xml MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0") @@ -1889,7 +1889,7 @@ For example: and -``` syntax +```xml @@ -1945,7 +1945,7 @@ Syntax: For example: -``` syntax +```xml Command Prompt settings ``` @@ -2012,7 +2012,7 @@ Syntax: In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: -``` syntax +```xml @@ -2022,7 +2022,7 @@ In this scenario, you want to generate the location of objects at run time depen Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. -``` syntax +```xml %INSTALLPATH%\ [*.xyz] @@ -2032,7 +2032,7 @@ Then you can use an include rule as follows. You can use any of the [<script& Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. -``` syntax +```xml @@ -2050,7 +2050,7 @@ Second, you can also filter registry values that contain data that you need. The In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file: -``` syntax +```xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt] @@ -2064,7 +2064,7 @@ In this scenario, you want to migrate five files named File1.txt, File2.txt, and Instead of typing the path five times, you can create a variable for the location as follows: -``` syntax +```xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 @@ -2074,7 +2074,7 @@ Instead of typing the path five times, you can create a variable for the locatio Then, you can specify the variable in an <include> rule as follows: -``` syntax +```xml %DATAPATH% [File1.txt] @@ -2133,7 +2133,7 @@ Syntax: For example, from the MigUser.xml file: -``` syntax +```xml %CSIDL_MYMUSIC%\* [*] @@ -2190,7 +2190,7 @@ Syntax: Example: -``` syntax +```xml @@ -2297,7 +2297,7 @@ Syntax: For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: -``` syntax +```xml doc @@ -2305,7 +2305,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s is the same as specifying the following code below the <rules> element: -``` syntax +```xml @@ -2418,7 +2418,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Video @@ -2501,7 +2501,7 @@ The following functions return a Boolean value. You can use them to migrate cert For example: - ``` syntax + ```xml %CSIDL_COMMON_VIDEO%\* [*] @@ -2517,7 +2517,7 @@ The following functions return a Boolean value. You can use them to migrate cert In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer: - ``` syntax + ```xml HKCU\Control Panel\International [Locale] @@ -2634,7 +2634,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -2695,7 +2695,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip] @@ -2740,7 +2740,7 @@ The following functions change the location of objects as they are migrated when ~~~ For example: -``` syntax +```xml HKCU\Keyboard Layout\Toggle [] @@ -2817,7 +2817,7 @@ For example: ~~~ For example: -``` syntax +```xml %CSIDL_COMMON_FAVORITES%\* [*] @@ -2923,7 +2923,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml @@ -2948,7 +2948,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ```xml HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures] @@ -3037,7 +3037,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion] @@ -3097,7 +3097,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml ``` @@ -3138,7 +3138,7 @@ This filter helper function can be used to filter the migration of files based o -``` syntax +```xml File_size @@ -3194,7 +3194,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -3230,7 +3230,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Music @@ -3273,7 +3273,7 @@ This is an internal USMT element. Do not use this element. You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: -``` syntax +```xml C:\Folder\* [Sample.doc] ``` @@ -3336,13 +3336,13 @@ For example: - To migrate a single registry key: - ``` syntax + ```xml HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] ``` - To migrate the EngineeringDrafts folder and any subfolders from the C: drive: - ``` syntax + ```xml C:\EngineeringDrafts\* [*] ``` @@ -3352,13 +3352,13 @@ For example: - To migrate the Sample.doc file from C:\\EngineeringDrafts: - ``` syntax + ```xml C:\EngineeringDrafts\ [Sample.doc] ``` - To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. - ``` syntax + ```xml C:\* [Sample.doc] ``` @@ -3484,7 +3484,7 @@ Syntax: The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: -``` syntax +```xml Start Menu @@ -3571,7 +3571,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Music @@ -3679,7 +3679,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. -``` syntax +```xml ``` @@ -3744,7 +3744,7 @@ These functions return either a string or a pattern. ~~~ For example: -``` syntax +```xml @@ -3849,7 +3849,7 @@ If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called whil The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. -``` syntax +```xml @@ -3915,7 +3915,7 @@ This helper function invokes the document finder to scan the system for all file -``` syntax +```xml MigDocUser @@ -3942,7 +3942,7 @@ The following scripts have no return value. You can use the following errors wit - **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: - ``` syntax + ```xml @@ -3952,7 +3952,7 @@ The following scripts have no return value. You can use the following errors wit - **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: - ``` syntax + ```xml @@ -3960,7 +3960,7 @@ The following scripts have no return value. You can use the following errors wit - **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: - ``` syntax + ```xml @@ -3970,7 +3970,7 @@ The following scripts have no return value. You can use the following errors wit - **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: - ``` syntax + ```xml @@ -4020,7 +4020,7 @@ Syntax: For example: -``` syntax +```xml %CSIDL_COMMON_APPDATA%\QuickTime @@ -4045,7 +4045,7 @@ Syntax: The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). -``` syntax +```xml Test @@ -4116,7 +4116,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml HKLM\Software @@ -4168,7 +4168,7 @@ Syntax: For example: -``` syntax +```xml 4.* ``` diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 8baca0f103..89576c00a4 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -20,20 +20,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` syntax + ```xml ``` - **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` syntax + ```xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: - ``` syntax + ```xml My Application ``` diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 034bbfc2c8..cc4e0d99a9 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -36,7 +36,7 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” ``` - Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ``` syntax + ```powershell Import-Module .\VAMT.psd1 ``` Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index dfab99ad78..31a483c26e 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -43,7 +43,7 @@ Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` @@ -132,7 +132,7 @@ Figure 6. The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -``` syntax +```powershell Get-VamtProduct ``` diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index c67ea0ab51..870cc58a84 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -143,7 +143,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 2e1a83d9b7..582af34a67 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -96,7 +96,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -112,7 +112,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -121,7 +121,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -172,7 +172,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -363,7 +363,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 0b6d13f777..dae9193c68 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -25,7 +25,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -216,7 +216,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 8029b9b1b9..acd70ac9ea 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -206,7 +206,7 @@ This command returns the volumes on the target, current encryption status and vo For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -237,7 +237,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` @@ -382,13 +382,13 @@ Occasionally, all protectors may not be shown when using Get-BitLockerVo If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` > **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. @@ -398,19 +398,19 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. To enable BitLocker with just the TPM protector. This can be done using the command: -``` syntax +```powershell Enable-BitLocker C: ``` The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` ### Data volume Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -423,12 +423,12 @@ The ADAccountOrGroup protector is an Active Directory SID-based protector. This To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` > **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. @@ -437,7 +437,7 @@ get-aduser -filter {samaccountname -eq "administrator"} In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` > **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. @@ -469,7 +469,7 @@ Administrators who prefer a command line interface can utilize manage-bde to che To check the status of a volume using manage-bde, use the following command: -``` syntax +```powershell manage-bde -status ``` > **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. @@ -480,7 +480,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: -``` syntax +```powershell Get-BitLockerVolume -Verbose | fl ``` This command will display information about the encryption method, volume type, key protectors, etc. @@ -506,12 +506,12 @@ Once decryption is complete, the drive will update its status in the control pan Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: -``` syntax +```powershell manage-bde -off C: ``` This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: -``` syntax +```powershell manage-bde -status C: ``` ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets @@ -520,12 +520,12 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: -``` syntax +```powershell Disable-BitLocker ``` If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: -``` syntax +```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 70ba14d6a6..f8d1a6e1f9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -52,14 +52,14 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. -``` syntax +```powershell Install-WindowsFeature BitLocker -WhatIf ``` The results of this command show that only the BitLocker Drive Encryption feature installs using this command. To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` @@ -75,7 +75,7 @@ The result of this command displays the following list of all the administration The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` @@ -85,7 +85,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. -``` syntax +```powershell Get-WindowsOptionalFeature -Online | ft ``` @@ -93,13 +93,13 @@ From this output, we can see that there are three BitLocker related optional fea To install BitLocker using the `dism` module, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` ## More information diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 6545ca0992..49b3e4f60f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -313,7 +313,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Verify the clients were rebooted after applying the policy. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - ``` syntax + ```powershell manage-bde –protectors –get C: ``` >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index f21beec5e9..bde16da8e3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -278,26 +278,25 @@ You can reset the recovery password in two ways: 1. Remove the previous recovery password - ``` syntax + ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` 2. Add the new recovery password - ``` syntax + ```powershell Manage-bde –protectors –add C: -RecoveryPassword - ``` 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. - ``` syntax + ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword - ``` + 4. Backup the new recovery password to AD DS - ``` syntax + ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` >**Warning:**  You must include the braces in the ID string. @@ -315,7 +314,7 @@ You can reset the recovery password in two ways: You can use the following sample script to create a VBScript file to reset the recovery passwords. -``` syntax +```vb ' Target drive letter strDriveLetter = "c:" ' Target computer name @@ -404,7 +403,7 @@ The following sample script exports all previously-saved key packages from AD D You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- @@ -551,7 +550,7 @@ The following sample script exports a new key package from an unlocked, encrypte **cscript GetBitLockerKeyPackage.vbs -?** -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 30fea18843..20ab73acfb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -46,7 +46,7 @@ Listed below are examples of basic valid commands for operating system volumes. A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: -``` syntax +```powershell manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: @@ -55,7 +55,7 @@ This command returns the volumes on the target, current encryption status, encry The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -64,7 +64,7 @@ manage-bde -on C: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: -``` syntax +```powershell manage-bde -protectors -add C: -pw -sid ``` @@ -72,13 +72,13 @@ This command will require you to enter and then confirm the password protector b On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: -``` syntax +```powershell manage-bde -on C: ``` This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: -``` syntax +```powershell manage-bde -protectors -get ``` ### Using manage-bde with data volumes @@ -87,7 +87,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` @@ -257,7 +257,7 @@ If you want to remove the existing protectors prior to provisioning BitLocker on A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` @@ -266,7 +266,7 @@ Using this, you can display the information in the $keyprotectors variable to de Using this information, you can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` @@ -278,13 +278,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the ma The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: -``` syntax +```powershell Enable-BitLocker C: - ``` + In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` @@ -293,7 +293,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -306,7 +306,7 @@ The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2 To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` @@ -314,7 +314,7 @@ For users who wish to use the SID for the account or group, the first step is to >**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` @@ -322,7 +322,7 @@ get-aduser -filter {samaccountname -eq "administrator"} The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index e19f192e4c..01c9fe213f 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -66,13 +66,13 @@ BitLocker encryption is available for disks before or after addition to a cluste 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster - ``` + 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` @@ -88,32 +88,32 @@ When the cluster service owns a disk resource already, it needs to be set into m 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" ``` 3. Put the physical disk resource into maintenance mode using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` 4. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster ``` 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. 6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` @@ -146,7 +146,7 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. -``` syntax +```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 44a4ae63d3..300f56c569 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate: ## Appendix E – Annotated baseline subscription event query -``` syntax +```xml @@ -578,8 +578,7 @@ Here are the minimum steps for WEF to operate: ## Appendix F – Annotated Suspect Subscription Event Query -``` syntax - +```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 7ee34ff838..575ad0d393 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -41,6 +41,6 @@ You can also manually merge AppLocker policies. For the procedure to do this, se Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. -``` syntax +```powershell C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge ``` diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 9c6966b525..5ded02bd51 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -80,7 +80,7 @@ This script does the following: Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell # Create a Security Group for the computers that will get the policy $pathname = (Get-ADDomain).distinguishedname New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` @@ -120,7 +120,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell #Set up the certificate $certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" $myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop @@ -173,7 +173,7 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: 6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: - ``` syntax + ```xml ERROR_IPSEC_IKE_NO_CERT 32 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 79ee3e58bd..4daaa5d367 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -67,7 +67,7 @@ netsh advfirewall set allprofiles state on **Windows PowerShell** -``` syntax +```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` @@ -88,7 +88,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile Windows PowerShell -``` syntax +```powershell Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` @@ -140,7 +140,7 @@ netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow ``` @@ -157,7 +157,7 @@ netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name ``` @@ -169,7 +169,7 @@ The following performs the same actions as the previous example (by adding a Tel Windows PowerShell -``` syntax +```powershell $gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo Save-NetGPO –GPOSession $gpo @@ -191,7 +191,7 @@ netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 ``` @@ -205,7 +205,7 @@ In the following example, we assume the query returns a single firewall rule, wh Windows PowerShell -``` syntax +```powershell Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 ``` @@ -213,7 +213,7 @@ You can also query for rules using the wildcard character. The following example Windows PowerShell -``` syntax +```powershell Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule ``` @@ -223,7 +223,7 @@ In the following example, we add both inbound and outbound Telnet firewall rules Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” ``` @@ -232,7 +232,7 @@ If the group is not specified at rule creation time, the rule can be added to th Windows PowerShell -``` syntax +```powershell $rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” $rule.Group = “Telnet Management” $rule | Set-NetFirewallRule @@ -250,7 +250,7 @@ netsh advfirewall firewall set rule group="Windows Defender Firewall remote mana Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` @@ -258,7 +258,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g Windows PowerShell -``` syntax +```powershell Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose ``` @@ -276,7 +276,7 @@ netsh advfirewall firewall delete rule name=“Allow Web 80” Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Allow Web 80” ``` @@ -284,7 +284,7 @@ Like with other cmdlets, you can also query for rules to be removed. Here, all b Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –Action Block ``` @@ -292,7 +292,7 @@ Note that it may be safer to query the rules with the **Get** command and save i Windows PowerShell -``` syntax +```powershell $x = Get-NetFirewallRule –Action Block $x $x[0-3] | Remove-NetFirewallRule @@ -306,7 +306,7 @@ The following example returns all firewall rules of the persistent store on a de Windows PowerShell -``` syntax +```powershell Get-NetFirewallRule –CimSession RemoteDevice ``` @@ -314,7 +314,7 @@ We can perform any modifications or view rules on remote devices by simply usin Windows PowerShell -``` syntax +```powershell $RemoteSession = New-CimSession –ComputerName RemoteDevice Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm ``` @@ -342,7 +342,7 @@ netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name ``` @@ -365,7 +365,7 @@ netsh advfirewall consec add rule name="Require Outbound Authentication" endpoin Windows PowerShell -``` syntax +```powershell $AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name @@ -379,7 +379,7 @@ You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway ``` @@ -395,7 +395,7 @@ Copying individual rules is a task that is not possible through the Netsh interf Windows PowerShell -``` syntax +```powershell $Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” $Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name $Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name @@ -407,7 +407,7 @@ To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAc Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue ``` @@ -415,7 +415,7 @@ Note that the use of wildcards can also suppress errors, but they could potentia Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” ``` @@ -423,7 +423,7 @@ When using wildcards, if you want to double-check the set of rules that is match Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf ``` @@ -431,7 +431,7 @@ If you only want to delete some of the matched rules, you can use the *–Confir Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm ``` @@ -439,7 +439,7 @@ You can also just perform the whole operation, displaying the name of each rule Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose ``` @@ -457,7 +457,7 @@ netsh advfirewall consec show rule name=all Windows PowerShell -``` syntax +```powershell Show-NetIPsecRule –PolicyStore ActiveStore ``` @@ -473,7 +473,7 @@ netsh advfirewall monitor show mmsa all Windows PowerShell -``` syntax +```powershell Get-NetIPsecMainModeSA ``` @@ -485,7 +485,7 @@ For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is sp Windows PowerShell -``` syntax +```powershell Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore ``` @@ -506,7 +506,7 @@ netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profi Windows PowerShell -``` syntax +```powershell $kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation @@ -524,7 +524,7 @@ netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0. Windows PowerShell -``` syntax +```powershell $QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name @@ -548,7 +548,7 @@ netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in pro Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow ``` @@ -562,7 +562,7 @@ netsh advfirewall consec add rule name="Authenticate Both Computer and User" end Windows PowerShell -``` syntax +```powershell $mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM $P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop @@ -593,7 +593,7 @@ The following example shows you how to create an SDDL string that represents sec Windows PowerShell -``` syntax +```powershell $user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) $SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value $secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" @@ -603,7 +603,7 @@ By using the previous scriptlet, you can also get the SDDL string for a secure c Windows PowerShell -``` syntax +```powershell $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" ``` @@ -622,7 +622,7 @@ netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Gr Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation ``` @@ -634,7 +634,7 @@ In this example, we set the global IPsec setting to only allow transport mode tr Windows PowerShell -``` syntax +```powershell Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup ``` @@ -653,7 +653,7 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec Windows PowerShell -``` syntax +```powershell New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation ```