From 1f6af493121b8e4132737c5c8a4506d0bab6e8f8 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Mon, 3 Oct 2022 15:16:23 -0700 Subject: [PATCH 01/15] Update configure-md-app-guard.md fixed a minor glitch --- .../configure-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 382528bfa0..ce6c3c7ddf 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -60,7 +60,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| |Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher

Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| From 675c0e151f3a3a9442267df27eec4db855594468 Mon Sep 17 00:00:00 2001 From: Rafal Sosnowski <51166236+rafals2@users.noreply.github.com> Date: Tue, 4 Oct 2022 10:05:57 -0700 Subject: [PATCH 02/15] Update bitlocker-countermeasures.md added info about the rogue OS attack --- .../bitlocker/bitlocker-countermeasures.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 4f129193e8..b4a4825f7b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -155,6 +155,12 @@ It also blocks automatic or manual attempts to move the paging file. Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. +### Tricking BitLocker to pass the key to a rogue Operating system + +An attacker can modify the boot manager (BootMgr) configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue OS on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, Microsoft doesn’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. + +Also, an attacker can replace the entire OS disk while preserving the platform hardware and firmware and then could extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0 and to successfully unseal the blob, PCR 11 in the TPM must have value of 0. However, when boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the Bitlocker key. + ## Attacker countermeasures The following sections cover mitigations for different types of attackers. From 1a0db1f8677550c317734e3d1000d8fa23bbe2c0 Mon Sep 17 00:00:00 2001 
From: Chad Simmons Date: Mon, 10 Oct 2022 11:29:10 -0500 Subject: [PATCH 03/15] spelling issue: Azure AD integration with MDM fixed spelling issue since Old English "thee" isn't really used anymore. :) --- .../mdm/azure-active-directory-integration-with-mdm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 467e007dd7..a7d44b2534 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -204,7 +204,7 @@ The following table shows the required information to create an entry in the Azu There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant. -However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. +However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. ## Themes From 7901eeb850ae82a6fbecf31a02a14fc5df1f4898 Mon Sep 17 00:00:00 2001 From: Chad Simmons Date: Tue, 11 Oct 2022 11:16:51 -0500 Subject: [PATCH 04/15] Update windows/client-management/mdm/azure-active-directory-integration-with-mdm.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/azure-active-directory-integration-with-mdm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index a7d44b2534..209999ccfd 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -202,7 +202,7 @@ The following table shows the required information to create an entry in the Azu ### Add on-premises MDM to the app gallery -There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant. +There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. From af828fcd3fc8b408dbcb428964cc0c994309996f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 17 Nov 2022 10:00:15 -0500 Subject: [PATCH 05/15] modified: education/docfx.json modified: windows/security/docfx.json --- education/docfx.json | 3 --- windows/security/docfx.json | 20 ++++++++++++++++++-- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/education/docfx.json b/education/docfx.json index df077d1783..484c0f38c5 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -63,9 +63,6 @@ ] }, "fileMetadata": { - "ms.localizationpriority": { - "windows/tutorial-school-deployment/**/**.md": "medium" - }, "ms.topic": { "windows/tutorial-school-deployment/**/**.md": "tutorial" } diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 84eb2da0af..77dc68a304 100644 --- a/windows/security/docfx.json 
+++ b/windows/security/docfx.json @@ -36,8 +36,12 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", + "ms.localizationpriority": "medium", "ms.topic": "article", - "manager": "dansimp", + "ms.collection": "M365-identity-device-management", + "ms.prod": "windows-client", + "ms.technology": "itpro-security", + "manager": "aaroncz", "audience": "ITPro", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", @@ -56,14 +60,26 @@ "claydetels19", "jborsecnik", "tiburd", + "AngelaMotherofDragons", + "dstrome", + "v-dihans", "garycentric" ], - "searchScope": ["Windows 10"] + "searchScope": ["Windows"] }, "fileMetadata": { "titleSuffix":{ "threat-protection/**/*.md": "Windows security" } + "author":{ + "/identity-protection/hello-for-business/**/*.md": "paolomatarazzo" + } + "ms.author":{ + "/identity-protection/hello-for-business/**/*.md": "paoloma" + } + "ms.reviewer":{ + "/identity-protection/hello-for-business/**/*.md": "erikdau" + } }, "template": [], "dest": "security", From a11a28776cff7a181a2e7e9ddc5e520c8429ef1c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 17 Nov 2022 10:07:52 -0500 Subject: [PATCH 06/15] updates --- windows/security/docfx.json | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 77dc68a304..e30800fe0a 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -68,15 +68,12 @@ "searchScope": ["Windows"] }, "fileMetadata": { - "titleSuffix":{ - "threat-protection/**/*.md": "Windows security" - } "author":{ "/identity-protection/hello-for-business/**/*.md": "paolomatarazzo" - } + }, "ms.author":{ "/identity-protection/hello-for-business/**/*.md": "paoloma" - } + }, "ms.reviewer":{ "/identity-protection/hello-for-business/**/*.md": "erikdau" } 
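Review bot: In PATCH 05/15, the "fileMetadata" hunk of windows/security/docfx.json adds the "author", "ms.author" and "ms.reviewer" objects after the existing "titleSuffix" object with no commas between them, so the file is not valid JSON at that commit. PATCH 06/15 adds the two missing commas and removes the "titleSuffix" entry, which makes the block parse again. Add the commas in 05, or squash 06 into it, so that every commit in the series leaves a parseable docfx.json.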
From cf74c4bcf71030de1c3401be24073937125a61d0 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 17 Nov 2022 11:12:02 -0800 Subject: [PATCH 07/15] Apply suggestions from code review Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-countermeasures.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index b4a4825f7b..039978c46a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -155,11 +155,11 @@ It also blocks automatic or manual attempts to move the paging file. Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. -### Tricking BitLocker to pass the key to a rogue Operating system +### Tricking BitLocker to pass the key to a rogue operating system -An attacker can modify the boot manager (BootMgr) configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue OS on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, Microsoft doesn’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. +An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. -Also, an attacker can replace the entire OS disk while preserving the platform hardware and firmware and then could extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. 
This will not succeeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0 and to successfully unseal the blob, PCR 11 in the TPM must have value of 0. However, when boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the Bitlocker key. +An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the Bitlocker key. ## Attacker countermeasures From b0273ae8a6e96341887a7ca0a79f85c976d7ab51 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 17 Nov 2022 13:27:15 -0600 Subject: [PATCH 08/15] Update windows/security/information-protection/bitlocker/bitlocker-countermeasures.md --- .../bitlocker/bitlocker-countermeasures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 813daa0b78..03c95bbdde 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -159,7 +159,7 @@ For customers requiring protection against these advanced attacks, configure a T An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. -An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the Bitlocker key. +An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. 
This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key. ## Attacker countermeasures From 06f7e227447e1e9efa0b3276efae3ebe2e68a3ff Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 17 Nov 2022 16:10:25 -0500 Subject: [PATCH 09/15] updates based on feedback --- windows/security/docfx.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index e30800fe0a..bc4553d9c3 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -37,12 +37,9 @@ "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.localizationpriority": "medium", - "ms.topic": "article", - "ms.collection": "M365-identity-device-management", "ms.prod": "windows-client", "ms.technology": "itpro-security", "manager": "aaroncz", - "audience": "ITPro", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", @@ -65,7 +62,7 @@ "v-dihans", "garycentric" ], - "searchScope": ["Windows"] + "searchScope": ["Windows 10"] }, "fileMetadata": { "author":{ From 7fb73bd6ac1032253091bc22aa835655682d90bd Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 17 Nov 2022 16:17:02 -0500 Subject: [PATCH 10/15] removed title suffix --- windows/security/docfx.json | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index bc4553d9c3..e440797194 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -49,7 +49,6 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", From 63b9656f5c8a6516f39b56fa1125c80226c2d749 Mon Sep 17 00:00:00 2001 From: computeronix <19168174+computeronix@users.noreply.github.com> Date: Thu, 17 Nov 2022 16:30:56 -0500 Subject: [PATCH 11/15] Update kiosk-policies.md fixed typo - drives not drivers --- windows/configuration/kiosk-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index dec9776934..32f8c08e76 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md 
@@ -56,7 +56,7 @@ Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled Remove All Programs list from the Start Menu | Enabled – Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers +Prevent access to drives from My Computer | Enabled - Restrict all drives >[!NOTE] >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. From 2a88a9ae7ef6e65d1f8ee946245fdbac18ab4440 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 17 Nov 2022 18:11:50 -0500 Subject: [PATCH 12/15] USMT code blocks standardization --- ...rted-with-the-user-state-migration-tool.md | 6 ++--- .../usmt/migrate-application-settings.md | 2 +- .../usmt/offline-migration-reference.md | 4 ++-- .../usmt/understanding-migration-xml-files.md | 24 +++++++++---------- .../deployment/usmt/usmt-best-practices.md | 2 +- windows/deployment/usmt/usmt-common-issues.md | 10 ++++---- .../deployment/usmt/usmt-configxml-file.md | 4 ++-- .../usmt/usmt-conflicts-and-precedence.md | 8 +++---- .../usmt/usmt-custom-xml-examples.md | 6 ++--- .../usmt-estimate-migration-store-size.md | 6 ++--- .../usmt/usmt-exclude-files-and-settings.md | 20 ++++++++-------- ...files-from-a-compressed-migration-store.md | 10 ++++---- .../usmt/usmt-general-conventions.md | 4 ++-- .../usmt/usmt-hard-link-migration-store.md | 4 ++-- .../usmt/usmt-include-files-and-settings.md | 18 +++++++------- windows/deployment/usmt/usmt-log-files.md | 8 +++---- ...usmt-migrate-efs-files-and-certificates.md | 2 +- .../usmt/usmt-migrate-user-accounts.md | 14 +++++------ .../usmt/usmt-reroute-files-and-settings.md | 6 ++--- .../deployment/usmt/usmt-scanstate-syntax.md | 2 +- ...ndition-of-a-compressed-migration-store.md | 8 +++---- .../deployment/usmt/xml-file-requirements.md | 6 ++--- 22 files changed, 87 insertions(+), 87 deletions(-) diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index a5d392e636..d9550203d8 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md 
@@ -34,7 +34,7 @@ This article outlines the general process that you should follow to migrate file 6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: - ``` syntax + ```cmd ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log ``` @@ -51,7 +51,7 @@ This article outlines the general process that you should follow to migrate file 3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example, - ``` syntax + ```cmd ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log ``` @@ -78,7 +78,7 @@ This article outlines the general process that you should follow to migrate file For example, the following command migrates the files and settings: - ``` syntax + ```cmd LoadState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log ``` diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 4b4868af71..677f59ca0c 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md 
@@ -131,7 +131,7 @@ On a test computer, install the operating system that will be installed on the d To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter: -``` syntax +```cmd /ue:*\* /ui:user1 ``` diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index fb362c9ab3..390cc4ad37 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -61,7 +61,7 @@ The following table defines the supported combination of online and offline oper User-group membership isn't preserved during offline migrations. You must configure a **<ProfileControl>** section in the `Config.xml` file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: -``` xml +```xml @@ -146,7 +146,7 @@ Syntax: `0` The following XML example illustrates some of the elements discussed earlier in this article. -``` xml +```xml C:\Windows diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index bbfd70227a..8862f18acc 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -164,7 +164,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t For example, you can use all of the XML migration file types for a single migration, as in the following example: -``` syntax +```cmd ScanState.exe /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml ``` 
@@ -194,14 +194,14 @@ To generate the XML migration rules file for a source computer: 4. At the command prompt, enter: - ``` syntax + ```cmd cd /d ScanState.exe /genmigxml: ``` Where *<USMTpath>* is the location on your source computer where you've saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, enter: - ``` syntax + ```cmd cd /d c:\USMT ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" ``` @@ -230,13 +230,13 @@ The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes thr **Usage:** -``` syntax +```cmd MigXmlHelper.GenerateDocPatterns ("", "", "") ``` To create include data patterns for only the system drive: -``` xml +```xml @@ -246,7 +246,7 @@ To create include data patterns for only the system drive: To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory: -``` xml +```xml @@ -256,7 +256,7 @@ To create an include rule to gather files for registered extensions from the %PR To create exclude data patterns: -``` xml +```xml @@ -339,7 +339,7 @@ To exclude the new text document.txt file and any .txt files in "new folder", yo To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension. -``` xml +```xml D:\Newfolder\[new text document.txt] 
@@ -352,7 +352,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f If you don't know the file name or location of the file, but you do know the file name extension, you can use the `GenerateDrivePatterns` function. However, the rule will be less specific than the default include rule generated by the `MigDocs.xml` file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -``` xml +```xml @@ -364,7 +364,7 @@ If you don't know the file name or location of the file, but you do know the fil If you want the **<UnconditionalExclude>** element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. -``` xml +```xml MigDocExcludes @@ -389,7 +389,7 @@ The application data directory is the most common location that you would need t This rule will include .pst files that are located in the default location, but aren't linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. -``` xml +```xml %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] @@ -401,7 +401,7 @@ This rule will include .pst files that are located in the default location, but For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component. -``` xml +```xml %CSIDL_PROGRAM_FILES%\*[*.pst] diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index e1f6f61c40..cebdc6bf49 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md 
@@ -91,7 +91,7 @@ As the authorized administrator, it is your responsibility to protect the privac Although it isn't a requirement, it's good practice for **<CustomFileName>** to match the name of the file. For example, the following example is from the `MigApp.xml` file: - ``` xml + ```xml ``` diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 6262d58456..e5164ba2e5 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -107,7 +107,7 @@ To remove encryption from files that have already been migrated incorrectly, you **Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example, -``` syntax +```cmd LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore /progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1 ``` @@ -138,7 +138,7 @@ The following sections describe common XML file problems. Expand the section to **Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command: -``` syntax +```cmd ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log ``` @@ -248,7 +248,7 @@ The following sections describe common offline migration problems. Expand the se **Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example: -``` syntax +```cmd ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021* ``` @@ -262,7 +262,7 @@ You can also use patterns for SIDs that identify generic users or groups. For ex **Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter: -``` syntax +```cmd reg.exe unload hklm\$dest$software ``` 
@@ -282,7 +282,7 @@ The following sections describe common hard-link migration problems. Expand the **Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter: -``` syntax +```cmd UsmtUtils.exe /rd ``` diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 4d4f72d27c..96846a8e88 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -50,7 +50,7 @@ The following example specifies that all locked files, regardless of their locat Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed. -``` xml +```xml * [*] @@ -152,7 +152,7 @@ The **<HardLinkStoreControl>** sample code below specifies that hard links > [!IMPORTANT] > The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file's location. -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index d6433d0ca6..e12ed6ff62 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -37,7 +37,7 @@ If you have an **<include>** rule in one component and a **<locationMod The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the **<exclude>** rule is specified in a separate component. -``` xml +```xml User Documents 
@@ -71,7 +71,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. -``` xml +```xml %CSIDL_PERSONAL%\* [*.doc] @@ -103,7 +103,7 @@ If there are conflicting rules within a component, the most specific rule is app In the following example, mp3 files won't be excluded from the migration. The mp3 files won't be excluded because directory names take precedence over the file extensions. -``` xml +```xml C:\Data\* [*] @@ -181,7 +181,7 @@ The destination computer contains the following files: You have a custom .xml file that contains the following code: -``` xml +```xml c:\data\* [*] diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 40514b888a..88db104333 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -22,7 +22,7 @@ The following template is a template for the sections that you need to migrate y

Expand to show Example 1 application template: -``` xml +```xml @@ -161,7 +161,7 @@ The sample patterns describe the behavior in the following example .xml file.
Expand to show Example 3 XML file: -``` xml +```xml File Migration Test @@ -203,7 +203,7 @@ The behavior for this custom .xml file is described within the `` t
Expand to show Example 4 XML file: -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 45c30d631c..2e1ddfc773 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -47,7 +47,7 @@ To run the ScanState tool on the source computer with USMT installed: 2. Navigate to the USMT tools. For example, enter: - ``` syntax + ```cmd cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" ``` @@ -55,13 +55,13 @@ To run the ScanState tool on the source computer with USMT installed: 3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter: - ``` syntax + ```cmd ScanState.exe /p: ``` Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example: - ``` syntax + ```cmd ScanState.exe c:\store /p:c:\spaceRequirements.xml ``` diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 3821597500..0956d47d63 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -50,7 +50,7 @@ The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contai The following .xml file migrates all files located on the C: drive, except any .mp3 files. -``` xml +```xml @@ -77,7 +77,7 @@ The following .xml file migrates all files located on the C: drive, except any . The following .xml file migrates all files and subfolders in `C:\Data`, except the files and subfolders in `C:\Data\tmp`. -``` xml +```xml Test component 
@@ -103,7 +103,7 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files that are in `C:\EngineeringDrafts`. -``` xml +```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -129,7 +129,7 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but The following .xml file migrates all files and subfolders in `C:\EngineeringDrafts`, except for the `Sample.doc` file in `C:\EngineeringDrafts`. -``` xml +```xml Component to migrate all Engineering Drafts Documents except Sample.doc @@ -155,13 +155,13 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. -``` xml +```xml C:\* [Sample.doc] ``` To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files will be excluded. -``` xml +```xml ``` @@ -173,7 +173,7 @@ Here are some examples of how to use XML to exclude files, folders, and registry The following .xml file excludes all `.mp3` files from the migration: -``` xml +```xml Test @@ -194,7 +194,7 @@ The following .xml file excludes all `.mp3` files from the migration: The following .xml file excludes only the files located on the C: drive. -``` xml +```xml Test @@ -215,7 +215,7 @@ The following .xml file excludes only the files located on the C: drive. The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registry key and all of its subkeys. -``` xml +```xml 
@@ -242,7 +242,7 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element. -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 20b48b006b..f1a46e9c78 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -29,7 +29,7 @@ In addition, you can specify the file patterns that you want to extract by using To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax: -``` syntax +```cmd UsmtUtils.exe /extract [/i:] [/e:] [/l:] [/decrypt[:] {/key: | /keyfile:}] [/o] ``` @@ -57,7 +57,7 @@ Where the placeholders have the following values: To extract everything from a compressed migration store to a file on the `C:\` drive, enter: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore ``` @@ -65,7 +65,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt ``` 
@@ -75,7 +75,7 @@ In this example, the file is encrypted and the encryption key is located in a te To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt ``` @@ -83,7 +83,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedS To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: -``` syntax +```cmd UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o ``` diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index ffa159f0c3..98148b856d 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -55,13 +55,13 @@ You can use the XML helper functions in the [XML elements library](usmt-xml-elem As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - ``` syntax + ```cmd SomeFunction("My String argument",NULL,NULL) ``` is equivalent to: - ``` syntax + ```cmd SomeFunction("My String argument") ``` diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 2c3791c771..b4790b2a5a 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md 
@@ -92,7 +92,7 @@ It isn't necessary to estimate the size of a hard-link migration store since har Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example: - ``` syntax + ```cmd ScanState.exe /hardlink c:\USMTMIG […] ``` @@ -144,7 +144,7 @@ A new section in the `Config.xml` file allows optional configuration of some of The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the ``** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` xml +```xml diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 52126c877e..7249c768be 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -19,7 +19,7 @@ When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 The following .xml file migrates a single registry key. -``` xml +```xml Component to migrate only registry value string @@ -44,7 +44,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from `C:\EngineeringDrafts` to the destination computer. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents including subfolders 
@@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from `C:\EngineeringDrafts`, but it doesn't migrate any subfolders within `C:\EngineeringDrafts`. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -84,7 +84,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` xml +```xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -104,7 +104,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any location on the `C:\` drive. If multiple folders exist with the same name, they're all migrated. -``` xml +```xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -126,7 +126,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra The following .xml file migrates `.mp3` files located in the specified drives on the source computer into the `C:\Music` folder on the destination computer. -``` xml +```xml All .mp3 files to My Documents @@ -155,7 +155,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the `Sample.doc` file from `C:\EngineeringDrafts` on the source computer to the destination computer. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents 
@@ -174,13 +174,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the `Sample.doc` file from any location on the `C:\` drive, use the **<pattern>** element, as the following example shows. If multiple files exist with the same name on the `C:\` drive, all of files with this name are migrated. - ``` xml + ```xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` xml + ```xml ``` diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index e15edd680e..06ccc91749 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -104,7 +104,7 @@ The following examples describe common scenarios in which you can use the diagno Let's imagine that we have the following directory structure and that we want the **data** directory to be included in the migration along with the **New Text Document.txt** file in the **New Folder**. The directory of `C:\data` contains: -``` console +```console 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM New Folder @@ -115,7 +115,7 @@ Let's imagine that we have the following directory structure and that we want th The directory of `C:\data\New Folder` contains: -``` console +```console 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt @@ -198,7 +198,7 @@ This diagnostic log confirms that the modified **<pattern>** value enables In this scenario, you have the following directory structure and you want all files in the **Data** directory to migrate, except for text files. The `C:\Data` folder contains: -``` console +```console Directory of C:\Data 01/21/2009 10:08 PM . 
@@ -211,7 +211,7 @@ Directory of C:\Data The `C:\Data\New Folder\` contains: -``` console +```console 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index f7f5a3ff7f..7b8526be55 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -34,7 +34,7 @@ Before using the **ScanState** tool for a migration that includes encrypted file You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter: -``` syntax +```cmd cipher.exe /D /S: ``` diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 8c124420e9..b0b1ba2611 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -23,7 +23,7 @@ Links to detailed explanations of commands are available in the [Related article 2. Enter the following `ScanState.exe` command line in a command prompt window: - ``` syntax + ```cmd ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o ```` @@ -33,13 +33,13 @@ Links to detailed explanations of commands are available in the [Related article - If you're migrating domain accounts, enter: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml ``` - If you're migrating local accounts along with domain accounts, enter: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae ``` 
@@ -54,7 +54,7 @@ Links to detailed explanations of commands are available in the [Related article 2. Enter the following `ScanState.exe` command line in a command prompt window: - ``` syntax + ```cmd ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o ``` @@ -62,7 +62,7 @@ Links to detailed explanations of commands are available in the [Related article 4. Enter the following `LoadState.exe ` command line in a command prompt window: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml ``` @@ -74,7 +74,7 @@ Links to detailed explanations of commands are available in the [Related article 2. Enter the following `ScanState.exe` command line in a command prompt window: - ``` syntax + ```cmd ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o ``` @@ -82,7 +82,7 @@ Links to detailed explanations of commands are available in the [Related article 4. Enter the following `LoadState.exe ` command line in a command prompt window: - ``` syntax + ```cmd LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml ``` diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index ba1aa306c6..026a457ea7 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -19,7 +19,7 @@ To reroute files and settings, create a custom .xml file and specify the .xml fi The following custom .xml file migrates the directories and files from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**. -``` xml +```xml Engineering Drafts Documents to Personal Folder 
@@ -47,7 +47,7 @@ The following custom .xml file migrates the directories and files from `C:\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the `C:\Music` folder on the destination computer. -``` xml +```xml All .mp3 files to My Documents @@ -74,7 +74,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the `Sample.doc` file from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**. -``` xml +```xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index a05ce994e0..e8fd16c69f 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -43,7 +43,7 @@ The `ScanState.exe` command's syntax is: For example, to create a `Config.xml` file in the current directory, use: -``` syntax +```cmd ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13 ``` diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 5bb2cf2322..2f004c83ff 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -59,7 +59,7 @@ Where the placeholders have the following values: To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter: -``` syntax +```cmd UsmtUtils.exe /verify D:\MyMigrationStore\store.mig ``` 
@@ -69,7 +69,7 @@ Because no report type is specified, **UsmtUtils** displays the default summary To verify whether the catalog file is corrupted or intact, enter: -``` syntax +```cmd UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig ``` @@ -77,7 +77,7 @@ UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter: -``` syntax +```cmd UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` ``` @@ -87,7 +87,7 @@ In addition to verifying the status of all files, this example decrypts the file In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted. -``` syntax +```cmd UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt ``` diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index e717e950c9..156809cb6d 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md 
@@ -17,20 +17,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` xml + ```xml ``` - **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line won't be processed. The second file won't be processed because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` xml + ```xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the `Config.xml` file defines the components by the display name and the migration URL ID. For example, specify the following syntax: - ``` xml + ```xml My Application ``` From c95c61f592e0763877ad0b25edd1669332704de5 Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Thu, 17 Nov 2022 15:12:59 -0800 Subject: [PATCH 13/15] Update windows-11-se-overview.md Merge conflict on the below app, not released. | Absolute Software Endpoint Agent | 7.21-15655 | Win32 | Absolute Software Corporation| --- education/windows/windows-11-se-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 96a201ab55..f7ea182a40 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -82,7 +82,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Application | Supported version | App Type | Vendor | |-----------------------------------------|-------------------|----------|------------------------------| | 3d builder | 15.2.10821.1070 | Win32 | Microsoft | -| Absolute Software Endpoint Agent | 7.21-15655 | Win32 | Absolute Software Corporation| | AirSecure | 8.0.0 | Win32 | AIR | | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | Brave Browser | 106.0.5249.65 | Win32 | Brave | From d15914e473f68e2a8a98261ed927a114b48ea7f8 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 17 Nov 2022 16:18:01 -0700 Subject: [PATCH 14/15] Update kiosk-policies.md --- windows/configuration/kiosk-policies.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 32f8c08e76..3c18ff8347 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -9,6 +9,9 @@ ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.technology: itpro-configure +appliesto: +- Windows 10 Pro, Enterprise, and Education +- Windows 11 --- # Policies enforced on kiosk devices From 5c1a0a966f736559129063e67becad659dd73dc6 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 17 Nov 2022 16:26:44 -0700 Subject: [PATCH 15/15] Revert "Update kiosk-policies.md" --- windows/configuration/kiosk-policies.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 3c18ff8347..32f8c08e76 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -9,9 +9,6 @@ ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.technology: itpro-configure -appliesto: -- Windows 10 Pro, Enterprise, and Education -- Windows 11 --- # Policies enforced on kiosk devices
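Review bot: the `cmd` tag is wrong for the two blocks that hold helper-function calls rather than command lines: `SomeFunction("My String argument",NULL,NULL)` and `SomeFunction("My String argument")` in usmt-general-conventions.md (hunk @@ -55,13 +55,13) and the `MigXmlHelper.GenerateDocPatterns (...)` usage block in understanding-migration-xml-files.md (hunk @@ -230,13 +230,13). These are XML helper function signatures, not Command Prompt input, so they should not be swept up in the `syntax` to `cmd` replacement. Give them a non-shell tag or leave the fence untagged.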
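Review bot: in usmt-common-issues.md, hunk @@ -248,7 +248,7, the SID in the retagged example is written `S1-5-21-124525095-708259637-1543119021*`, without the hyphen after the leading S. SID strings start with `S-1-`, so the pattern as written will not match a real SID when a reader copies it into `/ui`. Fix the example to `S-1-5-21-...` in the same change, since the block is already being edited.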
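Review bot: in usmt-exclude-files-and-settings.md, hunk @@ -103,7 +103,7, the context sentence above the retagged block reads `C:\` followed by a stray backtick and then EngineeringDrafts, which splits the path across two code spans. The same sentence appears again as the header context of hunk @@ -129,7 +129,7. Remove the extra backtick so the path renders as one span, as it does in the neighbouring sentences.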
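Review bot: in usmt-extract-files-from-a-compressed-migration-store.md, hunk @@ -75,7 +75,7, the example that is now highlighted as a runnable `cmd` command passes the store decryption key inline as `/key:password`. A key given as a command-line argument is exposed in process listings and in any command-line auditing on the machine. The preceding example in this file already uses `/keyfile:D:\encryptionKey.txt`; consider switching this example to `/keyfile` as well, or at least replacing the literal with an obvious placeholder.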
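Review bot: in usmt-migrate-user-accounts.md, hunk @@ -23,7 +23,7, the opening fence becomes three backticks plus `cmd`, but the closing fence on the context line after the `ScanState.exe` command is still four backticks. Every other block in this file closes with three. Since this patch is normalizing fences, bring that closing fence down to three backticks so the pair matches.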
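Review bot: in verify-the-condition-of-a-compressed-migration-store.md, hunk @@ -77,7 +77,7, the command inside the retagged block ends with a stray backtick after `/l:D:\UsmtUtilsLog.txt`. Inside a fence it renders literally and gets copied along with the command. Remove it while this block is being touched.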
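Review bot: patches 14/15 and 15/15 cancel each other out. 14/15 adds the `appliesto:` front-matter block to windows/configuration/kiosk-policies.md and 15/15 removes the same three lines, returning the file to index 32f8c08e76. The revert also has an empty commit body, so the history gives no reason for backing the metadata out. Drop both commits from the series before merging, or keep them and state in the revert message why the `appliesto` entries were wrong.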