Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20221117-WHFB-metadata-headers

This commit is contained in:
Paolo Matarazzo
2022-11-18 07:14:40 -05:00
29 changed files with 112 additions and 101 deletions

View File

@ -202,9 +202,9 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
## Themes
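Review bot: the corrected line `The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.` still has a parallelism problem after the `Thee` fix (`to access ...` paired with `for reporting ...`); suggest `The ID and key are used to obtain authorization to access the Microsoft Graph API and to report device compliance.` Because that key is the app's credential in the customer's tenant, the paragraph would also benefit from one sentence saying it must be stored and handled as a secret.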

View File

@ -56,7 +56,7 @@ Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
Prevent access to drives from My Computer | Enabled - Restrict all drives
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
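Review bot: the note under the corrected table row still uses `they cannot open folders`, `they cannot use`, `This setting does not prevent` and `It does not prevent`, while the rest of this PR moves the USMT pages to contractions (`isn't`, `aren't`, `won't`); for consistency these could be contracted in the same pass.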

View File

@ -34,7 +34,7 @@ This article outlines the general process that you should follow to migrate file
6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files:
``` syntax
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
```
@ -51,7 +51,7 @@ This article outlines the general process that you should follow to migrate file
3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example,
``` syntax
```cmd
ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
```
@ -78,7 +78,7 @@ This article outlines the general process that you should follow to migrate file
For example, the following command migrates the files and settings:
``` syntax
```cmd
LoadState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log
```

View File

@ -131,7 +131,7 @@ On a test computer, install the operating system that will be installed on the d
To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter:
``` syntax
```cmd
/ue:*\* /ui:user1
```

View File

@ -61,7 +61,7 @@ The following table defines the supported combination of online and offline oper
User-group membership isn't preserved during offline migrations. You must configure a **<ProfileControl>** section in the `Config.xml` file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
``` xml
```xml
<Configuration>
<ProfileControl>
<localGroups>
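Review bot: the lead-in `You must configure a **<ProfileControl>** section` uses unescaped angle brackets inside bold, unlike the other pages in this PR which write `**&lt;ErrorControl&gt;**`; Markdown treats `<ProfileControl>` as an inline HTML tag, so the element name is likely to vanish from the rendered page. Suggest `**&lt;ProfileControl&gt;**` to match the rest of the docs.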
@ -146,7 +146,7 @@ Syntax: `<failOnMultipleWinDir>0</failOnMultipleWinDir>`
The following XML example illustrates some of the elements discussed earlier in this article.
``` xml
```xml
<offline>
<winDir>
<path>C:\Windows</path>

View File

@ -164,7 +164,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t
For example, you can use all of the XML migration file types for a single migration, as in the following example:
``` syntax
```cmd
ScanState.exe <store> /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml
```
@ -194,14 +194,14 @@ To generate the XML migration rules file for a source computer:
4. At the command prompt, enter:
``` syntax
```cmd
cd /d <USMTpath>
ScanState.exe /genmigxml: <filepath.xml>
```
Where *&lt;USMTpath&gt;* is the location on your source computer where you've saved the USMT files and tools, and *&lt;filepath.xml&gt;* is the full path to a file where you can save the report. For example, enter:
``` syntax
```cmd
cd /d c:\USMT
ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
```
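Review bot: the generic form `ScanState.exe /genmigxml: <filepath.xml>` has a space after the colon, which the worked example below it (`ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"`) does not; the path is part of the option value, so the placeholder should read `/genmigxml:<filepath.xml>` to match the real invocation.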
@ -230,13 +230,13 @@ The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes thr
**Usage:**
``` syntax
```cmd
MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")
```
To create include data patterns for only the system drive:
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("FALSE","TRUE","TRUE")</script>
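Review bot: the `cmd` tag on the usage block `MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")` is misleading; this is the signature of a MigXml helper function that is invoked from a `<script>` element, as the `xml` block right after it shows, not something typed at a command prompt. An untagged fence, or an `xml` fence with the call wrapped in `<script>`, would be more accurate.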
@ -246,7 +246,7 @@ To create include data patterns for only the system drive:
To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory:
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("TRUE","TRUE","FALSE")</script>
@ -256,7 +256,7 @@ To create an include rule to gather files for registered extensions from the %PR
To create exclude data patterns:
``` xml
```xml
<exclude filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("FALSE","FALSE","FALSE")</script>
@ -339,7 +339,7 @@ To exclude the new text document.txt file and any .txt files in "new folder", yo
To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
``` xml
```xml
<exclude>
<objectSet>
<pattern type="File">D:\Newfolder\[new text document.txt]</pattern>
@ -352,7 +352,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f
If you don't know the file name or location of the file, but you do know the file name extension, you can use the `GenerateDrivePatterns` function. However, the rule will be less specific than the default include rule generated by the `MigDocs.xml` file, so it will not have precedence. You must use the &lt;UnconditionalExclude&gt; element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
``` xml
```xml
<unconditionalExclude>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("*[*.txt]", "Fixed")</script>
@ -364,7 +364,7 @@ If you don't know the file name or location of the file, but you do know the fil
If you want the **&lt;UnconditionalExclude&gt;** element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
``` xml
```xml
<component type="Documents" context="UserandSystem">
<displayName>MigDocExcludes</displayName>
<role role="Data">
@ -389,7 +389,7 @@ The application data directory is the most common location that you would need t
This rule will include .pst files that are located in the default location, but aren't linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst]</pattern>
@ -401,7 +401,7 @@ This rule will include .pst files that are located in the default location, but
For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component.
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_PROGRAM_FILES%\*[*.pst]</pattern>

View File

@ -91,7 +91,7 @@ As the authorized administrator, it is your responsibility to protect the privac
Although it isn't a requirement, it's good practice for **&lt;CustomFileName&gt;** to match the name of the file. For example, the following example is from the `MigApp.xml` file:
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
```

View File

@ -107,7 +107,7 @@ To remove encryption from files that have already been migrated incorrectly, you
**Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example,
``` syntax
```cmd
LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore
/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1
```
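Review bot: the `LoadState.exe` example is split across two lines inside a `cmd` fence; pasted as shown, `cmd.exe` would run `/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1` as a separate command and the `/mu` rename the resolution depends on would never be applied. Either join the command onto one line or end the first line with the `^` continuation character.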
@ -138,7 +138,7 @@ The following sections describe common XML file problems. Expand the section to
**Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command:
``` syntax
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log
```
@ -248,7 +248,7 @@ The following sections describe common offline migration problems. Expand the se
**Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example:
``` syntax
```cmd
ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*
```
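Review bot: the SID in `ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*` is malformed; Windows SIDs begin with `S-1-5-21-...` (the `S-` prefix, revision `1`, identifier authority `5`), so the example should read `/ui:S-1-5-21-124525095-708259637-1543119021*`. As written the pattern cannot match a real account SID.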
@ -262,7 +262,7 @@ You can also use patterns for SIDs that identify generic users or groups. For ex
**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter:
``` syntax
```cmd
reg.exe unload hklm\$dest$software
```
@ -282,7 +282,7 @@ The following sections describe common hard-link migration problems. Expand the
**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter:
``` syntax
```cmd
UsmtUtils.exe /rd <storedir>
```

View File

@ -50,7 +50,7 @@ The following example specifies that all locked files, regardless of their locat
Additionally, the order in the **&lt;ErrorControl&gt;** section implies priority. In this example, the first **&lt;nonFatal&gt;** tag takes precedence over the second **&lt;fatal&gt;** tag. This precedence is applied, regardless of how many tags are listed.
``` xml
```xml
<ErrorControl>
<fileError>
<nonFatal errorCode="33">* [*]</nonFatal>
@ -152,7 +152,7 @@ The **&lt;HardLinkStoreControl&gt;** sample code below specifies that hard links
> [!IMPORTANT]
> The **&lt;ErrorControl&gt;** section can be configured to conditionally ignore file access errors, based on the file's location.
``` xml
```xml
<Policy>
<HardLinkStoreControl>
<fileLocked>

View File

@ -37,7 +37,7 @@ If you have an **&lt;include&gt;** rule in one component and a **&lt;locationMod
The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the **&lt;exclude&gt;** rule is specified in a separate component.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/UserDocs">
<component type="Documents" context="System">
<displayName>User Documents</displayName>
@ -71,7 +71,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil
Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
``` xml
```xml
<include>
<objectSet>
<pattern type="File">%CSIDL_PERSONAL%\* [*.doc] </pattern>
@ -103,7 +103,7 @@ If there are conflicting rules within a component, the most specific rule is app
In the following example, mp3 files won't be excluded from the migration. The mp3 files won't be excluded because directory names take precedence over the file extensions.
``` xml
```xml
<include>
<objectSet>
<pattern type="File">C:\Data\* [*]</pattern>
@ -181,7 +181,7 @@ The destination computer contains the following files:
You have a custom .xml file that contains the following code:
``` xml
```xml
<include>
<objectSet>
<pattern type="File">c:\data\* [*]</pattern>

View File

@ -22,7 +22,7 @@ The following template is a template for the sections that you need to migrate y
<details>
<summary>Expand to show <b>Example 1</b> application template:</summary>
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migtestapp">
<component type="Application">
<!-- Name of the application -->
@ -161,7 +161,7 @@ The sample patterns describe the behavior in the following example .xml file.
<details>
<summary>Expand to show <b>Example 3</b> XML file:</summary>
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/testfilemig">
<component type="Application" context="System">
<displayName>File Migration Test</displayName>
@ -203,7 +203,7 @@ The behavior for this custom .xml file is described within the `<displayName>` t
<details>
<summary>Expand to show <b>Example 4</b> XML file:</summary>
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">

View File

@ -47,7 +47,7 @@ To run the ScanState tool on the source computer with USMT installed:
2. Navigate to the USMT tools. For example, enter:
``` syntax
```cmd
cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\<architecture>"
```
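Review bot: the path `C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\<architecture>` points at the Windows 8 ADK, while these pages describe USMT 10.0; the fence change is fine, but the example path is stale and should be updated to the current ADK install tree (`Windows Kits\10\...`) or generalized to a placeholder.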
@ -55,13 +55,13 @@ To run the ScanState tool on the source computer with USMT installed:
3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter:
``` syntax
```cmd
ScanState.exe <StorePath> /p:<path to a file>
```
Where *&lt;StorePath&gt;* is a path to a directory where the migration store will be saved and *&lt;path to a file&gt;* is the path and filename where the XML report for space requirements will be saved. For example:
``` syntax
```cmd
ScanState.exe c:\store /p:c:\spaceRequirements.xml
```

View File

@ -50,7 +50,7 @@ The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contai
The following .xml file migrates all files located on the C: drive, except any .mp3 files.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/mp3files">
<!-- This component migrates all files except those with .mp3 extension-->
<component type="Documents" context="UserAndSystem">
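Review bot: `context="UserAndSystem"` here differs in case from `context="UserandSystem"` used in the `MigDocExcludes` component elsewhere in this PR; whether or not USMT compares the value case-insensitively, the samples should settle on one spelling so readers do not wonder whether the two are different contexts.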
@ -77,7 +77,7 @@ The following .xml file migrates all files located on the C: drive, except any .
The following .xml file migrates all files and subfolders in `C:\Data`, except the files and subfolders in `C:\Data\tmp`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName _locID="miguser.sharedvideo">Test component</displayName>
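Review bot: `<displayName _locID="miguser.sharedvideo">Test component</displayName>` carries a `_locID` attribute copied from the shared-video component of `MigUser.xml`; on a sample named `Test component` it is misleading, and none of the neighbouring samples use it. Suggest `<displayName>Test component</displayName>`.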
@ -103,7 +103,7 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t
The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files that are in `C:\EngineeringDrafts`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
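Review bot: the lead-in `migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files` has a stray backtick inside the path, so it renders as two code spans (`C:\` and `EngineeringDrafts`) instead of one; it should be the single span `C:\EngineeringDrafts` as on the surrounding lines.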
@ -129,7 +129,7 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but
The following .xml file migrates all files and subfolders in `C:\EngineeringDrafts`, except for the `Sample.doc` file in `C:\EngineeringDrafts`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
@ -155,13 +155,13 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf
To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
``` xml
```xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files will be excluded.
``` xml
```xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```
@ -173,7 +173,7 @@ Here are some examples of how to use XML to exclude files, folders, and registry
The following .xml file excludes all `.mp3` files from the migration:
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
<component context="System" type="Documents">
<displayName>Test</displayName>
@ -194,7 +194,7 @@ The following .xml file excludes all `.mp3` files from the migration:
The following .xml file excludes only the files located on the C: drive.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/allfiles">
<component type="Documents" context="System">
<displayName>Test</displayName>
@ -215,7 +215,7 @@ The following .xml file excludes only the files located on the C: drive.
The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registry key and all of its subkeys.
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<component type="Documents" context="User">
@ -242,7 +242,7 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<component type="Documents" context="System">

View File

@ -29,7 +29,7 @@ In addition, you can specify the file patterns that you want to extract by using
To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax:
``` syntax
```cmd
UsmtUtils.exe /extract <filePath> <destinationPath> [/i:<includePattern>] [/e:<excludePattern>] [/l:<logfile>] [/decrypt[:<AlgID>] {/key:<keystring> | /keyfile:<filename>}] [/o]
```
@ -57,7 +57,7 @@ Where the placeholders have the following values:
To extract everything from a compressed migration store to a file on the `C:\` drive, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
```
@ -65,7 +65,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
```
@ -75,7 +75,7 @@ In this example, the file is encrypted and the encryption key is located in a te
To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
```
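Review bot: `/decrypt:AES_128 /key:password` places the store's encryption key on the command line, where it is visible in process listings and shell history; the earlier example already shows the `/keyfile:D:\encryptionKey.txt` form, so it is worth a sentence here recommending `/keyfile` (with the file ACL'd to the operator) over `/key` outside of lab use, and a placeholder other than the literal `password`.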
@ -83,7 +83,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedS
To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
```

View File

@ -55,13 +55,13 @@ You can use the XML helper functions in the [XML elements library](usmt-xml-elem
As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
``` syntax
```cmd
SomeFunction("My String argument",NULL,NULL)
```
is equivalent to:
``` syntax
```cmd
SomeFunction("My String argument")
```
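Review bot: tagging `SomeFunction("My String argument",NULL,NULL)` and `SomeFunction("My String argument")` as `cmd` is misleading; these lines illustrate the call syntax of XML helper functions used inside migration .xml files, not commands run at a prompt. An untagged fence would be more accurate.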

View File

@ -92,7 +92,7 @@ It isn't necessary to estimate the size of a hard-link migration store since har
Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example:
``` syntax
```cmd
ScanState.exe /hardlink c:\USMTMIG […]
```
@ -144,7 +144,7 @@ A new section in the `Config.xml` file allows optional configuration of some of
The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the `<createhardlink>`** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
``` xml
```xml
<Policies>
<HardLinkStoreControl>
<fileLocked>
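Review bot: the root element here is `<Policies>`, while the other hard-link `Config.xml` sample in this PR (the one under `The **&lt;HardLinkStoreControl&gt;** sample code below`) opens with `<Policy>`; only one can match the `Config.xml` schema, so the two samples should be reconciled. In the lead-in, `the `<createhardlink>`** tag` also has a stray `**` after the closing backtick.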

View File

@ -19,7 +19,7 @@ When you specify the migration .xml files, User State Migration Tool (USMT) 10.0
The following .xml file migrates a single registry key.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Application" context="System">
<displayName>Component to migrate only registry value string</displayName>
@ -44,7 +44,7 @@ The following examples show how to migrate a folder from a specific drive, and f
- **Including subfolders.** The following .xml file migrates all files and subfolders from `C:\EngineeringDrafts` to the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents including subfolders</displayName>
@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f
- **Excluding subfolders.** The following .xml file migrates all files from `C:\EngineeringDrafts`, but it doesn't migrate any subfolders within `C:\EngineeringDrafts`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
@ -84,7 +84,7 @@ The following examples show how to migrate a folder from a specific drive, and f
The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents folder on any drive on the computer </displayName>
@ -104,7 +104,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra
The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any location on the `C:\` drive. If multiple folders exist with the same name, they're all migrated.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive </displayName>
@ -126,7 +126,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra
The following .xml file migrates `.mp3` files located in the specified drives on the source computer into the `C:\Music` folder on the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>All .mp3 files to My Documents</displayName>
@ -155,7 +155,7 @@ The following examples show how to migrate a file from a specific folder, and ho
- **To migrate a file from a folder.** The following .xml file migrates only the `Sample.doc` file from `C:\EngineeringDrafts` on the source computer to the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents</displayName>
@ -174,13 +174,13 @@ The following examples show how to migrate a file from a specific folder, and ho
- **To migrate a file from any location.** To migrate the `Sample.doc` file from any location on the `C:\` drive, use the **&lt;pattern&gt;** element, as the following example shows. If multiple files exist with the same name on the `C:\` drive, all of files with this name are migrated.
``` xml
```xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
To migrate the Sample.doc file from any drive on the computer, use &lt;script&gt; as the following example shows. If multiple files exist with the same name, all files with this name are migrated.
``` xml
```xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```

View File

@ -104,7 +104,7 @@ The following examples describe common scenarios in which you can use the diagno
Let's imagine that we have the following directory structure and that we want the **data** directory to be included in the migration along with the **New Text Document.txt** file in the **New Folder**. The directory of `C:\data` contains:
``` console
```console
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM <DIR> New Folder
@ -115,7 +115,7 @@ Let's imagine that we have the following directory structure and that we want th
The directory of `C:\data\New Folder` contains:
``` console
```console
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM 0 New Text Document.txt
@ -198,7 +198,7 @@ This diagnostic log confirms that the modified **&lt;pattern&gt;** value enables
In this scenario, you have the following directory structure and you want all files in the **Data** directory to migrate, except for text files. The `C:\Data` folder contains:
``` console
```console
Directory of C:\Data
01/21/2009 10:08 PM <DIR> .
@ -211,7 +211,7 @@ Directory of C:\Data
The `C:\Data\New Folder\` contains:
``` console
```console
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM 0 New Text Document.txt

View File

@ -34,7 +34,7 @@ Before using the **ScanState** tool for a migration that includes encrypted file
You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter:
``` syntax
```cmd
cipher.exe /D /S:<PATH>
```

View File

@ -23,7 +23,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o
````
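Review bot: the closing fence of this block is four backticks while the opening fence is now ```cmd; a longer closing fence does close the block under CommonMark, but it is inconsistent with every other block in this PR and stricter renderers may not accept it. Change the closing fence to three backticks.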
@ -33,13 +33,13 @@ Links to detailed explanations of commands are available in the [Related article
- If you're migrating domain accounts, enter:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```
- If you're migrating local accounts along with domain accounts, enter:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae
```
@ -54,7 +54,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o
```
@ -62,7 +62,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```
@ -74,7 +74,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o
```
@ -82,7 +82,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml
```

View File

@ -19,7 +19,7 @@ To reroute files and settings, create a custom .xml file and specify the .xml fi
The following custom .xml file migrates the directories and files from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="User">
<displayName>Engineering Drafts Documents to Personal Folder</displayName>
@ -47,7 +47,7 @@ The following custom .xml file migrates the directories and files from `C:\Engin
The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the `C:\Music` folder on the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>All .mp3 files to My Documents</displayName>
@ -74,7 +74,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o
The following custom .xml file migrates the `Sample.doc` file from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="User">
<displayName>Sample.doc into My Documents</displayName>
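Review bot: all three example files in this topic declare the same `urlid` (`http://www.microsoft.com/migration/1.0/migxmlext/test`). Per the custom .xml requirements elsewhere in this change, two migration .xml files with the same URL ID cause the second one passed with `/i:` to be skipped, so a reader who combines these examples gets a silent failure. Give each example a distinct `urlid` (for example `.../migxmlext/engineeringdrafts`, `.../migxmlext/mp3`, `.../migxmlext/sampledoc`) or add a sentence saying they are not meant to be used together as written.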

View File

@ -43,7 +43,7 @@ The `ScanState.exe` command's syntax is:
For example, to create a `Config.xml` file in the current directory, use:
``` syntax
```cmd
ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13
```

View File

@ -59,7 +59,7 @@ Where the placeholders have the following values:
To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter:
``` syntax
```cmd
UsmtUtils.exe /verify D:\MyMigrationStore\store.mig
```
@ -69,7 +69,7 @@ Because no report type is specified, **UsmtUtils** displays the default summary
To verify whether the catalog file is corrupted or intact, enter:
``` syntax
```cmd
UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
```
@ -77,7 +77,7 @@ UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter:
``` syntax
```cmd
UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
```
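Review bot: the command in this fenced block ends with a stray backtick (`/l:D:\UsmtUtilsLog.txt``). Inside a fence it renders literally, so a copied command line would fail; remove it while the fence tag is being changed.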
@ -87,7 +87,7 @@ In addition to verifying the status of all files, this example decrypts the file
In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted.
``` syntax
```cmd
UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt
```
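Review bot: the `/decrypt:AES_192 /keyfile:D:\encryptionKey.txt` example reads the decryption key from a plaintext file sitting on the same drive as the migration store. Since this block is being touched, consider one sentence in the surrounding text noting that the key file should be access-restricted to the operator and removed once verification is complete.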

View File

@ -17,20 +17,20 @@ When creating custom .xml files, note the following requirements:
- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
```
- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line won't be processed. The second file won't be processed because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/<CustomFileName>">
```
- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the `Config.xml` file defines the components by the display name and the migration URL ID. For example, specify the following syntax:
``` xml
```xml
<displayName>My Application</displayName>
```
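Review bot: the example `<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/<CustomFileName>">` puts angle brackets inside an attribute value, which is not well-formed XML if copied literally. Either state explicitly that `<CustomFileName>` is a placeholder to be replaced, or use a bracket-free placeholder such as `MyCustomFile`.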

View File

@ -36,9 +36,10 @@
"recommendations": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
"manager": "dansimp",
"audience": "ITPro",
"ms.localizationpriority": "medium",
"ms.prod": "windows-client",
"ms.technology": "itpro-security",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
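Review bot: the +/- markers are not shown, but the line counts (-9 +10) mean three lines leave this block, and the candidates are `"ms.topic": "article"`, `"manager": "dansimp"` and `"audience": "ITPro"`, with `ms.localizationpriority`, `ms.prod`, `ms.technology` and `"manager": "aaroncz"` coming in. If `ms.topic` is indeed removed from `globalMetadata`, any page that relied on that default now has no topic type unless it sets one in its own front matter; confirm every page carries its own `ms.topic` or keep the default here.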
@ -48,7 +49,6 @@
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "Windows security",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
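Review bot: removing `"titleSuffix": "Windows security"` from `globalMetadata` means no page in this docset gets the suffix from the global block any more. Confirm the suffix is now supplied elsewhere (per-file front matter or `fileMetadata`) or that dropping it is intended.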
@ -56,13 +56,22 @@
"claydetels19",
"jborsecnik",
"tiburd",
"AngelaMotherofDragons",
"dstrome",
"v-dihans",
"garycentric"
],
"searchScope": ["Windows 10"]
},
"fileMetadata": {
"titleSuffix":{
"threat-protection/**/*.md": "Windows security"
"author":{
"/identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
},
"ms.author":{
"/identity-protection/hello-for-business/**/*.md": "paoloma"
},
"ms.reviewer":{
"/identity-protection/hello-for-business/**/*.md": "erikdau"
}
},
"template": [],
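Review bot: the new `fileMetadata` globs use a leading slash (`/identity-protection/hello-for-business/**/*.md`) while the `titleSuffix` glob they sit beside had none (`threat-protection/**/*.md`); a glob that doesn't match docfx's expected form applies nothing silently, so check which form this docset uses and make the three new entries match it. Also note that with the `titleSuffix` map removed here and from `globalMetadata` in the previous hunk, no page receives the `Windows security` suffix at all; confirm that is the intent.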

View File

@ -155,6 +155,12 @@ It also blocks automatic or manual attempts to move the paging file.
Enable secure boot and mandatorily prompt a password to change BIOS settings.
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we dont recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
The following sections cover mitigations for different types of attackers.
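Review bot: in the new section, `boot manager configuration database (BCD)` should read `Boot Configuration Data (BCD)`, which is what the acronym stands for, and `we dont recommend` is missing its apostrophe (`don't`). Also, `This will not succeed` in the second paragraph is fine but the rest of the page uses contractions (`can't`), so `This won't succeed` keeps the register consistent.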

View File

@ -60,7 +60,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
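Review bot: dropping `This is effective only in managed mode.` from the `Allow files to download to host operating system` row is consistent with its availability column (`Enterprise or Pro`) and with the Root Certificate Authorities row, which also lists Pro and carries no managed-mode caveat, while every row that keeps the caveat lists Enterprise only; the change looks correct. While here, the `Allow hardware-accelerated rendering` row reads `wont load` (missing apostrophe) and the print settings row has `Completely turns Off` with a capitalised `Off`.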