diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c77fa4d405..aaf6321d69 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -8,7 +8,7 @@ { "source_path": "devices/hololens/hololens-whats-new.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-upgrade-enterprise.md", @@ -28,7 +28,7 @@ { "source_path": "devices/hololens/hololens-setup.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens1-setup", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-use-apps.md", @@ -38,17 +38,17 @@ { "source_path": "devices/hololens/hololens-get-apps.md", "redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-spaces-on-hololens.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-spaces", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-clicker.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-clicker-restart-recover.md", @@ -108,7 +108,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md", @@ -173,12 +173,12 @@ { "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md", "redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-add", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md", "redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md", @@ -860,6 +860,11 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction", @@ -1435,6 +1440,11 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", + "redirect_document_id": true + }, { "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", @@ -6213,27 +6223,27 @@ { "source_path": "devices/surface/surface-diagnostic-toolkit.md", "redirect_url": "https://docs.microsoft.com/surface/index", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/surface/manage-surface-dock-firmware-updates.md", "redirect_url": "https://docs.microsoft.com/surface/indexdevices/surface/update", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", "redirect_url": "https://docs.microsoft.com/surface-hub/finishing-your-surface-hub-meeting", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-microsoft-layout-app.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-microsoft-dynamics-365-layout-app", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md", "redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md", diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 6e878defd1..f709de39d0 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -17,7 +17,9 @@ ms.date: 02/28/2020 The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. -> **Note**   The CertificateStore configuration service provider does not support installing client certificates. +> [!Note] +> The CertificateStore configuration service provider does not support installing client certificates. +> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. @@ -643,4 +645,3 @@ Configure the device to automatically renew an MDM client certificate with the s - diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 15b21d0197..44ff431b60 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1022,7 +1022,6 @@ The XML below is for Windows 10, version 1803. - diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index 739c11d55d..f708897928 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -16,6 +16,9 @@ manager: dansimp In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. +> [Note] +> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). + To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. ![Adapters](images/nm-adapters.png) diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index fa8b0e3378..c5fc3f7733 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -44,7 +44,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en - **Feature suggestions, fun facts, tips** - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + The lock screen background will occasionally make reccomendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services. ![fun facts](images/funfacts.png) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 7e06abfeb3..5c8972471b 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -170,13 +170,16 @@ The key to successful management of drivers for MDT, as well as for any other de On **MDT01**: +> [!IMPORTANT] +> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. + 1. Using File Explorer, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: 1. WinPE x86 2. WinPE x64 3. Windows 10 x64 3. In the new Windows 10 x64 folder, create the following folder structure: - - Dell + - Dell Inc - Latitude E7450 - Hewlett-Packard - HP EliteBook 8560w @@ -185,8 +188,8 @@ On **MDT01**: - Microsoft Corporation - Surface Laptop ->[!NOTE] ->Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +> [!NOTE] +> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. ### Create the logical driver structure in MDT @@ -197,7 +200,7 @@ When you import drivers to the MDT driver repository, MDT creates a single insta 2. WinPE x64 3. Windows 10 x64 3. In the **Windows 10 x64** folder, create the following folder structure: - - Dell + - Dell Inc - Latitude E7450 - Hewlett-Packard - HP EliteBook 8560w @@ -281,12 +284,12 @@ The folder you select and all sub-folders will be checked for drivers, expanding For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder. +In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc\\Latitude E7450** folder. On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node. -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450** +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node. +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450** ### For the HP EliteBook 8560w diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 76cdb58597..9480bdbc84 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -6,6 +6,7 @@ ms.reviewer: manager: laurawi ms.audience: itpro author: greg-lindsay +ms.author: greglin keywords: deployment, USB, device, BitLocker, workspace, security, data ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 4650acce95..f665e396be 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -6,6 +6,7 @@ ms.reviewer: manager: laurawi ms.audience: itpro author: greg-lindsay +ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 412a9a556a..90f83f5802 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: deploy audience: itpro author: greg-lindsay +ms.author: greglin ms.date: 02/13/2018 ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index a202b57844..f128528a5e 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md @@ -1,238 +1,239 @@ ---- -title: Available Data Types and Operators in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Available Data Types and Operators in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool provides a way to query your custom-compatibility databases. - -## Available Data Types - - -Customized-compatibility databases in Compatibility Administrator contain the following data types. - -- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. - -- **String**. A series of alphanumeric characters manipulated as a group. - -- **Boolean**. A value of True or False. - -## Available Attributes - - -The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
AttributeDescriptionData type

APP_NAME

Name of the application.

String

DATABASE_GUID

Unique ID for your compatibility database.

String

DATABASE_INSTALLED

Specifies if you have installed the database.

Boolean

DATABASE_NAME

Descriptive name of your database.

String

DATABASE_PATH

Location of the database on your computer.

String

FIX_COUNT

Number of compatibility fixes applied to a specific application.

Integer

FIX_NAME

Name of your compatibility fix.

String

MATCH_COUNT

Number of matching files for a specific, fixed application.

Integer

MATCHFILE_NAME

Name of a matching file used to identify a specific, fixed application.

String

MODE_COUNT

Number of compatibility modes applied to a specific, fixed application.

Integer

MODE_NAME

Name of your compatibility mode.

String

PROGRAM_APPHELPTYPE

Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

Integer

PROGRAM_DISABLED

Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

Boolean

PROGRAM_GUID

Unique ID for an application.

String

PROGRAM_NAME

Name of the application that you are fixing.

String

- - - -## Available Operators - - -The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SymbolDescriptionData typePrecedence

>

Greater than

Integer or string

1

>=

Greater than or equal to

Integer or string

1

<

Less than

Integer or string

1

<=

Less than or equal to

Integer or string

1

<>

Not equal to

Integer or string

1

=

Equal to

Integer, string, or Boolean

1

HAS

A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

-
-Note

Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

-
-
- -
-

Right-hand operand. String

1

OR

Logical OR operator

Boolean

2

AND

Logical AND operator

Boolean

2

- - - -## Related topics -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) - - - - - - - - - +--- +title: Available Data Types and Operators in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. +ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Available Data Types and Operators in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool provides a way to query your custom-compatibility databases. + +## Available Data Types + + +Customized-compatibility databases in Compatibility Administrator contain the following data types. + +- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. + +- **String**. A series of alphanumeric characters manipulated as a group. + +- **Boolean**. A value of True or False. + +## Available Attributes + + +The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionData type

APP_NAME

Name of the application.

String

DATABASE_GUID

Unique ID for your compatibility database.

String

DATABASE_INSTALLED

Specifies if you have installed the database.

Boolean

DATABASE_NAME

Descriptive name of your database.

String

DATABASE_PATH

Location of the database on your computer.

String

FIX_COUNT

Number of compatibility fixes applied to a specific application.

Integer

FIX_NAME

Name of your compatibility fix.

String

MATCH_COUNT

Number of matching files for a specific, fixed application.

Integer

MATCHFILE_NAME

Name of a matching file used to identify a specific, fixed application.

String

MODE_COUNT

Number of compatibility modes applied to a specific, fixed application.

Integer

MODE_NAME

Name of your compatibility mode.

String

PROGRAM_APPHELPTYPE

Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

Integer

PROGRAM_DISABLED

Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

Boolean

PROGRAM_GUID

Unique ID for an application.

String

PROGRAM_NAME

Name of the application that you are fixing.

String

+ + + +## Available Operators + + +The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SymbolDescriptionData typePrecedence

>

Greater than

Integer or string

1

>=

Greater than or equal to

Integer or string

1

<

Less than

Integer or string

1

<=

Less than or equal to

Integer or string

1

<>

Not equal to

Integer or string

1

=

Equal to

Integer, string, or Boolean

1

HAS

A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

+
+Note

Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

+
+
+ +
+

Right-hand operand. String

1

OR

Logical OR operator

Boolean

2

AND

Logical AND operator

Boolean

2

+ + + +## Related topics +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) + + + + + + + + + diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index 98986e0bfd..ea3a21ed29 100644 --- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -1,76 +1,77 @@ ---- -title: Fixing Applications by Using the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. -ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Fixing Applications by Using the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. - -**To fix an application by using the SUA tool** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, open the SUA tool. - -3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mitigation menu commandDescription

Apply Mitigations

Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

Undo Mitigations

Removes the application fixes that you just applied.

-

This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

Export Mitigations as Windows Installer file

Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.

- -   - -  - -  - - - - - +--- +title: Fixing Applications by Using the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. +ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Fixing Applications by Using the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. + +**To fix an application by using the SUA tool** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, open the SUA tool. + +3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + +
Mitigation menu commandDescription

Apply Mitigations

Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

Undo Mitigations

Removes the application fixes that you just applied.

+

This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

Export Mitigations as Windows Installer file

Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.

+ +   + +  + +  + + + + + diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md index 08db3b24d6..d4b510cd08 100644 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md @@ -1,80 +1,81 @@ ---- -title: Showing Messages Generated by the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. -ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Showing Messages Generated by the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. - -**To show the messages that the SUA tool has generated** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, in the SUA tool, click the **App Info** tab. - -3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
View menu commandDescription

Error Messages

When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

-

This command is selected by default.

Warning Messages

When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

Information Messages

When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

Detailed Information

When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

- -   - -  - -  - - - - - +--- +title: Showing Messages Generated by the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. +ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Showing Messages Generated by the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. + +**To show the messages that the SUA tool has generated** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, in the SUA tool, click the **App Info** tab. + +3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
View menu commandDescription

Error Messages

When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

+

This command is selected by default.

Warning Messages

When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

Information Messages

When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

Detailed Information

When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

+ +   + +  + +  + + + + + diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md index d58bf1d2ce..d3c279c3eb 100644 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md @@ -1,105 +1,106 @@ ---- -title: Tabs on the SUA Tool Interface (Windows 10) -description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. -ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Tabs on the SUA Tool Interface - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. - -The following table provides a description of each tab on the user interface for the SUA tool. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Tab nameDescription

App Info

Provides the following information for the selected application:

-
    -

  • Debugging information

    • -

  • Error, warning, and informational messages (if they are enabled)

    • -

  • Options for running the application

    • -

File

Provides information about access to the file system.

-

For example, this tab might show an attempt to write to a file that only administrators can typically access.

Registry

Provides information about access to the system registry.

-

For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

INI

Provides information about WriteProfile API issues.

-

For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

Token

Provides information about access-token checking.

-

For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

Privilege

Provides information about permissions.

-

For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

Name Space

Provides information about creation of system objects.

-

For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

Other Objects

Provides information related to applications accessing objects other than files and registry keys.

Process

Provides information about process elevation.

-

For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

- -  - -  - -  - - - - - +--- +title: Tabs on the SUA Tool Interface (Windows 10) +description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. +ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Tabs on the SUA Tool Interface + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. + +The following table provides a description of each tab on the user interface for the SUA tool. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Tab nameDescription

App Info

Provides the following information for the selected application:

+
    +

  • Debugging information

    • +

  • Error, warning, and informational messages (if they are enabled)

    • +

  • Options for running the application

    • +

File

Provides information about access to the file system.

+

For example, this tab might show an attempt to write to a file that only administrators can typically access.

Registry

Provides information about access to the system registry.

+

For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

INI

Provides information about WriteProfile API issues.

+

For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

Token

Provides information about access-token checking.

+

For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

Privilege

Provides information about permissions.

+

For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

Name Space

Provides information about creation of system objects.

+

For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

Other Objects

Provides information related to applications accessing objects other than files and registry keys.

Process

Provides information about process elevation.

+

For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

+ +  + +  + +  + + + + + diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index b38891eae2..cb84beaa58 100644 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -1,94 +1,95 @@ ---- -title: Using the Compatibility Administrator Tool (Windows 10) -description: This section provides information about using the Compatibility Administrator tool. -ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the Compatibility Administrator Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about using the Compatibility Administrator tool. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

Available Data Types and Operators in Compatibility Administrator

The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

Searching for Fixed Applications in Compatibility Administrator

With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

Creating a Custom Compatibility Fix in Compatibility Administrator

The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

Creating a Custom Compatibility Mode in Compatibility Administrator

Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

Creating an AppHelp Message in Compatibility Administrator

The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

Viewing the Events Screen in Compatibility Administrator

The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

Enabling and Disabling Compatibility Fixes in Compatibility Administrator

You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

- - - - - - - - - - - +--- +title: Using the Compatibility Administrator Tool (Windows 10) +description: This section provides information about using the Compatibility Administrator tool. +ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the Compatibility Administrator Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about using the Compatibility Administrator tool. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

Available Data Types and Operators in Compatibility Administrator

The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

Searching for Fixed Applications in Compatibility Administrator

With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

Creating a Custom Compatibility Fix in Compatibility Administrator

The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

Creating a Custom Compatibility Mode in Compatibility Administrator

Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

Creating an AppHelp Message in Compatibility Administrator

The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

Viewing the Events Screen in Compatibility Administrator

The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

Enabling and Disabling Compatibility Fixes in Compatibility Administrator

You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

+ + + + + + + + + + + diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 464e7e03de..965ad4dad7 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -1,60 +1,61 @@ ---- -title: Windows 10 compatibility (Windows 10) -description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. -ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, appcompat -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 compatibility - - -**Applies to** - -- Windows 10 - -Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. - -For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. - -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. - -Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. - -For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031) - -## Recommended application testing process - - -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: - -- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. - -- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. - -## Related topics - - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) - -[Windows 10 deployment considerations](windows-10-deployment-considerations.md) - -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) - -  - -  - - - - - +--- +title: Windows 10 compatibility (Windows 10) +description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. +ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, update, appcompat +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 compatibility + + +**Applies to** + +- Windows 10 + +Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. + +For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. + +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. + +Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. + +For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031) + +## Recommended application testing process + + +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: + +- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. + +- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. + +## Related topics + + +[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) + +[Windows 10 deployment considerations](windows-10-deployment-considerations.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 95db4ede75..bd70149a69 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -27,7 +27,8 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | -| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) will end on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 8/13/2020 | +| Connect app | The [Connect app](https://docs.microsoft.com/windows-hardware/design/device-experiences/wireless-projection-understanding) for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | +| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 94b207185c..37b3315a1d 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -11,6 +11,7 @@ ms.reviewer: manager: laurawi ms.audience: itpro author: greg-lindsay +ms.author: greglin audience: itpro ms.topic: article --- diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index 99bb88d5a4..fc8013e00c 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -4,7 +4,6 @@ description: This topic lists new and updated topics in the Update Windows 10 do ms.prod: w10 ms.mktglfcycl: manage audience: itpro -itproauthor: jaimeo author: jaimeo ms.author: jaimeo ms.reviewer: diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index da74aafced..5e3223976c 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -4,7 +4,6 @@ description: Learn how to deploy feature updates during a maintenance window ms.prod: w10 ms.mktglfcycl: manage audience: itpro -itproauthor: jaimeo author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index 688a3eabd6..645903d80f 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -7,11 +7,12 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage audience: itpro -author: jaimeo ms.localizationpriority: medium ms.audience: itpro ms.topic: article ms.collection: M365-modern-desktop +ms.author: jaimeo +author: jaimeo --- # Determine application readiness diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 5953fcc349..312c0ec84c 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -16,7 +16,7 @@ ms.topic: article # Feature Update Status -![The Feature Update Status report](images/UC_workspace_FU_status.png) +[ ![The Feature Update Status report](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox) The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). @@ -41,7 +41,14 @@ Microsoft uses diagnostic data to determine whether devices that use Windows Upd ### Opting out of compatibility hold -Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. +Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. +To opt out, set the registry key as follows: + +- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion** +- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0** +- Name :: **DataRequireGatedScanForFeatureUpdates** +- Type :: **REG_DWORD** +- Value :: **0** Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 13b02958f8..db7cd77c90 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -82,6 +82,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. ![Example of UI](images/waas-wsus-fig5.png) + + >[!IMPORTANT] + > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations > [!NOTE] > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index a39aa81b7e..92ee39c436 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -4,13 +4,14 @@ description: Configure Windows Update for Business settings using Microsoft Intu ms.prod: w10 ms.mktglfcycl: manage audience: itpro -author: jaimeo ms.localizationpriority: medium ms.audience: itpro ms.date: 07/27/2017 ms.reviewer: manager: laurawi ms.topic: article +ms.author: jaimeo +author: jaimeo --- # Walkthrough: use Microsoft Intune to configure Windows Update for Business diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 7f9fd87d53..17dce5c494 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -4,13 +4,14 @@ description: Use these resource to troubleshoot and reset Windows Update. ms.prod: w10 ms.mktglfcycl: audience: itpro -author: jaimeo ms.localizationpriority: medium ms.audience: itpro ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article +ms.author: jaimeo +author: jaimeo --- # Windows Update - additional resources diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 3a7f854132..9cef992dea 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -1,64 +1,65 @@ ---- -title: Resolve Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Resolve Windows 10 upgrade errors : Technical information for IT Pros - -**Applies to** -- Windows 10 - ->[!IMPORTANT] ->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). - -This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. - -The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. - -The following four levels are assigned: - -Level 100: Basic
-Level 200: Moderate
-Level 300: Moderate advanced
-Level 400: Advanced
- -## In this guide - -See the following topics in this article: - -- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
-- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. -- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
-- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. -- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained. - - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes. - - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes. -- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. - - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. - - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. -- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes. - - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code. - - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800. - - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. - - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. -- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) -
+--- +title: Resolve Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Resolve Windows 10 upgrade errors : Technical information for IT Pros + +**Applies to** +- Windows 10 + +>[!IMPORTANT] +>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). + +This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. + +The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. + +The following four levels are assigned: + +Level 100: Basic
+Level 200: Moderate
+Level 300: Moderate advanced
+Level 400: Advanced
+ +## In this guide + +See the following topics in this article: + +- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
+- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. +- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
+- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. +- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained. + - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes. + - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes. +- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. + - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. + - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. +- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes. + - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code. + - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800. + - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. + - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. +- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) +
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 6062bfa905..91c5da4243 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -1,79 +1,80 @@ ---- -title: Windows Upgrade and Migration Considerations (Windows 10) -description: Windows Upgrade and Migration Considerations -ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows upgrade and migration considerations -Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. - -## Upgrade from a previous version of Windows -You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. - -## Migrate files and settings -Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. - -For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349). - -The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. - -### Migrate with Windows Easy Transfer -Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. - -With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. - -> [!NOTE] -> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). - -### Migrate with the User State Migration Tool -You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. - -## Upgrade and migration considerations -Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: - -### Application compatibility -For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). - -### Multilingual Windows image upgrades -When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. - -If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. - -### Errorhandler.cmd -When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. - -### Data drive ACL migration -During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. - -Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: - -``` syntax -Key: HKLM\System\Setup -Type: REG_DWORD -Value: "DDACLSys_Disabled" = 1 -``` - -This feature is disabled if this registry key value exists and is configured to `1`. - -## Related topics -[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
-[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md) - - -  - -  - - - - - +--- +title: Windows Upgrade and Migration Considerations (Windows 10) +description: Windows Upgrade and Migration Considerations +ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows upgrade and migration considerations +Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. + +## Upgrade from a previous version of Windows +You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. + +## Migrate files and settings +Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. + +For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349). + +The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. + +### Migrate with Windows Easy Transfer +Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. + +With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. + +> [!NOTE] +> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). + +### Migrate with the User State Migration Tool +You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. + +## Upgrade and migration considerations +Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: + +### Application compatibility +For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). + +### Multilingual Windows image upgrades +When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. + +If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. + +### Errorhandler.cmd +When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. + +### Data drive ACL migration +During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. + +Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: + +``` syntax +Key: HKLM\System\Setup +Type: REG_DWORD +Value: "DDACLSys_Disabled" = 1 +``` + +This feature is disabled if this registry key value exists and is configured to `1`. + +## Related topics +[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md) + + +  + +  + + + + + diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 8ca3e5b215..4b6585af49 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -1,172 +1,173 @@ ---- -title: Migrate Application Settings (Windows 10) -description: Migrate Application Settings -ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate Application Settings - - -You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. - -This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. - -This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. - -## In this Topic - - -- [Before You Begin](#bkmk-beforebegin) - -- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). - -- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). - -- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). - -- [Step 4: Create the migration XML component for the application](#bkmk-step4). - -- [Step 5: Test the application settings migration](#bkmk-step5). - -## Before You Begin - - -You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. - -## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. - - -Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. - -There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. - -### Check the registry for an application uninstall key. - -When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. - -Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. - -### Check the file system for the application executable file. - -You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. - -## Step 2: Identify settings to collect and determine where each setting is stored on the computer. - - -Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. - -### - -**How To Determine Where Each Setting is Stored** - -1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109). - -2. Shut down as many applications as possible to limit the registry and file system activity on the computer. - -3. Filter the output of the tools so it only displays changes being made by the application. - - **Note**   - Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. - - - -4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. - -5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. - - **Note**   - Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. - - - -## Step 3: Identify how to apply the gathered settings. - - -If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: - -### Case 1: The version of the application on the destination computer is newer than the one on the source computer. - -In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: - -- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. - - To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. - -- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - -### Case 2: The destination computer already contains settings for the application. - -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. - -### Case 3: The application overwrites settings when it is installed. - -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. - -## Step 4: Create the migration XML component for the application - - -After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. - -**Note**   -We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. - - - -**Important**   -Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. - - - -Your script should do the following: - -1. Check whether the application and correct version is installed by: - - - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. - - - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. - -2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. - - - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. - - - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - - - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. - -For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). - -## Step 5: Test the application settings migration - - -On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. - -To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[XML Elements Library](usmt-xml-elements-library.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Migrate Application Settings (Windows 10) +description: Migrate Application Settings +ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate Application Settings + + +You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. + +This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. + +This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. + +## In this Topic + + +- [Before You Begin](#bkmk-beforebegin) + +- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). + +- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). + +- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). + +- [Step 4: Create the migration XML component for the application](#bkmk-step4). + +- [Step 5: Test the application settings migration](#bkmk-step5). + +## Before You Begin + + +You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. + +## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. + + +Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. + +There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. + +### Check the registry for an application uninstall key. + +When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. + +Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. + +### Check the file system for the application executable file. + +You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. + +## Step 2: Identify settings to collect and determine where each setting is stored on the computer. + + +Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. + +### + +**How To Determine Where Each Setting is Stored** + +1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109). + +2. Shut down as many applications as possible to limit the registry and file system activity on the computer. + +3. Filter the output of the tools so it only displays changes being made by the application. + + **Note**   + Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. + + + +4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. + +5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. + + **Note**   + Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. + + + +## Step 3: Identify how to apply the gathered settings. + + +If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: + +### Case 1: The version of the application on the destination computer is newer than the one on the source computer. + +In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: + +- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. + + To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. + +- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + +### Case 2: The destination computer already contains settings for the application. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. + +### Case 3: The application overwrites settings when it is installed. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. + +## Step 4: Create the migration XML component for the application + + +After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. + +**Note**   +We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. + + + +**Important**   +Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. + + + +Your script should do the following: + +1. Check whether the application and correct version is installed by: + + - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. + + - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. + +2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. + + - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. + + - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + + - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. + +For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). + +## Step 5: Test the application settings migration + + +On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. + +To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[XML Elements Library](usmt-xml-elements-library.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index 2d1d744fa6..c5a12de2fc 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -1,81 +1,82 @@ ---- -title: Migration Store Types Overview (Windows 10) -description: Migration Store Types Overview -ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migration Store Types Overview - - -When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. - -## In This Topic - - -[Migration Store Types](#bkmk-types) - -[Local Store vs. Remote Store](#bkmk-localvremote) - -[The /localonly Command-Line Option](#bkmk-localonly) - -## Migration Store Types - - -This section describes the three migration store types available in USMT. - -### Uncompressed (UNC) - -The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. - -### Compressed - -The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. - -### Hard-Link - -A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. - -You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). - -The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. - -![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) - -## Local Store vs. Remote Store - - -If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. - -If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. - -**Important**   -If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. - - - -### The /localonly Command-Line Option - -You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: Migration Store Types Overview (Windows 10) +description: Migration Store Types Overview +ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migration Store Types Overview + + +When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. + +## In This Topic + + +[Migration Store Types](#bkmk-types) + +[Local Store vs. Remote Store](#bkmk-localvremote) + +[The /localonly Command-Line Option](#bkmk-localonly) + +## Migration Store Types + + +This section describes the three migration store types available in USMT. + +### Uncompressed (UNC) + +The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. + +### Compressed + +The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. + +### Hard-Link + +A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. + +You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). + +The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. + +![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) + +## Local Store vs. Remote Store + + +If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. + +If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. + +**Important**   +If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. + + + +### The /localonly Command-Line Option + +You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 75c4393563..682ad7ff15 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -1,65 +1,66 @@ ---- -title: Choose a Migration Store Type (Windows 10) -description: Choose a Migration Store Type -ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Choose a Migration Store Type - - -One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - -

Migration Store Types Overview

Choose the migration store type that works best for your needs and migration scenario.

Estimate Migration Store Size

Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

Hard-Link Migration Store

Learn about hard-link migration stores and the scenarios in which they are used.

Migration Store Encryption

Learn about the using migration store encryption to protect user data integrity during a migration.

- - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - - - - - - - - - +--- +title: Choose a Migration Store Type (Windows 10) +description: Choose a Migration Store Type +ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Choose a Migration Store Type + + +One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

Migration Store Types Overview

Choose the migration store type that works best for your needs and migration scenario.

Estimate Migration Store Size

Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

Hard-Link Migration Store

Learn about hard-link migration stores and the scenarios in which they are used.

Migration Store Encryption

Learn about the using migration store encryption to protect user data integrity during a migration.

+ + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 43d9d9c686..045feda6ef 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -1,54 +1,55 @@ ---- -title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) -description: User State Migration Tool (USMT) Command-line Syntax -ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Command-line Syntax - - -The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. - -## In This Section - - - ---- - - - - - - - - - - - - - - -

ScanState Syntax

Lists the command-line options for using the ScanState tool.

LoadState Syntax

Lists the command-line options for using the LoadState tool.

UsmtUtils Syntax

Lists the command-line options for using the UsmtUtils tool.

- - - - - - - - - - - +--- +title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) +description: User State Migration Tool (USMT) Command-line Syntax +ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Command-line Syntax + + +The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. + +## In This Section + + + ++++ + + + + + + + + + + + + + + +

ScanState Syntax

Lists the command-line options for using the ScanState tool.

LoadState Syntax

Lists the command-line options for using the LoadState tool.

UsmtUtils Syntax

Lists the command-line options for using the UsmtUtils tool.

+ + + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 49aa08dbfe..3800f43309 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -1,340 +1,341 @@ ---- -title: Common Issues (Windows 10) -description: Common Issues -ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.date: 09/19/2017 -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Common Issues - - -The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. - -## In This Topic - - -[User Account Problems](#user) - -[Command-line Problems](#command) - -[XML File Problems](#xml) - -[Migration Problems](#migration) - -[Offline Migration Problems](#bkmk-offline) - -[Hard Link Migration Problems](#bkmk-hardlink) - -[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) - -## General Guidelines for Identifying Migration Problems - - -When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: - -- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. - - In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. - - **Note** - Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. - - - -- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -- Create a progress log using the **/Progress** option to monitor your migration. - -- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. - -- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. - -- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. - - **Note** - USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. - - - -## User Account Problems - - -The following sections describe common user account problems. Expand the section to see recommended solutions. - -### I'm having problems creating local accounts on the destination computer. - -**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -### Not all of the user accounts were migrated to the destination computer. - -**Causes/Resolutions** There are two possible causes for this problem: - -When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: - -1. Click **Start**. - -2. Click **All Programs**. - -3. Click **Accessories**. - -4. Right-click **Command Prompt**. - -5. Click **Run as administrator**. - -Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. - -Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. - -### User accounts that I excluded were migrated to the destination computer. - -**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. - -**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. - -### I am using the /uel option, but many accounts are still being included in the migration. - -**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. - -**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. - -### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. - -**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. - -**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: - -1. Open the registry editor by typing `regedit` at an elevated command prompt. - -2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. - - Each user profile is stored in a System Identifier key under `ProfileList`. - -3. Delete the key for the user profile you are trying to remove. - -### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. - -**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. - -**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. - -To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. - -### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. - -**Cause:** The computer name was changed during an offline migration of a local user profile. - -**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, - -``` syntax -loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore -/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 -``` - -## Command-line Problems - - -The following sections describe common command-line problems. Expand the section to see recommended solutions. - -### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." - -**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. - -**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. - -### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." - -**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. - -**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. - -## XML File Problems - - -The following sections describe common XML file problems. Expand the section to see recommended solutions. - -### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? - -**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. - -**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: - -`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` - -### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. - -**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. - -### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? - -**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. - -**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. - -## Migration Problems - - -The following sections describe common migration problems. Expand the section to see recommended solutions. - -### Files that I specified to exclude are still being migrated. - -**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. - -**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). - -### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. - -**Cause:** There might be an error in the XML syntax. - -**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -[Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -[Include Files and Settings](usmt-include-files-and-settings.md) - -[Custom XML Examples](usmt-custom-xml-examples.md) - -### After LoadState completes, the new desktop background does not appear on the destination computer. - -There are three typical causes for this issue. - -**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. - -**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. - -**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. - -**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. - -**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. - -**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. - -### I included MigApp.xml in the migration, but some PST files aren’t migrating. - -**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. - -**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. - -### USMT does not migrate the Start layout - -**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. - -**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. - -**Resolution:** The following workaround is available: - -1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: - - ``` - Export-StartLayout -Path "C:\Layout\user1.xml" - ``` -2. Migrate the user's profile with USMT. -3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: - - ``` - Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% - ``` - -This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. - -## Offline Migration Problems - - -The following sections describe common offline migration problems. Expand the section to see recommended solutions. - -### Some of my system settings do not migrate in an offline migration. - -**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -**Resolution:** In an offline migration, these system settings must be restored manually. - -### The ScanState tool fails with return code 26. - -**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". - -**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. - -### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. - -**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. - -**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: - -``` syntax -Scanstate /ui:S1-5-21-124525095-708259637-1543119021* -``` - -The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. - -You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277). - -### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. - -**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. - -**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: - -``` syntax -reg.exe unload hklm\$dest$software -``` - -## Hard-Link Migration Problems - - -The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. - -### EFS files are not restored to the new partition. - -**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. - -**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. - -### The ScanState tool cannot delete a previous hard-link migration store. - -**Cause:** The migration store contains hard links to locked files. - -**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: - -``` syntax -USMTutils /rd -``` - -You should also reboot the machine. - - - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Frequently Asked Questions](usmt-faq.md) - -[Return Codes](usmt-return-codes.md) - -[UsmtUtils Syntax](usmt-utilities.md) - - - - - - - - - +--- +title: Common Issues (Windows 10) +description: Common Issues +ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 09/19/2017 +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Common Issues + + +The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. + +## In This Topic + + +[User Account Problems](#user) + +[Command-line Problems](#command) + +[XML File Problems](#xml) + +[Migration Problems](#migration) + +[Offline Migration Problems](#bkmk-offline) + +[Hard Link Migration Problems](#bkmk-hardlink) + +[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) + +## General Guidelines for Identifying Migration Problems + + +When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: + +- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. + + In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. + + **Note** + Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. + + + +- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +- Create a progress log using the **/Progress** option to monitor your migration. + +- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. + +- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. + +- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. + + **Note** + USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. + + + +## User Account Problems + + +The following sections describe common user account problems. Expand the section to see recommended solutions. + +### I'm having problems creating local accounts on the destination computer. + +**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +### Not all of the user accounts were migrated to the destination computer. + +**Causes/Resolutions** There are two possible causes for this problem: + +When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: + +1. Click **Start**. + +2. Click **All Programs**. + +3. Click **Accessories**. + +4. Right-click **Command Prompt**. + +5. Click **Run as administrator**. + +Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. + +Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. + +### User accounts that I excluded were migrated to the destination computer. + +**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. + +**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. + +### I am using the /uel option, but many accounts are still being included in the migration. + +**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. + +**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. + +### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. + +**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. + +**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: + +1. Open the registry editor by typing `regedit` at an elevated command prompt. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. + + Each user profile is stored in a System Identifier key under `ProfileList`. + +3. Delete the key for the user profile you are trying to remove. + +### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. + +**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. + +**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. + +To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. + +### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. + +**Cause:** The computer name was changed during an offline migration of a local user profile. + +**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, + +``` syntax +loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore +/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 +``` + +## Command-line Problems + + +The following sections describe common command-line problems. Expand the section to see recommended solutions. + +### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." + +**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. + +**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. + +### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." + +**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. + +**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. + +## XML File Problems + + +The following sections describe common XML file problems. Expand the section to see recommended solutions. + +### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? + +**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. + +**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: + +`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` + +### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. + +**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. + +### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? + +**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. + +**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. + +## Migration Problems + + +The following sections describe common migration problems. Expand the section to see recommended solutions. + +### Files that I specified to exclude are still being migrated. + +**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. + +**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). + +### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. + +**Cause:** There might be an error in the XML syntax. + +**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +[Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +[Include Files and Settings](usmt-include-files-and-settings.md) + +[Custom XML Examples](usmt-custom-xml-examples.md) + +### After LoadState completes, the new desktop background does not appear on the destination computer. + +There are three typical causes for this issue. + +**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. + +**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. + +**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. + +**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. + +**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. + +**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. + +### I included MigApp.xml in the migration, but some PST files aren’t migrating. + +**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. + +**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. + +### USMT does not migrate the Start layout + +**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. + +**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. + +**Resolution:** The following workaround is available: + +1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: + + ``` + Export-StartLayout -Path "C:\Layout\user1.xml" + ``` +2. Migrate the user's profile with USMT. +3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: + + ``` + Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% + ``` + +This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. + +## Offline Migration Problems + + +The following sections describe common offline migration problems. Expand the section to see recommended solutions. + +### Some of my system settings do not migrate in an offline migration. + +**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +**Resolution:** In an offline migration, these system settings must be restored manually. + +### The ScanState tool fails with return code 26. + +**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". + +**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. + +### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. + +**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. + +**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: + +``` syntax +Scanstate /ui:S1-5-21-124525095-708259637-1543119021* +``` + +The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. + +You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277). + +### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. + +**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. + +**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: + +``` syntax +reg.exe unload hklm\$dest$software +``` + +## Hard-Link Migration Problems + + +The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. + +### EFS files are not restored to the new partition. + +**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. + +**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. + +### The ScanState tool cannot delete a previous hard-link migration store. + +**Cause:** The migration store contains hard links to locked files. + +**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: + +``` syntax +USMTutils /rd +``` + +You should also reboot the machine. + + + + + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Frequently Asked Questions](usmt-faq.md) + +[Return Codes](usmt-return-codes.md) + +[UsmtUtils Syntax](usmt-utilities.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 9376707ccd..8eb09c18ae 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -1,138 +1,139 @@ ---- -title: Customize USMT XML Files (Windows 10) -description: Customize USMT XML Files -ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Customize USMT XML Files - - -## In This Topic - - -[Overview](#bkmk-overview) - -[Migration .xml Files](#bkmk-migxml) - -[Custom .xml Files](#bkmk-customxmlfiles) - -[The Config.xml File](#bkmk-configxml) - -[Examples](#bkmk-examples) - -[Additional Information](#bkmk-addlinfo) - -## Overview - - -If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. - -If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. - -To modify the migration, do one or more of the following. - -- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. - -- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. - -- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. - -For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. - -## Migration .xml Files - - -This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. - -**Note**   -You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. - - - -- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. - -- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. - -- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. - - **Note**   - Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. - - - -## Custom .xml Files - - -You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. - -## The Config.xml File - - -The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. - -If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. - -When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. - -After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. - -In addition, note the following functionality with the Config.xml file: - -- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. - -- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. - -- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - - - -### Examples - -- The following command creates a Config.xml file in the current directory, but it does not create a store: - - `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` - -- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: - - `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` - -- The following command decrypts the store and migrates the files and settings: - - `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` - -## Additional Information - - -- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. - -- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[USMT Resources](usmt-resources.md) - - - - - - - - - +--- +title: Customize USMT XML Files (Windows 10) +description: Customize USMT XML Files +ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Customize USMT XML Files + + +## In This Topic + + +[Overview](#bkmk-overview) + +[Migration .xml Files](#bkmk-migxml) + +[Custom .xml Files](#bkmk-customxmlfiles) + +[The Config.xml File](#bkmk-configxml) + +[Examples](#bkmk-examples) + +[Additional Information](#bkmk-addlinfo) + +## Overview + + +If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. + +If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. + +To modify the migration, do one or more of the following. + +- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. + +- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. + +- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. + +For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +## Migration .xml Files + + +This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. + +**Note**   +You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. + + + +- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. + +- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. + +- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. + + **Note**   + Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. + + + +## Custom .xml Files + + +You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. + +## The Config.xml File + + +The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. + +If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. + +When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. + +After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +In addition, note the following functionality with the Config.xml file: + +- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. + +- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. + +- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + + + +### Examples + +- The following command creates a Config.xml file in the current directory, but it does not create a store: + + `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` + +- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: + + `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` + +- The following command decrypts the store and migrates the files and settings: + + `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` + +## Additional Information + + +- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. + +- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[USMT Resources](usmt-resources.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 21a829f394..45bad6ef55 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -1,279 +1,280 @@ ---- -title: Exclude Files and Settings (Windows 10) -description: Exclude Files and Settings -ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Exclude Files and Settings -When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). - -In this topic: - -- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: - - - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. - - - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. - -- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. - -## Create a custom .xml file -We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. - -### <include> and <exclude> -The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). - -**Note**   -If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. - -- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) - -- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) - -- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) - -- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) - -- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) - -### Example 1: How to migrate all files from C:\\ except .mp3 files -The following .xml file migrates all files located on the C: drive, except any .mp3 files. - -``` xml - - - - MP3 Files - - - - - C:\* [*] - - - - - C:\* [*.mp3] - - - - - - -``` -### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp -The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. - -``` xml - - - Test component - - - - - C:\Data\* [*] - - - - - C:\Data\temp\* [*] - - - - - - -``` - -### Example 3: How to exclude the files in a folder but include all subfolders -The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents without subfolders - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [*] - - - - - - -``` - -### Example 4: How to exclude a file from a specific folder -The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents except Sample.doc - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [Sample.doc] - - - - - - -``` - -### Example 5: How to exclude a file from any location -To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. - -``` xml - C:\* [Sample.doc] -``` - -To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. - -``` xml - -``` -#### Examples of how to use XML to exclude files, folders, and registry keys -Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) - -**Example 1: How to exclude all .mp3 files**
-The following .xml file excludes all .mp3 files from the migration: - -``` xml - - - Test - - - - - - - - - - - -``` -**Example 2: How to exclude all of the files on a specific drive**
-The following .xml file excludes only the files located on the C: drive. - -``` xml - - - Test - - - - - c:\*[*] - - - - - - -``` -**Example 3: How to exclude registry keys**
-The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. - -``` xml - - - - Test - - - - - HKCU\testReg[*] - - - - - HKCU\*[*] - - - - - - -``` -**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
-The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. - -``` xml - - - - Test - - - - - - - - - - - - C:\Program Files\* [*] -C:\Windows\* [*] - - - - - - -``` -## Create a Config XML File -You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. - -- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. - -- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. - -- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. - -See [Config.xml File](usmt-configxml-file.md) for more information. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - -## Related topics -- [Customize USMT XML Files](usmt-customize-xml-files.md) -- [USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Exclude Files and Settings (Windows 10) +description: Exclude Files and Settings +ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Exclude Files and Settings +When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). + +In this topic: + +- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: + + - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. + + - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + +- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. + +## Create a custom .xml file +We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +### <include> and <exclude> +The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). + +**Note**   +If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. + +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) + +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) + +- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) + +- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) + +- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) + +### Example 1: How to migrate all files from C:\\ except .mp3 files +The following .xml file migrates all files located on the C: drive, except any .mp3 files. + +``` xml + + + + MP3 Files + + + + + C:\* [*] + + + + + C:\* [*.mp3] + + + + + + +``` +### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp +The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. + +``` xml + + + Test component + + + + + C:\Data\* [*] + + + + + C:\Data\temp\* [*] + + + + + + +``` + +### Example 3: How to exclude the files in a folder but include all subfolders +The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents without subfolders + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [*] + + + + + + +``` + +### Example 4: How to exclude a file from a specific folder +The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents except Sample.doc + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + + +``` + +### Example 5: How to exclude a file from any location +To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. + +``` xml + C:\* [Sample.doc] +``` + +To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. + +``` xml + +``` +#### Examples of how to use XML to exclude files, folders, and registry keys +Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) + +**Example 1: How to exclude all .mp3 files**
+The following .xml file excludes all .mp3 files from the migration: + +``` xml + + + Test + + + + + + + + + + + +``` +**Example 2: How to exclude all of the files on a specific drive**
+The following .xml file excludes only the files located on the C: drive. + +``` xml + + + Test + + + + + c:\*[*] + + + + + + +``` +**Example 3: How to exclude registry keys**
+The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. + +``` xml + + + + Test + + + + + HKCU\testReg[*] + + + + + HKCU\*[*] + + + + + + +``` +**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
+The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. + +``` xml + + + + Test + + + + + + + + + + + + C:\Program Files\* [*] +C:\Windows\* [*] + + + + + + +``` +## Create a Config XML File +You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. + +- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. + +- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. + +- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. + +See [Config.xml File](usmt-configxml-file.md) for more information. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + +## Related topics +- [Customize USMT XML Files](usmt-customize-xml-files.md) +- [USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 6a97acb78b..3033623b75 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -1,122 +1,123 @@ ---- -title: Extract Files from a Compressed USMT Migration Store (Windows 10) -description: Extract Files from a Compressed USMT Migration Store -ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Extract Files from a Compressed USMT Migration Store - - -When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. - -Options used with the **/extract** option can specify: - -- The cryptographic algorithm that was used to create the migration store. - -- The encryption key or the text file that contains the encryption key. - -- Include and exclude patterns for selective data extraction. - -In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. - -## In this topic - - -- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) - -- [To extract all files from a compressed migration store](#bkmk-extractallfiles) - -- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) - -- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) - -- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) - -### To run the USMTutils tool with the /extract option - -To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: - -Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] - -Where the placeholders have the following values: - -- *<USMTpath>* is the location where you have saved the USMT files and tools. - -- *<filePath>* is the location of the migration store. - -- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. - -- *<includePattern>* specifies the pattern for the files to include in the extraction. - -- *<excludePattern>* specifies the pattern for the files to omit from the extraction. - -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. - -- *<logfile>* is the location and name of the log file. - -- *<keystring>* is the encryption key that was used to encrypt the migration store. - -- *<filename>* is the location and name of the text file that contains the encryption key. - -### To extract all files from a compressed migration store - -To extract everything from a compressed migration store to a file on the C:\\ drive, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore -``` - -### To extract specific file types from an encrypted compressed migration store - -To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt -``` - -In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. - -### To extract all but one, or more, file types from an encrypted compressed migration store - -To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt -``` - -### To extract file types using the include pattern and the exclude pattern - -To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o -``` - -In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. - -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Extract Files from a Compressed USMT Migration Store (Windows 10) +description: Extract Files from a Compressed USMT Migration Store +ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Extract Files from a Compressed USMT Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. + +Options used with the **/extract** option can specify: + +- The cryptographic algorithm that was used to create the migration store. + +- The encryption key or the text file that contains the encryption key. + +- Include and exclude patterns for selective data extraction. + +In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. + +## In this topic + + +- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) + +- [To extract all files from a compressed migration store](#bkmk-extractallfiles) + +- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) + +- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) + +- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) + +### To run the USMTutils tool with the /extract option + +To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: + +Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<filePath>* is the location of the migration store. + +- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. + +- *<includePattern>* specifies the pattern for the files to include in the extraction. + +- *<excludePattern>* specifies the pattern for the files to omit from the extraction. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<logfile>* is the location and name of the log file. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To extract all files from a compressed migration store + +To extract everything from a compressed migration store to a file on the C:\\ drive, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore +``` + +### To extract specific file types from an encrypted compressed migration store + +To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt +``` + +In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. + +### To extract all but one, or more, file types from an encrypted compressed migration store + +To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt +``` + +### To extract file types using the include pattern and the exclude pattern + +To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o +``` + +In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md index 49092e9f6f..ff083650c6 100644 --- a/windows/deployment/usmt/usmt-faq.md +++ b/windows/deployment/usmt/usmt-faq.md @@ -1,137 +1,138 @@ ---- -title: Frequently Asked Questions (Windows 10) -description: Frequently Asked Questions -ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Frequently Asked Questions - - -The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. - -## General - - -### How much space is needed on the destination computer? - -The destination computer needs enough available space for the following: - -- Operating system - -- Applications - -- Uncompressed store - -### Can I store the files and settings directly on the destination computer or do I need a server? - -You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: - -1. Create and share the directory C:\\store on the destination computer. - -2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store - -3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. - -### Can I migrate data between operating systems with different languages? - -No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. - -### Can I change the location of the temporary directory on the destination computer? - -Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. - -### How do I install USMT? - -Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. - -### How do I uninstall USMT? - -If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. - -## Files and Settings - - -### How can I exclude a folder or a certain type of file from the migration? - -You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). - -### What happens to files that were located on a drive that does not exist on the destination computer? - -USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. - -## USMT .xml Files - - -### Where can I get examples of USMT .xml files? - -The following topics include examples of USMT .xml files: - -- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -- [Include Files and Settings](usmt-include-files-and-settings.md) - -- [Custom XML Examples](usmt-custom-xml-examples.md) - -### Can I use custom .xml files that were written for USMT 5.0? - -Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. - -### How can I validate the .xml files? - -You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. - -### Why must I list the .xml files with both the ScanState and LoadState commands? - -The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. - -If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -### Which files can I modify and specify on the command line? - -You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. - -### What happens if I do not specify the .xml files on the command line? - -- **ScanState** - - If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. - -- **LoadState** - - If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -## Conflicts and Precedence - - -### What happens when there are conflicting XML rules or conflicting objects on the destination computer? - -For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Frequently Asked Questions (Windows 10) +description: Frequently Asked Questions +ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Frequently Asked Questions + + +The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + +## General + + +### How much space is needed on the destination computer? + +The destination computer needs enough available space for the following: + +- Operating system + +- Applications + +- Uncompressed store + +### Can I store the files and settings directly on the destination computer or do I need a server? + +You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + +1. Create and share the directory C:\\store on the destination computer. + +2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + +3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + +### Can I migrate data between operating systems with different languages? + +No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + +### Can I change the location of the temporary directory on the destination computer? + +Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + +### How do I install USMT? + +Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + +### How do I uninstall USMT? + +If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + +## Files and Settings + + +### How can I exclude a folder or a certain type of file from the migration? + +You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). + +### What happens to files that were located on a drive that does not exist on the destination computer? + +USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + +## USMT .xml Files + + +### Where can I get examples of USMT .xml files? + +The following topics include examples of USMT .xml files: + +- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +- [Include Files and Settings](usmt-include-files-and-settings.md) + +- [Custom XML Examples](usmt-custom-xml-examples.md) + +### Can I use custom .xml files that were written for USMT 5.0? + +Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + +### How can I validate the .xml files? + +You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + +### Why must I list the .xml files with both the ScanState and LoadState commands? + +The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. + +If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +### Which files can I modify and specify on the command line? + +You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + +### What happens if I do not specify the .xml files on the command line? + +- **ScanState** + + If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + +- **LoadState** + + If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +## Conflicts and Precedence + + +### What happens when there are conflicting XML rules or conflicting objects on the destination computer? + +For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 3439d25d7a..419b5652f7 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -1,106 +1,107 @@ ---- -title: General Conventions (Windows 10) -description: General Conventions -ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# General Conventions - - -This topic describes the XML helper functions. - -## In This Topic - - -[General XML Guidelines](#bkmk-general) - -[Helper Functions](#bkmk-helperfunctions) - -## General XML Guidelines - - -Before you modify the .xml files, become familiar with the following guidelines: - -- **XML schema** - - You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. - -- **Conflits** - - In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -- **Required elements** - - The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. - -- **Required child elements** - - - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. - - - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. - -- **File names with brackets** - - If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. - -- **Using quotation marks** - - When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. - -## Helper Functions - - -You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: - -- **All of the parameters are strings** - -- **You can leave NULL parameters blank** - - As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - - ``` syntax - SomeFunction("My String argument",NULL,NULL) - ``` - - is equivalent to: - - ``` syntax - SomeFunction("My String argument") - ``` - -- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** - - It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. - - For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. - - The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. - -- **You specify a location pattern in a way that is similar to how you specify an actual location** - - The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - - For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: General Conventions (Windows 10) +description: General Conventions +ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# General Conventions + + +This topic describes the XML helper functions. + +## In This Topic + + +[General XML Guidelines](#bkmk-general) + +[Helper Functions](#bkmk-helperfunctions) + +## General XML Guidelines + + +Before you modify the .xml files, become familiar with the following guidelines: + +- **XML schema** + + You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. + +- **Conflits** + + In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +- **Required elements** + + The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. + +- **Required child elements** + + - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. + + - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. + +- **File names with brackets** + + If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. + +- **Using quotation marks** + + When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. + +## Helper Functions + + +You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: + +- **All of the parameters are strings** + +- **You can leave NULL parameters blank** + + As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: + + ``` syntax + SomeFunction("My String argument",NULL,NULL) + ``` + + is equivalent to: + + ``` syntax + SomeFunction("My String argument") + ``` + +- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** + + It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + + For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + + The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + +- **You specify a location pattern in a way that is similar to how you specify an actual location** + + The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. + + For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 5c8bbb6d9b..03499dcd72 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -1,150 +1,151 @@ ---- -title: How USMT Works (Windows 10) -description: How USMT Works -ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# How USMT Works - - -USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. - -- [ScanState Process](#bkmk-ssprocess) - -- [LoadState Process](#bkmk-lsprocess) - - **Note**   - For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - - -## The ScanState Process - - -When you run the ScanState tool on the source computer, it goes through the following process: - -1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. - - There are three types of components: - - - Components that migrate the operating system settings - - - Components that migrate application settings - - - Components that migrate users’ files - - The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. - -4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: - - 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note**   - From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. - - - - 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. - - 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. - - 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. - - **Note**   - ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. - - - -5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. - -6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. - - **Note**   - ScanState does not modify the source computer in any way. - - - -## The LoadState Process - - -The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. - -1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. LoadState collects information about the migration components that need to be migrated. - - LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. - - - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. - - - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. - - - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). - -4. In the "Scanning" phase, LoadState does the following for each user profile: - - 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note** - From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. - - - - 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). - - **Note** - LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. - - - - 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. - - 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. - - **Important** - It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. - - - -5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - - - - - - - - - +--- +title: How USMT Works (Windows 10) +description: How USMT Works +ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# How USMT Works + + +USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. + +- [ScanState Process](#bkmk-ssprocess) + +- [LoadState Process](#bkmk-lsprocess) + + **Note**   + For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + + +## The ScanState Process + + +When you run the ScanState tool on the source computer, it goes through the following process: + +1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. + + There are three types of components: + + - Components that migrate the operating system settings + + - Components that migrate application settings + + - Components that migrate users’ files + + The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. + +4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: + + 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note**   + From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. + + + + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. + + 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. + + 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. + + **Note**   + ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. + + + +5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. + +6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. + + **Note**   + ScanState does not modify the source computer in any way. + + + +## The LoadState Process + + +The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. + +1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. LoadState collects information about the migration components that need to be migrated. + + LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. + + - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + + - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + + - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). + +4. In the "Scanning" phase, LoadState does the following for each user profile: + + 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note** + From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + + + + 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + + **Note** + LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + + + + 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. + + 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. + + **Important** + It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. + + + +5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index 9fdba24603..76b904d0d7 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -1,35 +1,36 @@ ---- -title: User State Migration Tool (USMT) How-to topics (Windows 10) -description: User State Migration Tool (USMT) How-to topics -ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) How-to topics -The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. - -## In This Section - -|Topic |Description| -|------|-----------| -|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| -|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| -|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| -|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| -|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| -|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| -|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| -|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| - -## Related topics -- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +--- +title: User State Migration Tool (USMT) How-to topics (Windows 10) +description: User State Migration Tool (USMT) How-to topics +ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) How-to topics +The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. + +## In This Section + +|Topic |Description| +|------|-----------| +|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| +|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| +|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| +|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| +|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| +|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| +|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| +|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| + +## Related topics +- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) +- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index 45cd2a17a7..d19e2d5a66 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -1,51 +1,52 @@ ---- -title: Identify File Types, Files, and Folders (Windows 10) -description: Identify File Types, Files, and Folders -ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify File Types, Files, and Folders - - -When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: - -- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. - -- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). - -- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. - -Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. - -**To find the registered file types on a computer running Windows 7 or Windows 8** - -1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. - -2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. - -3. On this screen, the registered file types are displayed. - -For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - - - - +--- +title: Identify File Types, Files, and Folders (Windows 10) +description: Identify File Types, Files, and Folders +ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify File Types, Files, and Folders + + +When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: + +- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. + +- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). + +- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. + +Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. + +**To find the registered file types on a computer running Windows 7 or Windows 8** + +1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. + +2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. + +3. On this screen, the registered file types are displayed. + +For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index 706f2c6a6e..7b4c6e95c6 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -1,55 +1,56 @@ ---- -title: Migrate EFS Files and Certificates (Windows 10) -description: Migrate EFS Files and Certificates -ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate EFS Files and Certificates - - -This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## To Migrate EFS Files and Certificates - - -Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. - -**Note**   -The **/efs** options are not used with the LoadState command. - - - -Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. - -You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: - -``` syntax -Cipher /D /S: -``` - -Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) - - - - - - - - - +--- +title: Migrate EFS Files and Certificates (Windows 10) +description: Migrate EFS Files and Certificates +ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate EFS Files and Certificates + + +This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## To Migrate EFS Files and Certificates + + +Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. + +**Note**   +The **/efs** options are not used with the LoadState command. + + + +Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. + +You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: + +``` syntax +Cipher /D /S: +``` + +Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 663964c7eb..c697169088 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -1,96 +1,97 @@ ---- -title: Migrate User Accounts (Windows 10) -description: Migrate User Accounts -ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate User Accounts - - -By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. - -## In this Topic - - -- [To migrate all user accounts and user settings](#bkmk-migrateall) - -- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) - -- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) - -## To migrate all user accounts and user settings -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: - - `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Do one of the following: - - - If you are migrating domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - - - If you are migrating local accounts along with domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` - - **Note**   - You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. - - - -## To migrate two domain accounts (User1 and User2) -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and type the following at the command-line prompt: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` - -## Related topics - - -[Identify Users](usmt-identify-users.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Migrate User Accounts (Windows 10) +description: Migrate User Accounts +ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate User Accounts + + +By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. + +## In this Topic + + +- [To migrate all user accounts and user settings](#bkmk-migrateall) + +- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) + +- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) + +## To migrate all user accounts and user settings +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: + + `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Do one of the following: + + - If you are migrating domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + + - If you are migrating local accounts along with domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` + + **Note**   + You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. + + + +## To migrate two domain accounts (User1 and User2) +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + +## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and type the following at the command-line prompt: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` + +## Related topics + + +[Identify Users](usmt-identify-users.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 6d80871901..4dfd12bcc1 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -1,60 +1,61 @@ ---- -title: User State Migration Tool (USMT) Overview (Windows 10) -description: User State Migration Tool (USMT) Overview -ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 10/16/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview -You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). - -USMT enables you to do the following: - -- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - -- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). - -- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). - -## Benefits -USMT provides the following benefits to businesses that are deploying Windows operating systems: - -- Safely migrates user accounts, operating system and application settings. - -- Lowers the cost of deploying Windows by preserving user state. - -- Reduces end-user downtime required to customize desktops and find missing files. - -- Reduces help-desk calls. - -- Reduces the time needed for the user to become familiar with the new operating system. - -- Increases employee satisfaction with the migration experience. - -## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. - -There are some scenarios in which the use of USMT is not recommended. These include: - -- Migrations that require end-user interaction. - -- Migrations that require customization on a machine-by-machine basis. - -## Related topics -- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) - - -  - - - - - +--- +title: User State Migration Tool (USMT) Overview (Windows 10) +description: User State Migration Tool (USMT) Overview +ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 10/16/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview +You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +USMT enables you to do the following: + +- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). + +- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). + +## Benefits +USMT provides the following benefits to businesses that are deploying Windows operating systems: + +- Safely migrates user accounts, operating system and application settings. + +- Lowers the cost of deploying Windows by preserving user state. + +- Reduces end-user downtime required to customize desktops and find missing files. + +- Reduces help-desk calls. + +- Reduces the time needed for the user to become familiar with the new operating system. + +- Increases employee satisfaction with the migration experience. + +## Limitations +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. + +There are some scenarios in which the use of USMT is not recommended. These include: + +- Migrations that require end-user interaction. + +- Migrations that require customization on a machine-by-machine basis. + +## Related topics +- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) + + +  + + + + + diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 1fa60664bd..0371e15cdc 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -1,71 +1,72 @@ ---- -title: Plan Your Migration (Windows 10) -description: Plan Your Migration -ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Plan Your Migration - - -Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. - -In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. - -One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

Common Migration Scenarios

Determine whether you will perform a refresh migration or a replace migration.

What Does USMT Migrate?

Learn which applications, user data, and operating system components USMT migrates.

Choose a Migration Store Type

Choose an uncompressed, compressed, or hard-link migration store.

Determine What to Migrate

Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

Test Your Migration

Test your migration before you deploy Windows to all users.

- - - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Plan Your Migration (Windows 10) +description: Plan Your Migration +ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Plan Your Migration + + +Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. + +In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. + +One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

Common Migration Scenarios

Determine whether you will perform a refresh migration or a replace migration.

What Does USMT Migrate?

Learn which applications, user data, and operating system components USMT migrates.

Choose a Migration Store Type

Choose an uncompressed, compressed, or hard-link migration store.

Determine What to Migrate

Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

Test Your Migration

Test your migration before you deploy Windows to all users.

+ + + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index d2862feb9a..0b9ce17b6e 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -1,470 +1,471 @@ ---- -title: Recognized Environment Variables (Windows 10) -description: Recognized Environment Variables -ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Recognized Environment Variables - - -When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. - -## In This Topic - - -- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) - -- [Variables that are recognized only in the user context](#bkmk-2) - -## Variables that are processed for the operating system and in the context of each user - - -You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
VariableExplanation

ALLUSERSAPPDATA

Same as CSIDL_COMMON_APPDATA.

ALLUSERSPROFILE

Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

COMMONPROGRAMFILES

Same as CSIDL_PROGRAM_FILES_COMMON.

COMMONPROGRAMFILES(X86)

Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

CSIDL_COMMON_ADMINTOOLS

Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

CSIDL_COMMON_ALTSTARTUP

The file-system directory that corresponds to the non-localized Startup program group for all users.

CSIDL_COMMON_APPDATA

The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

CSIDL_COMMON_DESKTOPDIRECTORY

The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

CSIDL_COMMON_DOCUMENTS

The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

CSIDL_COMMON_FAVORITES

The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

CSIDL_COMMON_MUSIC

The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

CSIDL_COMMON_PICTURES

The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

CSIDL_COMMON_PROGRAMS

The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

CSIDL_COMMON_STARTMENU

The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

CSIDL_COMMON_STARTUP

The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

CSIDL_COMMON_TEMPLATES

The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

CSIDL_COMMON_VIDEO

The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

CSIDL_DEFAULT_APPDATA

Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_LOCAL_APPDATA

Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_COOKIES

Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_CONTACTS

Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_DESKTOP

Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_DOWNLOADS

Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_FAVORITES

Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_HISTORY

Refers to the History folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_INTERNET_CACHE

Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_PERSONAL

Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYDOCUMENTS

Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYPICTURES

Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYMUSIC

Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYVIDEO

Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_RECENT

Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_SENDTO

Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_STARTMENU

Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_PROGRAMS

Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_STARTUP

Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_TEMPLATES

Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_QUICKLAUNCH

Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

CSIDL_FONTS

A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

CSIDL_PROGRAM_FILESX86

The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

CSIDL_PROGRAM_FILES_COMMONX86

A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

CSIDL_PROGRAM_FILES

The Program Files folder. A typical path is C:\Program Files.

CSIDL_PROGRAM_FILES_COMMON

A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

CSIDL_RESOURCES

The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

CSIDL_SYSTEM

The Windows System folder. A typical path is C:\Windows\System32.

CSIDL_WINDOWS

The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

DEFAULTUSERPROFILE

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

PROFILESFOLDER

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

PROGRAMFILES

Same as CSIDL_PROGRAM_FILES.

PROGRAMFILES(X86)

Refers to the C:\Program Files (x86) folder on 64-bit systems.

SYSTEM

Refers to %WINDIR%\system32.

SYSTEM16

Refers to %WINDIR%\system.

SYSTEM32

Refers to %WINDIR%\system32.

SYSTEMPROFILE

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

SYSTEMROOT

Refers to the root of the system drive.

WINDIR

Refers to the Windows folder located on the system drive.

- -  - -## Variables that are recognized only in the user context - - -You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
VariableExplanation

APPDATA

Same as CSIDL_APPDATA.

CSIDL_ADMINTOOLS

The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

CSIDL_ALTSTARTUP

The file-system directory that corresponds to the user's non-localized Startup program group.

CSIDL_APPDATA

The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

CSIDL_BITBUCKET

The virtual folder that contains the objects in the user's Recycle Bin.

CSIDL_CDBURN_AREA

The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

CSIDL_CONNECTIONS

The virtual folder representing Network Connections that contains network and dial-up connections.

CSIDL_CONTACTS

This refers to the Contacts folder in %CSIDL_PROFILE%.

CSIDL_CONTROLS

The virtual folder that contains icons for the Control Panel items.

CSIDL_COOKIES

The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

CSIDL_DESKTOP

The virtual folder representing the Windows desktop.

CSIDL_DESKTOPDIRECTORY

The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

CSIDL_DRIVES

The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

CSIDL_FAVORITES

The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

CSIDL_HISTORY

The file-system directory that serves as a common repository for Internet history items.

CSIDL_INTERNET

A virtual folder for Internet Explorer.

CSIDL_INTERNET_CACHE

The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

CSIDL_LOCAL_APPDATA

The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

CSIDL_MYDOCUMENTS

The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

CSIDL_MYMUSIC

The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

CSIDL_MYPICTURES

The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

CSIDL_MYVIDEO

The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

CSIDL_NETHOOD

A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

CSIDL_NETWORK

A virtual folder representing My Network Places, the root of the network namespace hierarchy.

CSIDL_PERSONAL

The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

-

A typical path is C:\Documents and Settings\username\My Documents.

CSIDL_PLAYLISTS

The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

CSIDL_PRINTERS

The virtual folder that contains installed printers.

CSIDL_PRINTHOOD

The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

CSIDL_PROFILE

The user's profile folder. A typical path is C:\Users\Username.

CSIDL_PROGRAMS

The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

CSIDL_RECENT

The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

CSIDL_SENDTO

The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

CSIDL_STARTMENU

The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

CSIDL_STARTUP

The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

CSIDL_TEMPLATES

The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

HOMEPATH

Same as the standard environment variable.

TEMP

The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

TMP

The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

USERPROFILE

Same as CSIDL_PROFILE.

USERSID

Represents the current user-account security identifier (SID). For example,

-

S-1-5-21-1714567821-1326601894-715345443-1026.

- -  - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -  - -  - - - - - +--- +title: Recognized Environment Variables (Windows 10) +description: Recognized Environment Variables +ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Recognized Environment Variables + + +When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. + +## In This Topic + + +- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) + +- [Variables that are recognized only in the user context](#bkmk-2) + +## Variables that are processed for the operating system and in the context of each user + + +You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VariableExplanation

ALLUSERSAPPDATA

Same as CSIDL_COMMON_APPDATA.

ALLUSERSPROFILE

Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

COMMONPROGRAMFILES

Same as CSIDL_PROGRAM_FILES_COMMON.

COMMONPROGRAMFILES(X86)

Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

CSIDL_COMMON_ADMINTOOLS

Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

CSIDL_COMMON_ALTSTARTUP

The file-system directory that corresponds to the non-localized Startup program group for all users.

CSIDL_COMMON_APPDATA

The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

CSIDL_COMMON_DESKTOPDIRECTORY

The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

CSIDL_COMMON_DOCUMENTS

The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

CSIDL_COMMON_FAVORITES

The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

CSIDL_COMMON_MUSIC

The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

CSIDL_COMMON_PICTURES

The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

CSIDL_COMMON_PROGRAMS

The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

CSIDL_COMMON_STARTMENU

The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

CSIDL_COMMON_STARTUP

The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

CSIDL_COMMON_TEMPLATES

The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

CSIDL_COMMON_VIDEO

The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

CSIDL_DEFAULT_APPDATA

Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_LOCAL_APPDATA

Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_COOKIES

Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_CONTACTS

Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_DESKTOP

Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_DOWNLOADS

Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_FAVORITES

Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_HISTORY

Refers to the History folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_INTERNET_CACHE

Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_PERSONAL

Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYDOCUMENTS

Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYPICTURES

Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYMUSIC

Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYVIDEO

Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_RECENT

Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_SENDTO

Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_STARTMENU

Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_PROGRAMS

Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_STARTUP

Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_TEMPLATES

Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_QUICKLAUNCH

Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

CSIDL_FONTS

A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

CSIDL_PROGRAM_FILESX86

The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

CSIDL_PROGRAM_FILES_COMMONX86

A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

CSIDL_PROGRAM_FILES

The Program Files folder. A typical path is C:\Program Files.

CSIDL_PROGRAM_FILES_COMMON

A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

CSIDL_RESOURCES

The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

CSIDL_SYSTEM

The Windows System folder. A typical path is C:\Windows\System32.

CSIDL_WINDOWS

The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

DEFAULTUSERPROFILE

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

PROFILESFOLDER

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

PROGRAMFILES

Same as CSIDL_PROGRAM_FILES.

PROGRAMFILES(X86)

Refers to the C:\Program Files (x86) folder on 64-bit systems.

SYSTEM

Refers to %WINDIR%\system32.

SYSTEM16

Refers to %WINDIR%\system.

SYSTEM32

Refers to %WINDIR%\system32.

SYSTEMPROFILE

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

SYSTEMROOT

Refers to the root of the system drive.

WINDIR

Refers to the Windows folder located on the system drive.

+ +  + +## Variables that are recognized only in the user context + + +You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VariableExplanation

APPDATA

Same as CSIDL_APPDATA.

CSIDL_ADMINTOOLS

The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

CSIDL_ALTSTARTUP

The file-system directory that corresponds to the user's non-localized Startup program group.

CSIDL_APPDATA

The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

CSIDL_BITBUCKET

The virtual folder that contains the objects in the user's Recycle Bin.

CSIDL_CDBURN_AREA

The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

CSIDL_CONNECTIONS

The virtual folder representing Network Connections that contains network and dial-up connections.

CSIDL_CONTACTS

This refers to the Contacts folder in %CSIDL_PROFILE%.

CSIDL_CONTROLS

The virtual folder that contains icons for the Control Panel items.

CSIDL_COOKIES

The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

CSIDL_DESKTOP

The virtual folder representing the Windows desktop.

CSIDL_DESKTOPDIRECTORY

The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

CSIDL_DRIVES

The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

CSIDL_FAVORITES

The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

CSIDL_HISTORY

The file-system directory that serves as a common repository for Internet history items.

CSIDL_INTERNET

A virtual folder for Internet Explorer.

CSIDL_INTERNET_CACHE

The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

CSIDL_LOCAL_APPDATA

The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

CSIDL_MYDOCUMENTS

The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

CSIDL_MYMUSIC

The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

CSIDL_MYPICTURES

The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

CSIDL_MYVIDEO

The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

CSIDL_NETHOOD

A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

CSIDL_NETWORK

A virtual folder representing My Network Places, the root of the network namespace hierarchy.

CSIDL_PERSONAL

The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

+

A typical path is C:\Documents and Settings\username\My Documents.

CSIDL_PLAYLISTS

The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

CSIDL_PRINTERS

The virtual folder that contains installed printers.

CSIDL_PRINTHOOD

The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

CSIDL_PROFILE

The user's profile folder. A typical path is C:\Users\Username.

CSIDL_PROGRAMS

The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

CSIDL_RECENT

The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

CSIDL_SENDTO

The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

CSIDL_STARTMENU

The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

CSIDL_STARTUP

The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

CSIDL_TEMPLATES

The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

HOMEPATH

Same as the standard environment variable.

TEMP

The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

TMP

The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

USERPROFILE

Same as CSIDL_PROFILE.

USERSID

Represents the current user-account security identifier (SID). For example,

+

S-1-5-21-1714567821-1326601894-715345443-1026.

+ +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index c5bcd4193c..a95bb1e788 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -1,77 +1,78 @@ ---- -title: User State Migration Toolkit (USMT) Reference (Windows 10) -description: User State Migration Toolkit (USMT) Reference -ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Toolkit (USMT) Reference - - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

USMT Requirements

Describes operating system, hardware, and software requirements, and user prerequisites.

USMT Best Practices

Discusses general and security-related best practices when using USMT.

How USMT Works

Learn about the processes behind the ScanState and LoadState tools.

Plan Your Migration

Choose what to migrate and the best migration scenario for your enterprise.

User State Migration Tool (USMT) Command-line Syntax

Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

USMT XML Reference

Learn about customizing a migration with XML files.

Offline Migration Reference

Find requirements, best practices, and other considerations for performing a migration offline.

- - - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - - - - - - - - - +--- +title: User State Migration Toolkit (USMT) Reference (Windows 10) +description: User State Migration Toolkit (USMT) Reference +ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Toolkit (USMT) Reference + + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

USMT Requirements

Describes operating system, hardware, and software requirements, and user prerequisites.

USMT Best Practices

Discusses general and security-related best practices when using USMT.

How USMT Works

Learn about the processes behind the ScanState and LoadState tools.

Plan Your Migration

Choose what to migrate and the best migration scenario for your enterprise.

User State Migration Tool (USMT) Command-line Syntax

Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

USMT XML Reference

Learn about customizing a migration with XML files.

Offline Migration Reference

Find requirements, best practices, and other considerations for performing a migration offline.

+ + + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index eaaa49a5d4..2925570b27 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -1,50 +1,51 @@ ---- -title: USMT Resources (Windows 10) -description: USMT Resources -ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# USMT Resources - - -## USMT Online Resources - - -- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) - -- Microsoft Visual Studio - - - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. - - For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. - -- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) - -- Forums: - - - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) - - - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -  - -  - - - - - +--- +title: USMT Resources (Windows 10) +description: USMT Resources +ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# USMT Resources + + +## USMT Online Resources + + +- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) + +- Microsoft Visual Studio + + - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. + + For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. + +- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) + +- Forums: + + - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) + + - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md index c137197a5c..b019994baa 100644 --- a/windows/deployment/usmt/usmt-return-codes.md +++ b/windows/deployment/usmt/usmt-return-codes.md @@ -1,786 +1,787 @@ ---- -title: Return Codes (Windows 10) -description: Return Codes -ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Return Codes - - -This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. - -Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). - -## In This Topic - - -[USMT Return Codes](#bkmk-returncodes) - -[USMT Error Messages](#bkmk-errormessages) - -[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) - -## USMT Return Codes - - -If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. - -Return codes are grouped into the following broad categories that describe their area of error reporting: - -Success or User Cancel - -Invalid Command Lines - -Setup and Initialization - -Non-fatal Errors - -Fatal Errors - -As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. - -## USMT Error Messages - - -Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. - -You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). - -## Troubleshooting Return Codes and Error Messages - - -The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

0

USMT_SUCCESS

Successful run

Not applicable

Success or Cancel

1

USMT_DISPLAY_HELP

Command line help requested

Not applicable

Success or Cancel

2

USMT_STATUS_CANCELED

Gather was aborted because of an EFS file

Not applicable

User chose to cancel (such as pressing CTRL+C)

Not applicable

Success or Cancel

3

USMT_WOULD_HAVE_FAILED

At least one error was skipped as a result of /c

Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

11

USMT_INVALID_PARAMETERS

/all conflicts with /ui, /ue or /uel

Review ScanState log or LoadState log for details about command-line errors.

/auto expects an optional parameter for the script folder

Review ScanState log or LoadState log for details about command-line errors.

/encrypt can't be used with /nocompress

Review ScanState log or LoadState log for details about command-line errors.

/encrypt requires /key or /keyfile

Review ScanState log or LoadState log for details about command-line errors.

/genconfig can't be used with most other options

Review ScanState log or LoadState log for details about command-line errors.

/genmigxml can't be used with most other options

Review ScanState log or LoadState log for details about command-line errors.

/hardlink requires /nocompress

Review ScanState log or LoadState log for details about command-line errors.

/key and /keyfile both specified

Review ScanState log or LoadState log for details about command-line errors.

/key or /keyfile used without enabling encryption

Review ScanState log or LoadState log for details about command-line errors.

/lae is only used with /lac

Review ScanState log or LoadState log for details about command-line errors.

/listfiles cannot be used with /p

Review ScanState log or LoadState log for details about command-line errors.

/offline requires a valid path to an XML file describing offline paths

Review ScanState log or LoadState log for details about command-line errors.

/offlinewindir requires a valid path to offline windows folder

Review ScanState log or LoadState log for details about command-line errors.

/offlinewinold requires a valid path to offline windows folder

Review ScanState log or LoadState log for details about command-line errors.

A command was already specified

Verify that the command-line syntax is correct and that there are no duplicate commands.

An option argument is missing

Review ScanState log or LoadState log for details about command-line errors.

An option is specified more than once and is ambiguous

Review ScanState log or LoadState log for details about command-line errors.

By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

Review ScanState log or LoadState log for details about command-line errors.

Command line arguments are required. Specify /? for options.

Review ScanState log or LoadState log for details about command-line errors.

Command line option is not valid

Review ScanState log or LoadState log for details about command-line errors.

EFS parameter specified is not valid for /efs

Review ScanState log or LoadState log for details about command-line errors.

File argument is invalid for /genconfig

Review ScanState log or LoadState log for details about command-line errors.

File argument is invalid for /genmigxml

Review ScanState log or LoadState log for details about command-line errors.

Invalid space estimate path. Check the parameters and/or file system permissions

Review ScanState log or LoadState log for details about command-line errors.

List file path argument is invalid for /listfiles

Review ScanState log or LoadState log for details about command-line errors.

Retry argument must be an integer

Review ScanState log or LoadState log for details about command-line errors.

Settings store argument specified is invalid

Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

Specified encryption algorithm is not supported

Review ScanState log or LoadState log for details about command-line errors.

The /efs:hardlink requires /hardlink

Review ScanState log or LoadState log for details about command-line errors.

The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

Review ScanState log or LoadState log for details about command-line errors.

The store parameter is required but not specified

Review ScanState log or LoadState log for details about command-line errors.

The source-to-target domain mapping is invalid for /md

Review ScanState log or LoadState log for details about command-line errors.

The source-to-target user account mapping is invalid for /mu

Review ScanState log or LoadState log for details about command-line errors.

Undefined or incomplete command line option

Review ScanState log or LoadState log for details about command-line errors.

Invalid Command Lines

Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

Review ScanState log or LoadState log for details about command-line errors.

User exclusion argument is invalid

Review ScanState log or LoadState log for details about command-line errors.

Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

Review ScanState log or LoadState log for details about command-line errors.

Volume shadow copy feature is not supported with a hardlink store

Review ScanState log or LoadState log for details about command-line errors.

Wait delay argument must be an integer

Review ScanState log or LoadState log for details about command-line errors.

12

USMT_ERROR_OPTION_PARAM_TOO_LARGE

Command line arguments cannot exceed 256 characters

Review ScanState log or LoadState log for details about command-line errors.

Invalid Command Lines

Specified settings store path exceeds the maximum allowed length of 256 characters

Review ScanState log or LoadState log for details about command-line errors.

13

USMT_INIT_LOGFILE_FAILED

Log path argument is invalid for /l

When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

Invalid Command Lines

14

USMT_ERROR_USE_LAC

Unable to create a local account because /lac was not specified

When creating local accounts, the command-line options /lac and /lae should be used.

Invalid Command Lines

26

USMT_INIT_ERROR

Multiple Windows installations found

Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

Setup and Initialization

Software malfunction or unknown exception

Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

27

USMT_INVALID_STORE_LOCATION

A store path can't be used because an existing store exists; specify /o to overwrite

Specify /o to overwrite an existing intermediate or migration store.

Setup and Initialization

A store path is missing or has incomplete data

Make sure that the store path is accessible and that the proper permission levels are set.

An error occurred during store creation

Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

An inappropriate device such as a floppy disk was specified for the store

Make sure that the store path is accessible and that the proper permission levels are set.

Invalid store path; check the store parameter and/or file system permissions

Invalid store path; check the store parameter and/or file system permissions

The file layout and/or file content is not recognized as a valid store

Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

The store path holds a store incompatible with the current USMT version

Make sure that the store path is accessible and that the proper permission levels are set.

The store save location is read-only or does not support a requested storage option

Make sure that the store path is accessible and that the proper permission levels are set.

28

USMT_UNABLE_GET_SCRIPTFILES

Script file is invalid for /i

Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

Setup and Initialization

Unable to find a script file specified by /i

Verify the location of your script files, and ensure that the command-line options are correct.

29

USMT_FAILED_MIGSTARTUP

A minimum of 250 MB of free space is required for temporary files

Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

Setup and Initialization

Another process is preventing migration; only one migration tool can run at a time

Check the ScanState log file for migration .xml file errors.

Failed to start main processing, look in log for system errors or check the installation

Check the ScanState log file for migration .xml file errors.

Migration failed because of an XML error; look in the log for specific details

Check the ScanState log file for migration .xml file errors.

Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

Check the ScanState log file for migration .xml file errors.

31

USMT_UNABLE_FINDMIGUNITS

An error occurred during the discover phase; the log should have more specific information

Check the ScanState log file for migration .xml file errors.

Setup and Initialization

32

USMT_FAILED_SETMIGRATIONTYPE

An error occurred processing the migration system

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

Setup and Initialization

33

USMT_UNABLE_READKEY

Error accessing the file specified by the /keyfile parameter

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

Setup and Initialization

The encryption key must have at least one character

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

34

USMT_ERROR_INSUFFICIENT_RIGHTS

Directory removal requires elevated privileges

Log on as Administrator, and run with elevated privileges.

Setup and Initialization

No rights to create user profiles; log in as Administrator; run with elevated privileges

Log on as Administrator, and run with elevated privileges.

No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

Log on as Administrator, and run with elevated privileges.

35

USMT_UNABLE_DELETE_STORE

A reboot is required to remove the store

Reboot to delete any files that could not be deleted when the command was executed.

Setup and Initialization

A store path can't be used because it contains data that could not be overwritten

A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

There was an error removing the store

Review ScanState log or LoadState log for details about command-line errors.

36

USMT_ERROR_UNSUPPORTED_PLATFORM

Compliance check failure; please check the logs for details

Investigate whether there is an active temporary profile on the system.

Setup and Initialization

Use of /offline is not supported during apply

The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

Use /offline to run gather on this platform

The /offline command was not used while running in WinPE.

37

USMT_ERROR_NO_INVALID_KEY

The store holds encrypted data but the correct encryption key was not provided

Verify that you have included the correct encryption /key or /keyfile.

Setup and Initialization

38

USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

An error occurred during store access

Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

Setup and Initialization

39

USMT_UNABLE_TO_READ_CONFIG_FILE

Error reading Config.xml

Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

Setup and Initialization

File argument is invalid for /config

Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

40

USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

Error writing to the progress log

The Progress log could not be created. Verify that the location is valid and that you have write access.

Setup and Initialization

Progress log argument is invalid for /progress

The Progress log could not be created. Verify that the location is valid and that you have write access.

41

USMT_PREFLIGHT_FILE_CREATION_FAILED

Can't overwrite existing file

The Progress log could not be created. Verify that the location is valid and that you have write access.

Setup and Initialization

Invalid space estimate path. Check the parameters and/or file system permissions

Review ScanState log or LoadState log for details about command-line errors.

42

USMT_ERROR_CORRUPTED_STORE

The store contains one or more corrupted files

Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

61

USMT_MIGRATION_STOPPED_NONFATAL

Processing stopped due to an I/O error

USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

Non-fatal Errors

71

USMT_INIT_OPERATING_ENVIRONMENT_FAILED

A Windows Win32 API error occurred

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Fatal Errors

An error occurred when attempting to initialize the diagnostic mechanisms such as the log

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Failed to record diagnostic information

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Unable to start. Make sure you are running USMT with elevated privileges

Exit USMT and log in again with elevated privileges.

72

USMT_UNABLE_DOMIGRATION

An error occurred closing the store

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Fatal Errors

An error occurred in the apply process

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

An error occurred in the gather process

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Out of disk space while writing the store

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Out of temporary disk space on the local system

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

- - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Return Codes (Windows 10) +description: Return Codes +ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Return Codes + + +This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. + +Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). + +## In This Topic + + +[USMT Return Codes](#bkmk-returncodes) + +[USMT Error Messages](#bkmk-errormessages) + +[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) + +## USMT Return Codes + + +If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. + +Return codes are grouped into the following broad categories that describe their area of error reporting: + +Success or User Cancel + +Invalid Command Lines + +Setup and Initialization + +Non-fatal Errors + +Fatal Errors + +As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. + +## USMT Error Messages + + +Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. + +You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). + +## Troubleshooting Return Codes and Error Messages + + +The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

0

USMT_SUCCESS

Successful run

Not applicable

Success or Cancel

1

USMT_DISPLAY_HELP

Command line help requested

Not applicable

Success or Cancel

2

USMT_STATUS_CANCELED

Gather was aborted because of an EFS file

Not applicable

User chose to cancel (such as pressing CTRL+C)

Not applicable

Success or Cancel

3

USMT_WOULD_HAVE_FAILED

At least one error was skipped as a result of /c

Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

11

USMT_INVALID_PARAMETERS

/all conflicts with /ui, /ue or /uel

Review ScanState log or LoadState log for details about command-line errors.

/auto expects an optional parameter for the script folder

Review ScanState log or LoadState log for details about command-line errors.

/encrypt can't be used with /nocompress

Review ScanState log or LoadState log for details about command-line errors.

/encrypt requires /key or /keyfile

Review ScanState log or LoadState log for details about command-line errors.

/genconfig can't be used with most other options

Review ScanState log or LoadState log for details about command-line errors.

/genmigxml can't be used with most other options

Review ScanState log or LoadState log for details about command-line errors.

/hardlink requires /nocompress

Review ScanState log or LoadState log for details about command-line errors.

/key and /keyfile both specified

Review ScanState log or LoadState log for details about command-line errors.

/key or /keyfile used without enabling encryption

Review ScanState log or LoadState log for details about command-line errors.

/lae is only used with /lac

Review ScanState log or LoadState log for details about command-line errors.

/listfiles cannot be used with /p

Review ScanState log or LoadState log for details about command-line errors.

/offline requires a valid path to an XML file describing offline paths

Review ScanState log or LoadState log for details about command-line errors.

/offlinewindir requires a valid path to offline windows folder

Review ScanState log or LoadState log for details about command-line errors.

/offlinewinold requires a valid path to offline windows folder

Review ScanState log or LoadState log for details about command-line errors.

A command was already specified

Verify that the command-line syntax is correct and that there are no duplicate commands.

An option argument is missing

Review ScanState log or LoadState log for details about command-line errors.

An option is specified more than once and is ambiguous

Review ScanState log or LoadState log for details about command-line errors.

By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

Review ScanState log or LoadState log for details about command-line errors.

Command line arguments are required. Specify /? for options.

Review ScanState log or LoadState log for details about command-line errors.

Command line option is not valid

Review ScanState log or LoadState log for details about command-line errors.

EFS parameter specified is not valid for /efs

Review ScanState log or LoadState log for details about command-line errors.

File argument is invalid for /genconfig

Review ScanState log or LoadState log for details about command-line errors.

File argument is invalid for /genmigxml

Review ScanState log or LoadState log for details about command-line errors.

Invalid space estimate path. Check the parameters and/or file system permissions

Review ScanState log or LoadState log for details about command-line errors.

List file path argument is invalid for /listfiles

Review ScanState log or LoadState log for details about command-line errors.

Retry argument must be an integer

Review ScanState log or LoadState log for details about command-line errors.

Settings store argument specified is invalid

Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

Specified encryption algorithm is not supported

Review ScanState log or LoadState log for details about command-line errors.

The /efs:hardlink requires /hardlink

Review ScanState log or LoadState log for details about command-line errors.

The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

Review ScanState log or LoadState log for details about command-line errors.

The store parameter is required but not specified

Review ScanState log or LoadState log for details about command-line errors.

The source-to-target domain mapping is invalid for /md

Review ScanState log or LoadState log for details about command-line errors.

The source-to-target user account mapping is invalid for /mu

Review ScanState log or LoadState log for details about command-line errors.

Undefined or incomplete command line option

Review ScanState log or LoadState log for details about command-line errors.

Invalid Command Lines

Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

Review ScanState log or LoadState log for details about command-line errors.

User exclusion argument is invalid

Review ScanState log or LoadState log for details about command-line errors.

Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

Review ScanState log or LoadState log for details about command-line errors.

Volume shadow copy feature is not supported with a hardlink store

Review ScanState log or LoadState log for details about command-line errors.

Wait delay argument must be an integer

Review ScanState log or LoadState log for details about command-line errors.

12

USMT_ERROR_OPTION_PARAM_TOO_LARGE

Command line arguments cannot exceed 256 characters

Review ScanState log or LoadState log for details about command-line errors.

Invalid Command Lines

Specified settings store path exceeds the maximum allowed length of 256 characters

Review ScanState log or LoadState log for details about command-line errors.

13

USMT_INIT_LOGFILE_FAILED

Log path argument is invalid for /l

When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

Invalid Command Lines

14

USMT_ERROR_USE_LAC

Unable to create a local account because /lac was not specified

When creating local accounts, the command-line options /lac and /lae should be used.

Invalid Command Lines

26

USMT_INIT_ERROR

Multiple Windows installations found

Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

Setup and Initialization

Software malfunction or unknown exception

Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

27

USMT_INVALID_STORE_LOCATION

A store path can't be used because an existing store exists; specify /o to overwrite

Specify /o to overwrite an existing intermediate or migration store.

Setup and Initialization

A store path is missing or has incomplete data

Make sure that the store path is accessible and that the proper permission levels are set.

An error occurred during store creation

Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

An inappropriate device such as a floppy disk was specified for the store

Make sure that the store path is accessible and that the proper permission levels are set.

Invalid store path; check the store parameter and/or file system permissions

Invalid store path; check the store parameter and/or file system permissions

The file layout and/or file content is not recognized as a valid store

Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

The store path holds a store incompatible with the current USMT version

Make sure that the store path is accessible and that the proper permission levels are set.

The store save location is read-only or does not support a requested storage option

Make sure that the store path is accessible and that the proper permission levels are set.

28

USMT_UNABLE_GET_SCRIPTFILES

Script file is invalid for /i

Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

Setup and Initialization

Unable to find a script file specified by /i

Verify the location of your script files, and ensure that the command-line options are correct.

29

USMT_FAILED_MIGSTARTUP

A minimum of 250 MB of free space is required for temporary files

Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

Setup and Initialization

Another process is preventing migration; only one migration tool can run at a time

Check the ScanState log file for migration .xml file errors.

Failed to start main processing, look in log for system errors or check the installation

Check the ScanState log file for migration .xml file errors.

Migration failed because of an XML error; look in the log for specific details

Check the ScanState log file for migration .xml file errors.

Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

Check the ScanState log file for migration .xml file errors.

31

USMT_UNABLE_FINDMIGUNITS

An error occurred during the discover phase; the log should have more specific information

Check the ScanState log file for migration .xml file errors.

Setup and Initialization

32

USMT_FAILED_SETMIGRATIONTYPE

An error occurred processing the migration system

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

Setup and Initialization

33

USMT_UNABLE_READKEY

Error accessing the file specified by the /keyfile parameter

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

Setup and Initialization

The encryption key must have at least one character

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

34

USMT_ERROR_INSUFFICIENT_RIGHTS

Directory removal requires elevated privileges

Log on as Administrator, and run with elevated privileges.

Setup and Initialization

No rights to create user profiles; log in as Administrator; run with elevated privileges

Log on as Administrator, and run with elevated privileges.

No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

Log on as Administrator, and run with elevated privileges.

35

USMT_UNABLE_DELETE_STORE

A reboot is required to remove the store

Reboot to delete any files that could not be deleted when the command was executed.

Setup and Initialization

A store path can't be used because it contains data that could not be overwritten

A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

There was an error removing the store

Review ScanState log or LoadState log for details about command-line errors.

36

USMT_ERROR_UNSUPPORTED_PLATFORM

Compliance check failure; please check the logs for details

Investigate whether there is an active temporary profile on the system.

Setup and Initialization

Use of /offline is not supported during apply

The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

Use /offline to run gather on this platform

The /offline command was not used while running in WinPE.

37

USMT_ERROR_NO_INVALID_KEY

The store holds encrypted data but the correct encryption key was not provided

Verify that you have included the correct encryption /key or /keyfile.

Setup and Initialization

38

USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

An error occurred during store access

Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

Setup and Initialization

39

USMT_UNABLE_TO_READ_CONFIG_FILE

Error reading Config.xml

Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

Setup and Initialization

File argument is invalid for /config

Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

40

USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

Error writing to the progress log

The Progress log could not be created. Verify that the location is valid and that you have write access.

Setup and Initialization

Progress log argument is invalid for /progress

The Progress log could not be created. Verify that the location is valid and that you have write access.

41

USMT_PREFLIGHT_FILE_CREATION_FAILED

Can't overwrite existing file

The Progress log could not be created. Verify that the location is valid and that you have write access.

Setup and Initialization

Invalid space estimate path. Check the parameters and/or file system permissions

Review ScanState log or LoadState log for details about command-line errors.

42

USMT_ERROR_CORRUPTED_STORE

The store contains one or more corrupted files

Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

61

USMT_MIGRATION_STOPPED_NONFATAL

Processing stopped due to an I/O error

USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

Non-fatal Errors

71

USMT_INIT_OPERATING_ENVIRONMENT_FAILED

A Windows Win32 API error occurred

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Fatal Errors

An error occurred when attempting to initialize the diagnostic mechanisms such as the log

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Failed to record diagnostic information

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Unable to start. Make sure you are running USMT with elevated privileges

Exit USMT and log in again with elevated privileges.

72

USMT_UNABLE_DOMIGRATION

An error occurred closing the store

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Fatal Errors

An error occurred in the apply process

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

An error occurred in the gather process

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Out of disk space while writing the store

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Out of temporary disk space on the local system

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

+ + + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 83afe8628b..7214707bfe 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -1,873 +1,874 @@ ---- -title: ScanState Syntax (Windows 10) -description: ScanState Syntax -ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# ScanState Syntax - - -The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. - -## In This Topic - - -[Before You Begin](#bkmk-beforeyoubegin) - -[Syntax](#bkmk-syntax) - -[Storage Options](#bkmk-storageoptions) - -[Migration Rule Options](#bkmk-migrationruleoptions) - -[Monitoring Options](#bkmk-monitoringoptions) - -[User Options](#bkmk-useroptions) - -[Encrypted File Options](#bkmk-efs) - -[Incompatible Command-Line Options](#bkmk-iclo) - -## Before You Begin - - -Before you run the **ScanState** command, note the following: - -- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. - -- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. - -- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). - -- Unless otherwise noted, you can use each option only once when running a tool on the command line. - -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. - -- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. - -- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. - -## Syntax - - -This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. - -The **ScanState** command's syntax is: - -scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example: - -To create a Config.xml file in the current directory, use: - -`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` - -To create an encrypted store using the Config.xml file and the default migration .xml files, use: - -`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` - -## Storage Options - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-Line OptionDescription

StorePath

Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

/apps

Scans the image for apps and includes them and their associated registry settings.

/ppkg [<FileName>]

Exports to a specific file location.

/o

Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

/vsc

This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

-

This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

/hardlink

Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

/encrypt [{/key:<KeyString> | /keyfile:<file>]}

Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

-
    -

  • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

    • -

  • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

    • -
-

We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

-
-Important

You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

-
-
- -
-

The following example shows the ScanState command and the /key option:

-

scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

/encrypt:<EncryptionStrength>

The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

/nocompress

Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

-

The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

-

For example:

-

scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

- - - -## Run the ScanState Command on an Offline Windows System - - -You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. - -There are several benefits to running the **ScanState** command on an offline Windows image, including: - -- **Improved Performance.** - - Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. - -- **Simplified end to end deployment process.** - - Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. - -- **Improved success of migration.** - - The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. - -- **Ability to recover an unbootable computer.** - - It might be possible to recover and migrate data from an unbootable computer. - -## Offline Migration Options - - - ---- - - - - - - - - - - - - - - - - - - - - -
Command-Line OptionDefinition

/offline:"path to an offline.xml file"

This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

/offlinewindir:"path to a Windows directory"

This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

/offlinewinold:"Windows.old directory"

This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

- - - -## Migration Rule Options - - -USMT provides the following options to specify what files you want to migrate. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-Line OptionDescription

/i:[Path]FileName

(include)

-

Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

/genconfig:[Path]FileName

(Generate Config.xml)

-

Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

-

After you create this file, you will need to make use of it with the ScanState command using the /config option.

-

The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

-

Examples:

-
    -

  • The following example creates a Config.xml file in the current directory:

    -

    scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

    • -

/config:[Path</em>]FileName

Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

-

The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

-

scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

-

The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

-

loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

/auto:path to script files

This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

/genmigxml:path to a file

This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

/targetwindows8

Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

-
    -

  • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

    • -

  • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

    • -

/targetwindows7

Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

-
    -

  • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

    • -

  • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

    • -

/localonly

Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

-

Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

-

The /localonly command-line option includes or excludes data in the migration as identified in the following table:

- ---- - - - - - - - - - - - - - - - - - - - - -
Drive typeBehavior with /localonly

Removable drives such as a USB flash drive

Excluded

Network drives

Excluded

Fixed drives

Included

-

- - - -## Monitoring Options - - -USMT provides several options that you can use to analyze problems that occur during migration. - -**Note** -The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-Line OptionDescription

/listfiles:<FileName>

You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

/l:[Path]FileName

Specifies the location and name of the ScanState log.

-

You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

-

If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

/v:<VerbosityLevel>

(Verbosity)

-

Enables verbose output in the ScanState log file. The default value is 0.

-

You can set the VerbosityLevel to one of the following levels:

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

-

-

For example:

-

scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

-

/progress:[Path</em>]FileName

Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

-

For example:

-

scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

/c

When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

-

You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

/r:<TimesToRetry>

(Retry)

-

Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

-

While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

/w:<SecondsBeforeRetry>

(Wait)

-

Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

/p:<pathToFile>

When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

-

Scanstate.exe C:\MigrationLocation [additional parameters]

-

/p:"C:\MigrationStoreSize.xml"

-

For more information, see Estimate Migration Store Size.

-

To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

/? or /help

Displays Help at the command line.

- - - -## User Options - - -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Command-Line OptionDescription

/all

Migrates all of the users on the computer.

-

USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

/ui:<DomainName>\<UserName>

-

or

-

/ui:<ComputerName>\<LocalUserName>

(User include)

-

Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

-
-Note

If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

-
-
- -
-

For example:

-
    -

    To include only User2 from the Fabrikam domain, type:

    -

    /ue:*\* /ui:fabrikam\user2

    -

    To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

    -

    /uel:30 /ui:fabrikam\*

    -

    In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

    -
-

For more examples, see the descriptions of the /ue and /ui options in this table.

/uel:<NumberOfDays>

-

or

-

/uel:<YYYY/MM/DD>

-

or

-

/uel:0

(User exclude based on last logon)

-

Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

-

You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

-
-Note

The /uel option is not valid in offline migrations.

-
-
- -
-
    -

  • /uel:0 migrates any users who are currently logged on.

    • -

  • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

    • -

  • /uel:1 migrates users whose account has been modified within the last 24 hours.

    • -

  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

    • -
-

For example:

-

scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

/ue:<DomainName>\<UserName>

-

-or-

-

-

/ue:<ComputerName>\<LocalUserName>

(User exclude)

-

Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

-

For example:

-

scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

- - - -## How to Use /ui and /ue - - -The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
BehaviorCommand

Exclude the user named User One in the Fabrikam domain.

/ue:"fabrikam\user one"

Exclude the user named User1 in the Fabrikam domain.

/ue:fabrikam\user1

Exclude the local user named User1.

/ue:%computername%\user1

Exclude all domain users.

/ue:Domain\*

Exclude all local users.

/ue:%computername%\*

Exclude users in all domains named User1, User2, and so on.

/ue:*\user*

- - - -## Using the Options Together - - -You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. - -The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. - -The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
BehaviorCommand

Include only User2 from the Fabrikam domain and exclude all other users.

/ue:*\* /ui:fabrikam\user2

Include only the local user named User1 and exclude all other users.

/ue:*\* /ui:user1

Include only the domain users from Contoso, except Contoso\User1.

This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

-
    -

  • On the ScanState command line, type: /ue:*\* /ui:contoso\*

    • -

  • On the LoadState command line, type: /ue:contoso\user1

    • -

Include only local (non-domain) users.

/ue:*\* /ui:%computername%\*

- - - -## Encrypted File Options - - -You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. - -For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). - -**Note** -EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files - - - -**Caution** -Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-Line OptionExplanation

/efs:hardlink

Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

/efs:abort

Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

/efs:skip

Causes the ScanState command to ignore EFS files.

/efs:decryptcopy

Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

/efs:copyraw

Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

-

For example:

-

ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

-
-Important

All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

-
-
- -
- - - -## Incompatible Command-Line Options - - -The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-Line Option/keyfile/nocompress/genconfig/all

/i

/o

/v

/nocompress

X

N/A

/localonly

X

/key

X

X

/encrypt

Required*

X

X

/keyfile

N/A

X

/l

/progress

X

/r

X

/w

X

/c

X

/p

X

N/A

/all

X

/ui

X

X

/ue

X

X

/uel

X

X

/efs:<option>

X

/genconfig

N/A

/config

X

<StorePath>

X

- - - -**Note** -You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. - - - -## Related topics - - -[XML Elements Library](usmt-xml-elements-library.md) - - - - - - - - - +--- +title: ScanState Syntax (Windows 10) +description: ScanState Syntax +ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# ScanState Syntax + + +The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. + +## In This Topic + + +[Before You Begin](#bkmk-beforeyoubegin) + +[Syntax](#bkmk-syntax) + +[Storage Options](#bkmk-storageoptions) + +[Migration Rule Options](#bkmk-migrationruleoptions) + +[Monitoring Options](#bkmk-monitoringoptions) + +[User Options](#bkmk-useroptions) + +[Encrypted File Options](#bkmk-efs) + +[Incompatible Command-Line Options](#bkmk-iclo) + +## Before You Begin + + +Before you run the **ScanState** command, note the following: + +- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. + +- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. + +- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). + +- Unless otherwise noted, you can use each option only once when running a tool on the command line. + +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. + +- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. + +- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. + +## Syntax + + +This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. + +The **ScanState** command's syntax is: + +scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example: + +To create a Config.xml file in the current directory, use: + +`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` + +To create an encrypted store using the Config.xml file and the default migration .xml files, use: + +`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` + +## Storage Options + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

StorePath

Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

/apps

Scans the image for apps and includes them and their associated registry settings.

/ppkg [<FileName>]

Exports to a specific file location.

/o

Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

/vsc

This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

+

This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

/hardlink

Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

/encrypt [{/key:<KeyString> | /keyfile:<file>]}

Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

+
    +

  • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

    • +

  • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

    • +
+

We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

+
+Important

You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

+
+
+ +
+

The following example shows the ScanState command and the /key option:

+

scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

/encrypt:<EncryptionStrength>

The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

/nocompress

Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

+

The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

+

For example:

+

scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

+ + + +## Run the ScanState Command on an Offline Windows System + + +You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. + +There are several benefits to running the **ScanState** command on an offline Windows image, including: + +- **Improved Performance.** + + Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. + +- **Simplified end to end deployment process.** + + Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. + +- **Improved success of migration.** + + The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. + +- **Ability to recover an unbootable computer.** + + It might be possible to recover and migrate data from an unbootable computer. + +## Offline Migration Options + + + ++++ + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDefinition

/offline:"path to an offline.xml file"

This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

/offlinewindir:"path to a Windows directory"

This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

/offlinewinold:"Windows.old directory"

This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

+ + + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/i:[Path]FileName

(include)

+

Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

/genconfig:[Path]FileName

(Generate Config.xml)

+

Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

+

After you create this file, you will need to make use of it with the ScanState command using the /config option.

+

The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

+

Examples:

+
    +

  • The following example creates a Config.xml file in the current directory:

    +

    scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

    • +

/config:[Path</em>]FileName

Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

+

The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

+

scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

+

The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

+

loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

/auto:path to script files

This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

/genmigxml:path to a file

This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

/targetwindows8

Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

+
    +

  • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

    • +

  • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

    • +

/targetwindows7

Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

+
    +

  • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

    • +

  • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

    • +

/localonly

Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

+

Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

+

The /localonly command-line option includes or excludes data in the migration as identified in the following table:

+ ++++ + + + + + + + + + + + + + + + + + + + + +
Drive typeBehavior with /localonly

Removable drives such as a USB flash drive

Excluded

Network drives

Excluded

Fixed drives

Included

+

+ + + +## Monitoring Options + + +USMT provides several options that you can use to analyze problems that occur during migration. + +**Note** +The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/listfiles:<FileName>

You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

/l:[Path]FileName

Specifies the location and name of the ScanState log.

+

You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

+

If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the ScanState log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

+

For example:

+

scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

+

/progress:[Path</em>]FileName

Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

+

For example:

+

scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

/c

When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

+

You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

/r:<TimesToRetry>

(Retry)

+

Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

+

While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

/w:<SecondsBeforeRetry>

(Wait)

+

Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

/p:<pathToFile>

When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

+

Scanstate.exe C:\MigrationLocation [additional parameters]

+

/p:"C:\MigrationStoreSize.xml"

+

For more information, see Estimate Migration Store Size.

+

To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

/? or /help

Displays Help at the command line.

+ + + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/all

Migrates all of the users on the computer.

+

USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

/ui:<DomainName>\<UserName>

+

or

+

/ui:<ComputerName>\<LocalUserName>

(User include)

+

Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

+
+Note

If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

+
+
+ +
+

For example:

+
    +

    To include only User2 from the Fabrikam domain, type:

    +

    /ue:*\* /ui:fabrikam\user2

    +

    To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

    +

    /uel:30 /ui:fabrikam\*

    +

    In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

    +
+

For more examples, see the descriptions of the /ue and /ui options in this table.

/uel:<NumberOfDays>

+

or

+

/uel:<YYYY/MM/DD>

+

or

+

/uel:0

(User exclude based on last logon)

+

Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

+

You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

+
+Note

The /uel option is not valid in offline migrations.

+
+
+ +
+
    +

  • /uel:0 migrates any users who are currently logged on.

    • +

  • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

    • +

  • /uel:1 migrates users whose account has been modified within the last 24 hours.

    • +

  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

    • +
+

For example:

+

scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

/ue:<DomainName>\<UserName>

+

-or-

+

+

/ue:<ComputerName>\<LocalUserName>

(User exclude)

+

Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

+

For example:

+

scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

+ + + +## How to Use /ui and /ue + + +The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
BehaviorCommand

Exclude the user named User One in the Fabrikam domain.

/ue:"fabrikam\user one"

Exclude the user named User1 in the Fabrikam domain.

/ue:fabrikam\user1

Exclude the local user named User1.

/ue:%computername%\user1

Exclude all domain users.

/ue:Domain\*

Exclude all local users.

/ue:%computername%\*

Exclude users in all domains named User1, User2, and so on.

/ue:*\user*

+ + + +## Using the Options Together + + +You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. + +The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. + +The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
BehaviorCommand

Include only User2 from the Fabrikam domain and exclude all other users.

/ue:*\* /ui:fabrikam\user2

Include only the local user named User1 and exclude all other users.

/ue:*\* /ui:user1

Include only the domain users from Contoso, except Contoso\User1.

This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

+
    +

  • On the ScanState command line, type: /ue:*\* /ui:contoso\*

    • +

  • On the LoadState command line, type: /ue:contoso\user1

    • +

Include only local (non-domain) users.

/ue:*\* /ui:%computername%\*

+ + + +## Encrypted File Options + + +You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. + +For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + +**Note** +EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files + + + +**Caution** +Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionExplanation

/efs:hardlink

Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

/efs:abort

Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

/efs:skip

Causes the ScanState command to ignore EFS files.

/efs:decryptcopy

Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

/efs:copyraw

Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

+

For example:

+

ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

+
+Important

All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

+
+
+ +
+ + + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line Option/keyfile/nocompress/genconfig/all

/i

/o

/v

/nocompress

X

N/A

/localonly

X

/key

X

X

/encrypt

Required*

X

X

/keyfile

N/A

X

/l

/progress

X

/r

X

/w

X

/c

X

/p

X

N/A

/all

X

/ui

X

X

/ue

X

X

/uel

X

X

/efs:<option>

X

/genconfig

N/A

/config

X

<StorePath>

X

+ + + +**Note** +You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. + + + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 69321a476c..c237c8528c 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -1,30 +1,31 @@ ---- -title: User State Migration Tool (USMT) Overview Topics (Windows 10) -description: User State Migration Tool (USMT) Overview Topics -ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview Topics -The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. - -## In This Section - -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| -|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| -|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| - -## Related topics -- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +--- +title: User State Migration Tool (USMT) Overview Topics (Windows 10) +description: User State Migration Tool (USMT) Overview Topics +ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview Topics +The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +## In This Section + +|Topic |Description| +|------|-----------| +|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| +|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| +|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| + +## Related topics +- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 4e9269a29d..6973daa26a 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -1,351 +1,352 @@ ---- -title: UsmtUtils Syntax (Windows 10) -description: UsmtUtils Syntax -ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# UsmtUtils Syntax - - -This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: - -- Improve your ability to determine cryptographic options for your migration. - -- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. - -- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. - -- Extract files from the compressed migration store when you migrate files and settings to the destination computer. - -## In This Topic - - -[Usmtutils.exe](#bkmk-usmtutils-exe) - -[Verify Options](#bkmk-verifyoptions) - -[Extract Options](#bkmk-extractoptions) - -## Usmtutils.exe - - -The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. - -The syntax for UsmtUtils.exe is: - -usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-line OptionDescription

/ec

Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

/rd<storeDir>

Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

-

For example:

-

usmtutils /rd D:\MyHardLinkStore

/y

Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

/verify

Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

-

See Verify Options for syntax and options to use with /verify.

/extract

Recovers files from a compressed USMT migration store.

-

See Extract Options for syntax and options to use with /extract.

- - - -## Verify Options - - -Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -The syntax for **/verify** is: - -usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Command-line OptionDescription

<reportType>

Specifies whether to report on all files, corrupted files only, or the status of the catalog.

-
    -

  • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

    • -

  • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

    • -

  • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

    • -

  • Catalog. Returns only the status of the catalog file.

    • -
/l: -

<logfilePath>

Specifies the location and name of the log file.

/v:<VerbosityLevel>

(Verbosity)

-

Enables verbose output in the UsmtUtils log file. The default value is 0.

-

You can set the VerbosityLevel to one of the following levels:

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

-

 

/decrypt<AlgID>/:<KeyString>

-

or

-

/decrypt<AlgID>/:<“Key String”>

-

or

-

/decrypt:<AlgID>/keyfile:<FileName>

Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

-
    -

  • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

    -

    <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

    • -

  • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

    • -

  • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

    • -
-

For more information about supported encryption algorithms, see Migration Store Encryption

- - - -Some examples of **/verify** commands: - -- `usmtutils /verify D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` - -- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` - -## Extract Options - - -Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -The syntax for **/extract** is: - -/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Command-line OptionDescription

<filePath>

Path to the USMT migration store.

-

For example:

-

D:\MyMigrationStore\USMT\store.mig

<destinationPath>

Path to the folder where the tool puts the individual files.

/i:<includePattern>

Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

/e:<excludePattern>

Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

/l:<logfilePath>

Specifies the location and name of the log file.

/v:<VerbosityLevel>

(Verbosity)

-

Enables verbose output in the UsmtUtils log file. The default value is 0.

-

You can set the VerbosityLevel to one of the following levels:

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

-

 

/decrypt<AlgID>/key:<KeyString>

-

or

-

/decrypt<AlgID>/:<“Key String”>

-

or

-

/decrypt:<AlgID>/keyfile:<FileName>

Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

-
    -

  • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

    -

    <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

    • -

  • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

    • -

  • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

    • -
-

For more information about supported encryption algorithms, see Migration Store Encryption.

/o

Overwrites existing output files.

- - - -Some examples of **/extract** commands: - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[Return Codes](usmt-return-codes.md) - - - - - - - - - +--- +title: UsmtUtils Syntax (Windows 10) +description: UsmtUtils Syntax +ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# UsmtUtils Syntax + + +This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: + +- Improve your ability to determine cryptographic options for your migration. + +- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. + +- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. + +- Extract files from the compressed migration store when you migrate files and settings to the destination computer. + +## In This Topic + + +[Usmtutils.exe](#bkmk-usmtutils-exe) + +[Verify Options](#bkmk-verifyoptions) + +[Extract Options](#bkmk-extractoptions) + +## Usmtutils.exe + + +The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. + +The syntax for UsmtUtils.exe is: + +usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-line OptionDescription

/ec

Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

/rd<storeDir>

Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

+

For example:

+

usmtutils /rd D:\MyHardLinkStore

/y

Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

/verify

Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

+

See Verify Options for syntax and options to use with /verify.

/extract

Recovers files from a compressed USMT migration store.

+

See Extract Options for syntax and options to use with /extract.

+ + + +## Verify Options + + +Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +The syntax for **/verify** is: + +usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Command-line OptionDescription

<reportType>

Specifies whether to report on all files, corrupted files only, or the status of the catalog.

+
    +

  • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

    • +

  • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

    • +

  • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

    • +

  • Catalog. Returns only the status of the catalog file.

    • +
/l: +

<logfilePath>

Specifies the location and name of the log file.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the UsmtUtils log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

 

/decrypt<AlgID>/:<KeyString>

+

or

+

/decrypt<AlgID>/:<“Key String”>

+

or

+

/decrypt:<AlgID>/keyfile:<FileName>

Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

+
    +

  • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

    +

    <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

    • +

  • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

    • +

  • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

    • +
+

For more information about supported encryption algorithms, see Migration Store Encryption

+ + + +Some examples of **/verify** commands: + +- `usmtutils /verify D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` + +## Extract Options + + +Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +The syntax for **/extract** is: + +/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-line OptionDescription

<filePath>

Path to the USMT migration store.

+

For example:

+

D:\MyMigrationStore\USMT\store.mig

<destinationPath>

Path to the folder where the tool puts the individual files.

/i:<includePattern>

Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

/e:<excludePattern>

Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

/l:<logfilePath>

Specifies the location and name of the log file.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the UsmtUtils log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

 

/decrypt<AlgID>/key:<KeyString>

+

or

+

/decrypt<AlgID>/:<“Key String”>

+

or

+

/decrypt:<AlgID>/keyfile:<FileName>

Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

+
    +

  • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

    +

    <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

    • +

  • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

    • +

  • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

    • +
+

For more information about supported encryption algorithms, see Migration Store Encryption.

/o

Overwrites existing output files.

+ + + +Some examples of **/extract** commands: + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[Return Codes](usmt-return-codes.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 4fc36c33bc..b3e8cae84e 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -1,429 +1,430 @@ ---- -title: What does USMT migrate (Windows 10) -description: What does USMT migrate -ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 09/12/2017 -ms.topic: article ---- - -# What does USMT migrate? - - -## In this topic - - -- [Default migration scripts](#bkmk-defaultmigscripts) - -- [User Data](#bkmk-3) - -- [Operating-system components](#bkmk-4) - -- [Supported applications](#bkmk-2) - -- [What USMT does not migrate](#no) - -## Default migration scripts - - -The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: - -- **MigApp.XML.** Rules to migrate application settings. - -- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. - -- **MigUser.XML.** Rules to migrate user profiles and user data. - - MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. - - The following data does not migrate with MigUser.xml: - - - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. - - - Access control lists (ACLs) for folders outside the user profile. - -## User data - - -This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. - -- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: - - My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. - - >[!IMPORTANT] - >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: - - - Shared Documents - - - Shared Video - - - Shared Music - - - Shared desktop files - - - Shared Pictures - - - Shared Start menu - - - Shared Favorites - -- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: - - **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** - - **Note**   - The asterisk (\*) stands for zero or more characters. - - - -- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. - -**Important**   -To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. - - - -## Operating-system components - - -USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 - -The following components are migrated by default using the manifest files: - -- Accessibility settings - -- Address book - -- Command-prompt settings - -- \*Desktop wallpaper - -- EFS files - -- Favorites - -- Folder options - -- Fonts - -- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. - -- \*Windows Internet Explorer® settings - -- Microsoft® Open Database Connectivity (ODBC) settings - -- Mouse and keyboard settings - -- Network drive mapping - -- \*Network printer mapping - -- \*Offline files - -- \*Phone and modem options - -- RAS connection and phone book (.pbk) files - -- \*Regional settings - -- Remote Access - -- \*Taskbar settings - -- User personal certificates (all) - -- Windows Mail. - -- \*Windows Media Player - -- Windows Rights Management - -\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). - -**Important**   -This list may not be complete. There may be additional components that are migrated. - - - -**Note**   -Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. - - - -## Supported applications - - -Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. - -**Note**   -The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. - - - -**Note**   -USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. - - - -When you specify the MigApp.xml file, USMT migrates the settings for the following applications: - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ProductVersion

Adobe Acrobat Reader

9

AOL Instant Messenger

6.8

Adobe Creative Suite

2

Adobe Photoshop CS

8, 9

Adobe ImageReady CS

Apple iTunes

6, 7, 8

Apple QuickTime Player

5, 6, 7

Apple Safari

3.1.2

Google Chrome

beta

Google Picasa

3

Google Talk

beta

IBM Lotus 1-2-3

9

IBM Lotus Notes

6,7, 8

IBM Lotus Organizer

5

IBM Lotus WordPro

9.9

Intuit Quicken Deluxe

2009

Money Plus Business

2008

Money Plus Home

2008

Mozilla Firefox

3

Microsoft Office

2003, 2007, 2010

Microsoft Office Access®

2003, 2007, 2010

Microsoft Office Excel®

2003, 2007, 2010

Microsoft Office FrontPage®

2003, 2007, 2010

Microsoft Office OneNote®

2003, 2007, 2010

Microsoft Office Outlook®

2003, 2007, 2010

Microsoft Office PowerPoint®

2003, 2007, 2010

Microsoft Office Publisher

2003, 2007, 2010

Microsoft Office Word

2003, 2007, 2010

Opera Software Opera

9.5

Microsoft Outlook Express

(only mailbox file)

Microsoft Project

2003, 2007

Microsoft Office Visio®

2003, 2007

RealPlayer Basic

11

Sage Peachtree

2009

Skype

3.8

Windows Live Mail

12, 14

Windows Live Messenger

8.5, 14

Windows Live MovieMaker

14

Windows Live Photo Gallery

12, 14

Windows Live Writer

12, 14

Windows Mail

(Windows 7 and 8)

Microsoft Works

9

Yahoo Messenger

9

Microsoft Zune™ Software

3

- - - -## What USMT does not migrate - - -The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). - -### Application settings - -USMT does not migrate the following application settings: - -- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. - -- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. - -- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. - -- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: - - - You change the default installation location on 32-bit destination computers. - - - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. - -### Operating-System settings - -USMT does not migrate the following operating-system settings. - -- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. - -- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. - -- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. - -- Customized icons for shortcuts may not migrate. - -- Taskbar settings, when the source computer is running Windows XP. - -You should also note the following: - -- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. - -- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -### Start menu layout - -Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -## Related topics - - -[Plan your migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: What does USMT migrate (Windows 10) +description: What does USMT migrate +ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 09/12/2017 +ms.topic: article +--- + +# What does USMT migrate? + + +## In this topic + + +- [Default migration scripts](#bkmk-defaultmigscripts) + +- [User Data](#bkmk-3) + +- [Operating-system components](#bkmk-4) + +- [Supported applications](#bkmk-2) + +- [What USMT does not migrate](#no) + +## Default migration scripts + + +The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: + +- **MigApp.XML.** Rules to migrate application settings. + +- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. + +- **MigUser.XML.** Rules to migrate user profiles and user data. + + MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. + + The following data does not migrate with MigUser.xml: + + - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. + + - Access control lists (ACLs) for folders outside the user profile. + +## User data + + +This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. + +- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: + + My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + + >[!IMPORTANT] + >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + +- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: + + - Shared Documents + + - Shared Video + + - Shared Music + + - Shared desktop files + + - Shared Pictures + + - Shared Start menu + + - Shared Favorites + +- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: + + **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** + + **Note**   + The asterisk (\*) stands for zero or more characters. + + + +- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. + +**Important**   +To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. + + + +## Operating-system components + + +USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 + +The following components are migrated by default using the manifest files: + +- Accessibility settings + +- Address book + +- Command-prompt settings + +- \*Desktop wallpaper + +- EFS files + +- Favorites + +- Folder options + +- Fonts + +- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. + +- \*Windows Internet Explorer® settings + +- Microsoft® Open Database Connectivity (ODBC) settings + +- Mouse and keyboard settings + +- Network drive mapping + +- \*Network printer mapping + +- \*Offline files + +- \*Phone and modem options + +- RAS connection and phone book (.pbk) files + +- \*Regional settings + +- Remote Access + +- \*Taskbar settings + +- User personal certificates (all) + +- Windows Mail. + +- \*Windows Media Player + +- Windows Rights Management + +\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). + +**Important**   +This list may not be complete. There may be additional components that are migrated. + + + +**Note**   +Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. + + + +## Supported applications + + +Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. + +**Note**   +The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. + + + +**Note**   +USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. + + + +When you specify the MigApp.xml file, USMT migrates the settings for the following applications: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ProductVersion

Adobe Acrobat Reader

9

AOL Instant Messenger

6.8

Adobe Creative Suite

2

Adobe Photoshop CS

8, 9

Adobe ImageReady CS

Apple iTunes

6, 7, 8

Apple QuickTime Player

5, 6, 7

Apple Safari

3.1.2

Google Chrome

beta

Google Picasa

3

Google Talk

beta

IBM Lotus 1-2-3

9

IBM Lotus Notes

6,7, 8

IBM Lotus Organizer

5

IBM Lotus WordPro

9.9

Intuit Quicken Deluxe

2009

Money Plus Business

2008

Money Plus Home

2008

Mozilla Firefox

3

Microsoft Office

2003, 2007, 2010

Microsoft Office Access®

2003, 2007, 2010

Microsoft Office Excel®

2003, 2007, 2010

Microsoft Office FrontPage®

2003, 2007, 2010

Microsoft Office OneNote®

2003, 2007, 2010

Microsoft Office Outlook®

2003, 2007, 2010

Microsoft Office PowerPoint®

2003, 2007, 2010

Microsoft Office Publisher

2003, 2007, 2010

Microsoft Office Word

2003, 2007, 2010

Opera Software Opera

9.5

Microsoft Outlook Express

(only mailbox file)

Microsoft Project

2003, 2007

Microsoft Office Visio®

2003, 2007

RealPlayer Basic

11

Sage Peachtree

2009

Skype

3.8

Windows Live Mail

12, 14

Windows Live Messenger

8.5, 14

Windows Live MovieMaker

14

Windows Live Photo Gallery

12, 14

Windows Live Writer

12, 14

Windows Mail

(Windows 7 and 8)

Microsoft Works

9

Yahoo Messenger

9

Microsoft Zune™ Software

3

+ + + +## What USMT does not migrate + + +The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). + +### Application settings + +USMT does not migrate the following application settings: + +- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. + +- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. + +- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. + +- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: + + - You change the default installation location on 32-bit destination computers. + + - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. + +### Operating-System settings + +USMT does not migrate the following operating-system settings. + +- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. + +- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. + +- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. + +- Customized icons for shortcuts may not migrate. + +- Taskbar settings, when the source computer is running Windows XP. + +You should also note the following: + +- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. + +- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +### Start menu layout + +Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + +## Related topics + + +[Plan your migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index fb7c4cdf96..b13ffc7af8 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -3,6 +3,7 @@ title: Configure VDA for Windows 10 Subscription Activation ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA keywords: upgrade, update, task sequence, deploy diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 06362064ff..b55db69a98 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -1,50 +1,51 @@ ---- -title: Activate an Active Directory Forest Online (Windows 10) -description: Activate an Active Directory Forest Online -ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Activate an Active Directory Forest Online - -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. - -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a host computer that has Internet access. -- VAMT has administrative permissions to the Active Directory domain. -- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. - -**To perform an online Active Directory forest activation** - -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. -5. If required, enter a new Active Directory-Based Activation Object name - - **Important**   - If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. - -6. Click **Install Key**. -7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. - -The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. - -## Related topics - -- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) -- [Add and Remove Computers](add-remove-computers-vamt.md) +--- +title: Activate an Active Directory Forest Online (Windows 10) +description: Activate an Active Directory Forest Online +ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Activate an Active Directory Forest Online + +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a host computer that has Internet access. +- VAMT has administrative permissions to the Active Directory domain. +- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. + +**To perform an online Active Directory forest activation** + +1. Open VAMT. +2. In the left-side pane, click the **Active Directory-Based Activation** node. +3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. +5. If required, enter a new Active Directory-Based Activation Object name + + **Important**   + If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Click **Install Key**. +7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. + +The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics + +- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) +- [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 0664a272c5..b88d65def4 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -1,127 +1,128 @@ ---- -title: Activate clients running Windows 10 (Windows 10) -description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. -ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Activate clients running Windows 10 - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. -Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. -If activation or reactivation is required, the following sequence occurs: -1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. -2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. -3. The computer tries to activate against Microsoft servers if it is configured with a MAK. - -If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. - -## How Key Management Service works - -KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. - -### Key Management Service activation thresholds - -You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. - -A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. -When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. - -In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. - -### Activation count cache - -To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. -However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. -The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. - -### Key Management Service connectivity - -KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. - -### Key Management Service activation renewal - -KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. - -### Publication of the Key Management Service - -The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. - -### Client discovery of the Key Management Service - -By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. -Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. -If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. -By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. - -### Domain Name System server configuration - -The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. -The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. - -### Activating the first Key Management Service host - -KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. - -### Activating subsequent Key Management Service hosts - -Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. - -## How Multiple Activation Key works - -A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. - -You can activate computers by using a MAK in two ways: -- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - - ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) - - **Figure 16**. MAK independent activation -- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - - ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) - - **Figure 17**. MAK proxy activation with the VAMT - -A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. - -You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. - -### Multiple Activation Key architecture and activation - -MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. -In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. - -## Activating as a standard user - -Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Activate clients running Windows 10 (Windows 10) +description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. +ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Activate clients running Windows 10 + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. +Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. +If activation or reactivation is required, the following sequence occurs: +1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. +2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. +3. The computer tries to activate against Microsoft servers if it is configured with a MAK. + +If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. + +## How Key Management Service works + +KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. + +### Key Management Service activation thresholds + +You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. + +A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. +When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. + +In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. + +### Activation count cache + +To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. +However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. +The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. + +### Key Management Service connectivity + +KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. + +### Key Management Service activation renewal + +KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. + +### Publication of the Key Management Service + +The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. + +### Client discovery of the Key Management Service + +By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. +Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. +If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. +By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. + +### Domain Name System server configuration + +The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. +The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. + +### Activating the first Key Management Service host + +KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. + +### Activating subsequent Key Management Service hosts + +Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. + +## How Multiple Activation Key works + +A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. + +You can activate computers by using a MAK in two ways: +- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. + + ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) + + **Figure 16**. MAK independent activation +- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. + + ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) + + **Figure 17**. MAK proxy activation with the VAMT + +A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. + +You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. + +### Multiple Activation Key architecture and activation + +MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. +In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. + +## Activating as a standard user + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index fc7b9b051d..51152d7b78 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -1,39 +1,40 @@ ---- -title: Add and Remove a Product Key (Windows 10) -description: Add and Remove a Product Key -ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Remove a Product Key - -Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. - -## To Add a Product Key - -1. Open VAMT. -2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. -3. Click **Add product keys** to open the **Add Product Keys** dialog box. -4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. - - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - - **Note**   - If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. - -## Remove a Product Key - -- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) +--- +title: Add and Remove a Product Key (Windows 10) +description: Add and Remove a Product Key +ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Remove a Product Key + +Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. + +## To Add a Product Key + +1. Open VAMT. +2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. +3. Click **Add product keys** to open the **Add Product Keys** dialog box. +4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. + - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + **Note**   + If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Remove a Product Key + +- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index d56ff58a30..19d405b786 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -1,71 +1,72 @@ ---- -title: Appendix Information sent to Microsoft during activation (Windows 10) -ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Appendix: Information sent to Microsoft during activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -When you activate a computer running Windows 10, the following information is sent to Microsoft: - -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) -- A channel ID or site code that identifies how the Windows product was originally obtained - - For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - -- The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered -- Computer make and model -- Version information for the operating system and software -- Region and language settings -- A unique number called a *globally unique identifier*, which is assigned to your computer -- Product key (hashed) and product ID -- BIOS name, revision number, and revision date -- Volume serial number (hashed) of the hard disk drive -- The result of the activation check - - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - - The activation exploit’s identifier - - The activation exploit’s current state, such as cleaned or quarantined - - Computer manufacturer’s identification - - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit -- The name and a hash of the contents of your computer’s startup instructions file -- If your Windows license is on a subscription basis, information about how your subscription works - -Standard computer information is also sent, but your computer’s IP address is only retained temporarily. - -## Use of information - -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Appendix Information sent to Microsoft during activation (Windows 10) +ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Appendix: Information sent to Microsoft during activation +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +When you activate a computer running Windows 10, the following information is sent to Microsoft: + +- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- A channel ID or site code that identifies how the Windows product was originally obtained + + For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. + +- The date of installation and whether the installation was successful +- Information that helps confirm that your Windows product key has not been altered +- Computer make and model +- Version information for the operating system and software +- Region and language settings +- A unique number called a *globally unique identifier*, which is assigned to your computer +- Product key (hashed) and product ID +- BIOS name, revision number, and revision date +- Volume serial number (hashed) of the hard disk drive +- The result of the activation check + + This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + + - The activation exploit’s identifier + - The activation exploit’s current state, such as cleaned or quarantined + - Computer manufacturer’s identification + - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit +- The name and a hash of the contents of your computer’s startup instructions file +- If your Windows license is on a subscription basis, information about how your subscription works + +Standard computer information is also sent, but your computer’s IP address is only retained temporarily. + +## Use of information + +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. +For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 5b77d96564..d0b685c936 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,51 +1,52 @@ ---- -title: Import and Export VAMT Data (Windows 10) -description: Import and Export VAMT Data -ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Import and Export VAMT Data - -You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. -You can import data or export data during the following scenarios: -- Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. - -**Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. - -## Import VAMT Data - -**To import data into VAMT** -1. Open VAMT. -2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. -4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. - -## Export VAMT Data - -Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: -1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. -3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. -4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. -5. Under **Export options**, select one of the following data-type options: - - Export products and product keys - - Export products only - - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. -7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. - -## Related topics - -- [Perform Proxy Activation](proxy-activation-vamt.md) +--- +title: Import and Export VAMT Data (Windows 10) +description: Import and Export VAMT Data +ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Import and Export VAMT Data + +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. +You can import data or export data during the following scenarios: +- Import and merge data from previous versions of VAMT. +- Export data to use to perform proxy activations. + +**Warning**   +Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. + +## Import VAMT Data + +**To import data into VAMT** +1. Open VAMT. +2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. +3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. +4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. + +## Export VAMT Data + +Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: +1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. +2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. +3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. +4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. +5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. +6. If you have selected products to export, select the **Export selected product rows only** check box. +7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. + +## Related topics + +- [Perform Proxy Activation](proxy-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index dc1c9eaa35..5524910ada 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -1,34 +1,35 @@ ---- -title: Install and Configure VAMT (Windows 10) -description: Install and Configure VAMT -ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install and Configure VAMT - -This section describes how to install and configure the Volume Activation Management Tool (VAMT). - -## In this Section - -|Topic |Description | -|------|------------| -|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | -|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | -|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | - -## Related topics - -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: Install and Configure VAMT (Windows 10) +description: Install and Configure VAMT +ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install and Configure VAMT + +This section describes how to install and configure the Volume Activation Management Tool (VAMT). + +## In this Section + +|Topic |Description | +|------|------------| +|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | +|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | +|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | + +## Related topics + +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 3fe43074c1..31d97d082e 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -1,43 +1,44 @@ ---- -title: Install a KMS Client Key (Windows 10) -description: Install a KMS Client Key -ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a KMS Client Key - -You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. - -**Note**   -By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. - -**To install a KMS Client key** -1. Open VAMT. -2. In the left-side pane click **Products** to open the product list view in the center pane. -3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -7. The **Install Product Key** dialog box displays the keys that are available to be installed. -8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. - - VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - -## Related topics - -- [Perform KMS Activation](kms-activation-vamt.md) +--- +title: Install a KMS Client Key (Windows 10) +description: Install a KMS Client Key +ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a KMS Client Key + +You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. + +**Note**   +By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. + +**To install a KMS Client key** +1. Open VAMT. +2. In the left-side pane click **Products** to open the product list view in the center pane. +3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +7. The **Install Product Key** dialog box displays the keys that are available to be installed. +8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. + + VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + +## Related topics + +- [Perform KMS Activation](kms-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 96908f97d1..4726fc4429 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -1,45 +1,46 @@ ---- -title: Install a Product Key (Windows 10) -description: Install a Product Key -ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a Product Key - -You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). - -**To install a Product key** -1. Open VAMT. -2. In the left-side pane, click the product that you want to install keys onto. -3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. -6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. -9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right - Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) - - +--- +title: Install a Product Key (Windows 10) +description: Install a Product Key +ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a Product Key + +You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). + +**To install a Product key** +1. Open VAMT. +2. In the left-side pane, click the product that you want to install keys onto. +3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. +6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. +9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + + **Note**   + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right + Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) + + diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 791d49e497..f03b9eea97 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -1,66 +1,67 @@ ---- -title: Introduction to VAMT (Windows 10) -description: Introduction to VAMT -ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Introduction to VAMT - -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. - -**Note**   -VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. - -## In this Topic -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation - -You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. - -## Managing Key Management Service (KMS) Activation - -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. -VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. - -## Enterprise Environment - -VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. - -![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) - -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. - -## VAMT User Interface - -The following screenshot shows the VAMT graphical user interface. - -![VAMT user interface](images/vamtuserinterfaceupdated.jpg) - -VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. -- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - - +--- +title: Introduction to VAMT (Windows 10) +description: Introduction to VAMT +ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Introduction to VAMT + +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. + +**Note**   +VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. + +## In this Topic +- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) +- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) +- [Enterprise Environment](#bkmk-enterpriseenvironment) +- [VAMT User Interface](#bkmk-userinterface) + +## Managing Multiple Activation Key (MAK) and Retail Activation + +You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: +- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. + +## Managing Key Management Service (KMS) Activation + +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. +VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. + +## Enterprise Environment + +VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. + +![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) + +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. + +## VAMT User Interface + +The following screenshot shows the VAMT graphical user interface. + +![VAMT user interface](images/vamtuserinterfaceupdated.jpg) + +VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: +- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. +- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. +- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. +- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + + diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 318cd0cb65..1f0fba1201 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -1,33 +1,34 @@ ---- -title: Manage Activations (Windows 10) -description: Manage Activations -ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Activations - -This section describes how to activate a client computer, by using a variety of activation methods. - -## In this Section - -|Topic |Description | -|------|------------| -|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | -|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | - - - +--- +title: Manage Activations (Windows 10) +description: Manage Activations +ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Activations + +This section describes how to activate a client computer, by using a variety of activation methods. + +## In this Section + +|Topic |Description | +|------|------------| +|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | + + + diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index bedd50af8f..f127b566ab 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -1,29 +1,30 @@ ---- -title: Manage Product Keys (Windows 10) -description: Manage Product Keys -ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Product Keys - -This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. -## In this Section - -|Topic |Description | -|------|------------| -|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | -|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | -|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | - - - +--- +title: Manage Product Keys (Windows 10) +description: Manage Product Keys +ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Product Keys + +This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | +|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | +|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | + + + diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index 7d068975cd..aeb0f2ba2f 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -1,25 +1,26 @@ ---- -title: Manage VAMT Data (Windows 10) -description: Manage VAMT Data -ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage VAMT Data - -This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). - -## In this Section -|Topic |Description | -|------|------------| -|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | -|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | +--- +title: Manage VAMT Data (Windows 10) +description: Manage VAMT Data +ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage VAMT Data + +This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). + +## In this Section +|Topic |Description | +|------|------------| +|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | +|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index ea131b996d..143855e843 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -1,44 +1,45 @@ ---- -title: Monitor activation (Windows 10) -ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Monitor activation - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: -- Using the Volume Licensing Service Center website to track use of MAK keys. -- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) -- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) -- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). -- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. -- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). -- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. - -## See also - -[Volume Activation for Windows 10](volume-activation-windows-10.md) +--- +title: Monitor activation (Windows 10) +ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Monitor activation + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: +- Using the Volume Licensing Service Center website to track use of MAK keys. +- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) +- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. +- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). +- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. + +## See also + +[Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 45f237024f..20a2b3b6c8 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -1,55 +1,56 @@ ---- -title: Perform Online Activation (Windows 10) -description: Perform Online Activation -ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Online Activation - -You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a central computer that has network access to all client computers. -- Both the VAMT host and client computers have Internet access. -- The products that you want to activate are added to VAMT. -- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking -**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. - -## To Perform an Online Activation - -**To perform an online activation** -1. Open VAMT. -2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. -7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - - **Note**   - Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. - - **Note** - You can use online activation to select products that have different key types and activate the products at the same time. - -## Related topics -- [Manage Activations](manage-activations-vamt.md) +--- +title: Perform Online Activation (Windows 10) +description: Perform Online Activation +ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Online Activation + +You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a central computer that has network access to all client computers. +- Both the VAMT host and client computers have Internet access. +- The products that you want to activate are added to VAMT. +- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking +**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform an Online Activation + +**To perform an online activation** +1. Open VAMT. +2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. +7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + + **Note**   + Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. + + **Note** + You can use online activation to select products that have different key types and activate the products at the same time. + +## Related topics +- [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 65dd923d7e..52fa995e65 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -1,35 +1,36 @@ ---- -title: Remove Products (Windows 10) -description: Remove Products -ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Remove Products - -To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. - -**To delete one or more products** -1. Click a product node in the left-side pane. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products you want to delete. -6. Click **Delete** in the **Selected Items** menu in the right-side pane. -7. On the **Confirm Delete Selected Products** dialog box, click **OK**. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) -  -  +--- +title: Remove Products (Windows 10) +description: Remove Products +ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Remove Products + +To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. + +**To delete one or more products** +1. Click a product node in the left-side pane. +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products you want to delete. +6. Click **Delete** in the **Selected Items** menu in the right-side pane. +7. On the **Confirm Delete Selected Products** dialog box, click **OK**. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 34263037b3..2130befc33 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -1,48 +1,49 @@ ---- -title: Scenario 3 KMS Client Activation (Windows 10) -description: Scenario 3 KMS Client Activation -ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Scenario 3: KMS Client Activation - -In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). - -The procedure that is described below assumes the following: -- The KMS Service is enabled and available to all KMS clients. -- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. - -## Activate KMS Clients - -1. Open VAMT. -2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: - - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. - - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. - - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. -4. In the left-side pane, in the **Products** node, click the product that you want to activate. -5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. Select the products that you want to activate. -9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - -The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  +--- +title: Scenario 3 KMS Client Activation (Windows 10) +description: Scenario 3 KMS Client Activation +ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Scenario 3: KMS Client Activation + +In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +The procedure that is described below assumes the following: +- The KMS Service is enabled and available to all KMS clients. +- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. + +## Activate KMS Clients + +1. Open VAMT. +2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. +3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: + - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. + - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. + - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. +4. In the left-side pane, in the **Products** node, click the product that you want to activate. +5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +7. Click **Filter**. VAMT displays the filtered list in the center pane. +8. Select the products that you want to activate. +9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +  +  diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 038839adb4..b223b876bd 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -1,38 +1,39 @@ ---- -title: Update Product Status (Windows 10) -description: Update Product Status -ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Update Product Status - -After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. -To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -**Note**   -The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. - -## Update the license status of a product - -1. Open VAMT. -2. In the **Products** list, select one or more products that need to have their status updated. -3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. -4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - - VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - - **Note**   - If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) +--- +title: Update Product Status (Windows 10) +description: Update Product Status +ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Update Product Status + +After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. +To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +**Note**   +The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. + +## Update the license status of a product + +1. Open VAMT. +2. In the **Products** list, select one or more products that need to have their status updated. +3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. +4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index e9c0da934f..3b555d3b7f 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -1,46 +1,47 @@ ---- -title: VAMT Requirements (Windows 10) -description: VAMT Requirements -ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Requirements - -This topic includes info about the product key and system requirements for VAMT. - -## Product Key Requirements - -The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. - -|Product key type |Where to obtain | -|-----------------|----------------| -|
  • Multiple Activation Key (MAK)
  • Key Management Service (KMS) host key (CSVLK)
  • KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | -|Retail product keys |Obtained at time of product purchase. | - -## System Requirements - -The following table lists the system requirements for the VAMT host computer. - -| Item | Minimum system requirement | -| ---- | ---------------------------| -| Computer and Processor | 1 GHz x86 or x64 processor | -| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 | -| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 | -| External Drive | Removable media (Optional) | -| Display | 1024x768 or higher resolution monitor | -| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS | -| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. | -| Additional Requirements |
  • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
  • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
  • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
| - -## Related topics -- [Install and Configure VAMT](install-configure-vamt.md) +--- +title: VAMT Requirements (Windows 10) +description: VAMT Requirements +ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Requirements + +This topic includes info about the product key and system requirements for VAMT. + +## Product Key Requirements + +The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. + +|Product key type |Where to obtain | +|-----------------|----------------| +|
  • Multiple Activation Key (MAK)
  • Key Management Service (KMS) host key (CSVLK)
  • KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | +|Retail product keys |Obtained at time of product purchase. | + +## System Requirements + +The following table lists the system requirements for the VAMT host computer. + +| Item | Minimum system requirement | +| ---- | ---------------------------| +| Computer and Processor | 1 GHz x86 or x64 processor | +| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 | +| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 | +| External Drive | Removable media (Optional) | +| Display | 1024x768 or higher resolution monitor | +| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS | +| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. | +| Additional Requirements |
  • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
  • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
  • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
| + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index ae1576bb5f..a2e5f633c5 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -1,32 +1,33 @@ ---- -title: VAMT Step-by-Step Scenarios (Windows 10) -description: VAMT Step-by-Step Scenarios -ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Step-by-Step Scenarios - -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. - -## In this Section - -|Topic |Description | -|------|------------| -|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | - -## Related topics -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: VAMT Step-by-Step Scenarios (Windows 10) +description: VAMT Step-by-Step Scenarios +ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Step-by-Step Scenarios + +This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. + +## In this Section + +|Topic |Description | +|------|------------| +|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | + +## Related topics +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 8f4d8855b6..61d5af710d 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay keywords: upgrade, in-place, configuration, deploy ms.prod: w10 diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index 9e00150048..3b2e91c7cd 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -5,6 +5,7 @@ ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +15,7 @@ ms.date: 07/12/2017 ms.topic: article --- -# Windows 10 deployment tools +# Windows 10 deployment tools reference Learn about the tools available to deploy Windows 10. diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index 7127572543..33f7b49f5e 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -5,6 +5,7 @@ ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index dd3d6bdf93..38a56db227 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -9,6 +9,7 @@ ms.date: 10/20/2017 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay ms.sitesec: library audience: itpro diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index f27287fbe6..c10e477cff 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -11,6 +11,7 @@ ms.date: 10/11/2017 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay audience: itpro ms.topic: article diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 30be17e250..67a95f1168 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -10,6 +10,7 @@ ms.localizationpriority: medium ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay audience: itpro ms.topic: article diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index ba60b6e31d..f4ab49b62a 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -3,6 +3,7 @@ title: Configure a test lab to deploy Windows 10 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. ms.prod: w10 diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 8c13ed1a1f..91aaa460e8 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -5,6 +5,7 @@ ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS ms.prod: w10 diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 01990ccba5..5c4ad7c28d 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -71,7 +71,6 @@ The following methodology was used to derive these network endpoints: |||HTTPS|*licensing.mp.microsoft.com| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| ||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2|*maps.windows.com| -|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 300a074c68..01f18214de 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -98,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F0 | ​There is no key registered for the user. | | 0x801C03F1 | ​There is no UPN in the token. | | ​0x801C044C | There is no core window for the current thread. | +| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. | ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 440ab1ea70..d7355b0c32 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -74,9 +74,12 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory +> [!NOTE] +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#policy-conflicts-from-multiple-policy-sources) + #### Enable Windows Hello for Business -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 3d0fdc211e..19df534358 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -62,8 +62,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro - Eap - Eap + Eap diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index b3f555bb13..c1f81c4974 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -214,6 +214,8 @@ Path Publisher Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name. +Regarding to how to get the Product Name for the Apps you wish to Add, please reach out to our Windows Support Team to request the guidelines + ### Import a list of apps This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. @@ -461,10 +463,10 @@ contoso.sharepoint.com|contoso.visualstudio.com Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. -Separate multiple domains with the "," delimiter. +Separate multiple domains with the "|" delimiter. ```code -exchange.contoso.com,contoso.com,region.contoso.com +exchange.contoso.com|contoso.com|region.contoso.com ``` ### Network domains diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 6a30c6da4d..24e94ee4c1 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -49,7 +49,7 @@ ### [Attack surface reduction]() #### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) -#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md) +#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md) #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md) #### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md) @@ -57,6 +57,7 @@ ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) +##### [View attack surface reduction events](microsoft-defender-atp/event-views.md) #### [Hardware-based isolation]() ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) @@ -82,12 +83,14 @@ #### [Exploit protection]() ##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md) ##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md) +##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) +##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) #### [Network protection]() ##### [Protect your network](microsoft-defender-atp/network-protection.md) -##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md) -##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md) +##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md) +##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md) #### [Web protection]() ##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) @@ -99,7 +102,9 @@ #### [Controlled folder access]() ##### [Protect folders](microsoft-defender-atp/controlled-folders.md) -##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md) +##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md) @@ -338,8 +343,9 @@ #### [Custom detections]() -##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) -##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) +##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md) +##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md) +##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md) ### [Behavioral blocking and containment]() #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) @@ -456,7 +462,7 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) - +### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference ### [Management and APIs]() diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index cf8e0d63b8..b310cd06ca 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -146,6 +146,7 @@ This event generates when a logon session is created (on destination machine). I | Logon Type | Logon Title | Description | |:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `0` | `System` | Used only by the System account, for example at system startup. | | `2` | `Interactive` | A user logged on to this computer. | | `3` | `Network` | A user or computer logged on to this computer from the network. | | `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | @@ -155,6 +156,8 @@ This event generates when a logon session is created (on destination machine). I | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | | `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | +| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `13` | `CachedUnlock` | Workstation logon. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index bddb29f760..2bc61ffce1 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -2,7 +2,6 @@ title: Plan and deploy advanced security audit policies (Windows 10) description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 - ms.reviewer: ms.author: dansimp ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index 07dc2431b4..dd65e257fb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Use the command line to manage Microsoft Defender Antivirus description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index e03a127100..8a479654ed 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Enable Block at First Sight to detect malware in seconds description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. keywords: scan, BAFS, malware, first seen, first sight, cloud, defender search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index a9eec223d6..e7d0bb0417 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Set up exclusions for Microsoft Defender AV scans description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell. keywords: search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index a5aa25898c..d9e2707453 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure and validate exclusions based on extension, name, or location description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 9280ff0f2b..c2f2824510 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 55ad69c7e3..f996b8c772 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: detect ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index c103a08e37..dbd8db2df4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Enable cloud-delivered protection in Microsoft Defender Antivirus description: Enable cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index a4ea00ac81..f6fcbbbeda 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Evaluate Microsoft Defender Antivirus description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 020b4fc5b2..75c974ae9b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index 207ec6c5dd..6bc4a4a744 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Microsoft Defender AV event IDs and error codes description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 82871ab8d7..58572c3d52 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with Group Policy description: Configure Microsoft Defender Antivirus settings with Group Policy keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index 9ae508bf57..9eb816975e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index db9a721fca..91d3f43edb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: "Why you should use Microsoft Defender Antivirus together with Microsoft description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 94c74051a1..59a850ea64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -57,3 +57,4 @@ Table and column names are also listed within the Microsoft Defender Security Ce - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md) - [Learn the query language](advanced-hunting-query-language.md) +- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914) diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index 89a9fb3e06..093a2013f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -1,6 +1,6 @@ --- -title: Test how Microsoft Defender ATP features work -description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled +title: Test how Microsoft Defender ATP features work in audit mode +description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled. keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,28 +11,27 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 04/02/2019 ms.reviewer: manager: dansimp --- -# Use audit mode +# Test how Microsoft Defender ATP features work in audit mode **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. -You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time. -While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. +The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled. To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. +This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index f0292e125f..fa431dbc93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -21,16 +21,16 @@ ms.topic: conceptual > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. +Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities. -The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated. +Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated. > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] >Currently, automated investigation only supports the following OS versions: @@ -41,7 +41,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t ## Details of an automated investigation -During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. +During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. |Tab |Description | |--|--| @@ -50,7 +50,7 @@ During and after an automated investigation, you can view details about the inve |**Evidence** |Shows the entities that were found to be malicious during the investigation.| |**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | |**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| -|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. | +|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | > [!IMPORTANT] > Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. @@ -59,28 +59,32 @@ During and after an automated investigation, you can view details about the inve While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation. -If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. +If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab. ## How threats are remediated -Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats. +Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats. + +> [!NOTE] +> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). You can configure the following levels of automation: |Automation level | Description| |---|---| -|No automated response | Devices do not get any automated investigations run on them. | -|Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. | -|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.| -|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed.| -|Full - remediate threats automatically | All remediation actions will be performed automatically.| +|**Full - remediate threats automatically** | All remediation actions are performed automatically.

*This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*| +|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders are automatically remediated, if needed.| +|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| +|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*| +|**No automated response** | Devices do not get any automated investigations run on them.

*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | -> [!TIP] -> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md). +### A few points to keep in mind -The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed. +- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). -When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. +- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. + +- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). ## Next steps diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 223e5b4295..6021933e52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,7 +1,7 @@ --- -title: Create and manage custom detection rules in Microsoft Defender ATP +title: Create custom detection rules in Microsoft Defender ATP ms.reviewer: -description: Learn how to create and manage custom detection rules based on advanced hunting queries +description: Learn how to create custom detection rules based on advanced hunting queries keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,26 +18,27 @@ ms.collection: M365-security-compliance ms.topic: article --- - -# Create and manage custom detection rules +# Create custom detection rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -> [!NOTE] -> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). -## Create a custom detection rule -### 1. Prepare the query. +## 1. Check required permissions -In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. +To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. + +## 2. Prepare the query + +In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. >[!IMPORTANT] >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. -#### Required columns in the query results +### Required columns in the query results To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. @@ -52,83 +53,60 @@ DeviceEvents | where count_ > 5 ``` -### 2. Create new rule and provide alert details. +## 3. Create new rule and provide alert details With the query in the query editor, select **Create detection rule** and specify the following alert details: -- **Detection name** — name of the detection rule -- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency) -- **Alert title** — title displayed with alerts triggered by the rule -- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) -- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) -- **Description** — more information about the component or activity identified by the rule -- **Recommended actions** — additional actions that responders might take in response to an alert +- **Detection name**—name of the detection rule +- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency) +- **Alert title**—title displayed with alerts triggered by the rule +- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) +- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) +- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software +- **Description**—more information about the component or activity identified by the rule +- **Recommended actions**—additional actions that responders might take in response to an alert For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). -#### Rule frequency +### Rule frequency When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: -- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days -- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours -- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours -- **Every hour** — runs hourly, checking data from the past 2 hours +- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days +- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours +- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours +- **Every hour**—runs hourly, checking data from the past 2 hours Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -### 3. Specify actions on files or devices. +## 4. Specify actions on files or devices Your custom detection rule can automatically take actions on files or devices that are returned by the query. -#### Actions on devices +### Actions on devices These actions are applied to devices in the `DeviceId` column of the query results: -- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) -- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) -- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device -- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device +- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) +- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device +- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device -#### Actions on files +### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: -- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. -- **Quarantine file** — deletes the file from its current location and places a copy in quarantine +- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. +- **Quarantine file**—deletes the file from its current location and places a copy in quarantine -### 4. Click **Create** to save and turn on the rule. -After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. +## 5. Set the rule scope +Set the scope to specify which devices are covered by the rule: -## Manage existing custom detection rules -In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. +- All devices +- Specific device groups -### View existing rules +Only data from devices in scope will be queried. Also, actions will be taken only on those devices. -To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information: +## 6. Review and turn on the rule +After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. -- **Last run** — when a rule was last run to check for query matches and generate alerts -- **Last run status** — whether a rule ran successfully -- **Next run** — the next scheduled run -- **Status** — whether a rule has been turned on or off -### View rule details, modify rule, and run rule - -To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information: - -- General information about the rule, including the details of the alert, run status, and scope -- List of triggered alerts -- List of triggered actions - -![Custom detection rule page](images/atp-custom-detection-rule-details.png)
-*Custom detection rule page* - -You can also take the following actions on the rule from this page: - -- **Run** — run the rule immediately. This also resets the interval for the next run. -- **Edit** — modify the rule without changing the query -- **Modify query** — edit the query in advanced hunting -- **Turn on** / **Turn off** — enable the rule or stop it from running -- **Delete** — turn off the rule and remove it - ->[!TIP] ->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. - -## Related topic +## Related topics +- [View and manage detection rules](custom-detections-manage.md) - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md new file mode 100644 index 0000000000..bae067bcec --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -0,0 +1,67 @@ +--- +title: View and manage custom detection rules in Microsoft Defender ATP +ms.reviewer: +description: Learn how to view and manage custom detection rules +keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + + +# View and manage custom detection rules +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. + +## Required permissions + +To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. + +## View existing rules + +To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information: + +- **Last run**—when a rule was last run to check for query matches and generate alerts +- **Last run status**—whether a rule ran successfully +- **Next run**—the next scheduled run +- **Status**—whether a rule has been turned on or off + +## View rule details, modify rule, and run rule + +To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information: + +- General information about the rule, including the details of the alert, run status, and scope +- List of triggered alerts +- List of triggered actions + +![Custom detection rule page](images/atp-custom-detection-rule-details.png)
+*Custom detection rule page* + +You can also take the following actions on the rule from this page: + +- **Run**—run the rule immediately. This action also resets the interval for the next run. +- **Edit**—modify the rule without changing the query +- **Modify query**—edit the query in advanced hunting +- **Turn on** / **Turn off**—enable the rule or stop it from running +- **Delete**—turn off the rule and remove it + +>[!TIP] +>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. + +## Related topics +- [Custom detections overview](overview-custom-detections.md) +- [Create detection rules](custom-detection-rules.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [View and organize alerts](alerts-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index af8bd90091..8a8bf44962 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -1,9 +1,8 @@ --- -title: Configure how attack surface reduction rules work to fine-tune protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR +title: Customize attack surface reduction rules +description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- @@ -34,21 +32,21 @@ You can set attack surface reduction rules for devices running any of the follow - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. +You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior. > [!WARNING] > This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md). Rule description | GUID -|-|- @@ -72,20 +70,20 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. > [!WARNING] > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. ### Use PowerShell to exclude files and folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -103,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 304c656193..0659908d5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,9 +1,8 @@ --- -title: Add additional folders and apps to be protected -description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files. +title: Customize controlled folder access +description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 ms.reviewer: manager: dansimp --- @@ -22,9 +20,9 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): +This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). * [Add additional folders to be protected](#protect-additional-folders) * [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) @@ -36,11 +34,9 @@ This topic describes how to customize the following settings of the controlled f ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. +Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list. -You can add additional folders to be protected, but you cannot remove the default folders in the default list. - -Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults. You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). @@ -48,27 +44,27 @@ You can use the Windows Security app or Group Policy to add and remove additiona ### Use the Windows Security app to protect additional folders -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. -3. Under the **Controlled folder access** section, click **Protected folders** +3. Under the **Controlled folder access** section, select **Protected folders**. -4. Click **Add a protected folder** and follow the prompts to add apps. +4. Select **Add a protected folder** and follow the prompts to add apps. ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. +4. Double-click **Configured protected folders** and set the option to **Enabled**. Select **Show** and enter each folder. ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -88,41 +84,41 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specific apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. +You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature. > [!IMPORTANT] > By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. > You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access. -An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +An allowed application or service only has write access to a controlled folder after it starts. For example, an update service will continue to trigger events after it's allowed until it is stopped and restarted. ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. -3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access** +3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access** -4. Click **Add an allowed app** and follow the prompts to add apps. +4. Select **Add an allowed app** and follow the prompts to add apps. ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png) ### Use Group Policy to allow specific apps -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. +4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app. ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -148,7 +144,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications] ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 147860f476..55552af86b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -1,9 +1,8 @@ --- -title: Enable or disable specific mitigations used by Exploit protection +title: Customize exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr -description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. +description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 03/26/2019 ms.reviewer: manager: dansimp --- @@ -24,11 +22,11 @@ manager: dansimp Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +Configure these settings using the Windows Security app on an individual device. Then, export the configuration as an XML file so you can deploy to other devices. Use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. -This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. +This article lists each of the mitigations available in exploit protection. It indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. -It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). +It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating, exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). > [!WARNING] > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. @@ -37,20 +35,20 @@ It also describes how to enable or configure the mitigations using Windows Secur All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. -You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. +You can set each of the mitigations on, off, or to their default value. Some mitigations have additional options that are indicated in the description in the table. Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. -For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. +For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article. Mitigation | Description | Can be applied to | Audit mode available -|-|-|- Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] @@ -60,14 +58,14 @@ Block untrusted fonts | Prevents loading any GDI-based fonts not installed in th Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -106,9 +104,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi ### Configure system-level mitigations with the Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section @@ -124,14 +122,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 5. Go to the **Program settings** section and choose the app you want to apply mitigations to: - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + 1. If the app you want to configure is already listed, select it and then select **Edit** + 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app: * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. -6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. +6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat these steps for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. @@ -203,7 +201,7 @@ Where: You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. - For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: + For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: ```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode @@ -249,9 +247,9 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). -## Related topics +## See also * [Protect devices from exploits](exploit-protection.md) * [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md deleted file mode 100644 index 825f4d94d1..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md +++ /dev/null @@ -1,86 +0,0 @@ ---- -title: Compare the features in Exploit protection with EMET -keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert -description: Exploit protection in Microsoft Defender ATP is our successor to Enhanced Mitigation Experience Toolkit (EMET) and provides stronger protection, more customization, an easier user interface, and better configuration and management options. -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -author: levinec -ms.author: ellevin -ms.date: 08/08/2018 -ms.reviewer: -manager: dansimp ---- - -# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender - -**Applies to:** - -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -> [!IMPORTANT] -> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. -> -> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. - -Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. - -EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. - -After July 31, 2018, it will not be supported. - -For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - -* [Protect devices from exploits](exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - -## Mitigation comparison - -The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md). - -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. - -Mitigation | Available in Windows Defender | Available in EMET --|-|- -Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check" -Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] - -> [!NOTE] -> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process. -> -> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - -## Related topics - -* [Protect devices from exploits with Windows Defender](exploit-protection.md) -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 1a434b7441..a2eb19043d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Enable attack surface reduction rules individually to protect your organization +title: Enable attack surface reduction rules description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh @@ -11,7 +11,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 06/04/2020 ms.reviewer: manager: dansimp --- @@ -68,11 +67,11 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: +3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` -4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. +4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. ## MDM @@ -103,32 +102,32 @@ Example: ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. +3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**. -4. Choose which rules will block or audit actions and click **Next**. +4. Choose which rules will block or audit actions and select **Next**. -5. Review the settings and click **Next** to create the policy. +5. Review the settings and select **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, **Close**. ## Group Policy > [!WARNING] > If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section. - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows: - Disable = 0 - Block (enable ASR rule) = 1 @@ -136,7 +135,7 @@ Example: ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. > [!WARNING] > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. @@ -146,7 +145,7 @@ Example: > [!WARNING] > If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 899fb8234a..8c811f809d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -1,5 +1,5 @@ --- -title: Turn on the protected folders feature in Windows 10 +title: Enable controlled folder access keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use description: Learn how to protect your important files by enabling Controlled folder access search.product: eADQiWindows 10XVcnh @@ -11,7 +11,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 ms.reviewer: manager: dansimp --- @@ -28,7 +27,7 @@ You can enable controlled folder access by using any of these methods: * [Windows Security app](#windows-security-app) * [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) +* [Mobile Device Management (MDM)](#mobile-device-management-mdm) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) * [PowerShell](#powershell) @@ -44,71 +43,70 @@ For more information about disabling local list merging, see [Prevent or allow u ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. 3. Set the switch for **Controlled folder access** to **On**. > [!NOTE] > If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. > If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. - > If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. 3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. +4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. -5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
+5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**.
![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
> [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -6. Click **OK** to save each open blade and click **Create**. +6. Select **OK** to save each open blade and **Create**. -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**. -## MDM +## Mobile Device Management (MDM) Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Controlled folder access**, and click **Next**. +3. Enter a name and a description, select **Controlled folder access**, and select **Next**. -4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. +4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**. > [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -5. Review the settings and click **Next** to create the policy. +5. Review the settings and select **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, **Close**. ## Group Policy -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. -4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log. - * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. +4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options: + * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log. + * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders. + * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization. * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123. - * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded. + * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded. ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png) @@ -117,7 +115,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## PowerShell -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**. 2. Enter the following cmdlet: @@ -127,9 +125,9 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`. -Use `Disabled` to turn the feature off. +Use `Disabled` to turn off the feature. -## Related topics +## See also * [Protect important folders with controlled folder access](controlled-folders.md) * [Customize controlled folder access](customize-controlled-folders.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index c5e491ba4b..c611445181 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -3,7 +3,6 @@ title: Turn on exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index ab755a39af..e737eb44d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -1,6 +1,6 @@ --- -title: Turn on network protection -description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs +title: Turning on network protection +description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -8,7 +8,6 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: levinec ms.author: ellevin ms.reviewer: @@ -21,12 +20,11 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. ## Check if network protection is enabled -You can see if network protection has been enabled on a local device by using Registry editor. +Check if network protection has been enabled on a local device by using Registry editor. 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor 1. Choose **HKEY_LOCAL_MACHINE** from the side menu @@ -39,87 +37,101 @@ You can see if network protection has been enabled on a local device by using Re ## Enable network protection -You can enable network protection by using any of these methods: +Enable network protection by using any of these methods: * [PowerShell](#powershell) * [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) +* [Mobile Device Management (MDM)](#mobile-device-management-mmd) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) ### PowerShell -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feature in audit mode using the following cmdlet: +3. Optional: Enable the feature in audit mode using the following cmdlet: -```PowerShell -Set-MpPreference -EnableNetworkProtection AuditMode -``` + ```PowerShell + Set-MpPreference -EnableNetworkProtection AuditMode + ``` -Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. + Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. ### Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - ![Enable network protection in Intune](../images/enable-np-intune.png) -1. Click **OK** to save each open blade and click **Create**. -1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. -### MDM +2. Go to **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) + +4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. + + ![Enable network protection in Intune](../images/enable-np-intune.png) + +5. Select **OK** to save each open section and **Create**. + +6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**. + +### Mobile Device Management (MMD) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Network protection**, and click **Next**. -1. Choose whether to block or audit access to suspicious domains and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. + +2. Then go to **Home** > **Create Exploit Guard Policy**. + +3. Enter a name and a description, select **Network protection**, and then **Next**. + +4. Choose whether to block or audit access to suspicious domains and select **Next**. + +5. Review the settings and select **Next** to create the policy. + +6. After the policy is created, **Close**. ### Group Policy -You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. +Use the following procedure to enable network protection on domain-joined computers or on a standalone computer. -1. On a standalone computer, click **Start**, type and then click **Edit group policy**. +1. On a standalone computer, go to **Start** and then type and select **Edit group policy**. *-Or-* - On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - * **Block** - Users will not be able to access malicious IP addresses and domains - * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. +4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: + * **Block** - Users can't access malicious IP addresses and domains + * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains + * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address. > [!IMPORTANT] > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. -You can confirm network protection is enabled on a local computer by using Registry editor: +Confirm network protection is enabled on a local computer by using Registry editor: + +1. Select **Start** and type **regedit** to open **Registry Editor**. -1. Click **Start** and type **regedit** to open **Registry Editor**. 2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -3. Click **EnableNetworkProtection** and confirm the value: + +3. Select **EnableNetworkProtection** and confirm the value: * 0=Off * 1=On * 2=Audit -## Related topics +## See also * [Network protection](network-protection.md) * [Evaluate network protection](evaluate-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md deleted file mode 100644 index 76c04110e7..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -title: Enable Secure Score in Microsoft Defender ATP -description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. -keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Enable Secure Score security controls - -**Applies to:** - - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - -Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. - - >[!NOTE] - >Changes might take up to a few hours to reflect on the dashboard. - -1. In the navigation pane, select **Settings** > **Secure Score**. - -2. Select the security control, then toggle the setting between **On** and **Off**. - -3. Click **Save preferences**. - -## Related topics -- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) -- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Configure advanced features in Microsoft Defender ATP](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 5cfdade464..32432b5025 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -1,9 +1,8 @@ --- -title: Use a demo to see how ASR rules can help protect your devices -description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks +title: Evaluate attack surface reduction rules +description: See how attack surface reduction would block and prevent attacks with the custom demo tool. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- @@ -22,22 +20,21 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows: + - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization. +Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization. > [!TIP] -> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact -You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules. - -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. +Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use. To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet: @@ -48,13 +45,13 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode > [!TIP] > If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). +You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article. ## Review attack surface reduction events in Windows Event Viewer To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events. - Event ID | Description +Event ID | Description -|- 5007 | Event when settings are changed 1121 | Event when an attack surface reduction rule fires in block mode @@ -64,9 +61,9 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature. -See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. +See [Customize attack surface reduction rules](customize-attack-surface-reduction.md) for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. -## Related topics +## See also * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) * [Use audit mode to evaluate Windows Defender](audit-windows-defender.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index c266301cb6..1df853c6ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -1,9 +1,8 @@ --- -title: See how controlled folder access can help protect files from being changed by malicious apps -description: Use a custom tool to see how Controlled folder access works in Windows 10. +title: Evaluate controlled folder access +description: See how controlled folder access can help protect files from being changed by malicious apps. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 11/16/2018 ms.reviewer: manager: dansimp --- @@ -22,20 +20,18 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +It is especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage. -This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. +This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. > [!TIP] -> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact -You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. - -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time. To enable audit mode, use the following PowerShell cmdlet: @@ -45,7 +41,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode > [!TIP] > If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). -You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). +You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer @@ -64,9 +60,9 @@ Event ID | Description During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. +See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs). -## Related topics +## See also * [Protect important folders with controlled folder access](controlled-folders.md) * [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md index de8a7c8384..1e08e42942 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md @@ -1,9 +1,8 @@ --- -title: Conduct a demo to see how network protection works -description: Quickly see how Network protection works by performing common scenarios that it protects against +title: Evaluate network protection +description: See how network protection works by testing common scenarios that it protects against. keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/10/2019 ms.reviewer: manager: dansimp --- @@ -24,18 +22,16 @@ manager: dansimp [Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. +This article helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. > [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. ## Enable network protection in audit mode -You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled. +Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur. -You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur. - -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -62,7 +58,7 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev |1125 | Windows Defender (Operational) | Event when a network connection is audited | |1126 | Windows Defender (Operational) | Event when a network connection is blocked | -## Related topics +## See also * [Network protection](network-protection.md) * [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md index 403e42a63e..dc67d5ddd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md @@ -1,10 +1,8 @@ --- -ms.reviewer: -title: Import custom views to see attack surface reduction events -description: Use Windows Event Viewer to import individual views for each of the features. +title: View attack surface reduction events +description: Import custom views to see attack surface reduction events. keywords: event view, exploit guard, audit, review, events search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -12,7 +10,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 03/26/2019 +ms.reviewer: manager: dansimp --- @@ -129,7 +127,7 @@ You can also manually navigate to the event area that corresponds to the feature ## List of attack surface reduction events -All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. +All attack surface reduction events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index 1f468cc2bf..e69619e1d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -43,7 +43,7 @@ Exclusion | Definition | Examples ---|---|--- File extension | All files with the extension, anywhere on the device | `.test` File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log` -Folder | All files under the specified folder | `/var/log/`
`/var/*/` +Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/` Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t` File, folder, and process exclusions support the following wildcards: @@ -124,3 +124,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te ``` You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + +## Allow threats + +In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected. + +To add a threat name to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name [threat-name] +``` + +The threat name associated with a detection on your device can be obtained using the following command: + +```bash +mdatp threat list +``` + +For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name "EICAR-Test-File (not a virus)" +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 38826becc2..5065d7b5be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -98,6 +98,9 @@ The following table lists commands for some of the most common scenarios. Run `m |Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` | |Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`
`mdatp exclusion process [add|remove] --name [process-name]` | |Configuration |List all antivirus exclusions |`mdatp exclusion list` | +|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` | +|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` | +|Configuration |List all allowed threat names |`mdatp threat allowed list` | |Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` | |Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` | |Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index c0fe9490e6..4e97dc6960 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -43,7 +43,7 @@ Exclusion | Definition | Examples ---|---|--- File extension | All files with the extension, anywhere on the machine | `.test` File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log` -Folder | All files under the specified folder | `/var/log/`
`/var/*/` +Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/` Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t` File, folder, and process exclusions support the following wildcards: @@ -86,3 +86,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te ``` You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + +## Allow threats + +In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected. + +To add a threat name to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name [threat-name] +``` + +The threat name associated with a detection on your device can be obtained using the following command: + +```bash +mdatp threat list +``` + +For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name "EICAR-Test-File (not a virus)" +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index c63a41f6ab..7367f5ccb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -89,14 +89,17 @@ Important tasks, such as controlling product settings and triggering on-demand s |-------------|-------------------------------------------|-----------------------------------------------------------------------| |Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` | |Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` | |Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` | +|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` | +|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` | +|Configuration|List all allowed threat names |`mdatp threat allowed list` | |Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| |Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | |Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| |Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` | |Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | |Health |Check the product's health |`mdatp --health` | |Protection |Scan a path |`mdatp --scan --path [path]` | |Protection |Do a quick scan |`mdatp --scan --quick` | diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index fda5e2b14b..b2b4bdcfae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -65,7 +65,7 @@ If you experience any installation failures, refer to [Troubleshooting installat > [!CAUTION] > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. -- Disk space: 650 MB +- Disk space: 1GB - The solution currently provides real-time protection for the following file system types: - `btrfs` diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index ae6569fd45..62d68dcdee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -61,7 +61,7 @@ There are several methods and deployment tools that you can use to install and c The three most recent major releases of macOS are supported. - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) -- Disk space: 650 MB +- Disk space: 1GB Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020. diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md deleted file mode 100644 index 20f305fbfb..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md +++ /dev/null @@ -1,528 +0,0 @@ -# [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md) - -## [Overview]() -### [Overview of Microsoft Defender ATP capabilities](overview.md) -### [Threat & Vulnerability Management]() -#### [Next-generation capabilities](next-gen-threat-and-vuln-mgt.md) -#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md) -#### [Exposure score](tvm-exposure-score.md) -#### [Configuration score](configuration-score.md) -#### [Security recommendation](tvm-security-recommendation.md) -#### [Remediation](tvm-remediation.md) -#### [Software inventory](tvm-software-inventory.md) -#### [Weaknesses](tvm-weaknesses.md) -#### [Scenarios](threat-and-vuln-mgt-scenarios.md) - - -### [Attack surface reduction]() -#### [Hardware-based isolation]() -##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md) - -##### [Application isolation]() -###### [Application guard overview](../windows-defender-application-guard/wd-app-guard-overview.md) -###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md) - -##### [System integrity](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) - -#### [Application control]() -##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md) - -#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) -#### [Network protection](../windows-defender-exploit-guard/network-protection.md) -#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md) -#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md) -#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) - - -### [Next-generation protection](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) - - -### [Endpoint detection and response]() -#### [Endpoint detection and response overview](overview-endpoint-detection-response.md) -#### [Security operations dashboard](security-operations-dashboard.md) - -#### [Incidents queue]() -##### [View and organize the Incidents queue](view-incidents-queue.md) -##### [Manage incidents](manage-incidents.md) -##### [Investigate incidents](investigate-incidents.md) - -#### [Alerts queue]() -##### [View and organize the Alerts queue](alerts-queue.md) -##### [Manage alerts](manage-alerts.md) -##### [Investigate alerts](investigate-alerts.md) -##### [Investigate files](investigate-files.md) -##### [Investigate machines](investigate-machines.md) -##### [Investigate an IP address](investigate-ip.md) -##### [Investigate a domain](investigate-domain.md) -##### [Investigate a user account](investigate-user.md) - -#### [Machines list]() -##### [View and organize the Machines list](machines-view-overview.md) - -##### [Investigate machines]() -###### [Machine details](investigate-machines.md#machine-details) -###### [Response actions](investigate-machines.md#response-actions) -###### [Cards](investigate-machines.md#cards) -###### [Tabs](investigate-machines.md#tabs) - -#### [Take response actions]() -##### [Take response actions on a machine]() -###### [Understand response actions](respond-machine-alerts.md) -###### [Manage tags](respond-machine-alerts.md#manage-tags) -###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation) -###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session) -###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines) -###### [Run Microsoft Defender Antivirus scan on machines](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines) -###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution) -###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) -###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center) - -##### [Take response actions on a file]() -###### [Understand response actions](respond-file-alerts.md) -###### [Stop and quarantine files in your network](respond-file-alerts.md#stop-and-quarantine-files-in-your-network) -###### [Restore file from quarantine](respond-file-alerts.md#restore-file-from-quarantine) -###### [Add an indicator to block or allow a file](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -###### [Deep analysis](respond-file-alerts.md#deep-analysis) - -##### [Live response]() -###### [Investigate entities on machines](live-response.md) -###### [Live response command examples](live-response-command-examples.md) - - -### [Automated investigation and remediation]() -#### [Understand Automated investigations](automated-investigations.md) -#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md) -#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md) - - -### [Threat analytics](threat-analytics.md) - - -### [Microsoft Threat Experts](microsoft-threat-experts.md) - - -### [Advanced hunting]() -#### [Advanced hunting overview](advanced-hunting-overview.md) - -#### [Query data using Advanced hunting]() -##### [Data querying basics](advanced-hunting-query-language.md) -##### [Advanced hunting reference](advanced-hunting-schema-reference.md) -##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md) - -#### [Custom detections]() -##### [Understand custom detection rules](overview-custom-detections.md) -##### [Create custom detections rules](custom-detection-rules.md) - -### [Management and APIs]() -#### [Overview of management and APIs](management-apis.md) -#### [Understand threat intelligence concepts](threat-indicator-concepts.md) -#### [Microsoft Defender ATP APIs](apis-intro.md) -#### [Managed security service provider support](mssp-support.md) - - -### [Integrations]() -#### [Microsoft Defender ATP integrations](threat-protection-integration.md) -#### [Conditional Access integration overview](conditional-access.md) -#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) - -#### [Information protection in Windows overview]() -##### [Windows integration](information-protection-in-windows-overview.md) -##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md) - - -### [Microsoft Threat Experts](microsoft-threat-experts.md) - - -### [Portal overview](portal-overview.md) - - - -## [Get started]() -### [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md) -### [Preview features](preview.md) -### [Evaluation lab](evaluation-lab.md) -### [Minimum requirements](minimum-requirements.md) -### [Validate licensing and complete setup](licensing.md) - -### [Data storage and privacy](data-storage-privacy.md) -### [Assign user access to the portal](assign-portal-access.md) - -### [Evaluate Microsoft Defender ATP capabilities]() -#### [Evaluate attack surface reduction]() - -##### [Evaluate attack surface reduction and next-generation capabilities](evaluate-atp.md) -###### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) -###### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md) -###### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -###### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md) -###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) -###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) -###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) -##### [Evaluate next-generation protection](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md) - -### [Access the Microsoft Defender Security Center Community Center](community.md) - -## [Configure and manage capabilities]() - -### [Configure attack surface reduction](configure-attack-surface-reduction.md) - -### [Hardware-based isolation]() -#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) - -#### [Application isolation]() -##### [Install Windows Defender Application Guard](../windows-defender-application-guard/install-wd-app-guard.md) -##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) - -#### [Application control](../windows-defender-application-control/windows-defender-application-control.md) - -#### [Device control]() -##### [Control USB devices](../device-control/control-usb-devices-using-intune.md) - -##### [Device Guard]() -###### [Code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - -###### [Memory integrity]() -####### [Understand memory integrity](../windows-defender-exploit-guard/memory-integrity.md) -####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) - -#### [Exploit protection]() -##### [Enable exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md) -##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) - -#### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md) - -#### [Controlled folder access]() -##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md) -##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md) - -#### [Attack surface reduction controls]() -##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) -##### [Customize attack surface reduction rules](../windows-defender-exploit-guard/customize-attack-surface-reduction.md) - -#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) - - -### [Configure next-generation protection]() -#### [Configure Microsoft Defender Antivirus features](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) -#### [Utilize Microsoft cloud-delivered protection]() -##### [Understand cloud-delivered protection](../microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) -##### [Enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) -##### [Specify the cloud-delivered protection level](../microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md) -##### [Configure and validate network connections](../microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md) -##### [Enable Block at first sight](../microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md) -##### [Configure the cloud block timeout period](../microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) - -#### [Configure behavioral, heuristic, and real-time protection]() -##### [Configuration overview](../microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md) -##### [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) -##### [Enable and configure always-on protection and monitoring](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) - -#### [Antivirus on Windows Server 2016](../microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) - -#### [Antivirus compatibility]() -##### [Compatibility charts](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) -##### [Use limited periodic antivirus scanning](../microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md) - -#### [Deploy, manage updates, and report on antivirus]() -##### [Using Microsoft Defender Antivirus](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) - -##### [Deploy and enable antivirus]() -###### [Preparing to deploy](../microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md) -###### [Deployment guide for VDI environments](../microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) - -##### [Report on antivirus protection]() -###### [Review protection status and aqlerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) -###### [Troubleshoot antivirus reporting in Update Compliance](../microsoft-defender-antivirus/troubleshoot-reporting.md) - -##### [Manage updates and apply baselines]() -###### [Learn about the different kinds of updates](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) -###### [Manage protection and Security intelligence updates](../microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) -###### [Manage when protection updates should be downloaded and applied](../microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) -###### [Manage updates for endpoints that are out of date](../microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) -###### [Manage event-based forced updates](../microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) -###### [Manage updates for mobile devices and VMs](../microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) - -#### [Customize, initiate, and review the results of scans and remediation]() -##### [Configuration overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - -##### [Configure and validate exclusions in antivirus scans]() -###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) -###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) -###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -###### [Configure antivirus exclusions Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) - -##### [Configure antivirus scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) -##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) -##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) -##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md) -##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md) -##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md) - -#### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) - -#### [Manage antivirus in your business]() -##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) -##### [Use Group Policy settings to configure and manage antivirus](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) -##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) -##### [Use PowerShell cmdlets to configure and manage antivirus](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) -##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) -##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) - -#### [Manage scans and remediation]() -##### [Management overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - -##### [Configure and validate exclusions in antivirus scans]() -###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) -###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) -###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -###### [Configure antivirus exclusions on Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) - -##### [Configure scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) -##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) -##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) -##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md) -##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md) -##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md) -##### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) - -#### [Manage next-generation protection in your business]() -##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) -##### [Use Microsoft Intune and System Center Configuration Manager to manage next-generation protection](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) -##### [Use Group Policy settings to manage next-generation protection](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) -##### [Use PowerShell cmdlets to manage next-generation protection](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) -##### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) -##### [Use the mpcmdrun.exe command line tool to manage next-generation protection](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) - - - -### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) - - -### [Endpoint detection and response management and API support]() - -#### [Onboard machines]() -##### [Onboarding overview](onboard-configure.md) -##### [Onboard previous versions of Windows](onboard-downlevel.md) - -##### [Onboard Windows 10 machines]() -###### [Ways to onboard](configure-endpoints.md) -###### [Onboard machines using Group Policy](configure-endpoints-gp.md) -###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm.md) - -###### [Onboard machines using Mobile Device Management tools]() -####### [Overview](configure-endpoints-mdm.md) -####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune) -###### [Onboard machines using a local script](configure-endpoints-script.md) -###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) - -##### [Onboard servers](configure-server-endpoints.md) -##### [Onboard non-Windows machines](configure-endpoints-non-windows.md) -##### [Onboard machines without Internet access](onboard-offline-machines.md) -##### [Run a detection test on a newly onboarded machine](run-detection-test.md) -##### [Run simulated attacks on machines](attack-simulations.md) -##### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) - -##### [Troubleshoot onboarding issues]() -###### [Troubleshooting basics](troubleshoot-onboarding.md) -###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md) - -#### [Microsoft Defender ATP API]() -##### [Understand Microsoft Defender ATP APIs](use-apis.md) -##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md) - -##### [Get started]() -###### [Introduction](apis-intro.md) -###### [Hello World](api-hello-world.md) -###### [Get access with application context](exposed-apis-create-app-webapp.md) -###### [Get access with user context](exposed-apis-create-app-nativeapp.md) -###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md) - -##### [APIs]() -###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) -###### [Common REST API error codes](common-errors.md) -###### [Advanced Hunting](run-advanced-query-api.md) - -###### [Alert]() -####### [Methods, properties, and JSON representation](alerts.md) -####### [List alerts](get-alerts.md) -####### [Create alert](create-alert-by-reference.md) -####### [Update Alert](update-alert.md) -####### [Get alert information by ID](get-alert-info-by-id.md) -####### [Get alert related domains information](get-alert-related-domain-info.md) -####### [Get alert related file information](get-alert-related-files-info.md) -####### [Get alert related IPs information](get-alert-related-ip-info.md) -####### [Get alert related machine information](get-alert-related-machine-info.md) -####### [Get alert related user information](get-alert-related-user-info.md) - -###### [Machine]() -####### [Methods and properties](machine.md) -####### [List machines](get-machines.md) -####### [Get machine by ID](get-machine-by-id.md) -####### [Get machine log on users](get-machine-log-on-users.md) -####### [Get machine related alerts](get-machine-related-alerts.md) -####### [Add or Remove machine tags](add-or-remove-machine-tags.md) -####### [Find machines by IP](find-machines-by-ip.md) - -###### [Machine Action]() -####### [Methods and properties](machineaction.md) -####### [List Machine Actions](get-machineactions-collection.md) -####### [Get Machine Action](get-machineaction-object.md) -####### [Collect investigation package](collect-investigation-package.md) -####### [Get investigation package SAS URI](get-package-sas-uri.md) -####### [Isolate machine](isolate-machine.md) -####### [Release machine from isolation](unisolate-machine.md) -####### [Restrict app execution](restrict-code-execution.md) -####### [Remove app restriction](unrestrict-code-execution.md) -####### [Run antivirus scan](run-av-scan.md) -####### [Offboard machine](offboard-machine-api.md) -####### [Stop and quarantine file](stop-and-quarantine-file.md) - -###### [Automated Investigation]() -####### [Investigation methods and properties](microsoft-defender-atp/investigation.md) -####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md) -####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md) -####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md) - -###### [Indicators]() -####### [Methods and properties](ti-indicator.md) -####### [Submit Indicator](post-ti-indicator.md) -####### [List Indicators](get-ti-indicators-collection.md) -####### [Delete Indicator](delete-ti-indicator-by-id.md) - -###### [Domain]() -####### [Get domain related alerts](get-domain-related-alerts.md) -####### [Get domain related machines](get-domain-related-machines.md) -####### [Get domain statistics](get-domain-statistics.md) - -###### [File]() -####### [Methods and properties](files.md) -####### [Get file information](get-file-information.md) -####### [Get file related alerts](get-file-related-alerts.md) -####### [Get file related machines](get-file-related-machines.md) -####### [Get file statistics](get-file-statistics.md) - -###### [IP]() -####### [Get IP related alerts](get-ip-related-alerts.md) -####### [Get IP statistics](get-ip-statistics.md) - -###### [User]() -####### [Methods](user.md) -####### [Get user related alerts](get-user-related-alerts.md) -####### [Get user related machines](get-user-related-machines.md) - -##### [How to use APIs - Samples]() -###### [Microsoft Flow](api-microsoft-flow.md) -###### [Power BI](api-power-bi.md) -###### [Advanced Hunting using Python](run-advanced-query-sample-python.md) -###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -###### [Using OData Queries](exposed-apis-odata-samples.md) - -#### [API for custom alerts]() -##### [Enable the custom threat intelligence application](enable-custom-ti.md) -##### [Use the threat intelligence API to create custom alerts](use-custom-ti.md) -##### [Create custom threat intelligence alerts](custom-ti-api.md) -##### [PowerShell code examples](powershell-example-code.md) -##### [Python code examples](python-example-code.md) -##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) -##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) - -#### [Pull Detections to your SIEM tools]() -##### [Learn about different ways to pull Detections](configure-siem.md) -##### [Enable SIEM integration](enable-siem-integration.md) -##### [Configure Splunk to pull Detections](configure-splunk.md) -##### [Configure HP ArcSight to pull Detections](configure-arcsight.md) -##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md) -##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) - -#### [Reporting]() -##### [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -##### [Threat protection reports](threat-protection-reports.md) -##### [Machine health and compliance reports](machine-reports.md) - -#### [Interoperability]() -##### [Partner applications](partner-applications.md) - -#### [Manage machine configuration]() -##### [Ensure your machines are configured properly](configure-machines.md) -##### [Monitor and increase machine onboarding](configure-machines-onboarding.md) -##### [Increase compliance to the security baseline](configure-machines-security-baseline.md) -##### [Optimize ASR rule deployment and detections](configure-machines-asr.md) - -#### [Role-based access control]() - -##### [Manage portal access using RBAC]() -###### [Using RBAC](rbac.md) -###### [Create and manage roles](user-roles.md) - -###### [Create and manage machine groups]() -####### [Using machine groups](machine-groups.md) -####### [Create and manage machine tags](machine-tags.md) - -#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md) - - -### [Configure Microsoft threat protection integration]() -#### [Configure Conditional Access](configure-conditional-access.md) -#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) -#### [Configure information protection in Windows](information-protection-in-windows-config.md) - - -### [Configure portal settings]() -#### [Set up preferences](preferences-setup.md) - -#### [General]() -##### [Update data retention settings](data-retention-settings.md) -##### [Configure alert notifications](configure-email-notifications.md) -##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md) -##### [Configure advanced features](advanced-features.md) - -#### [Permissions]() -##### [Use basic permissions to access the portal](basic-permissions.md) -##### [Manage portal access using RBAC](rbac.md) -###### [Create and manage roles](user-roles.md) -###### [Create and manage machine groups](machine-groups.md) -####### [Create and manage machine tags](machine-tags.md) - -#### [APIs]() -##### [Enable Threat intel](enable-custom-ti.md) -##### [Enable SIEM integration](enable-siem-integration.md) - -#### [Rules]() -##### [Manage suppression rules](manage-suppression-rules.md) -##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) -##### [Manage indicators](manage-indicators.md) -##### [Manage automation file uploads](manage-automation-file-uploads.md) -##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md) - -#### [Machine management]() -##### [Onboarding machines](onboard-configure.md) -##### [Offboarding machines](offboard-machines.md) - -#### [Configure time zone settings](time-settings.md) - - - -## [Troubleshoot Microsoft Defender ATP]() - -### [Troubleshoot sensor state]() -#### [Check sensor state](check-sensor-status.md) -#### [Fix unhealthy sensors](fix-unhealthy-sensors.md) -#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines) -#### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines) -#### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md) - - -### [Troubleshoot service issues]() -#### [Troubleshooting issues](troubleshoot-mdatp.md) -#### [Check service health](service-status.md) - - -### [Troubleshoot attack surface reduction issues]() -#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md) -#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md) -#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md) - - -### [Troubleshoot next-generation protection issues](../microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index c98c0a6c38..fd8438a07e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -18,22 +18,19 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- - # Custom detections overview **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. +With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. -Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Custom detections provide: - Alerts for rule-based detections built from advanced hunting queries - Automatic response actions that apply to files and devices ->[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. - -## Related topic -- [Create and manage custom detection rules](custom-detection-rules.md) +## Related topics +- [Create detection rules](custom-detection-rules.md) +- [View and manage detection rules](custom-detections-manage.md) - [Advanced hunting overview](advanced-hunting-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 83e5537bff..1ea368d48c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -35,6 +35,18 @@ Your score for devices is visible in the [threat and vulnerability management da Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations. +## Turn on the Microsoft Secure Score connector + +Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. + +Changes might take up to a few hours to reflect in the dashboard. + +1. In the navigation pane, go to **Settings** > **Advanced features** + +2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**. + +3. Select **Save preferences**. + ## How it works >[!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 3555d2490e..3b9cd84b1d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -28,13 +28,13 @@ ms.topic: conceptual Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. ## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. -- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. +- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. - **Breach likelihood** - Your organization's security posture and resilience against threats @@ -54,15 +54,15 @@ View related security recommendations in the following places: ### Navigation menu -Go to the threat and vulnerability management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. +Go to the threat and vulnerability management navigation menu and select **Security recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization. ### Top security recommendations in the threat and vulnerability management dashboard -In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. ![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) -The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. +The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details. ## Security recommendations overview @@ -74,7 +74,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the ### Icons -Useful icons also quickly calls your attention to: +Useful icons also quickly call your attention to: - ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights @@ -85,13 +85,13 @@ Select the security recommendation that you want to investigate or process. ![Example of a security recommendation flyout page.](images/secrec-flyouteolsw.png) -From the flyout, you can do any of the following: +From the flyout, you can choose any of the following options: -- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. +- **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. - [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. +- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] >When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. @@ -137,7 +137,7 @@ There are many reasons why organizations create exceptions for a recommendation. When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. -1. Select a security recommendation you would like create an exception for, and then **Exception options**. +1. Select a security recommendation you would like to create an exception for, and then **Exception options**. ![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) 2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. @@ -171,30 +171,30 @@ You can report a false positive when you see any vague, inaccurate, incomplete, ## Find and remediate software or software versions which have reached end-of-support (EOS) -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. +End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. -It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. +It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. -To find software or software versions which have reached end-of-support: +To find software or software versions that are no longer supported: 1. From the threat and vulnerability management menu, navigate to **Security recommendations**. 2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) -3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. +3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) ### List of versions and dates -To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: +To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: -1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. +1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. ![Screenshot of version distribution link](images/eos-upcoming-eos.png) -2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. +2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. ![Screenshot of version distribution link](images/software-drilldown-eos.png) @@ -202,7 +202,7 @@ To view a list of version that have reached end of support, or end or support so ![Screenshot of version distribution link](images/version-eos-date.png) -After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. +Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index d0e00649f5..d157c8610f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -1,6 +1,6 @@ --- title: Software inventory in threat and vulnerability management -description: Microsoft Defender ATP threat and vulnerability management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software. +description: The software inventory page for Microsoft Defender ATP's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software. keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,26 +23,26 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -The software inventory in threat and vulnerability management is a list of all the software in your organization, including details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. +The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works -In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). +In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). -Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. +Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. ## Navigate to the Software inventory page -You can access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). +Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). ## Software inventory overview -The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. +The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. ![Example of the landing page for software inventory.](images/software_inventory_filter.png) -Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. +Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. ![Flyout example page of "Visual Studio 2017" from the software inventory page.](images/tvm-software-inventory-flyout500.png) @@ -56,8 +56,8 @@ You can view software pages a few different ways: A full page will appear with all the details of a specific software and the following information: -- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score -- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices +- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score +- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices - Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities. ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) @@ -67,17 +67,17 @@ You can view software pages a few different ways: We now show evidence of where we detected a specific software on a device from the registry, disk or both. You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence." -From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. +From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. ![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information. +Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. 1. Open the software flyout on the Software inventory page. 2. Select **Report inaccuracy**. -3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 381f126c5b..889e5059e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -39,7 +39,7 @@ Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software prod Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment -MacOS | Not supported (planned) +macOS | Not supported (planned) Linux | Not supported (planned) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index d82ae3d95c..37a974d932 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -27,7 +27,7 @@ ms.topic: conceptual Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. +The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: @@ -52,13 +52,13 @@ Go to the threat and vulnerability management navigation menu and select **Weakn 1. Go to the global search drop-down menu. 2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for. ![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png) -3. Select the CVE and a flyout panel opens up with more information, including the vulnerability description, details, threat insights, and exposed devices. +3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices. To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search. ## Weaknesses overview -If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you are not at risk. +Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk. ![Weaknesses landing page.](images/tvm-weaknesses-overview.png) @@ -69,10 +69,10 @@ View related breach and threat insights in the **Threat** column when the icons >[!NOTE] > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png). -The breach insights icon is highlighted if there is a vulnerability found in your organization. +The breach insights icon is highlighted if there's a vulnerability found in your organization. ![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png) -The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories. +The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. ![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png) @@ -88,11 +88,11 @@ The "OS Feature" category is shown in relevant scenarios. ### Top vulnerable software in the dashboard -1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. +1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time. ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) -2. Select the software you want to investigate to go to a drill down page. +2. Select the software you want to investigate to go to a drilldown page. 3. Select the **Discovered vulnerabilities** tab. 4. Select the vulnerability you want to investigate for more information on vulnerability details @@ -116,19 +116,19 @@ View related weaknesses information in the device page. #### CVE Detection logic -Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source. +Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source. -The "OS Feature" category is also shown in relevant scenarios. For example, a CVE affects devices that run a vulnerable OS, only if a specific OS component is enabled on these devices. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll attach this CVE only to the Windows Server 2019 devices with DNS capability enabled in their OS. +The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS. ![Detection Logic example which lists the software detected on the device and the KBs.](images/tvm-cve-detection-logic.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information. +Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. 1. Open the CVE on the Weaknesses page. -2. Select **Report inaccuracy**. -3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +2. Select **Report inaccuracy** and a flyout pane will open. +3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 74fc51d25f..4209ff2f58 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -3,7 +3,6 @@ title: Firewall and network protection in the Windows Security app description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 3afda2997c..a3bf04355b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -3,7 +3,6 @@ title: The Windows Security app description: The Windows Security app brings together common Windows security features into one place keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index fa85062872..e7b8a53f7a 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -35,7 +35,7 @@ The following video provides an overview of Windows Sandbox. ## Prerequisites -- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*) +- Windows 10 Pro, Enterprise or Education build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*) - AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) @@ -48,7 +48,7 @@ The following video provides an overview of Windows Sandbox. 2. Enable virtualization on the machine. - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS. - - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
**Set -VMProcessor -VMName \ -ExposeVirtualizationExtensions $true** + - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
**Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true** 1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.