This topic discusses general and security-related best practices when using Windows® User State Migration Tool (USMT) 4.0.
General Best Practices
- Install applications before running the
LoadState tool. Though it is not always essential, it is best
practice to install all applications on the destination computer
before restoring the user state. This helps ensure that migrated
settings are preserved.
- Do not use MigUser.xml and MigDocs.xml
together. If you use both .xml files, some migrated files may
be duplicated if conflicting instructions are given about target
locations. If your data set is unknown, for example, many
non-standard file locations are used, MigDocs.xml is a better
choice. You can Utilize the /genmigxml command-line option
to determine which files will be included in your migration, and to
determine if any modifications are necessary. For more information,
File Types, Files, and Folders.
- Close all applications before running
either the ScanState or LoadState tools. Although utilizing the
/vsc switch can allow the migration of many files that are
open with another application it is a best practice to close all
applications in order to ensure all files and settings migrate.
Without the /vsc or /c switch USMT will fail when it
cannot migrate a file or setting. When utilizing the /c
option USMT will ignore any files or settings that it cannot
migrate and log an error each time.
- Log off after you run the LoadState
tool. Some settings, such as fonts, wallpaper, and screensaver
settings, will not take effect until the next time the user logs
on. For this reason, you should log off after you run the LoadState
- Managed environment. To create a
managed environment, you can move all of the end user’s documents
into My Documents (%CSIDL_PERSONAL%). We recommend that you migrate
files into the smallest-possible number of folders on the
destination computer. This will help you to clean up files on the
destination computer, if the LoadState command fails to
- Chkdsk.exe. We recommend that you run
Chkdsk.exe before running the ScanState and LoadState tools.
Chkdsk.exe creates a status report for a hard disk drive and lists
and corrects common errors. For more information about the
Chkdsk.exe tool, see this Microsoft Web site.
- Migrate in groups. If you decide to
perform the migration while users are using the network, it is best
to migrate user accounts in groups. To minimize the impact on
network performance, determine the size of the groups based on the
size of each user account. Migrating in phases also allows you to
make sure each phase is successful before starting the next phase.
Using this method, you can make any necessary modifications to your
plan between groups.
Security Best Practices
As the authorized administrator, it is your responsibility to protect the privacy of the users and maintain security during and after the migration. In particular, you must consider the following issues:
- Encrypting File System (EFS). Take
extreme caution when migrating encrypted files, because the end
user does not need to be logged on to capture the user state. By
default, Windows® User State Migration Tool (USMT) 4.0 fails if an
encrypted file is found. For more information about EFS best
practices, see this article in the Microsoft Knowledge Base. For specific instructions
about EFS best practices, see Migrate EFS Files and
If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
- Encrypt the store. Consider using the
/encrypt option with the ScanState command and the
/decrypt option with the LoadState command. However, use
extreme caution with this set of options, because anyone who has
access to the ScanState command-line script also has access to the
- Virus scan. We recommend that you scan
both the source and destination computers for viruses before
running USMT. In addition, you should scan the destination computer
image. To help protect data from viruses, we strongly recommend
running an antivirus utility before migration.
- Maintain security of the file server and
the deployment server. We recommend that you manage the
security of the file and deployment servers. It is important to
make sure that the file server where you save the store is secure.
You must also secure the deployment server, to ensure that the user
data that is in the log files is not exposed. We also recommend
that you only transmit data over a secure Internet connection, such
as a virtual private network. For more information about network
security, see this Microsoft Web site.
- Password migration. To ensure the
privacy of the end users, USMT does not migrate passwords,
including those for applications such as Windows Live™ Mail,
Microsoft Internet Explorer®, as well as Remote Access Service
(RAS) connections and mapped network drives. It is important to
make sure that end users know their passwords.
- Local account creation. Before you
migrate local accounts, see the Migrating Local Accounts section in