In the Windows 10 Enterprise (including LTSB) and Windows 10 Education editions, you can enable the Unified Write Filter (UWF) feature to prevent changes to the hard drive. This is particularly useful for kiosk-type scenarios, or classroom environments where you don't want enthusiastic students to install software etc. onto the machines 🙂
How UWF works
Unified Write Filter (UWF) prevents changes to the hard drive by redirecting all write operations to a virtual overlay, which is a virtual representation of the changes to the disk. The short story is that the user appears to be writing to the disk, but when the machine is rebooted, nothing is kept.
Enabling UWF
UWF can be enabled via the Windows 10 GUI (Turn Windows features on or off), via DISM, via Provisioning Packages, MDM Settings, WMI, or PowerShell. So of course you should use PowerShell 🙂
Here is the command:
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All
Configuring UWF
Once the feature is enabled and you have rebooted the machine, you can start configuring it. You can use either the native utility uwfmgr.exe or WMI (meaning PowerShell) to configure the protection of your drives and a ton of other settings. At the very least you want to enable the filter and protect one of your volumes.
Note: There are no native PowerShell cmdlets to configure UWF, and the WMI methods in Windows 10 are not implemented very well (as an example, methods in the UWF_Volume class require that uwfmgr.exe is used first anyway), so for the configuration you should simply use the uwfmgr.exe utility. Feel free to wrap it in PowerShell if it makes you feel better, but for now I've decided to stay away from the WMI methods. 🙂
Here are the commands needed to enable the overlay filter and then protect the C: drive.
uwfmgr filter enable
uwfmgr volume protect c:
Then restart the machine. From now on, everything that is being written to disk during a user session will be discarded when rebooting the machine.
Servicing UWF
Obviously, having all changes discarded at every reboot makes it a bit of a challenge to service the machine, for example when installing applications or Windows Updates. To make updates to the machine, you put it in servicing mode, again using the uwfmgr.exe utility.
Note: In my testing of Windows 10 v1607, the volume protection has worked perfectly, but servicing has been quite unreliable (Will do some more research)
Anyway, to put a machine in servicing mode, you run the following command and then reboot the machine:
uwfmgr servicing enable
After making your changes, to disable servicing mode again, you run the following command and then reboot the machine:
uwfmgr servicing disable
Real World Notes
When starting to play around with UWF you quickly learn that it makes sense to exclude certain files, folders and registry keys from the filter. For example, if you don't want Windows Defender to re-download updates and definitions every single time you restart the computer, you want to exclude those. Here are the items you need to exclude for Windows Defender (from the MSDN documentation):
File Exclusions
- C:\Program Files\Windows Defender
- C:\ProgramData\Microsoft\Windows Defender
- C:\Windows\WindowsUpdate.log
- C:\Windows\Temp\MpCmdRun.log
Registry Exclusions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
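The exclusions listed above can be applied with a small PowerShell wrapper around uwfmgr.exe. This is an added example, not code from the original post or from Microsoft: the helper name Invoke-Uwfmgr is made up, C: is assumed to be the protected volume, the registry hive is written in its short HKLM form, and it assumes uwfmgr.exe returns a non-zero exit code on failure.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the Windows Defender exclusions from the lists above.
# Assumes UWF is already enabled and the machine has been rebooted once.

$fileExclusions = @(
    'C:\Program Files\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender',
    'C:\Windows\WindowsUpdate.log',
    'C:\Windows\Temp\MpCmdRun.log'
)
$registryExclusions = @(
    'HKLM\SOFTWARE\Microsoft\Windows Defender'   # HKEY_LOCAL_MACHINE in short form
)

# Hypothetical helper: run uwfmgr.exe and turn a failing exit code into an error.
function Invoke-Uwfmgr {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & uwfmgr.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "uwfmgr $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

# Add each item on its own so one failure does not stop the rest.
$failed = 0
foreach ($path in $fileExclusions) {
    try   { Invoke-Uwfmgr -Arguments 'file', 'add-exclusion', $path | Out-Null }
    catch { Write-Warning $_.Exception.Message; $failed++ }
}
foreach ($key in $registryExclusions) {
    try   { Invoke-Uwfmgr -Arguments 'registry', 'add-exclusion', $key | Out-Null }
    catch { Write-Warning $_.Exception.Message; $failed++ }
}

# List what is registered so the result can be reviewed before rebooting.
Invoke-Uwfmgr -Arguments 'file', 'get-exclusions', 'C:'
Invoke-Uwfmgr -Arguments 'registry', 'get-exclusions'

if ($failed -gt 0) {
    Write-Warning "$failed exclusion(s) could not be added."
} else {
    Write-Host 'All exclusions added. Restart the machine for them to take effect.'
}
```

Every excluded path and key keeps its changes across reboots, so review the get-exclusions output and keep the list as short as the workload allows.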
Reference info
You'll find tons more info about Unified Write Filter (UWF) and other Windows 10 customizations and device lockdown features on MSDN:
Customizations for enterprise desktop
http://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/enterprise/enterprise-custom-portal
Unified Write Filter (UWF) feature
http://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/enterprise/unified-write-filter
PowerShell examples for the UWF filter
http://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/enterprise/uwf-filter