Using the Unified Write Filter (UWF) feature in Windows 10

In the Windows 10 Enterprise (including LTSB) and Windows 10 Education editions, you can enable the Unified Write Filter (UWF) feature to prevent changes to the hard drive. This is particular useful for kiosk-type scenarios, or classroom environments where you don't want enthusiastic students to install software etc. on to the machines 🙂

How UWF works

Unified Write Filter (UWF) prevents changes to the hard drive by redirecting all write operations to a virtual overlay, which is a virtual representation of the changes to the disk. Shorthand story is that the user thinks it writes to the disk, but when the machine is rebooted, nothing is being kept.

Enabling UWF

UWF can be enabled via the Windows 10 GUI (Turn Windows features on or off), via DISM, via Provisioning Packages, MDM Settings, WMI, or PowerShell. So of course you should use PowerShell 🙂

Here is the command:

Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All

Configuring UWF

Once enabled, and you rebooted the machine you can start configuring it. You can use either the native utility uwfmgr.exe or WMI (meaning PowerShell) to configuring the protection of your drives and a ton of other settings. At the very least you want to enable the filter and protect one of your volumes.

Note: There are no native PowerShell cmdlets to configure UWF, and the WMI methods in Windows 10 are not implemented very good (as an example, methods in the UWF_Volume class requires that uwfmgr.exe is used first anyway), so for the configuration you should simply use the uwfmgr.exe utility. Feel free to wrap it in PowerShell if it makes you feel better, but for now I've decided to stay away from the WMI methods. 🙂

Here are the commands needed to enable the overlay filter and then protect the C: drive.

uwfmgr filter enable
uwfmgr volume protect c:

Then restart the machine. From now on, everything that is being written to disk during a user session will be discarded when rebooting the machine.

Servicing UWF

Obviously, having all changes being discarded at every reboot makes it a bit challenge to service the machine. Like installing applications or Windows Updates. To make updates to the machine you put the machine in a servicing mode. Again using the uwfmgr.exe utility.

Note: In my testing of Windows 10 v1607, the volume protection have worked perfectly, but servicing has been quite unreliable (Will do some more research)

Anyway, to put a machine in servicing mode, you run the following command and then reboot the machine:

uwfmgr servicing enable

After doing your changes, to disable servicing mode again, you run the following command and then reboot the machine:

uwfmgr servicing disable

Real World Notes

When starting to play around with UWF you quickly learn that it makes sense to exclude certain files, folders and registry keys from the filter. For example if you don't want Windows Defender to re-download updates and definitions every single time you restart the computer, you want to excluded those. Here are the items you need to exclude for Windows Defender (from the MSDN documentation)

File Exclusions

  • C:\Program Files\Windows Defender
  • C:\ProgramData\Microsoft\Windows Defender
  • C:\Windows\WindowsUpdate.log
  • C:\Windows\Temp\MpCmdRun.log

Registry Exclusions

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

Reference info

You find tons of more info about Unified Write Filter (UWF) and other Windows 10 customizations and device lockdown features on MSDN:

Customizations for enterprise desktop
http://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/enterprise/enterprise-custom-portal

Unified Write Filter (UWF) feature
http://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/enterprise/unified-write-filter

PowerShell examples for the UWF filter
http://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/enterprise/uwf-filter

About the author

Johan Arwidmark

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

>