Thursday, September 21, 2017

Windows 10 Overlay for Unified Write Filter (UWF)

This entry documents my experience with the Windows 10 Unified Write Filter (UWF) feature, with the intention of replacing DeepFreeze on shared computers.

"Unified Write Filter (UWF) protects the contents of a volume by redirecting all write operations on that volume to the overlay, which is a virtual representation of the changes to the volume. Conceptually, an overlay is similar to a transparency overlay on an overhead projector. Any change that is made to the transparency overlay affects the projected picture as it is seen by the viewer. However, if the transparency overlay is removed, the underlying picture remains unchanged.
In a UWF protected system, UWF creates a single overlay, which contains information about writes to all protected volumes on a system. The overlay supports up to 16 terabytes of protected volumes."
(extract from https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwfoverlay)

How to install the UWF feature?

The Windows 10 feature can be installed in several ways: offline into a WIM file via DISM, via PowerShell, manually through the Control Panel GUI, via a provisioning package, or via WMI. All methods are detailed in the Microsoft UWF documentation.

PowerShell Method
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All   (add -NoRestart to suppress the reboot prompt; the feature is only usable after the reboot)

SCCM and MDT Method
If you use SCCM integrated with MDT, this OS feature can be enabled during the task sequence with the "Install Roles and Features" step.



This can be taken further by applying it to an MDT database role that is gathered during the task sequence; this is far more dynamic and involves fewer steps and less logic within the task sequence.

The ID for each role and feature can be found in the ServerManager.xml file located within the Microsoft Deployment Toolkit folder:
C:\Program Files\Microsoft Deployment Toolkit\Bin\ServerManager.xml

Exactly like the PowerShell feature name, you will find the ID "Client-UnifiedWriteFilter" within this XML. This ID can be added to the MDT database under OS Roles > OSFeatures. To apply multiple features, separate the IDs with commas. The end result provisions Windows 10 with the UWF feature installed.

NOTE: The UWF feature must be installed before the SCCM client is installed.
"For Windows 10 computers that you plan to protect with Unified Write Filter (UWF), you must configure the device for UWF before you install the client. This enables Configuration Manager to install the client with a custom credential provider that locks out low-rights users from logging in to the device during maintenance mode."
(extract from https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/best-practices-for-client-deployment)


How to enable the UWF feature?

After the feature is installed and the computer rebooted, a utility called "uwfmgr" (uwfmgr.exe) is available in the System32 folder. To enable the feature from an elevated command prompt, call this utility with the following commands. Both take effect at the next restart, and "uwfmgr get-config" shows the current and next-session configuration so you can verify what will be protected.

uwfmgr filter enable
uwfmgr volume protect c:

Through trial and error we have established a list of file, folder, and registry exclusions that should be exempt from UWF so that GPO processing, logs, and SCCM activity persist across reboots. Keep in mind that every exclusion is a location where writes survive a reboot, which is exactly where anything unwanted on a shared machine would persist, so keep the list as short as the workload allows.

uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center"
uwfmgr file add-exclusion "c:\windows\ccm"
uwfmgr file add-exclusion "c:\windows\ccm\UserAffinityStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\InventoryStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CcmStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\StateMessageStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CertEnrollmentStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\ServiceData"
uwfmgr file add-exclusion "c:\windows\ccmsetup"
uwfmgr file add-exclusion "c:\windows\ccmcache"
uwfmgr file add-exclusion "c:\_TaskSequence"
uwfmgr file add-exclusion "c:\windows\bootstat.dat"   (this exclusion caused a boot failure on Windows 10 1709, so leave it out)
uwfmgr file add-exclusion "C:\Windows\wlansvc\Policies"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\Windows\dot3svc\Policies"
uwfmgr file add-exclusion "C:\Program Files\Windows Defender"
uwfmgr file add-exclusion "C:\Program Files (x86)\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr file add-exclusion "C:\Windows\WindowsUpdate.log"
uwfmgr file add-exclusion "C:\Windows\Temp\MpCmdRun.log"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
uwfmgr file add-exclusion "c:\Windows\System32\Microsoft\Protect"
uwfmgr file add-exclusion "c:\ProgramData\Microsoft\Crypto"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Antimalware"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Network\Downloader"
uwfmgr file add-exclusion "c:\windows\System32\Winevt\Logs"


Source references for the exclusions
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/planning-for-client-deployment-to-windows-embedded-devices

https://deploymentresearch.com/Research/Post/632/Using-the-Unified-Write-Filter-UWF-feature-in-Windows-10

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-antimalware-support
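The whole procedure above (install the feature, enable the filter, protect C:, apply the exclusions, verify) as one script, added here as an example and not code from the original post. It wraps uwfmgr.exe exactly as the post does; the exclusion lists mirror the post's list with the bootstat.dat entry left out, the duplicate entries dropped, and the ccm subfolder entries folded into the parent folder exclusion (a folder exclusion covers its files and subfolders). The Invoke-Uwf helper name is this example's own.

```powershell
# Added example (not from the original post): configure UWF on a shared Windows 10 PC.
# Run from an elevated PowerShell session; everything takes effect at the next reboot.
#Requires -RunAsAdministrator

function Invoke-Uwf {
    # Run one uwfmgr.exe command line and warn (rather than stop) on a non-zero exit
    # code, so re-running the script over an existing configuration is harmless.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & "$env:SystemRoot\System32\uwfmgr.exe" @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "uwfmgr $($Arguments -join ' ') exited with $LASTEXITCODE: $out"
    }
    return $out
}

# Install the feature if it is missing. uwfmgr.exe only exists after the reboot.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Client-UnifiedWriteFilter'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Client-UnifiedWriteFilter' -All -NoRestart | Out-Null
    Write-Warning 'UWF feature installed; reboot and run this script again.'
    return
}

# File and folder exclusions. Every path here survives a reboot, so keep it short.
$fileExclusions = @(
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center',
    'C:\Windows\ccm',           # also covers the .sdf stores and ServiceData beneath it
    'C:\Windows\ccmsetup',
    'C:\Windows\ccmcache',
    'C:\_TaskSequence',
    'C:\Windows\wlansvc\Policies',
    'C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces',
    'C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces',
    'C:\Windows\dot3svc\Policies',
    'C:\Program Files\Windows Defender',
    'C:\Program Files (x86)\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender',
    'C:\Windows\WindowsUpdate.log',
    'C:\Windows\Temp\MpCmdRun.log',
    'C:\Windows\System32\Microsoft\Protect',
    'C:\ProgramData\Microsoft\Crypto',
    'C:\ProgramData\Microsoft\Network\Downloader',
    'C:\Windows\System32\Winevt\Logs'
)

$registryExclusions = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Antimalware',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WwanSvc'
)

# Turn the filter on and protect the system volume (both apply at next restart).
Invoke-Uwf 'filter', 'enable'
Invoke-Uwf 'volume', 'protect', 'C:'

foreach ($path in $fileExclusions) {
    Invoke-Uwf 'file', 'add-exclusion', $path
}
foreach ($key in $registryExclusions) {
    Invoke-Uwf 'registry', 'add-exclusion', $key
}

# Print the current and next-session configuration so the result can be checked
# before the reboot that activates it.
Invoke-Uwf 'get-config'
```

Run it once to install the feature, reboot, then run it again to apply the configuration; the final get-config output lists the protected volumes and every exclusion that will be in force after the next restart, which is the place to confirm nothing unexpected has been made persistent.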

How to service UWF-enabled Windows 10 computers?

SCCM is UWF-aware: when software updates are deployed, the SCCM client reboots the system with UWF disabled and locks out non-administrators. Once the updates are installed, the system reboots again with UWF re-enabled.


The deployment option "Write filter handling for Windows Embedded devices", when enabled, triggers the client notification to restart with UWF disabled.
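When SCCM is not driving maintenance mode (a one-off fix, or a machine outside SCCM), the same open/patch/close cycle has to be done by hand. The script below is an added example, not code from the original post; it wraps uwfmgr.exe and its script name (Service-Uwf.ps1) and the sample path in the usage comment are this example's own. The "commit" mode shows the narrower alternative to a permanent exclusion: persisting one file or registry key from the running overlay without turning the filter off.

```powershell
# Added example (not from the original post): manual servicing of a UWF-protected PC.
# Usage from an elevated PowerShell session:
#   .\Service-Uwf.ps1 -Mode status
#   .\Service-Uwf.ps1 -Mode open      # disable the filter and restart to patch
#   .\Service-Uwf.ps1 -Mode close     # re-enable the filter and restart
#   .\Service-Uwf.ps1 -Mode commit -Path 'C:\ProgramData\SomeApp\config.xml'  (sample path)
#Requires -RunAsAdministrator
param(
    [ValidateSet('status', 'open', 'close', 'commit')]
    [string]$Mode = 'status',
    # File path, or registry key (HKLM\... or HKEY_LOCAL_MACHINE\...), for -Mode commit.
    [string]$Path
)

$uwfmgr = "$env:SystemRoot\System32\uwfmgr.exe"
if (-not (Test-Path $uwfmgr)) { throw 'uwfmgr.exe not found; is the UWF feature installed?' }

switch ($Mode) {
    'status' {
        & $uwfmgr get-config                  # filter state now and at next restart, volumes, exclusions
        & $uwfmgr overlay get-consumption     # how much of the overlay this session has used
        & $uwfmgr overlay get-availablespace
    }
    'open' {
        # The next session boots unprotected and, unlike SCCM maintenance mode,
        # nothing locks standard users out, so do this while nobody else can sign in.
        & $uwfmgr filter disable              # takes effect at the next restart
        & $uwfmgr filter restart
    }
    'close' {
        & $uwfmgr filter enable               # back to the frozen state after the restart
        & $uwfmgr filter restart
    }
    'commit' {
        if (-not $Path) { throw 'Specify -Path with -Mode commit.' }
        # Write one change through to the underlying volume without disabling UWF.
        if ($Path -match '^HK[A-Z_]+\\') {
            & $uwfmgr registry commit $Path
        } else {
            & $uwfmgr file commit $Path
        }
    }
}
if ($LASTEXITCODE -ne 0) { Write-Warning "uwfmgr exited with code $LASTEXITCODE" }
```

The status mode is worth running periodically on shared machines: the overlay is finite, and a session that fills it is what produces the "disk" errors users report, so the consumption figures tell you whether the exclusion list or the overlay size needs adjusting.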

Update: 13/03/2018

After a while Windows 10 was producing security notifications for 'Disk Scan Errors' and 'Firewall disabled' toast notifications. I was able to suppress these toast notifications with Group Policy by setting the key Windows.SystemToast.SecurityAndMaintenance\Enable = 0.

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enable /t REG_DWORD /d 0 /f
(the key lives under HKEY_CURRENT_USER, so it is per user and has to be applied to each profile that signs in, for example via a logon script)