Thursday, September 21, 2017

Windows 10 Overlay for Unified Write Filter (UWF)

Windows 10 Overlay for Unified Write Filter (UWF)


This entry is to document my experience with the Windows 10 feature Unified Write Filter (UWF); with the intention to replace DeepFreeze on shared computers.

"Unified Write Filter (UWF) protects the contents of a volume by redirecting all write operations on that volume to the overlay, which is a virtual representation of the changes to the volume. Conceptually, an overlay is similar to a transparency overlay on an overhead projector. Any change that is made to the transparency overlay affects the projected picture as it is seen by the viewer. However, if the transparency overlay is removed, the underlying picture remains unchanged.
In a UWF protected system, UWF creates a single overlay, which contains information about writes to all protected volumes on a system. The overlay supports up to 16 terabytes of protected volumes."
(extract from https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwfoverlay

 How to install the UWF feature ?

 The Windows 10 feature can be installed in several ways; the offline Wim file via DISM, PowerShell, Manually via Control Panel GUI, Provisioning package or WMI. All methods are detailed here.

PowerShell Method
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All #NoRestart

SCCM and MDT Method
If you use the SCCM with the MDT this OS Feature can be enabled during the Task Sequence with the step "Install Roles and Features".



This can be taken further and applied to an MDT Database Role that is "Gathered" during the task sequence; far more dynamic and less steps/logic involved within the Task Sequence.

The ID for each Role and Feature can be found in the ServerManager.xml file located within the Microsoft Deployment Toolkit folder.
C:\Program Files\Microsoft Deployment Toolkit\Bin\ServerManager.xml)

 Exactly like the PowerShell Feature name you will find the ID "Client-UnifiedWriteFilter" within this XML. This ID can be added to the MDT Database under the OS Roles> OSFeatures.  If you need to apply multiple Features simply separate the ID's with the use of commas. The end result will provision Windows 10 with the UWF feature installed.





NOTE: The UWF feature must be installed prior to the SCCM client being installed.
For Windows 10 computers that you plan to protect with Unified Write Filter (UWF), you must configure the device for UWF before you install the client. This enables Configuration Manager to install the client with a custom credential provider that locks out low-rights users from logging in to the device during maintenance mode.
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/best-practices-for-client-deployment


How to Enable the UWF feature ?

 After the Feature is installed and the computer rebooted there will be a utility called "uwfmgr" within the System32 folder. To enable the feature on the command line, call this utility with the following commands.

uwfmgr filter enable
uwfmgr volume protect c:

Through trial and error we have established a list of file, folder, and Registry Exclusions that should be exempt from UWF to maintain GPO, logs, and SCCM activity.

uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center"
uwfmgr file add-exclusion "c:\windows\ccm"
uwfmgr file add-exclusion "c:\windows\ccm\UserAffinityStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\InventoryStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CcmStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\StateMessageStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CertEnrollmentStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\ServiceData"
uwfmgr file add-exclusion "c:\windows\ccmssetup"
uwfmgr file add-exclusion "c:\windows\ccmcache"
uwfmgr file add-exclusion "c:\_TaskSequence"
uwfmgr file add-exclusion "c:\windows\bootstat.dat"  This caused a Boot failure in Windows 1709
uwfmgr file add-exclusion "C:\Windows\wlansvc\Policies"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\Windows\dot2svc\Policies"
uwfmgr file add-exclusion "C:\Program Files\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramFiles(X86)\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr file add-exclusion "C:\Windows\WindowsUpdate.log"
uwfmgr file add-exclusion "C:\Windows\Temp\MpCmdRun.log"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
uwfmgr file add-exclusion "c:\Windows\System32\Microsoft\Protect"
uwfmgr file add-exclusion "c:\ProgramData\Microsoft\Crypto"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Antimalware"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Network\Downloader"
uwfmgr file add-exclusion "c:\windows\System32\Winevt\Logs"
Source reference  for Exclusions
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/planning-for-client-deployment-to-windows-embedded-devices

 https://deploymentresearch.com/Research/Post/632/Using-the-Unified-Write-Filter-UWF-feature-in-Windows-10

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-antimalware-support

How to Service UWF enabled Windows 10 computers?

SCCM is UWF aware and when Software Updates are deployed the SCCM client will reboot the system with UWF disabled, and lockout the system to non admins.  Once the Updates are installed the system will reboot again enabling UWF.


The "Write Filter handling for Windows Embedded devices" when enabled will trigger the Client notification to restart with UWF disabled.

Update: 13/03/2018

After a while Windows 10 was producing security notifications for 'Disk Scan Errors'  and 'Firewall disabled' toast notifications.  I was able to suppress these toast notifications with Group Policy by setting the Key Windows.SystemToast.SecurityAndMaintenance\Enable = 0

reg add "HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enable /t REG_DWORD /d 0 /f





Posted by at
Labels: , , , , ,

22 comments:

  1. RobApril 27, 2018 at 12:43 PM

    How can I use the MDT Install Roles and Features task in a task sequence so that it will enable UWF before the client is installed? The Install Roles and Features task requires that the operating system be online, but the task, Setup Windows and ConfigMgr, that switches from WinPE to the deployed OS also installs the CM client.

    ReplyDelete
    Replies
    1. syswow64July 3, 2018 at 12:42 AM

      Hi Rob, From my experience your Task Sequence can install the OS, Drivers and SCCM client, then install the apps and then UWF via a "Install Roles and Features" step. Once the Task Sequence is complete the SCCM Client will initialize for the first time and install the additional UWF aware features/actions/components.

      Delete
  2. MichaelJune 19, 2018 at 5:34 AM

    Hey, how would you enable UWF before client install in SCCM CB?

    ReplyDelete
    Replies
    1. syswow64July 3, 2018 at 12:43 AM

      See comment above. The feature can be installed after the OS and SCCM client is installed. Once the Task Sequence is complete the SCCM Client will initialize for the first time and install the additional UWF aware features/actions/components

      Delete
  3. AdamJune 27, 2018 at 6:20 PM

    I just used the option to enable it in my WIM files offline, then updated content in SCCM. I'm not worried about having it installed on all of my systems since it doesn't do anything until you turn on protection on a volume.

    ReplyDelete
  4. syswow64July 3, 2018 at 12:46 AM

    Hi Adam, I am glad you found a solution for your environment. The process i was trying to promote was not just for the UWF feature. By integrating the MDT database you can set multiple OSFeatures dynamically in the database but you only need to have one step in the Task Sequence for all builds.

    ReplyDelete
  5. UnknownJuly 31, 2018 at 4:19 AM

    Does the version of SCCM matter when it comes to being aware of UWF? We use SCCM 2012 R2 CU3 in our environment.

    ReplyDelete
  6. SmithAugust 15, 2018 at 3:29 AM

    This covering contains little metal sections that mirror the suns bright beams from within or your home. Low "E" glass is amazingly compelling for taking out the blurring of sun blanched furniture, wood floors and covers. california 2020 solar home buyers

    ReplyDelete
  7. UnknownSeptember 18, 2018 at 1:04 AM

    Hi,
    How to write a script than can shows overlay get-consumption memory. Actually i have some thin-client which are configured with kiosk mode and in UWF enbale environment system must reboot in certain time when overlay cache memory get exhausted, while user using in kiosk mode so they can see the UWF icon to notice that overlay memory is exhausted. I am planning to integrate some script in the monitoring solution that can shows overlay consumption and its size, so from one interface we can see ok these clinet needs to be rebooted.

    ReplyDelete
  8. justinNovember 22, 2019 at 1:17 AM

    That appears to be certainly great. Most of these teeny specifics are designed having great deal of track record expertise. I'm keen on the item lots microsoft office 365 product key

    ReplyDelete
  9. adseo2June 9, 2020 at 9:14 AM

    Going to graduate school was a positive decision for me. I enjoyed the coursework, the presentations, the fellow students, and the professors. And since my company reimbursed 100% of the tuition, the only cost that I had to pay on my own was for books and supplies. Otherwise, I received a free master’s degree. All that I had to invest was my time. windows 10 bsod

    ReplyDelete
  10. Mubashir KhatriNovember 11, 2020 at 12:07 AM

    I’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... Multi-User CRM

    ReplyDelete
  11. UnknownJanuary 19, 2021 at 4:29 AM

    It's late finding this act. At least, it's a thing to be familiar with that there are such events exist. I agree with your Blog and I will be back to inspect it more in the future so please keep up your act. Ramen deuren

    ReplyDelete
  12. thomas johnJanuary 19, 2021 at 9:33 PM

    I wanted to thank you for this great read!! I definitely enjoying every little bit of it I have you bookmarked to check out new stuff you post. Ramen en deuren Leuven

    ReplyDelete
  13. Lisa JonesJanuary 21, 2021 at 10:33 PM

    you command get got an shakiness over that you wish be delivering the following. unwell unquestionably come more formerly again since exactly the same nearly a lot often inside case you shield this hike. price crash furniture uk

    ReplyDelete
  14. king levisterJanuary 22, 2021 at 4:37 AM

    I like your post. It is good to see you verbalize from the heart and clarity on this important subject can be easily observed... windows and doors

    ReplyDelete
  15. JosephineFebruary 7, 2021 at 6:00 AM

    The most popular or widely used Windows versions are Windows 7, Windows 8.1 and Windows 10. Windows 7 with codename Vienna or Blackcomb is part of the Windows NT family and was released back in July 22, 2009. windows 10 product key 64 bit

    ReplyDelete
  16. jobsApril 11, 2021 at 1:04 PM

    The website is looking bit flashy and it catches the visitors eyes. Design is pretty simple and a good user friendly interface. https://itprospt.com/windows-10-headphones-not-showing-up-in-playback-devices/

    ReplyDelete
  17. UnknownMay 11, 2021 at 3:01 AM

    On this page, you'll see my profile, please read this information. https://oomnex.com/oomnex-vestami-6-in-1-cavitation-rf-slimming-machine

    ReplyDelete
  18. UnknownMay 21, 2021 at 8:29 PM

    Make the most of mainly premium substances - you will find him or her for: CSGO

    ReplyDelete
  19. jonJune 10, 2021 at 1:24 PM

    Great survey, I'm sure you're getting a great response. embroidery keychains

    ReplyDelete
  20. UnknownJuly 19, 2021 at 12:30 AM

    I havent any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us. https://birthdaypartyplanner.co.in/

    ReplyDelete

Subscribe to: Post Comments (Atom)