Thursday, September 21, 2017

Windows 10 Overlay for Unified Write Filter (UWF)

Windows 10 Overlay for Unified Write Filter (UWF)


This entry is to document my experience with the Windows 10 feature Unified Write Filter (UWF); with the intention to replace DeepFreeze on shared computers.

"Unified Write Filter (UWF) protects the contents of a volume by redirecting all write operations on that volume to the overlay, which is a virtual representation of the changes to the volume. Conceptually, an overlay is similar to a transparency overlay on an overhead projector. Any change that is made to the transparency overlay affects the projected picture as it is seen by the viewer. However, if the transparency overlay is removed, the underlying picture remains unchanged.
In a UWF protected system, UWF creates a single overlay, which contains information about writes to all protected volumes on a system. The overlay supports up to 16 terabytes of protected volumes."
(extract from https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwfoverlay

 How to install the UWF feature ?

 The Windows 10 feature can be installed in several ways; the offline Wim file via DISM, PowerShell, Manually via Control Panel GUI, Provisioning package or WMI. All methods are detailed here.

PowerShell Method
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All #NoRestart

SCCM and MDT Method
If you use the SCCM with the MDT this OS Feature can be enabled during the Task Sequence with the step "Install Roles and Features".



This can be taken further and applied to an MDT Database Role that is "Gathered" during the task sequence; far more dynamic and less steps/logic involved within the Task Sequence.

The ID for each Role and Feature can be found in the ServerManager.xml file located within the Microsoft Deployment Toolkit folder.
C:\Program Files\Microsoft Deployment Toolkit\Bin\ServerManager.xml)

 Exactly like the PowerShell Feature name you will find the ID "Client-UnifiedWriteFilter" within this XML. This ID can be added to the MDT Database under the OS Roles> OSFeatures.  If you need to apply multiple Features simply separate the ID's with the use of commas. The end result will provision Windows 10 with the UWF feature installed.





NOTE: The UWF feature must be installed prior to the SCCM client being installed.
For Windows 10 computers that you plan to protect with Unified Write Filter (UWF), you must configure the device for UWF before you install the client. This enables Configuration Manager to install the client with a custom credential provider that locks out low-rights users from logging in to the device during maintenance mode.
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/best-practices-for-client-deployment


How to Enable the UWF feature ?

 After the Feature is installed and the computer rebooted there will be a utility called "uwfmgr" within the System32 folder. To enable the feature on the command line, call this utility with the following commands.

uwfmgr filter enable
uwfmgr volume protect c:

Through trial and error we have established a list of file, folder, and Registry Exclusions that should be exempt from UWF to maintain GPO, logs, and SCCM activity.

uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center"
uwfmgr file add-exclusion "c:\windows\ccm"
uwfmgr file add-exclusion "c:\windows\ccm\UserAffinityStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\InventoryStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CcmStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\StateMessageStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CertEnrollmentStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\ServiceData"
uwfmgr file add-exclusion "c:\windows\ccmssetup"
uwfmgr file add-exclusion "c:\windows\ccmcache"
uwfmgr file add-exclusion "c:\_TaskSequence"
uwfmgr file add-exclusion "c:\windows\bootstat.dat"  This caused a Boot failure in Windows 1709
uwfmgr file add-exclusion "C:\Windows\wlansvc\Policies"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\Windows\dot2svc\Policies"
uwfmgr file add-exclusion "C:\Program Files\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramFiles(X86)\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr file add-exclusion "C:\Windows\WindowsUpdate.log"
uwfmgr file add-exclusion "C:\Windows\Temp\MpCmdRun.log"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
uwfmgr file add-exclusion "c:\Windows\System32\Microsoft\Protect"
uwfmgr file add-exclusion "c:\ProgramData\Microsoft\Crypto"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Antimalware"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Network\Downloader"
uwfmgr file add-exclusion "c:\windows\System32\Winevt\Logs"
Source reference  for Exclusions
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/planning-for-client-deployment-to-windows-embedded-devices

 https://deploymentresearch.com/Research/Post/632/Using-the-Unified-Write-Filter-UWF-feature-in-Windows-10

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-antimalware-support

How to Service UWF enabled Windows 10 computers?

SCCM is UWF aware and when Software Updates are deployed the SCCM client will reboot the system with UWF disabled, and lockout the system to non admins.  Once the Updates are installed the system will reboot again enabling UWF.


The "Write Filter handling for Windows Embedded devices" when enabled will trigger the Client notification to restart with UWF disabled.

Update: 13/03/2018

After a while Windows 10 was producing security notifications for 'Disk Scan Errors'  and 'Firewall disabled' toast notifications.  I was able to suppress these toast notifications with Group Policy by setting the Key Windows.SystemToast.SecurityAndMaintenance\Enable = 0

reg add "HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enable /t REG_DWORD /d 0 /f





Posted by at
Reactions: 
Labels: , , , , ,

12 comments:

  1. RobApril 27, 2018 at 12:43 PM

    How can I use the MDT Install Roles and Features task in a task sequence so that it will enable UWF before the client is installed? The Install Roles and Features task requires that the operating system be online, but the task, Setup Windows and ConfigMgr, that switches from WinPE to the deployed OS also installs the CM client.

    ReplyDelete
    Replies
    1. syswow64July 3, 2018 at 12:42 AM

      Hi Rob, From my experience your Task Sequence can install the OS, Drivers and SCCM client, then install the apps and then UWF via a "Install Roles and Features" step. Once the Task Sequence is complete the SCCM Client will initialize for the first time and install the additional UWF aware features/actions/components.

      Delete
  2. MichaelJune 19, 2018 at 5:34 AM

    Hey, how would you enable UWF before client install in SCCM CB?

    ReplyDelete
    Replies
    1. syswow64July 3, 2018 at 12:43 AM

      See comment above. The feature can be installed after the OS and SCCM client is installed. Once the Task Sequence is complete the SCCM Client will initialize for the first time and install the additional UWF aware features/actions/components

      Delete
  3. AdamJune 27, 2018 at 6:20 PM

    I just used the option to enable it in my WIM files offline, then updated content in SCCM. I'm not worried about having it installed on all of my systems since it doesn't do anything until you turn on protection on a volume.

    ReplyDelete
  4. syswow64July 3, 2018 at 12:46 AM

    Hi Adam, I am glad you found a solution for your environment. The process i was trying to promote was not just for the UWF feature. By integrating the MDT database you can set multiple OSFeatures dynamically in the database but you only need to have one step in the Task Sequence for all builds.

    ReplyDelete
  5. UnknownJuly 31, 2018 at 4:19 AM

    Does the version of SCCM matter when it comes to being aware of UWF? We use SCCM 2012 R2 CU3 in our environment.

    ReplyDelete
  6. SmithAugust 15, 2018 at 3:29 AM

    This covering contains little metal sections that mirror the suns bright beams from within or your home. Low "E" glass is amazingly compelling for taking out the blurring of sun blanched furniture, wood floors and covers. california 2020 solar home buyers

    ReplyDelete
  7. UnknownSeptember 18, 2018 at 1:04 AM

    Hi,
    How to write a script than can shows overlay get-consumption memory. Actually i have some thin-client which are configured with kiosk mode and in UWF enbale environment system must reboot in certain time when overlay cache memory get exhausted, while user using in kiosk mode so they can see the UWF icon to notice that overlay memory is exhausted. I am planning to integrate some script in the monitoring solution that can shows overlay consumption and its size, so from one interface we can see ok these clinet needs to be rebooted.

    ReplyDelete
  8. justinNovember 22, 2019 at 1:17 AM

    That appears to be certainly great. Most of these teeny specifics are designed having great deal of track record expertise. I'm keen on the item lots microsoft office 365 product key

    ReplyDelete
  9. adseo2June 9, 2020 at 9:14 AM

    Going to graduate school was a positive decision for me. I enjoyed the coursework, the presentations, the fellow students, and the professors. And since my company reimbursed 100% of the tuition, the only cost that I had to pay on my own was for books and supplies. Otherwise, I received a free master’s degree. All that I had to invest was my time. windows 10 bsod

    ReplyDelete
  10. Mubashir KhatriNovember 11, 2020 at 12:07 AM

    I’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... Multi-User CRM

    ReplyDelete

Subscribe to: Post Comments (Atom)