Skip to main content

Windows 10 Overlay for Unified Write Filter (UWF)

Windows 10 Overlay for Unified Write Filter (UWF)


This entry is to document my experience with the Windows 10 feature Unified Write Filter (UWF); with the intention to replace DeepFreeze on shared computers.

"Unified Write Filter (UWF) protects the contents of a volume by redirecting all write operations on that volume to the overlay, which is a virtual representation of the changes to the volume. Conceptually, an overlay is similar to a transparency overlay on an overhead projector. Any change that is made to the transparency overlay affects the projected picture as it is seen by the viewer. However, if the transparency overlay is removed, the underlying picture remains unchanged.
In a UWF protected system, UWF creates a single overlay, which contains information about writes to all protected volumes on a system. The overlay supports up to 16 terabytes of protected volumes."
(extract from https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwfoverlay

How to install the UWF feature ?

The Windows 10 feature can be installed in several ways; the offline Wim file via DISM, PowerShell, Manually via Control Panel GUI, Provisioning package or WMI. All methods are detailed here.

PowerShell Method
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All #NoRestart

SCCM and MDT Method
If you use the SCCM with the MDT this OS Feature can be enabled during the Task Sequence with the step "Install Roles and Features".



This can be taken further and applied to an MDT Database Role that is "Gathered" during the task sequence; far more dynamic and less steps/logic involved within the Task Sequence.

The ID for each Role and Feature can be found in the ServerManager.xml file located within the Microsoft Deployment Toolkit folder.
C:\Program Files\Microsoft Deployment Toolkit\Bin\ServerManager.xml)

Exactly like the PowerShell Feature name you will find the ID "Client-UnifiedWriteFilter" within this XML. This ID can be added to the MDT Database under the OS Roles> OSFeatures.  If you need to apply multiple Features simply separate the ID's with the use of commas. The end result will provision Windows 10 with the UWF feature installed.










NOTE: The UWF feature must be installed prior to the SCCM client being installed.
For Windows 10 computers that you plan to protect with Unified Write Filter (UWF), you must configure the device for UWF before you install the client. This enables Configuration Manager to install the client with a custom credential provider that locks out low-rights users from logging in to the device during maintenance mode.
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/best-practices-for-client-deployment


How to Enable the UWF feature ?

After the Feature is installed and the computer rebooted there will be a utility called "uwfmgr" within the System32 folder. To enable the feature on the command line, call this utility with the following commands.

uwfmgr filter enable
uwfmgr volume protect c:

Through trial and error we have established a list of file, folder, and Registry Exclusions that should be exempt from UWF to maintain GPO, logs, and SCCM activity.

uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center"
uwfmgr file add-exclusion "c:\windows\ccm"
uwfmgr file add-exclusion "c:\windows\ccm\UserAffinityStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\InventoryStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CcmStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\StateMessageStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\CertEnrollmentStore.sdf"
uwfmgr file add-exclusion "c:\windows\ccm\ServiceData"
uwfmgr file add-exclusion "c:\windows\ccmssetup"
uwfmgr file add-exclusion "c:\windows\ccmcache"
uwfmgr file add-exclusion "c:\_TaskSequence"
uwfmgr file add-exclusion "c:\windows\bootstat.dat"  This caused a Boot failure in Windows 1709
uwfmgr file add-exclusion "C:\Windows\wlansvc\Policies"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces"
uwfmgr file add-exclusion "C:\Windows\dot2svc\Policies"
uwfmgr file add-exclusion "C:\Program Files\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramFiles(X86)\Windows Defender"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr file add-exclusion "C:\Windows\WindowsUpdate.log"
uwfmgr file add-exclusion "C:\Windows\Temp\MpCmdRun.log"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
uwfmgr file add-exclusion "c:\Windows\System32\Microsoft\Protect"
uwfmgr file add-exclusion "c:\ProgramData\Microsoft\Crypto"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Antimalware"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc"
uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Network\Downloader"
uwfmgr file add-exclusion "c:\windows\System32\Winevt\Logs"


Source reference  for Exclusions
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/planning-for-client-deployment-to-windows-embedded-devices

https://deploymentresearch.com/Research/Post/632/Using-the-Unified-Write-Filter-UWF-feature-in-Windows-10

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-antimalware-support

How to Service UWF enabled Windows 10 computers?

SCCM is UWF aware and when Software Updates are deployed the SCCM client will reboot the system with UWF disabled, and lockout the system to non admins.  Once the Updates are installed the system will reboot again enabling UWF.


The "Write Filter handling for Windows Embedded devices" when enabled will trigger the Client notification to restart with UWF disabled.

Update: 13/03/2018

After a while Windows 10 was producing security notifications for 'Disk Scan Errors'  and 'Firewall disabled' toast notifications.  I was able to suppress these toast notifications with Group Policy by setting the Key Windows.SystemToast.SecurityAndMaintenance\Enable = 0

reg add "HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enable /t REG_DWORD /d 0 /f





Comments

  1. How can I use the MDT Install Roles and Features task in a task sequence so that it will enable UWF before the client is installed? The Install Roles and Features task requires that the operating system be online, but the task, Setup Windows and ConfigMgr, that switches from WinPE to the deployed OS also installs the CM client.

    ReplyDelete
    Replies
    1. Hi Rob, From my experience your Task Sequence can install the OS, Drivers and SCCM client, then install the apps and then UWF via a "Install Roles and Features" step. Once the Task Sequence is complete the SCCM Client will initialize for the first time and install the additional UWF aware features/actions/components.

      Delete
  2. Hey, how would you enable UWF before client install in SCCM CB?

    ReplyDelete
    Replies
    1. See comment above. The feature can be installed after the OS and SCCM client is installed. Once the Task Sequence is complete the SCCM Client will initialize for the first time and install the additional UWF aware features/actions/components

      Delete
  3. I just used the option to enable it in my WIM files offline, then updated content in SCCM. I'm not worried about having it installed on all of my systems since it doesn't do anything until you turn on protection on a volume.

    ReplyDelete
  4. Hi Adam, I am glad you found a solution for your environment. The process i was trying to promote was not just for the UWF feature. By integrating the MDT database you can set multiple OSFeatures dynamically in the database but you only need to have one step in the Task Sequence for all builds.

    ReplyDelete
  5. Does the version of SCCM matter when it comes to being aware of UWF? We use SCCM 2012 R2 CU3 in our environment.

    ReplyDelete
  6. Hi,
    How to write a script than can shows overlay get-consumption memory. Actually i have some thin-client which are configured with kiosk mode and in UWF enbale environment system must reboot in certain time when overlay cache memory get exhausted, while user using in kiosk mode so they can see the UWF icon to notice that overlay memory is exhausted. I am planning to integrate some script in the monitoring solution that can shows overlay consumption and its size, so from one interface we can see ok these clinet needs to be rebooted.

    ReplyDelete
  7. Get Geography Assignment Help in UK by expert academic writers. Our assignment helpers aim to provide 100% plagiarism free assignment help. Our approach to the core values helped us from being the most promising online assignment help to the student’s favorite assignment help in UK. For more services : History Essay Help | English Essay Help | Law Assignment Writing Help

    ReplyDelete

Post a Comment

Popular posts from this blog

SCCM Unknown computer not able to see Task Sequences after installing Current Branch 1702

Soon after installing SCCM CB 1702 we were unable to see Task Sequences deployed to the unknown collection. This issue was identified as a random system taking the GUID of the 'x64 Unknown Computer (x64 Unknown Computer)' record. As a result it was now a known GUID; as we were only deploying Task Sequences to the Unknown collection none were made available. 'x64 Unknown Computer (x64 Unknown Computer)' record 'x86 Unknown Computer (x86 Unknown Computer)' record To get the GUID of your unknown systems open SQL management studio and run the following command: --Sql Command to list the name and GUID for UnknownSystems record data select ItemKey, Name0,SMS_Unique_Identifier0 from UnknownSystem_DISC Using the returned GUID (SMS_Unique_Identifier0) we can find the hostname that has been assigned the 'x64 Unknown Computer (x64 Unknown Computer)' GUID by running the query below. --x64 Unknown Computers select Name0,SMS_Unique_Identifier0,Decommissioned0 from Sys...

Windows 7 Offline files will not go Online when connected to network

Issue Several laptop users move between networks, domain, home, etc and when they attempt to access DFS shares explorer status is working offline.  The issue only resolves it self after a reboot. Connecting directly to the share works and i am able to ping network resources.  This behavior occurs for VPN users as well. Possible Causes "slow-link mode". In win7 (with default settings) a client will enter slow-link mode if the latency to the server is above 80ms. In slow-link mode all writes are made to the local cache and a background sync only happens every 6 hours.  Depending on your connection the default slow link detection speed is 64,000 bps On client computers running Windows 7 or Windows Server 2008 R2, a shared folder automatically transitions to the slow-link mode if the round-trip latency of the network is greater than 80 milliseconds, or as configured by the "Configure slow-link mode" policy. After transitioning a folder to the slow-link mode, Offline Fil...

SCCM Software Update - Job error 0x80004005 Failed to Add Update Source for WUAgent

SCCM Software Updates - Failed to Add Update Source for WUAgent  Today I have been looking at a range of servers (Server 2008 /R2 2012 /R2) that were failing to communicate with the Software Update Point (SUP) in SCCM and retrieve deployment policy. The UpdateDeployment.log was reporting the Job error 0x80004005 Job error (0x80004005) received for assignment ({af7a48e6-d550-4070-dd9b-ecc234567584}) action UpdatesDeploymentAgent 12/6/2017 10:32:27 AM 2096 (0x0830) The WUAHandler.log  was reporting "Unable to read existing WUA Group Policy object" and "Failed to Add Update Source for WUAgent " Unable to read existing WUA Group Policy object. Error = 0x80004005. WUAHandler 12/6/2017 3:41:00 AM 2828 (0x0B0C) Failed to Add Update Source for WUAgent of type (2) and id ({3AAB6A76-CE2D-4E8A-9F11-123AE69612A1}). Error = 0x80004005. WUAHandler 12/6/2017 11:03:31 AM 2276 (0x08E4) Until the agent can report back to the SUP, SCCM will not be able to summarize Software Update sta...