Set up a kiosk environment using Unified Write Filter (UWF) in Windows 10
Article written by Sergio Calderón
As you can imagine, Windows is widely used in a lot of environments, that means the OS must supply many requested features from user experience to security. In education, like schools or universities, for example, they have frequent guests that use their computers, students download malicious files while searching or install unwanted applications. They don’t have time to reinstall Windows every time a guest uses a computer, they need a way to allow them to use it in a security, reliability and controlled way.
Microsoft has developed some kiosk-related features, choosing one of them depends on what the schools needs.
I am going to talk a little bit about a not well know feature called Unified Write Filter (UWF).
What is Unified Write Filter?
Unified Write Filter or UWF for short, is an optional Windows 10 feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installation, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location that is usually cleared during a reboot or when a guest user logs off (Microsoft, 2018).
Requirements
Windows 10 Enterprise, Windows 10 Education or Windows 10 IoT Core Enterprise (Microsoft, 2018).
Turning on UWF
Unified Write Filter is an optional feature included in Windows 10 Enterprise, Education or IoT; therefore, you have to install it before enabling.
To install UWF
- Click on Start menu
- Type PowerShell
- Right click on Windows PowerShell and click on Run as administrator
4. From the Windows PowerShell console, type and run:
Enable-WindowsOptionalFeature -Online -FeatureName “Client-UnifiedWriteFilter” -All
5. Type “Y” to restart Windows
To enable and configure UWF
After restarting Windows, you can start using the uwfmgr.exe utility to enable Unified Write Filter.
To keep it simple, I’m going to enable UWF to protect the C: drive with the default configurations.
1. Repeat the steps above from 1 to 3 to open a PowerShell console
2. Type and run:
1. uwfmgr.exe filter enable
3. Enable write protection by running:
uwfmgr.exe volume protect c:
4. Restart the system to the changes to apply
From now on, every change you make on the system will remain until a reboot or log off is made. After that, you will get a clean state back.
UWF exclusions
You can add specific files or folders on a protected volume to a file exclusion list to exclude those files and folders from being filtered by UWF. When a file or folder is in the exclusion list for a volume, all writes to that file or folder bypass UWF filtering and are written directly to the protected volume and persist after the device restarts (Microsoft, 2018).
File exclusions
Let´s say I have a TXT file called ProtectedFile.txt on my Desktop folder. Because I enabled all the c: drive to be protected, all the changes I do to that file will be restored after restarting.
Note: remember that all files that were present before enabling the protected volume with UWF will be available on every restart.
If you want the file to be unprotected from the filter, you can add it to the file exclusions by running from an elevated command:
Uwfmgr.exe file add-exclusion [PathToFile]
Where [PathToFile] is the full path to the file you want to add to the exclusion file list. For example:
Uwfmgr.exe file add-exclusion “C:\Users\Andy\Desktop\ProtectedFile.txt”
After Windows is restarted, you will be able to do any changes to the file, even delete it!
Folder exclusions
As for files, you can also exclude an entire folder, so all files included will be modifiable. To add a folder exclusion, run:
Uwfmgr.exe file add-exclusion [FolderPath]
Where [FolderPath] is the full path to the folder. For example:
Uwfmgr.exe file add-exclusion C:\ExcludedFolder
Recommended exclusions
There are, of course, some exclusions you should apply recommended by Microsoft. Look at the Common write-filter exclusion in the official documentation or more info.
Turning off UWF
If you need to install some apps or create some files that will be preserved, you can unprotect any protected volume or disable all the filters.
Unprotecting volumes
To unprotect a volume, just run:
Uwfmgr.exe volume unprotect [Volume]
Where [Volume] is the volume name that was previously protected. For example:
Uwfmgr.exe volume unprotect c:
Disabling Unified Write Filters
To completely disable Unified Write Filter, run from an elevated prompt:
Uwfmgr.exe filter disable
Restart Windows after disabling filters.
If you want to automate this process massively and automatically, use Vtul.
Check out Vtul, a cloud based solution that will allow you to automate this process to thousand of machines with a single instruction using a common web browser.
References
Microsoft. (2018, 01 10). Unified Write Filter (UWF) Feature. Retrieved from Microsoft Docs: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/unified-write-filter
Microsoft. (2018, 01 10). Write filter exclusions. Retrieved from Microsoft Docs: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwfexclusions
