Time and again, staff accidentally or even deliberately change settings on technical devices such as tablets, or install apps without consulting anyone. Windows 10 provides a built-in solution for this: "Kiosk Mode", officially called the Universal Write Filter or Unified Write Filter (UWF). In this article we explain how to deploy and use it.
Functions
With the Universal Write Filter, data is no longer permanently stored on the system. Instead, all writes are redirected to an overlay in memory and remain available only until the system is restarted. On restart, the system returns to the state it was in when the filter was activated.
The Universal Write Filter also protects the physical storage media of your devices. This includes most writable storage types supported by Microsoft Windows: physical hard disks, solid-state drives, internal USB devices, external SATA devices, etc. "Kiosk mode" is only suitable for devices that are used purely as clients and on which no data needs to be written persistently, as is familiar from public terminals in museums or banks.
Requirements
- Windows 10 IoT Enterprise or Windows 10 Enterprise.
- Users of Windows 10 Professional can use the Single-App-Kiosk mode (further explanation below).
- Users of Windows XP Embedded and Windows Embedded Standard 7 can use the Enhanced Write Filter. More about this at https://en.wikipedia.org/wiki/Enhanced_Write_Filter
Restrictions
Since not all file systems are supported, there may be some limitations. NTFS volumes are fully supported, but during boot the NTFS file system journal can write to a protected volume before UWF has loaded the volume and begun protecting it.
For FAT-formatted volumes, a full lock is also possible during boot.
UWF does not support fast startup, because fast startup does not clear the overlay when the device is shut down.
Additionally, UWF cannot be used to protect external removable drives, USB flash drives, or external hard drives.
Set up
UWF is an optional component that must first be enabled on Windows 10. When activated, the following changes take place:
- Disabling of the swap files
- Disabling of System Restore
- Disabling of SuperFetch
- Disabling the file indexing service
- Disabling the Quick Start service
- Disabling the defragmentation service
- Setting the BCD option bootstatuspolicy to ignore boot failures
1.) Enabling the UWF feature: You can enable the UWF from the Windows 10 UI (Turn Windows Features On or Off), DISM, Deployment Packages, MDM Settings, WMI, or PowerShell.
- PowerShell command: Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All
- Setup via DISM: DISM.exe /Online /enable-Feature /FeatureName:client-UnifiedWriteFilter
2.) Configuration: After activating and rebooting the device, you can start configuration using either the native uwfmgr.exe utility or WMI (PowerShell). Note: Since there are no native PowerShell cmdlets to configure UWF, it is easier to use the “uwfmgr.exe” utility because the WMI methods are not very well implemented in Windows 10.
3.) Updates: the UWF system also allows you to exclude files, folders and registry keys from the write filter. For example, if you want to avoid Windows Defender having to re-download all virus signatures at every startup, you can add the following exclusions:
- uwfmgr file add-exclusion "C:\Program Files\Windows Defender"
- uwfmgr file add-exclusion "C:\Windows\WindowsUpdate.log"
- uwfmgr file add-exclusion "C:\Windows\Temp\MpCmdRun.log"
- uwfmgr file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
4.) WLAN and LAN networks: Further exceptions are necessary for the correct operation of the device in WLAN or LAN networks:
Exceptions for WLAN networks:
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy"
- uwfmgr file add-exclusion "C:\Windows\wlansvc\Policies"
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc"
- uwfmgr file add-exclusion "C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces\{<Interface GUID>}\{<Profile GUID>}.xml"
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc"
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc"
Exceptions for LAN networks:
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy"
- uwfmgr file add-exclusion "C:\Windows\dot3svc\Policies"
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc"
- uwfmgr file add-exclusion "C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces\{<Interface GUID>}\{<Profile GUID>}.xml"
- uwfmgr registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc"
5.) Activation of the UWF: The following commands are necessary for the activation of the overlay filter and for the subsequent protection of the C drive:
- uwfmgr filter enable
- uwfmgr volume protect c:
- Then restart the machine. From now on, everything written to the hard disk during a user session is discarded when the computer restarts.
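The following PowerShell script is an added example, not part of the original article: it applies the exclusions from steps 3 and 4 through uwfmgr.exe, enables the filter, protects C: and verifies the pending configuration through the read-only WMI classes UWF_Filter and UWF_Volume in root\standbycimv2. It assumes the feature from step 1 is already enabled, the device has been rebooted once, and the shell is elevated; the per-interface profile paths containing interface and profile GUIDs are left out because they differ per device.

```powershell
# Added example: provision UWF exclusions and protection, then verify.
# Assumes Client-UnifiedWriteFilter is installed and the shell runs as admin.
$ErrorActionPreference = 'Stop'

function Invoke-Uwfmgr {
    param([string[]]$Arguments)
    $out = & uwfmgr.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "uwfmgr $($Arguments -join ' ') failed (exit $LASTEXITCODE): $out"
    }
    return $out
}

# File and registry exclusions from steps 3 and 4 (Defender, WLAN, LAN)
$fileExclusions = @(
    'C:\Program Files\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender',
    'C:\Windows\WindowsUpdate.log',
    'C:\Windows\Temp\MpCmdRun.log',
    'C:\Windows\wlansvc\Policies',
    'C:\Windows\dot3svc\Policies'
)
$registryExclusions = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc'
)

foreach ($path in $fileExclusions)    { Invoke-Uwfmgr @('file', 'add-exclusion', $path) | Out-Null }
foreach ($key in $registryExclusions) { Invoke-Uwfmgr @('registry', 'add-exclusion', $key) | Out-Null }

# Enable the filter and protect the system volume; both take effect after a reboot
Invoke-Uwfmgr @('filter', 'enable') | Out-Null
Invoke-Uwfmgr @('volume', 'protect', 'C:') | Out-Null

# Verify what will be active after the next restart (NextEnabled / next-session volume).
# Assumption: these WMI classes expose NextEnabled, DriveLetter, CurrentSession and Protected.
$filter = Get-CimInstance -Namespace root\standbycimv2 -ClassName UWF_Filter
$volume = Get-CimInstance -Namespace root\standbycimv2 -ClassName UWF_Volume |
          Where-Object { $_.DriveLetter -eq 'C:' -and -not $_.CurrentSession }
"Filter enabled after reboot : $($filter.NextEnabled)"
"C: protected after reboot   : $($volume.Protected)"
Invoke-Uwfmgr @('get-config')   # full textual configuration, keep it with the device record
```

Keep the printed get-config output with the device's build documentation; comparing it after each maintenance cycle shows whether an exclusion was added or dropped.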
6.) Windows and program updates despite UWF:
Of course, it is a challenge that all changes are discarded on reboot, since this makes maintaining the devices, for example installing applications, more difficult. That's why you need the UWF maintenance mode commands. You can use UWF maintenance mode to apply Windows updates, updates of anti-malware signature files, and updates of custom or third-party software.
To update the machine, put it into maintenance mode, again using the uwfmgr.exe utility. To do this, run the following commands and then restart the machine:
- uwfmgr servicing enable
- shutdown /r /t 0
After you have made your changes, disable maintenance mode again by running the following command and restarting the machine:
- uwfmgr servicing disable
- If problems occur with maintenance mode, it is also possible to disable the filter completely:
- uwfmgr filter disable
For more info, visit https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-apply-windows-updates
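As an added example (not from the original article), the script below wraps the maintenance cycle from step 6 so that an update job cannot accidentally run while the filter is still discarding writes. Run it with -Enter to enable servicing and reboot, apply the updates after the reboot, then run it with -Exit to disable servicing and reboot; without a switch it only reports state. It assumes the read-only WMI classes UWF_Filter and UWF_Servicing in root\standbycimv2 expose a CurrentEnabled property.

```powershell
# Added example: guarded UWF maintenance-mode cycle (enter / check / exit).
# Assumption: UWF_Filter and UWF_Servicing report CurrentEnabled for the running session.
param([switch]$Enter, [switch]$Exit)
$ErrorActionPreference = 'Stop'

function Get-UwfState {
    $filter    = Get-CimInstance -Namespace root\standbycimv2 -ClassName UWF_Filter
    $servicing = Get-CimInstance -Namespace root\standbycimv2 -ClassName UWF_Servicing
    [pscustomobject]@{
        FilterEnabled    = [bool]$filter.CurrentEnabled
        ServicingEnabled = [bool]$servicing.CurrentEnabled
    }
}

$state = Get-UwfState
if ($Enter) {
    if (-not $state.FilterEnabled) { throw 'UWF filter is not active; nothing to service.' }
    & uwfmgr.exe servicing enable | Out-Null          # step 6: uwfmgr servicing enable
    if ($LASTEXITCODE -ne 0) { throw "servicing enable failed (exit $LASTEXITCODE)" }
    shutdown.exe /r /t 0                              # step 6: shutdown /r /t 0
}
elseif ($Exit) {
    if (-not $state.ServicingEnabled) { Write-Warning 'Servicing mode is not active; disabling anyway.' }
    & uwfmgr.exe servicing disable | Out-Null         # step 6: uwfmgr servicing disable
    if ($LASTEXITCODE -ne 0) { throw "servicing disable failed (exit $LASTEXITCODE)" }
    shutdown.exe /r /t 0                              # protection is back after this reboot
}
else {
    # Guard for update jobs: filter on and servicing off means every change is lost at reboot
    if ($state.FilterEnabled -and -not $state.ServicingEnabled) {
        Write-Warning 'Filter active, servicing off: changes made now will be discarded at reboot.'
        exit 1
    }
    'Safe to apply updates: servicing mode active or filter disabled.'
}
```

Call the script without a switch at the start of any scheduled update task; a non-zero exit stops the task before it installs anything that would vanish on the next restart.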
7.) Single app kiosk mode: You can enable kiosk mode using Windows User Account Control UAC. This uses a single-app kiosk that has the assigned access function and runs a single app above the lock screen. When the kiosk account logs in, the app is launched automatically and the person currently using the kiosk cannot change anything on the device outside of the kiosk app. This is especially suitable for public self-service devices such as ATMs, time and attendance terminals, cash registers, etc. The single-app kiosk is available on Windows 10 Professional, Windows 10 IoT Enterprise and Windows 10 Enterprise. More information about the setup can be found here: https://docs.microsoft.com/de-de/windows/configuration/kiosk-single-app
8.) Troubleshooting UWF: Events, errors, and messages related to overlay consumption, configuration changes, and maintenance are displayed in the Windows Event Log. More information regarding the event log and troubleshooting can be found here: unified write filter (UWF).
If the system fails to boot due to the filter working incorrectly, you can disable the filter by booting from the installation CD and editing the registry in offline mode:
- The filter driver can be prevented from starting by changing the Start value under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uwfvol to 4.
- Delete the string uwfvol from the LowerFilters value under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}
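The following script is an added example, not part of the original article: it performs the offline inspection and, with -Repair, the two registry changes from step 8 from a recovery environment. It assumes the device was booted from Windows installation media with a command prompt opened (Shift+F10), that the installed Windows is at D:\Windows (a placeholder; confirm the drive letter first), and that ControlSet001 is the control set the system boots from, as the article states.

```powershell
# Added example: inspect / repair the offline SYSTEM hive so uwfvol no longer loads.
# Assumptions: offline Windows at D:\Windows (placeholder), ControlSet001 in use.
param([string]$WindowsRoot = 'D:\Windows', [switch]$Repair)
$ErrorActionPreference = 'Stop'

$hiveName   = 'OfflineSys'
$hiveFile   = Join-Path $WindowsRoot 'System32\config\SYSTEM'
$serviceKey = "HKLM:\$hiveName\ControlSet001\Services\uwfvol"
$classKey   = "HKLM:\$hiveName\ControlSet001\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}"

& reg.exe load "HKLM\$hiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load hive $hiveFile (exit $LASTEXITCODE)" }
try {
    $start = (Get-ItemProperty -LiteralPath $serviceKey -Name Start).Start
    $lower = Get-ItemProperty -LiteralPath $classKey -Name LowerFilters -ErrorAction SilentlyContinue
    # LowerFilters is a multi-string; it may list other filter drivers besides uwfvol
    $filters = if ($lower) { @($lower.LowerFilters) } else { @() }
    "uwfvol Start value : $start (4 = disabled)"
    "Volume LowerFilters: $($filters -join ', ')"

    if ($Repair) {
        Set-ItemProperty -LiteralPath $serviceKey -Name Start -Value 4 -Type DWord
        $remaining = @($filters | Where-Object { $_ -ne 'uwfvol' })
        if ($remaining.Count -gt 0) {
            Set-ItemProperty -LiteralPath $classKey -Name LowerFilters -Value $remaining -Type MultiString
        } else {
            Remove-ItemProperty -LiteralPath $classKey -Name LowerFilters -ErrorAction SilentlyContinue
        }
        'Repair applied: uwfvol is disabled and removed from LowerFilters.'
    }
}
finally {
    # Drop PowerShell's handles first, otherwise reg unload reports the hive as in use
    [gc]::Collect()
    & reg.exe unload "HKLM\$hiveName" | Out-Null
}
```

Run it once without -Repair to record the current values, then with -Repair; after the next boot the Windows Event Log mentioned above shows whether UWF still reports any activity.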