Deploy UWF from MDT
The Unified Write Filter (UWF) redirects all writes to a virtual overlay, at shutdown or reboot the overlay is cleared. No changes or data on the protected drive persists.
There are 2 overlay types, the default writes to RAM, the amount of writes is limited to the available memory. This isn't normally an issue for UWF intended devices, Kiosks. If the amount of free memory is exceeded it will often cause stability issues. UWF can be configured for redirecting writes to DISK, all writes are directed to C:\uwfswap.sys. The amount of free disk space must be double the size of the overlay size, if the overlay is set to 10Gb then at least 20Gb of free disk space must be available. The uwfswap.sys file is created to the overlay size of 10Gb, any files created are both written to the uwfswap.sys file and to the file system. Its not possible to write to the uwfswap file if there is no free disk space.
The 'Unified Write Filter' feature needs installing by adding 'Install Roles and Features'. and selecting UWF, a restart is required.
Copy the pre-requisites script and save to a sub-folder named 'UWF' under 'Scripts' within the MDT Deployment share.
#Disable the Scheduled Task for Defrag
Disable-ScheduledTask -TaskName ScheduledDefrag -TaskPath \Microsoft\Windows\Defrag
#Stop and then disable Windows Search
Stop-Service WSearch -ErrorAction SilentlyContinue
Get-Service WSearch | Set-Service -StartupType Disabled -ErrorAction SilentlyContinue
#Stop and then disable Windows Updates, dont allow updates as they wont persist but will fill up the Overlay.
Stop-Service Wuauserv -ErrorAction SilentlyContinue
Get-ServiceWuauserv | Set-Service -StartupType Disabled -ErrorAction SilentlyContinue
<#
Both sppsvc and licenceManager are required for licencing Windows, Windows Store and Office.
When UWF is enabled and Windows is licensed with KMS the licence key expires after 180 days, even with KMS being available, UWF resets the activation to the day of deployment. It takes a further 5 minutes for the licence to be reactivated by KMS, in the meantime a warning is posted across the entire Windows 10 desktop that the client isn't licensed, slightly annoying and worrisome to the end user.
To prevent this behavior disable 'sppsvc' and 'LicenceManager' services. It does mean the desktop background cant be changed, other than everything else appears normal.
Alternatively MAC licence the Windows client and the 2 services don't require disabling.
Word of warning if MS Office is installed, the 2 licensing service can't not be disabled, Office wont work. KMS is likely to cause issues at every reboot, leaving MAC licensing for both Windows and Office the only real solution.
#>
#Stop and then disable Software Protection
Stop-Service Sppsvc -ErrorAction SilentlyContinue
Get-Service Sppsvc | Set-Service -StartupType Disabled -ErrorAction SilentlyContinue
#Stop and then disable Windows License Manager Service.
Stop-Service LicenseManager -ErrorAction SilentlyContinue
Get-Service LicenseManager | Set-Service -StartupType Disabled -ErrorAction SilentlyContinue
Alternatively when an access denied message is received for the Set-Service command, run the following:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LicenseManager -Name start -Value 4 -Force
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\sppsvc -Name start -Value 4 -Force
<#Disable Superfetch
0 = Disable
1 = Enable prefetching at program launch
2 = Enable Boot Prefetch
3 = Enable Prefetching for everything
#>
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name EnableSuperfetch -Value 0 -Force
<#Disable Fast Boot
0 = disable fast boot
1 = enable fast boot
#>
Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power" -Name HiberbootEnabled -Value 0 -Force
#Removes C:\pagefile.sys
$comp = gwmi win32_ComputerSystem
$comp.AutomaticManagedPagefile = $false
$comp.Put()
$page = gwmi win32_pagefilesetting
$page.delete()
#Disable Restore Points
Disable-ComputerRestore -Drive "C:\"
#Disabled automaic repair
cmd.exe /c "bcdedit.exe /set recoveryenabled no"
#Disabled Windows error recovery options
cmd.exe /c "bcdedit.exe /set BootStatusPolicy IgnoreAllFailures"
#Disables all Start up UI elements, logo, status, status messages
cmd.exe /c "bcdedit.exe /set bootuxdisabled on"
#Disables advanced startup option (F10)
cmd.exe /c "bcdedit.exe /set optionsedit false"
#Disables advanced startup option (F8)
cmd.exe /c "bcdedit.exe /set advancedoptions false"
#sets boot timout out to zero
cmd.exe /c "bcdedit.exe /timeout 0"
Reboot the client
Ensure all required configurations and updates etc have been installed before enabling UWF with the following script. Save the script to the 'UWF' folder under 'Scripts'
#Enable Write Filter
cmd.exe /c uwfmgr.exe filter enable
#Enable protection for C:
cmd.exe /c uwfmgr.exe volume protect C:
#Default RAM Overlay size is 1Gb, increase to 2Gb
#cmd.exe /c uwfmgr.exe overlay set-size 2048
#Default DISK Overlay size is 1Gb, increase to 10Gb. When set to DISK
cmd.exe /c uwfmgr.exe overlay set-size 10240
#Set either DISK or leave default RAM based overlay
cmd.exe /c uwfmgr overlay set-type DISK
#cmd.exe /c uwfmgr overlay set-type RAM
#The following exclusions are required for Time and if Windows Defender is update its definitions.
#TimeZone and Daylight Savings
cmd.exe /c uwfmgr.exe registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
cmd.exe /c uwfmgr.exe registry add-exclusion "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
#Windows Defender
cmd.exe /c uwfmgr.exe registry add-exclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
cmd.exe /c uwfmgr.exe file add-exclusion "C:\Program Files\Windows Defender"
cmd.exe /c uwfmgr.exe file add-exclusion "C:\ProgramData\Microsoft\Windows Defender"
cmd.exe /c uwfmgr.exe file add-exclusion "C:\Windows\Windowsupdate.log"
cmd.exe /c uwfmgr.exe file add-exclusion "C:\Windows\Temp\MpCMDRun.log"
The scripts should look like this.
Update the MDT Task Sequence referencing the scripts by their deployment variable %scriptRoot%