diff --git a/windows/configuration/custom-logon/images/customlogoncad.jpg b/windows/configuration/custom-logon/images/customlogoncad.jpg new file mode 100644 index 00000000000..0f610d3b57f Binary files /dev/null and b/windows/configuration/custom-logon/images/customlogoncad.jpg differ diff --git a/windows/configuration/custom-logon/index.md b/windows/configuration/custom-logon/index.md new file mode 100644 index 00000000000..536cdcb8f95 --- /dev/null +++ b/windows/configuration/custom-logon/index.md @@ -0,0 +1,133 @@ +--- +title: Custom Logon +description: Custom Logon +ms.date: 03/05/2024 +ms.topic: overview +--- + +# Custom Logon + +You can use the Custom Logon feature to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown. + +Custom Logon settings don't modify the credential behavior of **Winlogon**, so you can use any credential provider that is compatible with Windows 10 to provide a custom sign-in experience for your device. For more information about creating a custom logon experience, see [Winlogon and Credential Providers](/windows/win32/secauthn/winlogon-and-credential-providers). + +## Requirements + +Custom Logon can be enabled on: + +- Windows 10 Enterprise +- Windows 10 IoT Enterprise +- Windows 10 Education +- Windows 11 Enterprise +- Windows 11 IoT Enterprise +- Windows 11 Education + +## Terminology + +**Turn on, enable:** To make the feature available and optionally apply settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line. + +**Configure:** To customize the setting or subsettings. + +**Embedded Logon:** This feature is called Embedded Logon in Windows 10, version 1511. + +**Custom Logon:** This feature is called Custom Logon in Windows 10, version 1607 and later. + +## Turn on Custom Logon + +Custom Logon is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Custom Logon in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed and you're applying a provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a provisioning package to be successfully applied. + +The Custom Logon feature is available in the Control Panel. You can set Custom Logon by following these steps: + +### Turn on Custom Logon in Control Panel + +1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window. +1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Custom Logon**. +1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed. + +### Turn on Custom Logon using DISM + +1. Open a command prompt with administrator rights. +1. Enable the feature using the following command. + + ```cmd + dism /online /enable-feature /featureName:Client-EmbeddedLogon + ``` + +## Configure Custom Logon + +### Configure Custom Logon settings using Unattend + +You can configure the Unattend settings in the [Microsoft-Windows-Embedded-EmbeddedLogon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon) component to add custom logon features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the custom logon settings and XML examples, see the settings in Microsoft-Windows-Embedded-EmbeddedLogon. + +The following example shows how to disable all Welcome screen UI elements and the **Switch user** button. + +```xml + + + 17 + 1 + 1 + 1 + 1 + + +``` + +### Remove buttons from Logon screen + +To remove buttons from the Welcome screen, set the appropriate value for **BrandingNeutral** in the following registry key: + +```text +HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon +``` + +1. Make sure you have enabled Custom Logon following the instructions in [Turn on Custom Logon](#turn-on-custom-logon). +1. In the Windows search bar, type "Registry Editor" to open the **Registry Editor** window. +1. Use the file navigation in the left pane to access **HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon**. +1. In the right pane, right click on **BrandingNeutral** and select **Modify**. +1. Select the correct **Base** and enter the value for your desired customizations according to the following table, and click **OK** to apply the changes. + +> [!NOTE] +> Changing the **Base** of **BrandingNeutral** will automatically convert the value field to the selected base. To ensure you are getting the correct value, select the base before entering the value. + +The following table shows the possible values. To disable multiple Logon screen UI elements together, you can select the **Decimal** base when modifying the **BrandingNeutral** value, and combine actions by adding the decimal values of the desired actions and inputting the sum as the value of **BrandingNeutral**. For example, to disable the Power button and the Language button, select the decimal option for the base, then add the decimal values of each, in this case 2 and 4 respectively, and input the total (6) as the value for **BrandingNeutral**. + +| Action |Description| Registry value (Hexadecimal) | Registry value (Decimal)| +|--------|------------|----|---| +| Disable all Logon screen UI elements |Disables the Power, Language, and Ease of Access buttons on the Logon and Ctrl+Alt+Del screens. |`0x1` | 1| +| Disable the Power button |Disables the Power button on the Logon and Ctrl+Alt+Del screens.|`0x2` |2| +| Disable the Language button |Disables the Language button on the Logon and Ctrl+Alt+Del screens.|`0x4` |4| +| Disable the Ease of Access button |Disables the Ease of Access button on the Logon and Ctrl+Alt+Del screens.|`0x8` |8| +| Disable the Switch user button |Disables the Switch User button from the Ctrl+Alt+Del screen, preventing a user from switching accounts. | `0x10` |16| +|Disable the Blocked Shutdown Resolver (BSDR) screen|Disables the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users aren't given a chance to cancel the shutdown process. | `0x20` |32| + +In the following image of the `[ctrl + alt + del]` screen, you can see the Switch user button highlighted by a light green outline, the Language button highlighted by an orange outline, the Ease of Access button highlighted by a red outline, and the power button highlighted by a yellow outline. If you disable these buttons, they're hidden from the UI. + +![custom logon screen](images/customlogoncad.jpg) + +You can remove the Wireless UI option from the Welcome screen by using Group Policy. + +### Remove Wireless UI from Logon screen + +You use the following steps to remove Wireless UI from the Welcome screen + +1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor. +1. In the Local Group Policy Editor, under **Computer Configuration**, expand **Administrative Templates**, expand **System**, and then tap or click **Logon**. +1. Double-tap or click **Do not display network selection UI**. + +## Additional Customizations + +The following table shows additional customizations that can be made using registry keys. + +|Action |Path |Registry Key and Value | +|---------|---------|---------| +|Hide Autologon UI |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideAutoLogonUI = 1`| +|Hide First Logon Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideFirstLogonAnimation = 1` | +|Disable Authentication Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |`AnimationDisabled = 1` | +|Disable Lock Screen | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization |`NoLockScreen = 1` | + +## Related articles + +- [Troubleshooting Custom Logon](troubleshoot.md) +- [Unbranded Boot](../unbranded-boot/index.md) +- [Shell Launcher](../shell-launcher/index.md) diff --git a/windows/configuration/custom-logon/troubleshoot.md b/windows/configuration/custom-logon/troubleshoot.md new file mode 100644 index 00000000000..abb65828de0 --- /dev/null +++ b/windows/configuration/custom-logon/troubleshoot.md @@ -0,0 +1,105 @@ +--- +title: Troubleshooting Custom Logon +description: Troubleshooting Custom Logon +ms.date: 05/02/2017 +ms.topic: troubleshooting +--- + +# Troubleshooting Custom Logon + +This section highlights some common issues that you may encounter when using Custom Logon. + +## When automatic sign-in is enabled, the device asks for a password when resuming from sleep or hibernate + +This can occur when your device is configured to require a password when waking up from a sleep state. + +### To disable password protection on wake-up + +1. If you have write filters enabled on your device, perform the following steps to disable them so that you can save setting changes: + + 1. At an administrator command prompt, type the following command: + + ```cmd + uwfmgr.exe filter disable + ``` + + 1. To restart the device, type the following command: + + ```cmd + uwfmgr.exe restart + ``` + +1. In **Contol Panel**, search for **Power Options** , and then select the Power Options heading. + +1. Under the **Power Options** heading, select **Require a password on wake up**. + +1. On the **Define power buttons and turn on password protection** page, under **Password protection on wakeup**, select **Don't require a password**. + +1. If you have disabled write filters, perform the following steps to enable them again: + + 1. At an administrator command prompt, type the following command: + + ```cmd + uwfmgr.exe filter enable + ``` + + 1. To restart the device, type the following command: + + ```cmd + uwfmgr.exe restart + ``` + +## The device displays a black screen during setup + +Set the **HideAutoLogonUI** and **AnimationDisabled** settings to **0** (zero). The device will then display a default screen during setup. + +## The device displays a black screen when Ctrl+Alt+Del is pressed + +**HideAutoLogonUI** and**ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination. + +## The device displays a black screen when Windows key + L is used to lock the device + +**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination. + +### The device displays a black screen when Notepad is opened, any characters are typed and the current user signs out, or the device is rebooted, or the device is shut down + +**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the Blocked Shutdown Resolver Screen (BSDR). + +> [!WARNING] +> When the BSDR screen is disabled, restarting, or shutting down the device causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This can result in lost data if any open applications have unsaved data. + +## The device displays a black screen when the device is suspended and then resumed + +**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the password protection on wake-up. + +### To disable password protection on wake-up + +1. In **Control Panel**, select **Power Options**. + +1. In the **Power Options** item, select **Require a password on wake up**. + +1. On the **Define power buttons and turn on password protection** page, under **Password protection on wake up**, select **Don't require a password**. + +### The device displays a black screen when a password expiration screen is displayed + +**HideAutoLogonUI** has a known issue. To avoid a black screen, we recommend you set the password to never expire. + +### To set a password to never expire on an individual user account + +1. On your device, open a command prompt with administrator privileges. + +1. Type the following, replacing *<accountname>* with the name of the account you want to remove the password expiration from. + + ```cmd + net accounts /expires:never + ``` + +### To set passwords to never expire on all user accounts + +1. On your device, open a command prompt with administrator privileges. + +1. Type the following + + ```cmd + net accounts /MaxPWAge:unlimited + ``` diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 32f9c412472..22924a43cc7 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -80,12 +80,18 @@ "assigned-access//**/*.yml": "paolomatarazzo", "cellular//**/*.md": "paolomatarazzo", "cellular//**/*.yml": "paolomatarazzo", + "custom-logon//**/*.md": "terrywarwick", + "custom-logon//**/*.yml": "terrywarwick", + "keyboard-filter//**/*.md": "terrywarwick", + "keyboard-filter//**/*.yml": "terrywarwick", "lock-screen//**/*.md": "paolomatarazzo", "lock-screen//**/*.yml": "paolomatarazzo", "provisioning-packages//**/*.md": "vinaypamnani-msft", "provisioning-packages//**/*.yml": "vinaypamnani-msft", "shared-pc//**/*.md": "paolomatarazzo", "shared-pc//**/*.yml": "paolomatarazzo", + "shell-launcher//**/*.md": "terrywarwick", + "shell-launcher//**/*.yml": "terrywarwick", "start//**/*.md": "paolomatarazzo", "start//**/*.yml": "paolomatarazzo", "store//**/*.md": "paolomatarazzo", @@ -94,6 +100,10 @@ "taskbar//**/*.yml": "paolomatarazzo", "tips//**/*.md": "paolomatarazzo", "tips//**/*.yml": "paolomatarazzo", + "unbranded-boot//**/*.md": "terrywarwick", + "unbranded-boot//**/*.yml": "terrywarwick", + "unified-write-filter//**/*.md": "terrywarwick", + "unified-write-filter//**/*.yml": "terrywarwick", "wcd//**/*.md": "vinaypamnani-msft", "wcd//**/*.yml": "vinaypamnani-msft" }, @@ -104,12 +114,18 @@ "assigned-access//**/*.yml": "paoloma", "cellular//**/*.md": "paoloma", "cellular//**/*.yml": "paoloma", + "custom-logon//**/*.md": "twarwick", + "custom-logon//**/*.yml": "twarwick", "lock-screen//**/*.md": "paoloma", + "keyboard-filter//**/*.md": "twarwick", + "keyboard-filter//**/*.yml": "twarwick", "lock-screen//**/*.yml": "paoloma", "provisioning-packages//**/*.md": "vinpa", "provisioning-packages//**/*.yml": "vinpa", "shared-pc//**/*.md": "paoloma", "shared-pc//**/*.yml": "paoloma", + "shell-launcher//**/*.md": "twarwick", + "shell-launcher//**/*.yml": "twarwick", "start//**/*.md": "paoloma", "start//**/*.yml": "paoloma", "store//**/*.md": "paoloma", @@ -118,6 +134,10 @@ "taskbar//**/*.yml": "paoloma", "tips//**/*.md": "paoloma", "tips//**/*.yml": "paoloma", + "unbranded-boot//**/*.md": "twarwick", + "unbranded-boot//**/*.yml": "twarwick", + "unified-write-filter//**/*.md": "twarwick", + "unified-write-filter//**/*.yml": "twarwick", "wcd//**/*.md": "vinpa", "wcd//**/*.yml": "vinpa" }, diff --git a/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md index c8e6da20645..9a5c32fb354 100644 --- a/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md +++ b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md @@ -1,8 +1,6 @@ --- title: Disable all blocked key combinations description: Disable all blocked key combinations -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/index.md b/windows/configuration/keyboard-filter/index.md index cb761c4814a..6f7d3cc589d 100644 --- a/windows/configuration/keyboard-filter/index.md +++ b/windows/configuration/keyboard-filter/index.md @@ -1,8 +1,6 @@ --- title: Keyboard Filter description: Keyboard Filter -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: overview --- diff --git a/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md index acb297b4221..129b6e271b2 100644 --- a/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md +++ b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md @@ -1,9 +1,6 @@ --- title: Add blocked key combinations description: Add blocked key combinations -ms.assetid: f51892fc-0262-4b25-b117-6e131b86fb68 -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/keyboardfilter-key-names.md b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md index 39de2bc0290..9fe13801501 100644 --- a/windows/configuration/keyboard-filter/keyboardfilter-key-names.md +++ b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md @@ -1,8 +1,6 @@ --- title: Keyboard Filter key names description: Keyboard Filter key names -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md index 2fa1f6d8e26..35788409b15 100644 --- a/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md +++ b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md @@ -1,8 +1,6 @@ --- title: List all configured key combinations description: List all configured key combinations -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md index 8f8048582e4..7547ba96149 100644 --- a/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md +++ b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md @@ -1,8 +1,6 @@ --- title: Windows PowerShell script samples for Keyboard Filter description: Windows PowerShell script samples for Keyboard Filter -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md index 798cef5c0f0..eeff8800eb9 100644 --- a/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md +++ b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md @@ -1,8 +1,6 @@ --- title: Keyboard Filter WMI provider reference description: Keyboard Filter WMI provider reference -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/modify-global-settings.md b/windows/configuration/keyboard-filter/modify-global-settings.md index 2b69a9de23b..39d26be872d 100644 --- a/windows/configuration/keyboard-filter/modify-global-settings.md +++ b/windows/configuration/keyboard-filter/modify-global-settings.md @@ -1,8 +1,6 @@ --- title: Modify global settings description: Modify global settings -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: how-to --- diff --git a/windows/configuration/keyboard-filter/predefined-key-combinations.md b/windows/configuration/keyboard-filter/predefined-key-combinations.md index 17df2fd3a5c..eb25a41a530 100644 --- a/windows/configuration/keyboard-filter/predefined-key-combinations.md +++ b/windows/configuration/keyboard-filter/predefined-key-combinations.md @@ -1,8 +1,6 @@ --- title: Predefined key combinations description: Predefined key combinations -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/remove-key-combination-configurations.md b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md index eadd760d933..624edc69f49 100644 --- a/windows/configuration/keyboard-filter/remove-key-combination-configurations.md +++ b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md @@ -1,8 +1,6 @@ --- title: Remove key combination configurations description: Remove key combination configurations -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-customkey.md b/windows/configuration/keyboard-filter/wekf-customkey.md index d1869903ee4..dcc812049ec 100644 --- a/windows/configuration/keyboard-filter/wekf-customkey.md +++ b/windows/configuration/keyboard-filter/wekf-customkey.md @@ -1,8 +1,6 @@ --- title: WEKF_CustomKey description: WEKF_CustomKey -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-customkeyadd.md b/windows/configuration/keyboard-filter/wekf-customkeyadd.md index cd56a93da5d..a48eeedb72b 100644 --- a/windows/configuration/keyboard-filter/wekf-customkeyadd.md +++ b/windows/configuration/keyboard-filter/wekf-customkeyadd.md @@ -1,8 +1,6 @@ --- title: WEKF_CustomKey.Add description: WEKF_CustomKey.Add -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-customkeyremove.md b/windows/configuration/keyboard-filter/wekf-customkeyremove.md index 5fdceb9f5a1..26b1d35bdc1 100644 --- a/windows/configuration/keyboard-filter/wekf-customkeyremove.md +++ b/windows/configuration/keyboard-filter/wekf-customkeyremove.md @@ -3,8 +3,6 @@ title: WEKF_CustomKey.Remove description: WEKF_CustomKey.Remove ms.date: 01/13/2025 ms.topic: reference -author: TerryWarwick -ms.author: twarwick --- # WEKF_CustomKey.Remove diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkey.md b/windows/configuration/keyboard-filter/wekf-predefinedkey.md index d81f72d8015..dd5de7d93ac 100644 --- a/windows/configuration/keyboard-filter/wekf-predefinedkey.md +++ b/windows/configuration/keyboard-filter/wekf-predefinedkey.md @@ -1,8 +1,6 @@ --- title: WEKF_PredefinedKey description: WEKF_PredefinedKey -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md index 8b954dee192..b49d3383f01 100644 --- a/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md +++ b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md @@ -1,8 +1,6 @@ --- title: WEKF_PredefinedKey.Disable description: WEKF_PredefinedKey.Disable -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md index a96fbd43653..a674afda86e 100644 --- a/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md +++ b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md @@ -1,8 +1,6 @@ --- title: WEKF_PredefinedKey.Enable description: WEKF_PredefinedKey.Enable -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-scancode.md b/windows/configuration/keyboard-filter/wekf-scancode.md index d24df9ed10c..8cfb7b0f6e2 100644 --- a/windows/configuration/keyboard-filter/wekf-scancode.md +++ b/windows/configuration/keyboard-filter/wekf-scancode.md @@ -1,8 +1,6 @@ --- title: WEKF_Scancode description: WEKF_Scancode -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-scancodeadd.md b/windows/configuration/keyboard-filter/wekf-scancodeadd.md index 11742730380..cd4b70efe8c 100644 --- a/windows/configuration/keyboard-filter/wekf-scancodeadd.md +++ b/windows/configuration/keyboard-filter/wekf-scancodeadd.md @@ -1,8 +1,6 @@ --- title: WEKF_Scancode.Add description: WEKF_Scancode.Add -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-scancoderemove.md b/windows/configuration/keyboard-filter/wekf-scancoderemove.md index ae761e5b61b..18bc6d3514f 100644 --- a/windows/configuration/keyboard-filter/wekf-scancoderemove.md +++ b/windows/configuration/keyboard-filter/wekf-scancoderemove.md @@ -1,8 +1,6 @@ --- title: WEKF_Scancode.Remove description: WEKF_Scancode.Remove -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/keyboard-filter/wekf-settings.md b/windows/configuration/keyboard-filter/wekf-settings.md index 0aa64a5a7d0..df43feb21ea 100644 --- a/windows/configuration/keyboard-filter/wekf-settings.md +++ b/windows/configuration/keyboard-filter/wekf-settings.md @@ -1,8 +1,6 @@ --- title: WEKF_Settings description: WEKF_Settings -author: TerryWarwick -ms.author: twarwick ms.date: 01/13/2025 ms.topic: reference --- diff --git a/windows/configuration/shell-launcher/browser-support.md b/windows/configuration/shell-launcher/browser-support.md new file mode 100644 index 00000000000..1c3b383033d --- /dev/null +++ b/windows/configuration/shell-launcher/browser-support.md @@ -0,0 +1,47 @@ +--- +title: Browser Support +ms.date: 03/30/2023 +ms.topic: concept-article +description: Learn about browser support in Kiosk Mode +--- + +# Browser Support + +Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience. + +## Microsoft Edge Kiosk Mode + +> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021) + +[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: + +* Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. + +Both experiences are running a Microsoft Edge InPrivate session, which protects user data. + +## Internet Explorer 11 + +[Internet Explorer 11](/internet-explorer/internet-explorer) is considered a legacy browser, in subsequent releases. + +In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps and modern web apps in a single browser. + +> [!NOTE] +> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022. +> +> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products. + +## Supported Versions + +| Browser | Internet Explorer 11 | Microsoft Edge Legacy | Microsoft Edge | +|--|--|--|--| +| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) | +| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS end of service | Microsoft Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) | +| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Microsoft Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update | +| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) | +| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) | + +## Additional Resources + +* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) +* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan) diff --git a/windows/configuration/shell-launcher/index.md b/windows/configuration/shell-launcher/index.md new file mode 100644 index 00000000000..50eeb99ef6b --- /dev/null +++ b/windows/configuration/shell-launcher/index.md @@ -0,0 +1,344 @@ +--- +title: Shell Launcher +description: Shell Launcher +ms.date: 06/07/2018 +ms.topic: overview +--- + +# Shell Launcher + +Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. + +You can also configure Shell Launcher to launch different shell applications for different users or user groups. + +There are a few exceptions to the applications and executables you can use as a custom shell: + +- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in. +- You can't use a Universal Windows app as a custom shell. +- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app. +- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell. +- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application. + +> [!NOTE] +> You cannot configure both Shell Launcher and assigned access on the same system. +> +> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2. + +Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services. + +Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs. + +Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/) + +> [!NOTE] +> +> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. +> +> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d). + +## Differences between Shell Launcher v1 and Shell Launcher v2 + +Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application. +Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app. +In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements: + +- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard. +- From a custom UWP shell, you can launch secondary views and run on multiple monitors. +- The custom shell app runs in full screen, and can run other apps in full screen on user's demand. +For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2). + +## Requirements + +Windows 10 Enterprise or Windows 10 Education. + +## Terminology + +- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device. +- **Configure:** To customize the setting or subsettings. +- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511. +- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later. + +## Turn on Shell Launcher + +Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher. + +### Enable Shell Launcher using Control Panel + +1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it. +1. In the **Programs and Features** window, select **Turn Windows features on or off**. +1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.** +1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed. +1. Select **Close** to close the **Windows Features** window. + +> [!NOTE] +> Turning on Shell Launcher does not require a device restart. + +### Enable Shell Launcher by calling WESL_UserSetting + +1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting. +1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in. + +This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism). + +### Enable Shell Launcher using DISM + +1. Open a command prompt with administrator privileges. +1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim). +1. Create a new directory. + + ```CMD + md c:\wim + ``` + +1. Mount the image. + + ```CMD + dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim + ``` + +1. Enable the feature. + + ```CMD + dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher + ``` + +1. Commit the change. + + ```CMD + dism /unmount-wim /MountDir:c:\wim /Commit + ``` + +### Enable Shell Launcher using Windows Configuration Designer + +The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply. + +Use the following steps to create a provisioning package that contains the ShellLauncher settings. + +1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). +1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**. +1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired. +1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same. + +## Configure Shell Launcher + +There are two ways you can configure Shell Launcher: + +1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it. +1. Use the Shell Launcher WMI providers directly in a PowerShell script or application. + +You can configure the following options for Shell Launcher: + +- Enable or disable Shell Launcher. +- Specify a shell configuration for a specific user or group. +- Remove a shell configuration for a specific user or group. +- Change the default shell configuration. +- Get information on a shell configuration for a specific user or group. + +Any changes don't take effect until a user signs in. + +## Launch different shells for different user accounts + +By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell. + +You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device. + +If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name. + +For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids). + +When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations. + +## Perform an action when the shell exits + +When a custom shell exits, Shell Launcher can perform one of four actions: + +|Action|Description| +|:---:|:---| +|0|Restart the shell.| +|1|Restart the device.| +|2|Shut down the device.| +|3|Do nothing.| + +> [!IMPORTANT] +> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing. + +### Default return code action + +You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits. + +### Map the exit code to a Shell Launcher action + +Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions. + +If the exit code doesn't match a defined value, Shell Launcher performs the default return code action. + +For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to: + +- restart the device (1) when the shell returns an exit code of value -1 +- restart the shell (0) when the shell returns an exit code of value 0 +- do nothing (3) when the shell returns an exit code of value 1 +- shut down the device (2) when the shell returns an exit code of value 255 + +Your custom return code action mapping would look like this: + +|Exit code|Action| +|:----:|----| +|-1|1 (restart the device)| +|0|0 (restart the shell)| +|1|3 (do nothing)| +|255|2 (shut down the device)| + +## Set your custom shell + +Modify the following PowerShell script as appropriate and run the script on the device. + +```PowerShell +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. + +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 +$do_nothing = 3 + +# Examples. You can change these examples to use the program that you want to use as the shell. + +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Enable Shell Launcher + +$ShellLauncherClass.SetEnabled($TRUE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled +``` + +> [!NOTE] +> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is. + +## Shell Launcher user rights + +A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't. + +> [!WARNING] +> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application. + +## Related articles + +- [Unbranded Boot](../unbranded-boot/index.md) +- [Custom Logon](../custom-logon/index.md) +- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher) +- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts) +- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits) +- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights) diff --git a/windows/configuration/shell-launcher/kiosk-mode.md b/windows/configuration/shell-launcher/kiosk-mode.md new file mode 100644 index 00000000000..d5285fa51d7 --- /dev/null +++ b/windows/configuration/shell-launcher/kiosk-mode.md @@ -0,0 +1,61 @@ +--- +title: Kiosk Mode +ms.date: 01/18/2024 +ms.topic: overview +description: Learn about Kiosk Mode in Windows IoT Enterprise. +--- + +# Kiosk mode + +Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use: [assigned access single-app kiosks](single-app-kiosk.md), [assigned access multi-app kiosks](multi-app-kiosk.md), or [shell launcher](index.md). + +Kiosk configurations are based upon either [assigned access](../assigned-access/overview.md) or [shell launcher](index.md). There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. + +> [!NOTE] +> +> A benefit of using an assigned access kiosk mode is [these policies](/windows/configuration/kiosk-policies) are automatically applied to the device to optimize the lock-down experience. + +## Which type of app will your kiosk run? + +Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](/windows/configuration/setup-digital-signage), select a digital sign player as your kiosk app. Check out the [Guidelines for Kiosk Apps](/windows/configuration/guidelines-for-assigned-access-app). + +## Which type of kiosk do you need? + +If you want your kiosk to run a single app for anyone to see or use, consider an [assigned-access single-app kiosk](/windows/configuration/shell-launcher/single-app-kiosk) that runs either a [Universal Windows Platform (UWP) app](/windows/configuration/kiosk-methods#uwp) or a [Windows desktop application](/windows/configuration/kiosk-methods#classic). + +For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an [assigned access multi-app kiosk](/windows/configuration/kiosk-methods#desktop). + +## Which type of user account will be the kiosk account? + +The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + +## Kiosk capabilities for Windows 10 IoT Enterprise + +| Mode | Features | Description | Customer Usage | +|------|----------|------------ |-----------------| +| Assigned access | Single-app kiosk (UWP) | Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. | Digital signs & single function devices +| Assigned access | Single-app kiosk (Microsoft Edge) | Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of browser. Only supports one single-app kiosk profile under one account per device. | Public browsing kiosks & digital signs | +| Assigned access | Multi-app kiosk (Restricted User Experience) | Windows 10: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles.
Windows 11: Presents the familiar Windows desktop experience with a restricted set of apps. | Frontline Worker shared devices | +| Shell launcher | Shell launcher | Auto launches an app that the customer specifies and monitors the lifecycle of this app. App can be used as a "shell" if desired. No default lockdown policies like hotkey blocking are enforced in Shell Launcher. | Fixed purpose devices with a custom shell experience | + +## How to configure your device for kiosk mode? + +Visit the following documentation to set up a kiosk according to your scenario: + +* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods) +* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app) +* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps) +* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) + +## Additional Resources + +* [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app) +* [Validate your kiosk configuration](/windows/configuration/kiosk-validate) +* [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app) +* [Policies enforced on kiosk devices](/windows/configuration/kiosk-policies) +* [Assigned access XML reference](/windows/configuration/kiosk-xml) +* [Use AppLocker to create a Windows 10 kiosk](/windows/configuration/lock-down-windows-10-applocker) +* [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) +* [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](/windows/configuration/kiosk-mdm-bridge) +* [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot) +* [Plan your kiosk mode transition to Microsoft Edge](/deployedge/microsoft-edge-kiosk-mode-transition-plan) diff --git a/windows/configuration/shell-launcher/multi-app-kiosk.md b/windows/configuration/shell-launcher/multi-app-kiosk.md new file mode 100644 index 00000000000..b77d2fd604e --- /dev/null +++ b/windows/configuration/shell-launcher/multi-app-kiosk.md @@ -0,0 +1,39 @@ +--- +title: Multi-App Kiosk +ms.date: 08/16/2023 +ms.topic: concept-article +description: Learn about the Multi-App Kiosk in Windows IoT Enterprise. +--- + +# Assigned access multi-app kiosk + +An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk. + +> [!NOTE] +> Multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2, or 22H2. Refer to [What's new for subsequent releases](/windows/iot/iot-enterprise/whats-new/release-history#windows-11-iot-enterprise) for information about its return. +> +> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12). + +## Benefits of using a multi-app kiosk + +The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they don't need to access. + +A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration. + +## Configuring your multi-app kiosk + +* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune) +* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package) + +> [!NOTE] +> +> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that affects all nonadministrator users on the device. + +## More Resources + +* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps) +* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps) +* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access) +* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app) +* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods) +* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference) diff --git a/windows/configuration/shell-launcher/single-app-kiosk.md b/windows/configuration/shell-launcher/single-app-kiosk.md new file mode 100644 index 00000000000..541fb49a2e5 --- /dev/null +++ b/windows/configuration/shell-launcher/single-app-kiosk.md @@ -0,0 +1,38 @@ +--- +title: Assigned access Single-App Kiosk +ms.date: 03/30/2023 +ms.topic: concept-article +description: Learn about the Single-App Kiosk in Windows IoT Enterprise. +--- + +# Assigned access single-app kiosk + +A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app. + +> [!NOTE] +> +> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + +## Benefits of using a single-app kiosk + +A single-app kiosk is ideal for public use. Using [shell launcher](./index.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information. + +## Configuring your single-app kiosks + +You have several options for configuring your single-app kiosk. + +* [Settings App](/windows/configuration/kiosk-single-app#local) +* [PowerShell](/windows/configuration/kiosk-single-app#powershell) +* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard) +* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm) + +> [!TIP] +> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile). + +## Additional Resources + +* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app) +* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app) +* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access) +* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods) +* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference) diff --git a/windows/configuration/shell-launcher/toc.yml b/windows/configuration/shell-launcher/toc.yml new file mode 100644 index 00000000000..07c18e4e826 --- /dev/null +++ b/windows/configuration/shell-launcher/toc.yml @@ -0,0 +1,25 @@ + +items: +- name: Shell Launcher + items: + - name: Overview + href: index.md + - name: WMI Provider Reference + items: + - name: Class WESL_UserSetting + href: wesl-usersetting.md + - name: GetCustomShell + href: wesl-usersettinggetcustomshell.md + - name: GetDefaultShell + href: wesl-usersettinggetdefaultshell.md + - name: IsEnabled + href: wesl-usersettingisenabled.md + - name: RemoveCustomShell + href: wesl-usersettingremovecustomshell.md + - name: SetCustomShell + href: wesl-usersettingsetcustomshell.md + - name: SetDefaultShell + href: wesl-usersettingsetdefaultshell.md + - name: SetEnabled + href: wesl-usersettingsetenabled.md + diff --git a/windows/configuration/shell-launcher/wedl-assignedaccess.md b/windows/configuration/shell-launcher/wedl-assignedaccess.md new file mode 100644 index 00000000000..62039435784 --- /dev/null +++ b/windows/configuration/shell-launcher/wedl-assignedaccess.md @@ -0,0 +1,141 @@ +--- +title: WEDL\_AssignedAccess +description: WEDL\_AssignedAccess +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WEDL\_AssignedAccess + +This Windows Management Instrumentation (WMI) provider class configures settings for assigned access. + +## Syntax + +```powershell +class WEDL_AssignedAccess { + [Key] string UserSID; + [Read, Write] string AppUserModelId; + [Read] sint32 Status; +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Methods + +This class contains no methods. + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| **UserSID** | string | [key] | The security identifier (SID) for the user account that you want to use as the assigned access account. | +| **AppUserModelId** | string | [read, write] | The Application User Model ID (AUMID) of the Windows app to launch for the assigned access account. | +| **Status** | Boolean | none | Indicates the current status of the assigned access configuration | + +| Value | Description | +|:-----:|-------------| +| 0 | A valid account is configured, but no Windows app is specified. Assigned access is not enabled. | +| 1 | Assigned access is enabled. | +| 0x100 | UserSID error: cannot find the account. | +| 0x103 | UserSID error: the account profile does not exist. | +| 0x200 | AppUserModelID error: cannot find the Windows app. | +| 0x201 | Task Scheduler error: Could not schedule task. Make sure that the Task Scheduler service is running. | +| 0xffffffff | Unspecified error.| + +### Remarks + +Changes to assigned access do not affect any sessions that are currently signed in; you must sign out and sign back in. + +## Example + +The following Windows PowerShell script demonstrates how to use this class to set up an assigned access account. + +```powershell +# +#---Define variables--- +# + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define the assigned access account. +# To use a different account, change $AssignedAccessAccount to a user account that is present on your device. + +$AssignedAccessAccount = "KioskAccount" + +# Define the Windows app to launch, in this example, use the Application Model User ID (AUMID) for Windows Calculator. +# To use a different Windows app, change $AppAUMID to the AUMID of the Windows app to launch. +# The Windows app must be installed for the account. + +$AppAUMID = "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" + +# +#---Define helper functions--- +# + +function Get-UsernameSID($AccountName) { + +# This function retrieves the SID for a user account on a machine. +# This function does not check to verify that the user account actually exists. + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value +} + +# +#---Set up the new assigned access account--- +# + +# Get the SID for the assigned access account. + +$AssignedAccessUserSID = Get-UsernameSID($AssignedAccessAccount) + +# Check to see if an assigned access account is already set up, and if so, clear it. + +$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess + +if ($AssignedAccessConfig) { + +# Configuration already exists. Delete it so that we can create a new one, since only one assigned access account can be set up at a time. + + $AssignedAccessConfig.delete(); + +} + +# Configure assigned access to launch the specified Windows app for the specified account. + +Set-WmiInstance -class WEDL_AssignedAccess -ComputerName $COMPUTER -Namespace $NAMESPACE -Arguments @{ + UserSID = $AssignedAccessUserSID; + AppUserModelId = $AppAUMID + } | Out-Null; + +# Confirm that the settings were created properly. + +$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess + +if ($AssignedAccessConfig) { + + "Set up assigned access for the " + $AssignedAccessAccount + " account." + " UserSID = " + $AssignedAccessConfig.UserSid + " AppModelId = " + $AssignedAccessConfig.AppUserModelId + +} else { + + "Could not set up assigned access account." +} +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | diff --git a/windows/configuration/shell-launcher/wesl-usersetting.md b/windows/configuration/shell-launcher/wesl-usersetting.md new file mode 100644 index 00000000000..3d7851941ee --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersetting.md @@ -0,0 +1,174 @@ +--- +title: WESL_UserSetting +description: WESL_UserSetting +ms.date: 05/02/2017 +ms.topic: reference +--- + +# WESL_UserSetting + +This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits. + +## Syntax + +```powershell +class WESL_UserSetting { + [read, write, Required] string Sid; + [read, write, Required] string Shell; + [read, write] Sint32 CustomReturnCodes[]; + [read, write] Sint32 CustomReturnCodesAction[]; + [read, write] sint32 DefaultAction; + + [Static] uint32 SetCustomShell( + [In, Required] string Sid, + [In, Required] string Shell, + [In] sint32 CustomReturnCodes[], + [In] sint32 CustomReturnCodesAction[], + [In] sint32 DefaultAction + ); + [Static] uint32 GetCustomShell( + [In, Required] string Sid, + [Out, Required] string Shell, + [Out, Required] sint32 CustomReturnCodes[], + [Out, Required] sint32 CustomReturnCodesAction[], + [Out, Required] sint32 DefaultAction + ); + [Static] uint32 RemoveCustomShell( + [In, Required] string Sid + ); + [Static] uint32 GetDefaultShell( + [Out, Required] string Shell, + [Out, Required] sint32 DefaultAction + ); + [Static] uint32 SetDefaultShell( + [In, Required] string Shell, + [In, Required] sint32 DefaultAction + ); + [Static] uint32 IsEnabled( + [Out, Required] boolean Enabled + ); + [Static] uint32 SetEnabled( + [In, Required] boolean Enabled); + ); +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Methods + +| Methods | Description | +|---------|-------------| +| [WESL_UserSetting.SetCustomShell](wesl-usersettingsetcustomshell.md) | Configures Shell Launcher for a specific user or group, based on SID. | +| [WESL_UserSetting.GetCustomShell](wesl-usersettinggetcustomshell.md) | Retrieves the Shell Launcher configuration for a specific user or group, based on the SID. | +| [WESL_UserSetting.RemoveCustomShell](wesl-usersettingremovecustomshell.md) | Removes a Shell Launcher configuration for a specific user or group, based on the SID. | +| [WESL_UserSetting.GetDefaultShell](wesl-usersettinggetdefaultshell.md) | Retrieves the default Shell Launcher configuration. | +| [WESL_UserSetting.SetDefaultShell](wesl-usersettingsetdefaultshell.md) | Sets the default Shell Launcher configuration. | +| [WESL_UserSetting.IsEnabled](wesl-usersettingisenabled.md) | Retrieves a value that indicates if Shell Launcher is enabled or disabled. | +| [WESL_UserSetting.SetEnabled](wesl-usersettingsetenabled.md) | Enables or disables Shell Launcher. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| **Sid** | string | [read, write, required] | User or group SID. | +| **shell** | string | [read, write, required] | The application to start as the shell.
The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path.
Any spaces in the **shell** property must be part of a quote-delimited string. | +| **CustomReturnCodes** | Sint32[] |[read, write] | An array of custom return codes that can be returned by the shell. | +| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**.
The possible actions are:
0 - Restart the shell.
1 - Restart the device.
2 - Shut down the device.
3 - Do nothing. | +| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits.
The possible actions are defined as follows:
0 - Restart the shell.
1 - Restart the device.
2 - Shut down the device.
3 - Do nothing. | + +### Remarks + +Only one **WESL_UserSetting** instance exists on a device with Shell Launcher. + +Shell Launcher uses the custom configuration defined for the SID of the user currently signed in, if one exists. Otherwise, Shell Launcher uses a custom configuration defined for a group SID that the user is a member of, if any exist. If multiple group custom configurations for the user exist, Shell Launcher uses the first valid configuration it finds. The search order is not defined. + +If there is no custom configuration for the user's SID or any group SIDs that the user is a member of, Shell Launcher uses the default configuration. + +You can find the SID for a user and any groups that the user is a member of by using the [whoami](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771299(v=ws.10)) command-line tool. + +## Example + +The following Windows PowerShell script demonstrates how to add and remove custom shell configurations for Shell Launcher by using the Windows Management Instrumentation (WMI) providers for Shell Launcher. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. + +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 +$do_nothing = 3 + +# Examples + +# Set the command prompt as the default shell, and restart the device if it's closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md new file mode 100644 index 00000000000..5633e7df6ec --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md @@ -0,0 +1,77 @@ +--- +title: WESL_UserSetting.GetCustomShell +description: WESL_UserSetting.GetCustomShell +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.GetCustomShell + +This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID). + +## Syntax + +```powershell +[Static] uint32 GetCustomShell ( + [In, Required] string Sid, + [Out, Required] string Shell, + [Out, Required] sint32 CustomReturnCodes[], + [Out, Required] sint32 CustomReturnCodesAction[], + [Out, Required] sint32 DefaultAction +); +``` + +## Parameters + +**Sid**
\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for. + +**Shell**
\[out, required\] The application or executable that Shell Launcher starts as the shell. + +**CustomReturnCodes**
\[out, required\] An array of custom return codes returned by the shell application. + +**CustomReturnCodesAction**
\[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*. + +The possible actions are defined in the following table: + +| Value | Description | +|:-----:|-------------| +| 0 | Restart the shell. | +| 1 | Restart the device. | +| 2 | Shut down the device. | +| 3 | Do nothing. | + +**DefaultAction**
\[out, required\] The default action that Shell Launcher takes when the shell application exits. + +The possible actions are defined in the following table: + +| Value | Description | +|:------:|-------------| +| 0 | Restart the shell. | +| 1 | Restart the device. | +| 2 | Shut down the device. | +| 3 | Do nothing. | + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application. + +If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md new file mode 100644 index 00000000000..9cabb200ab5 --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md @@ -0,0 +1,57 @@ +--- +title: WESL_UserSetting.GetDefaultShell +description: WESL_UserSetting.GetDefaultShell +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.GetDefaultShell + +This method retrieves the default Shell Launcher configuration. + +## Syntax + +```powershell +[Static] uint32 GetDefaultShell ( + [Out, Required] string Shell, + [Out, Required] sint32 DefaultAction +); +``` + +## Parameters + +**Shell**
\[out, required\] The application or executable that Shell Launcher starts as the shell. + +**DefaultAction**
\[out, required\] The default action Shell Launcher takes when the shell application exits. + +The possible actions are defined in the following table: + +| Value | Description | +|:-----:|-------------| +| 0 | Restart the shell. | +| 1 | Restart the device. | +| 2 | Shut down the device. | +| 3 | Do nothing. | + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md new file mode 100644 index 00000000000..fb4739ce371 --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md @@ -0,0 +1,41 @@ +--- +title: WESL_UserSetting.IsEnabled +description: WESL_UserSetting.IsEnabled +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.IsEnabled + +This method retrieves a value that indicates if Shell Launcher is enabled or disabled. + +## Syntax + +```powershell +[Static] uint32 IsEnabled( + [Out, Required] boolean Enabled +); +``` + +## Parameters + +**Enabled**
\[out, required\] A Boolean value that indicates if Shell Launcher is enabled. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md new file mode 100644 index 00000000000..fb1df0e87fe --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md @@ -0,0 +1,45 @@ +--- +title: WESL_UserSetting.RemoveCustomShell +description: WESL_UserSetting.RemoveCustomShell +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.RemoveCustomShell + +This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID). + +## Syntax + +```powershell +[Static] uint32 RemoveCustomShell ( + [In, Required] string Sid +); +``` + +## Parameters + +**Sid**
\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must restart your device for the changes to take effect. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md new file mode 100644 index 00000000000..a90450063c6 --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md @@ -0,0 +1,77 @@ +--- +title: WESL_UserSetting.SetCustomShell +description: WESL_UserSetting.SetCustomShell +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.SetCustomShell + +This method configures Shell Launcher for a specific user or group, based on the security identifier (SID). + +## Syntax + +```powershell +[Static] uint32 SetCustomShell ( + [In, Required] string Sid, + [In, Required] string Shell, + [In] sint32 CustomReturnCodes[], + [In] sint32 CustomReturnCodesAction[], + [In] sint32 DefaultAction +); +``` + +## Parameters + +**Sid**
\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for. + +**Shell**
\[in, required\] The application or executable that Shell Launcher starts as the shell. + +**CustomReturnCodes**
\[in\] An array of custom return codes that can be returned by the shell application. + +**CustomReturnCodesAction**
\[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*. + +The possible actions are defined in the following table: + +| Value | Description | +|:-----:|-------------| +| 0 | Restart the shell. | +| 1 | Restart the device. | +| 2 | Shut down the device. | +| 3 | Do nothing. | + +**DefaultAction**
\[In\] The default action that Shell Launcher takes when the shell application exits. + +The possible actions are defined in the following table: + +| Value | Description | +|:-----:|-------------| +| 0 | Restart the shell.| +| 1 | Restart the device. | +| 2 | Shut down the device. | +| 3 | Do nothing. | + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application. + +If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md new file mode 100644 index 00000000000..ec89600f381 --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md @@ -0,0 +1,57 @@ +--- +title: WESL_UserSetting.SetDefaultShell +description: WESL_UserSetting.SetDefaultShell +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.SetDefaultShell + +This method sets the default Shell Launcher configuration. + +## Syntax + +```powershell +[Static] uint32 SetDefaultShell ( + [In, Required] string Shell, + [In, Required] sint32 DefaultAction +); +``` + +## Parameters + +**Shell**
\[in, required\] The application or executable that Shell Launcher starts as the shell. + +**DefaultAction**
\[in, required\] The default action that Shell Launcher takes when the *Shell* application exits. + +The possible actions are defined in the following table: + +| Value | Description | +|:-------:|-------------| +| 0 | Restart the shell. | +| 1 | Restart the device. | +| 2 | Shut down the device. | +| 3 | Do nothing. | + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md new file mode 100644 index 00000000000..43aff8b5a7a --- /dev/null +++ b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md @@ -0,0 +1,47 @@ +--- +title: WESL_UserSetting.SetEnabled +description: WESL_UserSetting.SetEnabled +ms.date: 05/20/2024 +ms.topic: reference +--- + +# WESL_UserSetting.SetEnabled + +This method enables or disables Shell Launcher. + +## Syntax + +```powershell +[Static] uint32 SetEnabled( + [In, Required] boolean Enabled +); +``` + +## Parameters + +**Enabled**
\[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](../unified-write-filter/uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher. + +Enabling or disabling Shell Launcher does not take effect until a user signs in. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related topics + +- [WESL_UserSetting](wesl-usersetting.md) +- [Shell Launcher](index.md) diff --git a/windows/configuration/unbranded-boot/images/boot.jpg b/windows/configuration/unbranded-boot/images/boot.jpg new file mode 100644 index 00000000000..bc46adb1cfb Binary files /dev/null and b/windows/configuration/unbranded-boot/images/boot.jpg differ diff --git a/windows/configuration/unbranded-boot/index.md b/windows/configuration/unbranded-boot/index.md new file mode 100644 index 00000000000..e3aa95b2444 --- /dev/null +++ b/windows/configuration/unbranded-boot/index.md @@ -0,0 +1,160 @@ +--- +title: Unbranded Boot +description: Unbranded Boot +ms.date: 09/10/2024 +ms.topic: overview +--- + +# Unbranded Boot + +You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot. + +> [!IMPORTANT] +> The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator. + +## Requirements + +Unbranded Boot can be enabled on: + +- Windows 10 Enterprise +- Windows 10 IoT Enterprise +- Windows 10 Education +- Windows 11 Enterprise +- Windows 11 IoT Enterprise +- Windows 11 Education + +## Terminology + +- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line. + +- **Configure:** To customize the setting or subsettings. + +- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511. + +- **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later. + +## Turn on Unbranded Boot settings + +Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring. + +If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed. + +BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD. + +### Turn on Unbranded Boot by using Control Panel + +1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window. +1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**. +1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed. +1. Restart your device to apply the changes. + +## Configure Unbranded Boot settings at runtime using BCDEdit + +1. Open a command prompt as an administrator. +1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu. + + ```cmd + bcdedit.exe -set {globalsettings} advancedoptions false + ``` + +1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu. + + ```cmd + bcdedit.exe -set {globalsettings} optionsedit false + ``` + +1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup. + + ```cmd + bcdedit.exe -set {globalsettings} bootuxdisabled on + ``` + +1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen. + + ```cmd + bcdedit.exe -set {bootmgr} noerrordisplay on + ``` + +## Configure Unbranded Boot using Unattend + +You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp. + +### Unbranded Boot settings + +The following table shows Unbranded Boot settings and their values. + +| Setting | Description | Value | +|---------|-------------|-------| +| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. | +| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. | +| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. | +| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. | +| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. | +| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. | + +## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM) + +You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup. + +1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). + +1. In the Available customizations page, select **Runtime settings** > **SMISettings** and then set the value for the boot screen settings. The following values are just examples. + + - **HideAllBootUI**=FALSE + - **HideBootLogo**=FALSE + - **HideBootStatusIndicator**=TRUE + - **HideBootStatusMessage**=TRUE + - **CrashDumpEnabled**=Full dump + + > [!TIP] + > For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference. + +1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings. + 1. Open a command prompt with administrator privileges. + 1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim). + 1. Create a new directory. + + ```cmd + md c:\wim + ``` + + 1. Mount the image. + + ```cmd + dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim + ``` + + 1. Enable the feature. + + ```cmd + dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp + ``` + + 1. Commit the change. + + ```cmd + dism /unmount-wim /MountDir:c:\wim /Commit + ``` + +In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue. + +![unbranded boot screen](images/boot.jpg) + +## Replace the startup logo + +The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo. + +## Suppress Errors During Boot + +Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting. + +1. Open a command prompt as an administrator. +1. Run the following command to suppress error screens during boot. + + ```cmd + bcdedit.exe -set {bootmgr} noerrordisplay on + ``` + +## Related articles + +- [Custom Logon](../custom-logon/index.md) diff --git a/windows/configuration/unified-write-filter/hibernate-once-resume-many-horm.md b/windows/configuration/unified-write-filter/hibernate-once-resume-many-horm.md new file mode 100644 index 00000000000..f58729857a7 --- /dev/null +++ b/windows/configuration/unified-write-filter/hibernate-once-resume-many-horm.md @@ -0,0 +1,165 @@ +--- +title: Hibernate Once/Resume Many (HORM) +description: Hibernate Once/Resume Many (HORM) +ms.date: 04/12/2018 +ms.topic: concept-article +--- + +# Hibernate Once/Resume Many (HORM) + +You can use the Hibernate Once/Resume Many (HORM) feature with Unified Write Filter (UWF) to start your device in a preconfigured state. When HORM is enabled, your system always resumes and restarts from the last saved hibernation file (hiberfil.sys). + +A device with HORM enabled can quickly be turned off or shut down, and then restarted into the preconfigured state, even if a sudden power loss. + +> [!NOTE] +> HORM can be used on Unified Extensible Firmware Interface (UEFI) devices running Windows 10, version 1709, or newer versions of Windows, only. In previous Windows versions, the installation procedure for UEFI creates a hidden system partition. Because UWF can't protect hidden partitions, HORM can't be used on any devices that contain a hidden partition, including UEFI-capable devices on older versions of Windows. + +## Requirements + +Windows 10 Enterprise, Windows 10 Education, or Windows IoT Core (IoT Core). Supported on x86-based and x64-based devices. + +On Windows 10, version 21H2 or newer versions of Windows, Read-Only Media mode must be implemented to enable HORM. + +## UWF configuration + +UWF must be enabled before you can enable or disable HORM. UWF must be configured in the following ways to protect the hibernation file from becoming invalid: + +- All fixed volumes that are mounted on the system are protected by UWF. +- Your system must not have any file, folder, or registry exclusions configured for UWF. +- The UWF overlay must be configured to use RAM mode. HORM doesn't support disk-backed overlays. + +UWF doesn't filter hibernation files from being written to disk. If you want to protect the preconfigured state of your device, lock down any functionality that can modify the hibernation file. For example, disable hibernation, hybrid sleep, and fast startup for standard user accounts to prevent the saved hibernation file from being overwritten when entering sleep, hibernate, or shutdown state. + +To disable hybrid sleep and fast startup on your device, follow these steps. + +### How to disable hybrid sleep + +1. Open the Local Group Policy Editor (gpedit.msc) and navigate to the following path. + Computer Configuration\Administrative Templates\System\Power Management\Sleep settings + +1. Enable the following two settings under the path: + + Turn off hybrid sleep (plugged in) + Turn off hybrid sleep (on battery) + +### How to disable fast startup + +To disable fast startup, set the following registry value: + +> [!IMPORTANT] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. + +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power +Name: HiberbootEnabled +Type: DWORD +Value: 0 (0 = Disabled、1 = Enabled) + +### How to prevent Windows from entering hibernation due to the system idle time-out or user operations + +Configure the following two policies in Local Group Policy Editor (gpedit.msc): + +Policy to prevent Windows from entering hibernation by the system idle time: + +1. Under the following path: + Computer Configuration\Administrative Templates\System\Power Management\Sleep settings + +1. Enable these two settings and set the value to 0. + + Specify the system hibernate timeout (plugged in) + Specify the system hibernate timeout (on battery) + +Disable the policy to show "Hibernation" in the power options menu: + +1. Under the following path: + Computer Configuration\Windows Components\File Explorer + +1. Disable the following setting: + Show hibernate in the power options menu + +> [!NOTE] +> +> - Don't disable hibernate (i.e. powercfg /h off) because it deletes the hiberfil.sys which HORM requires. +> - Even after you set all these settings, the timestamp of hiberfil.sys is updated after the system reboot. This is because UWF can't filter the hiberfil.sys file, and the file needs to be compressed and decompressed during the system reboot. However, this doesn't change the content of hiberfil.sys so the preconfigured state of the device is protected. + +## Configure HORM + +1. On the device, open a command prompt as an administrator. +1. To enable hibernation on the device, type the following command: + + `powercfg /h on` + +1. To enable UWF on your device, type the following command: + + `uwfmgr.exe filter enable` + +1. To protect all volumes on your device, type the following command: + + `uwfmgr.exe volume protect all` + + > [!Note] + > DVD RW and floppy drives throw an expected error that can be safely ignored. + +1. To restart your device to enable UWF, type the following command: + + `uwfmgr.exe filter restart` + +1. After the device restarts, to verify the UWF changes that you made on your device, type the following command: + + `uwfmgr.exe get-config` + +1. To enable HORM on your device, type the following command: + + `uwfmgr.exe filter enable-horm` + + > [!Note] + > Remove all file and registry exclusions before you enable HORM. + +1. (Optional) In Control Panel, set the Power Option **When I press the power button** to avoid displaying the command prompt when resuming from hibernation, or use a script to close the command prompt on startup. +1. To hibernate the system one time to create an initial hibernation file, at the command prompt, type the following command: + + `shutdown /h` + +1. Press the power button to wake the system from hibernation. +1. After the system starts from hibernation to create an initial hibernation file, to shut down and restart the system, type the following command: + + `uwfmgr.exe restart` + +1. When HORM is enabled, you can't change the UWF configuration. To make changes, you must first disable HORM. To disable HORM, type the following command: + + `uwfmgr.exe filter disable-horm` + +1. To restart the system to finish disabling HORM, type the following command: + + `uwfmgr.exe restart` + + The system restarts normally with HORM disabled. + +> [!WARNING] +> Don't uninstall UWF when the filter is enabled or when HORM is enabled, either online or offline by using Windows PE. + +## Fix an issue when you can't disable HORM + +In rare circumstances, your device can enter a state where you can't disable HORM normally. + +If you can't disable HORM on your device, use following procedure to resolve this issue: + +1. Start your device in Windows PE. +1. Type the following command: + + `bcdedit.exe /set {bootmgr} custom:26000024 0` + +1. Restart the device: + + `shutdown /r/t 0` + +1. Disable HORM: + + `uwfmgr.exe filter disable-horm` + +1. Enable HORM: + + `uwfmgr.exe filter enable-horm` + +1. Hibernate the device: + + `shutdown /h` diff --git a/windows/configuration/unified-write-filter/images/administratorcommandprompt.png b/windows/configuration/unified-write-filter/images/administratorcommandprompt.png new file mode 100644 index 00000000000..3e16f5dc745 Binary files /dev/null and b/windows/configuration/unified-write-filter/images/administratorcommandprompt.png differ diff --git a/windows/configuration/unified-write-filter/images/administratorcompactprompt.png b/windows/configuration/unified-write-filter/images/administratorcompactprompt.png new file mode 100644 index 00000000000..6e2d631dd9a Binary files /dev/null and b/windows/configuration/unified-write-filter/images/administratorcompactprompt.png differ diff --git a/windows/configuration/unified-write-filter/images/administratorprompt.png b/windows/configuration/unified-write-filter/images/administratorprompt.png new file mode 100644 index 00000000000..e58c02c5957 Binary files /dev/null and b/windows/configuration/unified-write-filter/images/administratorprompt.png differ diff --git a/windows/configuration/unified-write-filter/images/fullvolumecommit.png b/windows/configuration/unified-write-filter/images/fullvolumecommit.png new file mode 100644 index 00000000000..8b1c889cd1c Binary files /dev/null and b/windows/configuration/unified-write-filter/images/fullvolumecommit.png differ diff --git a/windows/configuration/unified-write-filter/images/overlaysettings.png b/windows/configuration/unified-write-filter/images/overlaysettings.png new file mode 100644 index 00000000000..d82148918a5 Binary files /dev/null and b/windows/configuration/unified-write-filter/images/overlaysettings.png differ diff --git a/windows/configuration/unified-write-filter/index.md b/windows/configuration/unified-write-filter/index.md new file mode 100644 index 00000000000..86456e0582b --- /dev/null +++ b/windows/configuration/unified-write-filter/index.md @@ -0,0 +1,124 @@ +--- +title: Unified Write Filter (UWF) feature (unified-write-filter) +description: Unified Write Filter (UWF) feature (unified-write-filter) +ms.date: 10/02/2018 +ms.topic: overview +--- + +# Unified Write Filter (UWF) feature + +Unified Write Filter (UWF) is an optional Windows 10 feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location that is cleared during a reboot or when a guest user logs off. + +## Benefits + +- Provides a clean experience for thin clients and workspaces that have frequent guests, like school, library or hotel computers. Guests can work, change settings, and install software. After the device reboots, the next guest receives a clean experience. + +- Increases security and reliability where new apps aren't frequently added. + +- Can be used to reduce wear on solid-state drives and other write-sensitive media. + +- Optimizing Application load timing on boot – it can be faster to resume from a HORM file on every boot rather than reloading the system on each boot + +UWF replaces the Windows 7 Enhanced Write Filter (EWF) and the File Based Write Filter (FBWF). + +## Features + +- UWF can protect most supported writable storage types, including physical hard disks, solid-state drives, internal USB devices, and external SATA devices. You can't use UWF to protect external removable drives, USB devices or flash drives. Supports both master boot record (MBR) and GUID partition table (GPT) volumes. + +- You can use UWF to make read-only media appear to the OS as a writable volume. + +- You can manage UWF directly on a Windows 10 device using [uwfmgr.exe](uwfmgrexe.md), or remotely using MDM tools with the [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp) or the [UWF WMI](uwf-wmi-provider-reference.md). + +- You can [update and service UWF-protected devices](service-uwf-protected-devices.md) by using UWF servicing mode or adding file and registry exclusions to specific system areas. + +- On Windows 10, version 1803, you can use a [persistent overlay](uwfoverlay.md#persistent-overlay) to allow data saved in the virtual overlay to remain even after a reboot. + +- On devices with a disk overlay, you can use [free space passthrough)](uwfoverlay.md#freespace-passthrough-recommended) to access your drive's free space. + +- UWF supports paging to increase virtual memory, if the page file exists on an unprotected volume. When paging is used together with a RAM-based overlay, the uptime of the system can be increased. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Limitations + +- File systems: + - FAT: fully supported. + - NTFS: fully supported. However, during device startup, NTFS file system journal files can write to a protected volume before UWF has started protecting the volume. + - Other file systems (example: exFAT): You can protect the volume, but can't create file exclusions or do file commit operations on the volume. Writes to excluded files still influence the growth of the Overlay. + +- The overlay doesn't mirror the entire volume, but dynamically grows to keep track of redirected writes. + +- UWF supports up to 16 terabytes of protected volumes. + +- UWF doesn't support the use of fast startup when shutting down your device. If fast startup is turned on, shutting down the device doesn't clear the overlay. You can disable fast startup in Control Panel by navigating to **Control Panel** > **All Control Panel Items** > **Power Options** > **System Settings** and clearing the checkbox next to **Turn on fast startup (recommended)**. + +- UWF doesn't support [Storage Spaces](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831739(v=ws.11)). + +- On a computer on which [UWF is enabled and used to protect drive C](./uwf-turnonuwf.md#turn-on-uwf-on-a-running-pc), you can't permanently set the date and time to a past time. If you make such a change, the original date and time settings will be restored after the computer restarts. + + To work around this issue, you must disable UWF before you change the date and time with th the following command. + + ```cmd + uwfmgr.exe filter disable + ``` + + > [!NOTE] + > Do not add the file that retains date and time settings ("%windir%\bootstat.dat") to the [write filter exclusions](./uwfexclusions.md) to work around this issue. Doing this causes Stop error 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) to occur. + +## Turn on and configure UWF + +UWF is an optional component and isn't enabled by default in Windows 10. You must [turn on UWF](uwf-turnonuwf.md) before you can configure it. + +## UWF overlay + +You can choose the type of overlay, reserved space and persistence after a reboot. + +To increase uptime, set up monitoring to check if your overlay is filling up. At certain levels, your device can warn users and/or reboot the device. + +To learn more, see [UWF Overlay location and size](uwfoverlay.md). + +## Volumes + +A volume is a logical unit that represents an area of persistent storage to the file system that is used by the OS such as: + +- A single physical storage device, such as a hard disk +- A single partition on a physical storage device with multiple partitions +- Span across multiple physical storage devices + +For example, a collection of hard disks in a RAID array can be represented as a single volume to the OS. + +When you configure UWF to protect a volume, you can specify the volume by using either a drive letter or the volume device identifier. To determine the device identifier for a volume, query the **DeviceID** property in the **Win32_Volume** WMI class. + +If you specify a volume using a drive letter, UWF uses *loose binding* to recognize the volume. With *loose binding*, drive letters are assigned dynamically as the volume configuration changes. + +If you specify a volume using the volume device identifier, UWF uses *tight binding* to recognize the volume. With *tight binding*, the device identifier is unique to the storage volume and is independent from the drive letter assigned to the volume by the file system. + +## Exclusions + +You can add specific files, folders, and registry keys to the [write filter exclusion](uwfexclusions.md) list to prevent them from being filtered. + +## UWF servicing mode + +When a device is protected with UWF, you must use UWF servicing mode commands to service the device and apply updates to an image. You can use UWF servicing mode to apply Windows updates, antimalware signature file updates, and custom software or third-party software updates. + +For more information about how to use UWF servicing mode to apply software updates to your device, see [Service UWF-protected devices](service-uwf-protected-devices.md). + +## Troubleshooting UWF + +UWF uses Windows Event Log to log events, errors and messages related to overlay consumption, configuration changes, and servicing. + +For more information about how to find event log information for troubleshooting problems with Unified Write Filter (UWF), see [Troubleshooting Unified Write Filter (UWF)](uwftroubleshooting.md). + +## Related articles + +- [Unbranded Boot](../unbranded-boot/index.md) +- [Custom Logon](../custom-logon/index.md) +- [Shell Launcher](../shell-launcher/index.md) diff --git a/windows/configuration/unified-write-filter/service-uwf-protected-devices.md b/windows/configuration/unified-write-filter/service-uwf-protected-devices.md new file mode 100644 index 00000000000..0891306f216 --- /dev/null +++ b/windows/configuration/unified-write-filter/service-uwf-protected-devices.md @@ -0,0 +1,35 @@ +--- +title: Service UWF-protected devices +description: Service UWF-protected devices +ms.date: 10/02/2018 +ms.topic: reference +--- + +# Service UWF-protected devices + +To update your devices, use UWF servicing mode. UWF servicing mode allows you to apply Windows updates, anti-malware signature file updates, and custom software or third-party software updates. + +Normally, when the Unified Write Filter (UWF) is active, system updates are disabled, as they would be erased when the overlay is cleared. + +When UWF servicing mode is triggered, Windows does the following: + +1. Clears the UWF overlay +1. Reboots the devices +1. Triggers a system maintenance hour +1. Disables the UWF filter +1. Scans for and applies Windows updates +1. Scans for and applies app updates from the Microsoft store +1. After servicing is complete, it re-enables the UWF filter and resumes UWF protection + +>[!NOTE] +> Servicing mode requires that all user accounts on the system have a password. If there's a user account that doesn't include a password, UWF servicing fails. + +## In this section + +| Article | Description | +|:------------------------------------------|:-----------------------------------------------------------------------------------| +| [Anti-malware support on UWF-protected devices](uwf-antimalware-support.md) |Describes the procedures to add support for Microsoft Defender and System Center Endpoint Protection (SCEP/Forefront) anti-malware to your UWF-protected devices. | +| [Apply OEM updates to UWF-protected devices](uwf-apply-windows-updates.md) |Provides information about how to apply OEM updates to a UWF-protected device. | +| [Apply Windows updates to UWF-protected devices](uwf-apply-windows-updates.md) | Describes the procedures to apply Windows updates to your UWF-protected devices. | +| [UWF master servicing script](uwf-master-servicing-script.md) | Provides information about the UWF master servicing script (UwfServicingMasterScript.cmd). | +| [UWF servicing screen saver](uwf-servicing-screen-saver.md) | Provides information about how to modify the default UWF servicing screen saver. | diff --git a/windows/configuration/unified-write-filter/toc.yml b/windows/configuration/unified-write-filter/toc.yml new file mode 100644 index 00000000000..d8105e71ecb --- /dev/null +++ b/windows/configuration/unified-write-filter/toc.yml @@ -0,0 +1,126 @@ + +items: +- name: Unified Write Filter + items: + - name: Overview + href: index.md + - name: Hibernate Once/Resume Many (HORM) + href: hibernate-once-resume-many-horm.md + - name: Exclusions + href: uwfexclusions.md + - name: Overlay + href: uwfoverlay.md + - name: Enable + href: uwf-turnonuwf.md + - name: Command Line Utility (uwfmgr.exe) + href: uwfmgrexe.md + - name: Servicing + items: + - name: Servicing protected devices + href: service-uwf-protected-devices.md + - name: Antimalware support + href: uwf-antimalware-support.md + - name: Windows Updates + href: uwf-apply-windows-updates.md + - name: OEM Updates + href: uwf-apply-oem-updates.md + - name: Servicing master script + href: uwf-master-servicing-script.md + - name: Servicing screen saver + href: uwf-servicing-screen-saver.md + - name: Troubleshooting + href: uwftroubleshooting.md + - name: WMI Provider Reference + items: + - name: Overview + href: uwf-wmi-provider-reference.md + - name: Class UWF_ExcludedFile + href: uwf-excludedfile.md + - name: Class UWF_ExcludedRegistryKey + href: uwf-excludedregistrykey.md + - name: Class UWF_Filter + items: + - name: Overview + href: uwf-filter.md + - name: Disable + href: uwf-filterdisable.md + - name: Enable + href: uwf-filterdisable.md + - name: ResetSettings + href: uwf-filterresetsettings.md + - name: RestartSystem + href: uwf-filterrestartsystem.md + - name: ShutdownSystem + href: uwf-filtershutdownsystem.md + - name: Class UWF_Overlay + items: + - name: Overview + href: uwf-overlay.md + - name: GetOverlayFiles + href: uwf-overlaygetoverlayfiles.md + - name: OverlayFile + href: uwf-overlayfile.md + - name: SetCriticalThreshold + href: uwf-overlaysetcriticalthreshold.md + - name: SetWarningThreshold + href: uwf-overlaysetwarningthreshold.md + - name: Class UWF_OverlayConfig + items: + - name: Overview + href: uwf-overlayconfig.md + - name: SetMaximumSize + href: uwf-overlayconfigsetmaximumsize.md + - name: SetType + href: uwf-overlayconfigsettype.md + - name: Class UWF_RegistryFilter + items: + - name: Overview + href: uwf-registryfilter.md + - name: AddExclusion + href: uwf-registryfilteraddexclusion.md + - name: CommitRegistry + href: uwf-registryfiltercommitregistry.md + - name: CommitRegistryDeletion + href: uwf-registryfiltercommitregistrydeletion.md + - name: FindExclusion + href: uwf-registryfilterfindexclusion.md + - name: GetExclusions + href: uwf-registryfiltergetexclusions.md + - name: RemoveExclusion + href: uwf-registryfilterremoveexclusion.md + - name: Class UWF_Servicing + items: + - name: Overview + href: uwf-servicing.md + - name: Disable + href: uwf-servicingdisable.md + - name: Enable + href: uwf-servicingenable.md + - name: UpdateWindows + href: uwf-servicingupdatewindows.md + - name: Class UWF_Volume + items: + - name: Overview + href: uwf-volume.md + - name: AddExclusion + href: uwf-volumeaddexclusion.md + - name: CommitFile + href: uwf-volumecommitfile.md + - name: CommitFileDeletion + href: uwf-volumecommitfiledeletion.md + - name: FindExclusion + href: uwf-volumefindexclusion.md + - name: GetExclusions + href: uwf-volumegetexclusions.md + - name: protect + href: uwf-volumeprotect.md + - name: RemoveAllExclusions + href: uwf-volumeremoveallexclusions.md + - name: RemoveExclusion + href: uwf-volumeremoveexclusion.md + - name: SetBindByDriveLetter + href: uwf-volumesetbindbydriveletter.md + - name: Unprotect + href: uwf-volumeunprotect.md + - name: Migration from Enhanced Write Filter + href: uwf-wes7-ewf-to-win10-uwf.md \ No newline at end of file diff --git a/windows/configuration/unified-write-filter/uwf-antimalware-support.md b/windows/configuration/unified-write-filter/uwf-antimalware-support.md new file mode 100644 index 00000000000..9dfd69b37d2 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-antimalware-support.md @@ -0,0 +1,73 @@ +--- +title: Antimalware support on UWF-protected devices +description: Antimalware support on UWF-protected devices +ms.date: 05/02/2017 +ms.topic: reference +--- + +# Antimalware support on UWF-protected devices + +Learn how to enable antimalware support on your USB Filter-enabled Windows 10 Enterprise device. + +When using antimalware software on your Unified Write Filter (UWF)-protected device, you must add the required file and registry exclusions that enable the software to apply updates to signature files and persist changes to the device after a system restart. + +## Add support for Microsoft Defender on UWF-protected devices + +Add these exclusions to UWF: + +1. File exclusions + + ```text + C:\Program Files\Windows Defender + C:\ProgramData\Microsoft\Windows Defender + C:\Windows\WindowsUpdate.log + C:\Windows\Temp\MpCmdRun.log + ``` + +1. Registry exclusions + + ```reg + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend + ``` + + > [!NOTE] + > If a Windows IoT Enterprise computer stops responding during Windows startup, see [Windows doesn't start after you exclude UWF from Microsoft Defender](/troubleshoot/windows-client/performance/windows-hangs-on-startup-after-excluding-uwf-from-microsoft-defender) for a workaround. This issue impacts: + > + > - Windows 10 IoT Enterprise, version 21H1 + > - Windows 10 IoT Enterprise, version 21H2 + > - Windows 10 IoT Enterprise, version 22H1 + > - Windows 10 IoT Enterprise LTSC 2016 + > - Windows 10 IoT Enterprise LTSC 2019 + > - Windows 10 IoT Enterprise LTSC 2021 + > - Windows 11 IoT Enterprise + +## Add support for System Center Endpoint Protection on UWF-protected devices + +Add these exclusions to UWF: + +1. File exclusions + + ```txt + C:\Program Files\Microsoft Security Client + C:\Windows\Windowsupdate.log + C:\Windows\Temp\Mpcmdrun.log + C:\ProgramData\Microsoft\Microsoft Antimalware + ``` + +1. Registry exclusions + + ```reg + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware + ``` + +> [!NOTE] +> Windows 10 Enterprise doesn't include System Center Endpoint Protection. You can purchase licenses and install System Center Endpoint Protection independently. + +## Related articles + +- [Service UWF-protected devices](service-uwf-protected-devices.md) diff --git a/windows/configuration/unified-write-filter/uwf-apply-oem-updates.md b/windows/configuration/unified-write-filter/uwf-apply-oem-updates.md new file mode 100644 index 00000000000..cb9ea97d956 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-apply-oem-updates.md @@ -0,0 +1,42 @@ +--- +title: Apply OEM updates to UWF-protected devices +description: Apply OEM updates to UWF-protected devices +ms.date: 05/02/2017 +ms.topic: reference +--- + +# Apply OEM updates to UWF-protected devices + +To apply OEM updates on a Unified Write Filter (UWF)-protected Windows 10 device, you can modify the UPDATE\_SUCCESS block of UWF master servicing script (UwfServicingMasterScript.cmd) to call a custom OEM script that applies any required OEM updates. The OEM script should return control back to the UWF Master Servicing Script when finished. + +The UWF Master Servicing Script (UwfServicingMasterScript.cmd) is located in the \Windows\System32 folder. + +## UPDATE_SUCCESS (UwfServicingMasterScript.cmd) + +The UPDATE_SUCCESS block of the UWF master servicing script follows: + +```powershell +:UPDATE_SUCCESS +echo UpdateAgent returned success. +REM +REM echo UpdateAgent executing OEM script +REM OEM can call their custom scripts +REM at this point through a "call". +REM +REM The OEM script should hand control +REM back to this script once complete. +REM +REM Any error recovery for OEM script +REM should be handled outside of this script +REM post a reboot. +REM +uwfmgr servicing disable +echo Restarting system +goto UPDATE_EXIT +``` + +## Related articles + +- [Service UWF-protected devices](service-uwf-protected-devices.md) +- [UWF master servicing script](uwf-master-servicing-script.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-apply-windows-updates.md b/windows/configuration/unified-write-filter/uwf-apply-windows-updates.md new file mode 100644 index 00000000000..02d0791dc87 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-apply-windows-updates.md @@ -0,0 +1,69 @@ +--- +title: Apply Windows updates to UWF-protected devices +description: Apply Windows updates to UWF-protected devices +ms.date: 05/02/2017 +ms.topic: reference +--- + +# Apply Windows updates to UWF-protected devices + +When a device is protected with Unified Write Filter (UWF), you must use UWF servicing mode commands to service the device and apply updates to an image. + +UWF servicing mode uses the following files to when it applies Windows updates to your device: + +- UWFMgr.exe command-line tool +- UwfServicingScr.scr screen saver +- UwfServicingMasterScript.cmd script + +> [!NOTE] +> The master servicing script can be modified to service third-party applications, service custom OEM applications, or call custom OEM servicing scripts. + +UWF servicing supports the following types of Windows updates: + +- Critical updates +- Security updates +- Driver updates + +## Enable Servicing Mode + +1. To apply Windows updates to your device, at an administrator command prompt, type the following command: + + ```cmd + uwfmgr.exe servicing enable + ``` + +1. Restart the device. Use either command. + + ```cmd + uwfmgr.exe filter restart + ``` + + ```cmd + shutdown /r /t 0 + ``` + +On restart, the device automatically signs in to the servicing account and servicing starts. + +> [!IMPORTANT] +> The default servicing account that is automatically created and used for servicing is named **UWF-Servicing**. It's important that you don't have a user account that has that same name on a device before starting UWF servicing. + +Once servicing has started, no user interaction is required. The system may restart if it's required by the Windows updates that are installing. If a restart is required, the system reenters servicing mode on restart and continues until all updates are installed. + +While servicing is underway, the UwfServicingScr.scr screen saver displays on the device. + +> [!NOTE] +> The UwfServicingScr.scr screen saver that is included with Windows 10 Enterprise is a standard Windows screen saver and can be replaced by a custom OEM screen saver if necessary. + +When Windows update servicing is finished, the system disables UWF servicing and restarts the system with UWF-protection enabled and all file and registry exclusions restored to their original pre-servicing state. + +> [!NOTE] +> During UWF servicing in Windows 10 Enterprise, Windows Update automatically accepts all Microsoft Software License Terms. + +> [!NOTE] +> If Windows updates can't be installed or return an error, servicing is disabled and the system restarts with UWF-protection re-enabled and all file and registry exclusions restored to their original pre-servicing state. + +## Related articles + +- [Unified Write Filter]( index.md) +- [UWF master servicing script](uwf-master-servicing-script.md) +- [UWF servicing screen saver](uwf-servicing-screen-saver.md) diff --git a/windows/configuration/unified-write-filter/uwf-excludedfile.md b/windows/configuration/unified-write-filter/uwf-excludedfile.md new file mode 100644 index 00000000000..4ede7c857b7 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-excludedfile.md @@ -0,0 +1,51 @@ +--- +title: UWF_ExcludedFile +description: UWF_ExcludedFile +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_ExcludedFile + +Contains the files and folders that are currently in the file exclusion list for a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +class UWF_ExcludedFile { + [Read] string FileName; +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Properties + +| Property | Data type | Qualifier | Description | +|----------|-----------|-----------|-------------| +| FileName | string | [read] | The name of the file or folder path in the file exclusion list, including the full path relative to the volume. | + +### Remarks + +UWF_ExcludedFile does not represent an actual WMI object, and you cannot use this class to get or set file exclusions. + +You must use the [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md) method to retrieve UWF_ExcludedFile objects. + +You can use the [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) and [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) methods to add or remove file and folder exclusions to a volume. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-excludedregistrykey.md b/windows/configuration/unified-write-filter/uwf-excludedregistrykey.md new file mode 100644 index 00000000000..6ed0903f551 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-excludedregistrykey.md @@ -0,0 +1,51 @@ +--- +title: UWF_ExcludedRegistryKey +description: UWF_ExcludedRegistryKey +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_ExcludedRegistryKey + +Contains the registry keys that are currently in the registry key exclusion list for Unified Write Filter (UWF). + +## Syntax + +```powershell +class UWF_ExcludedRegistryKey { + [Read] string RegistryKey; +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Properties + +| Property | Data type | Qualifier | Description | +|-------------|----------------|-----------|-------------| +| RegistryKey | string | [read] | The full path of the registry key in the registry key exclusion list. | + +### Remarks + +UWF_ExcludedRegistryKeydoes not represent an actual WMI object, and you cannot use this class to get or set registry key exclusions. + +You can use the [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) or [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) methods to retrieve UWF_ExcludedRegistryKey objects. + +You can use the [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) and [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) methods to add or remove registry keys to the UWF registry key exclusion list. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-filter.md b/windows/configuration/unified-write-filter/uwf-filter.md new file mode 100644 index 00000000000..4d209d93e28 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-filter.md @@ -0,0 +1,169 @@ +--- +title: UWF_Filter +description: UWF_Filter +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Filter + +Enables or disables Unified Write Filter (UWF), resets configuration settings for UWF, and shuts down or restarts your device. + +## Syntax + +```powershell +class UWF_Filter{ + [key] string Id; + [read] boolean CurrentEnabled; + [read] boolean NextEnabled; + UInt32 Enable(); + UInt32 Disable(); + UInt32 ResetSettings(); + UInt32 ShutdownSystem(); + UInt32 RestartSystem(); +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Methods + +| Methods | Description | +|----------|-------------| +| [UWF_Filter.Enable](uwf-filterenable.md) | Enables UWF on the next restart. | +| [UWF_Filter.Disable](uwf-filterdisable.md) | Disables UWF on the next restart. | +| [UWF_Filter.ResetSettings](uwf-filterresetsettings.md) | Restores UWF settings to the original state that was captured at install time. | +| [UWF_Filter.ShutdownSystem](uwf-filtershutdownsystem.md) |Safely shuts down a system protected by UWF, even if the overlay is full. | +| [UWF_Filter.RestartSystem](uwf-filterrestartsystem.md) | Safely restarts a system protected by UWF, even if the overlay is full. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| **Id** | string | [key] | A unique ID. This is always set to **UWF_Filter** | +| **CurrentEnabled** | Boolean | [read] | Indicates if UWF is enabled for the current session. | +| **NextEnabled** | Boolean | [read] | Indicates if UWF is enabled after the next restart. | + +### Remarks + +You must use an administrator account to make any changes to the configuration settings for UWF. Users with any kind of account can read the current configuration settings. + +## Example + +The following example demonstrates how to enable or disable UWF by using the WMI provider in a PowerShell script. + +The PowerShell script creates three functions to help enable or disable UWF. It then demonstrates how to use each function. + +The first function, `Disable-UWF`, retrieves a WMI object for **UWF_Filter**, and calls the **Disable()** method to disable UWF after the next device restart. + +The second function, `Enable-UWF`, retrieves a WMI object for **UWF_Filter**, and calls the **Enable()** method to enable UWF after the next device restart. + +The third function, `Display-UWFState`, examines the properties of the **UWF_Filter** object, and prints out the current settings for **UWF_Filter**. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a function to disable the Unified Write Filter driver after the next restart. +function Disable-UWF() { + +# Retrieve the UWF_Filter settings. + $objUWFInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Filter; + + if(!$objUWFInstance) { + "Unable to retrieve Unified Write Filter settings." + return; + } + +# Call the method to disable UWF after the next restart. This sets the NextEnabled property to false. + + $retval = $objUWFInstance.Disable(); + +# Check the return value to verify that the disable is successful + if ($retval.ReturnValue -eq 0) { + "Unified Write Filter will be disabled after the next system restart." + } else { + "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue + } +} + +# Create a function to enable the Unified Write Filter driver after the next restart. +function Enable-UWF() { + +# Retrieve the UWF_Filter settings. + $objUWFInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Filter; + + if(!$objUWFInstance) { + "Unable to retrieve Unified Write Filter settings." + return; + } + +# Call the method to enable UWF after the next restart. This sets the NextEnabled property to false. + + $retval = $objUWFInstance.Enable(); + +# Check the return value to verify that the enable is successful + if ($retval.ReturnValue -eq 0) { + "Unified Write Filter will be enabled after the next system restart." + } else { + "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue + } +} + +# Create a function to display the current settings of the Unified Write Filter driver. +function Display-UWFState() { + +# Retrieve the UWF_Filter object + $objUWFInstance = Get-WmiObject -Namespace $NAMESPACE -Class UWF_Filter; + + if(!$objUWFInstance) { + "Unable to retrieve Unified Write Filter settings." + return; + } + +# Check the CurrentEnabled property to see if UWF is enabled in the current session. + if($objUWFInstance.CurrentEnabled) { + $CurrentStatus = "enabled"; + } else { + $CurrentStatus = "disabled"; + } + +# Check the NextEnabled property to see if UWF is enabled or disabled after the next system restart. + if($objUWFInstance.NextEnabled) { + $NextStatus = "enabled"; + } else { + $NextStatus = "disabled"; + } +} + +# Some examples of how to call the functions + +Display-UWFState + +"Enabling Unified Write Filter" +Enable-UWF + +Display-UWFState + +"Disabling Unified Write Filter" +Disable-UWF + +Display-UWFState +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-filterdisable.md b/windows/configuration/unified-write-filter/uwf-filterdisable.md new file mode 100644 index 00000000000..c6ada6a1889 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-filterdisable.md @@ -0,0 +1,43 @@ +--- +title: UWF_Filter.Disable +description: UWF_Filter.Disable +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Filter.Disable + +Disables Unified Write Filter (UWF) on the next restart. + +## Syntax + +```powershell +UInt32 Disable(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to disable UWF. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Filter](uwf-filter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-filterenable.md b/windows/configuration/unified-write-filter/uwf-filterenable.md new file mode 100644 index 00000000000..9789518d3fa --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-filterenable.md @@ -0,0 +1,66 @@ +--- +title: UWF_Filter.Enable +description: UWF_Filter.Enable +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Filter.Enable + +Enables Unified Write Filter (UWF) on the next restart. + +## Syntax + +```powershell +UInt32 Enable(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to enable UWF. + +You must restart your device after you enable or disable UWF before the change takes effect. + +The first time you enable UWF on your device, UWF makes the following changes to your system to improve the performance of UWF: + +- Paging files are disabled. +- System restore is disabled. +- SuperFetch is disabled. +- File indexing service is turned off. +- Defragmentation service is turned off. +- Fast boot is disabled. +- BCD setting **bootstatuspolicy** is set to **ignoreallfailures**. + +You can change these settings after you enable UWF if you want to. For example, you can move the page file location to an unprotected volume and re-enable paging files. + +Additionally, after you run `uwfmgr filter enable`, restart the computer and exit the servicing mode, the following things are disabled: + +- Windows Update by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` +- Windows Store Update by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload` +- Registry Reorganization by setting `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Configuration Manager\RegistryReorganizationLimitDays` +- Maintenance Hour by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled` + +After you run `uwfmgr filter disable`, restart the computer and enter the serving mode, the changes are reverted. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Filter](uwf-filter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-filterresetsettings.md b/windows/configuration/unified-write-filter/uwf-filterresetsettings.md new file mode 100644 index 00000000000..24528c7d763 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-filterresetsettings.md @@ -0,0 +1,47 @@ +--- +title: UWF_Filter.ResetSettings +description: UWF_Filter.ResetSettings +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Filter.ResetSettings + +Restores UWF settings to the original configuration settings. + +## Syntax + +```powershell +UInt32 ResetSettings(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to reset UWF settings. + +The original configuration settings are captured the first time that you enable UWF after you add UWF to your device by using **Turn Windows features on or off**. You can change the original configuration settings by using **Turn Windows features on or off** to remove and then add UWF, and then modifying the configuration to the desired state before you enable UWF. + +If you added UWF to your device by using SMI settings in an unattend.xml file, the original configuration settings are captured when Windows 10 Enterprise is installed on your device. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Filter](uwf-filter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-filterrestartsystem.md b/windows/configuration/unified-write-filter/uwf-filterrestartsystem.md new file mode 100644 index 00000000000..d442c0ff841 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-filterrestartsystem.md @@ -0,0 +1,48 @@ +--- +title: UWF_Filter.RestartSystem +description: UWF_Filter.RestartSystem +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Filter.RestartSystem + +Safely restarts a system protected by UWF, even if the overlay is full. + +## Syntax + +```powershell +UInt32 RestartSystem(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to call this method. +You can't run on WMI providers; it's only available from Intune/CSP. + +If the overlay is full, or near full, shutting down or restarting the system normally can cause the system to take a long time to shut down. This occurs when the system repeatedly tries to write files during shutdown, which constantly fail due to the overlay being full. You can call this method to safely restart a system by avoiding this scenario. + +If the overlay becomes full while the system is performing a large number of writes, such as copying a large group of files, calling this method can still result in a long shutdown time. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Filter](uwf-filter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-filtershutdownsystem.md b/windows/configuration/unified-write-filter/uwf-filtershutdownsystem.md new file mode 100644 index 00000000000..60cd1b79d92 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-filtershutdownsystem.md @@ -0,0 +1,47 @@ +--- +title: UWF_Filter.ShutdownSystem +description: UWF_Filter.ShutdownSystem +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Filter.ShutdownSystem + +Safely shuts down a system protected by UWF, even if the overlay is full. + +## Syntax + +```powershell +UInt32 ShutdownSystem(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to call this method. + +If the overlay is full, or near full, shutting down or restarting the system normally can cause the system to take an extremely long time to shut down. This occurs when the system repeatedly tries to write files during shutdown, which constantly fail due to the overlay being full. You can call this method to safely shut down a system by avoiding this scenario. + +If the overlay becomes full while the system is performing a large number of writes, such as copying a large group of files, calling this method can still result in a long shutdown time. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Filter](uwf-filter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-master-servicing-script.md b/windows/configuration/unified-write-filter/uwf-master-servicing-script.md new file mode 100644 index 00000000000..502d9324994 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-master-servicing-script.md @@ -0,0 +1,88 @@ +--- +title: UWF master servicing script +description: UWF master servicing script +ms.date: 05/02/2017 +ms.topic: reference +--- + +# UWF master servicing script + +The UWF master servicing script (UwfServicingMasterScript.cmd) is located in the \\Windows\\System32 folder. + +## UwfServicingMasterScript.cmd + +The full UWF master servicing script follows: + +```powershell +REM servicing of the device with UWF installed. The script will +REM call UWF manager application to update the system with the +REM latest available updates. +REM The script will detect whether the update operation +REM ended successfully or requires a reboot. +REM +REM The script will change the "SERVICING" state of the device +REM only when the update operation results in a "SUCCESS". +REM A state change of the device requires a reboot. +REM +REM If the update operation requires a "REBOOT" the script will +REM reboot device without changing the "SERVICING" state. The +REM Will then run again on the following reboot until +REM the update operation either return a "SUCCESS" or a "ERROR" +REM +REM Any third-party script that needs to run before the state +REM change should run in the UPDATE_SUCCESS block +REM +REM Environment : +REM It is expected that UWF is turned "OFF", "SERVICING" mode +REM enabled and all other preconditions +REM for servicing are in place. +REM +REM +REM + + +echo UpdateAgent starting. +uwfmgr servicing update-windows +if ERRORLEVEL 3010 goto UPDATE_REBOOT +if ERRORLEVEL 0 goto UPDATE_SUCCESS +echo UpdateAgent returned error =%ERRORLEVEL% + +:UPDATE_ERROR +uwfmgr servicing disable +echo Restarting system +goto UPDATE_EXIT + +:UPDATE_REBOOT +echo UpdateAgent requires a reboot. +echo UpdateAgent restarting system +goto UPDATE_EXIT + +:UPDATE_SUCCESS +echo UpdateAgent returned success. +REM +REM echo UpdateAgent executing OEM script +REM OEM can call their custom scripts +REM at this point through a "call". +REM +REM The OEM script should hand control +REM back to this script once it is done. +REM +REM Any error recovery for OEM script +REM should be handled outside of this script +REM post a reboot. +REM +uwfmgr servicing disable +echo Restarting system +goto UPDATE_EXIT + +:UPDATE_EXIT +echo UpdateAgent exiting. +shutdown -r -t 5 +EXIT /B +``` + +## Related articles + +[Service UWF-protected devices](service-uwf-protected-devices.md) + +[Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlay.md b/windows/configuration/unified-write-filter/uwf-overlay.md new file mode 100644 index 00000000000..db7a523a512 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlay.md @@ -0,0 +1,164 @@ +--- +title: UWF_Overlay +description: UWF_Overlay +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Overlay + +Contains the current size of the Unified Write Filter (UWF) overlay and manages the critical and warning thresholds for the overlay size. + +## Syntax + +```powershell +class UWF_Overlay { + [key] string Id; + [read] UInt32 OverlayConsumption; + [read] UInt32 AvailableSpace; + [read] UInt32 CriticalOverlayThreshold; + [read] UInt32 WarningOverlayThreshold; + + UInt32 GetOverlayFiles( + [in] string Volume, + [out, EmbeddedInstance("UWF_OverlayFile")] string OverlayFiles[] + ); + UInt32 SetWarningThreshold( + UInt32 size + ); + UInt32 SetCriticalThreshold( + UInt32 size + ); +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +| Methods | Description | +|---------|-------------| +| [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) | Returns a list of files of a volume that were cached in the UWF overlay. | +| [UWF_Overlay.SetWarningThreshold](uwf-overlaysetwarningthreshold.md) | Sets the warning threshold for monitoring the size of the UWF overlay. | +| [UWF_Overlay.SetCriticalThreshold](uwf-overlaysetcriticalthreshold.md) | Sets the critical warning threshold for monitoring the size of the UWF overlay. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| ID | string | [key] | A unique ID. This is always set to **UWF_Overlay**. | +| OverlayConsumption | Uint32 | [read] | The current size, in megabytes, of the UWF overlay. | +| AvailableSpace | Uint32 | [read] | The amount of free space, in megabytes, available to the UWF overlay. | +| CriticalOverlayThreshold | Uint32 | [read] | The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value. | +| WarningOverlayThreshold | Uint32 | [read] | The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value. | + +### Examples + +The following example demonstrates how to use the UWF overlay by using the WMI provider in a PowerShell script. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Function to set the Unified Write Filter overlay warning threshold + +function Set-OverlayWarningThreshold($ThresholdSize) { + +# Retrieve the overlay WMI object + + $OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay; + + if(!$OverlayInstance) { + "Unable to get handle to an instance of the UWF_Overlay class" + return; + } + +# Call the instance method to set the warning threshold value + + $retval = $OverlayInstance.SetWarningThreshold($ThresholdSize); + +# Check the return value to verify that setting the warning threshold is successful + + if ($retval.ReturnValue -eq 0) { + "Overlay warning threshold has been set to " + $ThresholdSize + " MB" + } else { + "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue + } +} + +# Function to set the Unified Write Filter overlay critical threshold + +function Set-OverlayCriticalThreshold($ThresholdSize) { + +# Retrieve the overlay WMI object + + $OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay; + + if(!$OverlayInstance) { + "Unable to get handle to an instance of the UWF_Overlay class" + return; + } + +# Call the instance method to set the warning threshold value + + $retval = $OverlayInstance.SetCriticalThreshold($ThresholdSize); + +# Check the return value to verify that setting the critical threshold is successful + + if ($retval.ReturnValue -eq 0) { + "Overlay critical threshold has been set to " + $ThresholdSize + " MB" + } else { + "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue + } +} + +# Function to print the current overlay information + +function Get-OverlayInformation() { + +# Retrieve the Overlay WMI object + + $OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay; + + if(!$OverlayInstance) { + "Unable to get handle to an instance of the UWF_Overlay class" + return; + } + +# Display the current values of the overlay properties + + "`nOverlay Consumption: " + $OverlayInstance.OverlayConsumption + "Available Space: " + $OverlayInstance.AvailableSpace + "Critical Overlay Threshold: " + $OverlayInstance.CriticalOverlayThreshold + "Warning Overlay Threshold: " + $OverlayInstance.WarningOverlayThreshold +} + +# Examples of using these functions + +"`nSetting the warning threshold to 768 MB." +Set-OverlayWarningThreshold( 768 ) + +"`nSetting the critical threshold to 896 MB." +Set-OverlayCriticalThreshold( 896 ) + +"`nDisplaying the current state of the overlay." +Get-OverlayInformation +``` + +### Remarks + +Only one **UFW\_Overlay** instance exists for a system protected with UWF. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlayconfig.md b/windows/configuration/unified-write-filter/uwf-overlayconfig.md new file mode 100644 index 00000000000..ff15b1fcb21 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlayconfig.md @@ -0,0 +1,159 @@ +--- +title: UWF_OverlayConfig +description: UWF_OverlayConfig +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_OverlayConfig + +Displays and configures global settings for the Unified Write Filter (UWF) overlay. You can modify the maximum size and the type of the UWF overlay. + +## Syntax + +```powershell +class UWF_OverlayConfig{ + [key, Read] boolean CurrentSession; + [read] UInt32 Type; + [read] SInt32 MaximumSize; + + UInt32 SetType( + UInt32 type + ); + UInt32 SetMaximumSize( + UInt32 size + ); +}; +``` + +## Members + +The following tables list the methods and properties that belong to this class. + +### Methods + +| Method | Description | +|--------|-------------| +| [UWF_OverlayConfig.SetMaximumSize](uwf-overlayconfigsetmaximumsize.md) | Sets the maximum cache size, in megabytes, of the overlay. | +| [UWF_OverlayConfig.SetType](uwf-overlayconfigsettype.md) | Sets the type of the UWF overlay to either RAM-based or disk-based. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| CurrentSession | Boolean | [key, read] | Indicates which session the object contains settings for.
- **True** for the current session
- **False** for the next session that begins after a restart. | +| Type | UInt32 | [read] | Indicates the type of overlay.
- **0** for a RAM-based overlay
- **1** for a disk-based overlay. | +| MaximumSize | SInt32 | [read] | Indicates the maximum cache size, in megabytes, of the overlay. | + +### Remarks + +Changes to the overlay configuration take effect on the next restart in which UWF is enabled. + +Before you can change the **Type** or **MaximumSize** properties, UWF must be disabled in the current session. + +### Example + +The following example demonstrates how to change the maximum size or the storage type of the overlay in UWF by using the Windows Management Instrumentation (WMI) provider in a PowerShell script. + +The PowerShell script creates two functions to modify the overlay configuration. It then demonstrates how to use the functions. The first function, **Set-OverlaySize**, sets the maximum size of the overlay. The second function, **Set-OverlayType**, sets the type of the overlay to RAM-based or disk-based. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define common parameters + +$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER} + +function Set-OverlaySize([UInt32] $size) { + +# This function sets the size of the overlay to which file and registry changes are redirected +# Changes take effect after the next restart + +# $size is the maximum size in MB of the overlay + +# Make sure that UWF is currently disabled + + $UWFFilter = Get-WmiObject -class UWF_Filter @commonParams + + if ($UWFFilter.CurrentEnabled -eq $false) { + +# Get the configuration for the next session after a restart + + $nextConfig = Get-WMIObject -class UWF_OverlayConfig -Filter "CurrentSession = false" @CommonParams; + + if ($nextConfig) { + +# Set the maximum size of the overlay + + $nextConfig.SetMaximumSize($size); + write-host "Set overlay max size to $size MB." + } + } else { + write-host "UWF must be disabled in the current session before you can change the overlay size." + } +} + +function Set-OverlayType([UInt32] $overlayType) { + +# This function sets the type of the overlay to which file and registry changes are redirected +# Changes take effect after the next restart + +# $overlayType is the type of storage that UWF uses to maintain the overlay. 0 = RAM-based; 1 = disk-based. + + $overlayTypeText = @("RAM-based", "disk-based") + +# Make sure that the overlay type is a valid value + + if ($overlayType -eq 0 -or $overlayType -eq 1) { + +# Make sure that UWF is currently disabled + + $UWFFilter = Get-WmiObject -class UWF_Filter @commonParams + + if ($UWFFilter.CurrentEnabled -eq $false) { + +# Get the configuration for the next session after a restart + + $nextConfig = Get-WMIObject -class UWF_OverlayConfig -Filter "CurrentSession = false" @CommonParams; + + if ($nextConfig) { + +# Set the type of the overlay + + $nextConfig.SetType($overlayType); + write-host "Set overlay type to $overlayTypeText[$overlayType]." + } + } else { + write-host "UWF must be disabled in the current session before you can change the overlay type." + } + } else { + write-host "Invalid value for overlay type. Valid values are 0 (RAM-based) or 1 (disk-based)." + } +} + +# The following sample commands demonstrate how to use the functions to change the overlay configuration + +$RAMMode = 0 +$DiskMode = 1 + +Set-OverlaySize 2048 + +Set-OverlayType $DiskMode +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) + +[Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlayconfigsetmaximumsize.md b/windows/configuration/unified-write-filter/uwf-overlayconfigsetmaximumsize.md new file mode 100644 index 00000000000..82755919f7b --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlayconfigsetmaximumsize.md @@ -0,0 +1,55 @@ +--- +title: UWF_OverlayConfig.SetMaximumSize +description: UWF_OverlayConfig.SetMaximumSize +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_OverlayConfig.SetMaximumSize + +Sets the maximum cache size of the Unified Write Filter (UWF) overlay. + +## Syntax + +```powershell +UInt32 SetMaximumSize( + UInt32 size +); +``` + +## Parameters + +**size**
An integer that represents the maximum cache size, in megabytes, of the overlay. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +When the size of the overlay reaches the *size* value, UWF returns an error for any attempt to write to a protected volume. + +If the overlay type is disk-based, your device must meet the following requirements to change the maximum size of the overlay. + +- UWF must be disabled in the current session. +- The *size* value must be at least 1024. +- The system volume on your device must have available free space greater than the new maximum size value. + +If the overlay type is RAM-based, your device must meet the following requirement to change the maximum size of the overlay. + +- UWF must be disabled in the current session. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_OverlayConfig](uwf-overlayconfig.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlayconfigsettype.md b/windows/configuration/unified-write-filter/uwf-overlayconfigsettype.md new file mode 100644 index 00000000000..af23ce50dcb --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlayconfigsettype.md @@ -0,0 +1,58 @@ +--- +title: UWF_OverlayConfig.SetType +description: UWF_OverlayConfig.SetType +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_OverlayConfig.SetType + +Sets the type of the Unified Write Filter (UWF) overlay to either RAM-based or disk-based. + +## Syntax + +```powershell +UInt32 SetType( + UInt32 type +); +``` + +## Parameters + +**type**
The type of overlay. Set to **0** for a RAM-based overlay; set to **1** for a disk-based overlay. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Changes to the overlay type take effect during the next device restart in which UWF is enabled. + +When you change the overlay type from RAM-based to disk-based, UWF creates a file on the system volume. The file has a size equal to the **MaximumSize** property of [UWF_OverlayConfig](uwf-overlayconfig.md). + +Before you can change the overlay type to disk-based, your device must meet the following requirements. + +- UWF must be disabled in the current session. +- The system volume on your device must have available free space greater than the maximum size of the overlay. +- The maximum size of the overlay must be at least 1024 MB. + +Before you can change the overlay type to RAM-based, your device must meet the following requirements. + +- UWF must be disabled in the current session. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_OverlayConfig](uwf-overlayconfig.md) +- [Overlay for Unified Write Filter (UWF)](uwfoverlay.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlayfile.md b/windows/configuration/unified-write-filter/uwf-overlayfile.md new file mode 100644 index 00000000000..9a0887c3c09 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlayfile.md @@ -0,0 +1,51 @@ +--- +title: UWF_OverlayFile +description: UWF_OverlayFile +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_OverlayFile + +Contains a file that is currently in the overlay for a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +class UWF_OverlayFile { + [read] string FileName; + [read] UInt64 FileSize; +}; +``` + +## Members + +The following table lists any properties that belong to this class. + +### Properties + +| Property | Data type | Qualifier | Description | +|----------|----------------|-----------|-------------| +| FileName | string | [read] | The name of the file in the file overlay. | +| FileSize | UInt64 | [read] | The size of the file in the file overlay. | + +### Remarks + +You cannot use the **UWF_ OverlayFile** class directly to get overlay files. You must use the **UWF_Overlay.GetOverlayFiles** method to retrieve **UWF_ OverlayFile** objects. + +For more information about specific limitations and conditions when using the **GetOverlayFiles** method, see the **Remarks** section in the [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) topic in the UWF WMI provider technical reference. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlaygetoverlayfiles.md b/windows/configuration/unified-write-filter/uwf-overlaygetoverlayfiles.md new file mode 100644 index 00000000000..cc8bba2b300 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlaygetoverlayfiles.md @@ -0,0 +1,67 @@ +--- +title: UWF_Overlay.GetOverlayFiles +description: UWF_Overlay.GetOverlayFiles +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Overlay.GetOverlayFiles + +Returns a list of files of a volume that were cached in the Unified Write Filter (UWF) overlay. + +## Syntax + +```powershell +UInt32 GetOverlayFiles( + [in] string Volume, + [out, EmbeddedInstance("UWF_OverlayFile")] string OverlayFiles[] +); +``` + +## Parameters + +**Volume**
A string that specifies the drive letter or volume name. + +**OverlayFiles**
An array of **UWF_OverlayFiles** objects embedded as strings. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to access this method. + +The **GetOverlayFiles** method is intended to be used as a diagnostic tool. + +Do not base decisions about what to commit based on this method’s output. + +You should be aware of the following limitations: + +- This method is only supported on the NTFS file system. +- This method requires a significant amount of free system memory to succeed (in a linear relationship to overlay usage). The method call fails when there is insufficient memory available to complete the call. +- This method requires significant time to complete (in an exponential relationship to overlay usage). +- This method may show files that are affected by seemingly unrelated operations to both registry and file exclusions and commits. + +You should also be aware of the following items when you use the **GetOverlayFiles** method: + +- Files that were committed with the `uwfmgr.exe file commit` command are also contained in the overlay files list. +- Excluded files may be contained in the overlay files list. +- Files that are smaller than the cluster size (for example, 4 KB in most cases) will not be listed even if they are cached in overlay. +- Changes and deletions in excluded directories, excluded files, or excluded registry items add to overlay usage. +- File and registry commits add to overlay usage. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Overlay](uwf-overlay.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlaysetcriticalthreshold.md b/windows/configuration/unified-write-filter/uwf-overlaysetcriticalthreshold.md new file mode 100644 index 00000000000..687ef6b6b1b --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlaysetcriticalthreshold.md @@ -0,0 +1,51 @@ +--- +title: UWF_Overlay.SetCriticalThreshold +description: UWF_Overlay.SetCriticalThreshold +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Overlay.SetCriticalThreshold + +Sets the critical threshold for monitoring the size of the Unified Write Filter (UWF) overlay. + +## Syntax + +```powershell +UInt32 SetCriticalThreshold( + UInt32 size +); +``` + +## Parameters + +**size**
An integer that represents the size, in megabytes, of the critical threshold level for the overlay. If *size* is 0 (zero), UWF does not raise critical threshold events. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +When the size of the overlay reaches or exceeds the *size* threshold value, UWF writes the following notification event to the event log. + +| Message ID | Event code | Message text | +|------------|------------|--------------| +| UWF_OVERLAY_REACHED_CRITICAL_LEVEL | 0x80010002L | The UWF overlay size has reached CRITICAL level. | + +The critical threshold must be higher than the warning threshold. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Overlay](uwf-overlay.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-overlaysetwarningthreshold.md b/windows/configuration/unified-write-filter/uwf-overlaysetwarningthreshold.md new file mode 100644 index 00000000000..66e7999304a --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-overlaysetwarningthreshold.md @@ -0,0 +1,51 @@ +--- +title: UWF_Overlay.SetWarningThreshold +description: UWF_Overlay.SetWarningThreshold +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Overlay.SetWarningThreshold + +Sets the warning threshold for monitoring the size of the Unified Write Filter (UWF) overlay. + +## Syntax + +```powershell +UInt32 SetWarningThreshold( + UInt32 size +); +``` + +## Parameters + +**size**
An integer that represents the size, in megabytes, of the warning threshold level for the overlay. If *size* is set to 0 (zero), UWF does not raise warning threshold events. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +When the size of the overlay reaches or exceeds the *size* threshold value, UWF writes the following notification event to the event log. + +| Message ID | Event code | Message text | +|------------|------------|--------------| +|UWF_OVERLAY_REACHED_WARNING_LEVEL | 0x80010001L | The UWF overlay size has reached WARNING level. | + +The warning threshold must be lower than the critical threshold. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Overlay](uwf-overlay.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfilter.md b/windows/configuration/unified-write-filter/uwf-registryfilter.md new file mode 100644 index 00000000000..5e6316cb9b4 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfilter.md @@ -0,0 +1,269 @@ +--- +title: UWF_RegistryFilter +description: UWF_RegistryFilter +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter + +Adds or removes registry exclusions from Unified Write Filter (UWF) filtering, and also commits registry changes. + +## Syntax + +```powershell +class UWF_RegistryFilter{ + [key, Read] boolean CurrentSession; + [Read, Write] boolean PersistDomainSecretKey; + [Read, Write] boolean PersistTSCAL; + + UInt32 AddExclusion( + string RegistryKey + ); + UInt32 RemoveExclusion( + string RegistryKey + ); + UInt32 FindExclusion( + [in] string RegistryKey, + [out] boolean bFound + ); + UInt32 GetExclusions( + [out, EmbeddedInstance("UWF_ExcludedRegistryKey")] string ExcludedKeys[] + ); + UInt32 CommitRegistry( + [in] string RegistryKey, + [in] string ValueName + ); + UInt32 CommitRegistryDeletion( + string Registrykey, + string ValueName + ); +}; +``` + +## Members + +The following tables list the methods and properties that belong to this class. + +| Method | Description                                                                           | +|--------|-------------| +| [UWF_RegistryFilter.AddExclusion](uwf-registryfilteraddexclusion.md) | Adds a registry key to the registry exclusion list for UWF. | +| [UWF_RegistryFilter.CommitRegistry](uwf-registryfiltercommitregistry.md) | Commits changes to the specified registry key and value. | +| [UWF_RegistryFilter.CommitRegistryDeletion](uwf-registryfiltercommitregistrydeletion.md) | Deletes the specified registry key or registry value and commits the deletion. | +| [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) | Determines whether a specific registry key is excluded from being filtered by UWF. | +| [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) | Retrieves all registry key exclusions from a system that is protected by UWF | +| [UWF_RegistryFilter.RemoveExclusion](uwf-registryfilterremoveexclusion.md) | Removes a registry key from the registry exclusion list for Unified Write Filter (UWF). | + +### Properties + +| Property | Data type | Qualifiers | Description                                                                       | +|----------|----------------|------------|-------------| +| CurrentSession | Boolean | [key, read] | Indicates which session the object contains settings for.
- **True** if settings are for the current session
- **False** if settings are for the next session that follows a restart. | +| PersistDomainSecretKey | Boolean | [read, write] | Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart.
- **True** to include in the exclusion list
- Otherwise **False**. | +| PersistTSCAL | Boolean | [read, write] | Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart.
- **True** to include in the exclusion list
- Otherwise, set to **False** | + +### Remarks + +Additions or removals of registry exclusions, including changes to the values of **PersistDomainSecretKey** and **PersistTSCAL**, take effect after the next restart in which UWF is enabled. + +You can only add registry keys in the HKLM registry root to the UWF registry exclusion list. + +You can also use **UWF_RegistryFilter** to exclude the domain secret registry key and the TSCAL registry key from UWF filtering. + +### Example + +The following example demonstrates how to manage UWF registry exclusions by using the Windows Management Instrumentation (WMI) provider in a PowerShell script. + +The PowerShell script creates four functions, and then demonstrates how to use them. + +The first function, **Get-RegistryExclusions**, displays a list of UWF registry exclusions for both the current session and the next session that follows a restart. + +The second function, **Add-RegistryExclusion**, adds a registry entry to the UWF registry exclusion list after you restart the device. + +The third function, **Remove-RegistryExclusion**, removes a registry entry from the UWF exclusion list after you restart the device. + +The fourth function, **Clear-RegistryExclusions**, removes all UWF registry exclusions. You must restart the device before UWF stops filtering the exclusions. + +```powershell +$COMPUTER = "EMBEDDEDDEVICE" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define common parameters + +$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER} + +function Get-RegistryExclusions() { + +# This function lists the UWF registry exclusions, both +# for the current session as well as the next session after a restart. + + +# Get the UWF_RegistryFilter configuration for the current session + + $currentConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams | + where { + $_.CurrentSession -eq $true + }; + +# Get the UWF_RegistryFilter configuration for the next session after a restart + + $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams | + where { + $_.CurrentSession -eq $false + }; + +# Display registry exclusions for the current session + + if ($currentConfig) { + + Write-Host "" + Write-Host "The following registry entries are currently excluded from UWF filtering:"; + + $currentExcludedList = $currentConfig.GetExclusions() + + if ($currentExcludedList.ExcludedKeys) { + foreach ($registryExclusion in $currentExcludedList.ExcludedKeys) { + Write-Host " " $registryExclusion.RegistryKey + } + } else { + Write-Host " None" + } + } else { + Write-Error "Could not retrieve UWF_RegistryFilter."; +} + +# Display registry exclusions for the next session after a restart + + if ($nextConfig) { + + Write-Host "" + Write-Host "The following registry entries will be excluded from UWF filtering after the next restart:"; + + $nextExcludedList = $nextConfig.GetExclusions() + + if ($nextExcludedList.ExcludedKeys) { + foreach ($registryExclusion in $nextExcludedList.ExcludedKeys) { + Write-Host " " $registryExclusion.RegistryKey + } + } else { + Write-Host " None" + } + Write-Host "" + } +} + +function Add-RegistryExclusion($exclusion) { + +# This function adds a new UWF registry exclusion. +# The new registry exclusion takes effect the next time the device is restarted and UWF is enabled. + +# $exclusion is the path of the registry exclusion + +# Get the UWF_RegistryFilter configuration for the next session after a restart + + $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams | + where { + $_.CurrentSession -eq $false + }; + +# Add the exclusion + + if ($nextConfig) { + $nextConfig.AddExclusion($exclusion) | Out-Null; + Write-Host "Added exclusion $exclusion."; + } else { + Write-Error "Could not retrieve UWF_RegistryFilter"; + } +} + +function Remove-RegistryExclusion($exclusion) { + +# This function removes a UWF registry exclusion. +# The registry exclusion is removed the next time the device is restarted + +# $exclusion is the path of the registry exclusion + +# Get the UWF_RegistryFilter configuration for the next session after a restart + + $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams | + where { + $_.CurrentSession -eq $false + }; + +# Try to remove the exclusion + + if ($nextConfig) { + try { + $nextConfig.RemoveExclusion($exclusion) | Out-Null; + Write-Host "Removed exclusion $exclusion."; + } catch { + Write-Host "Could not remove exclusion $exclusion." + } + } else { + Write-Error "Could not retrieve UWF_RegistryFilter"; + } +} + +function Clear-RegistryExclusions() { + +# This function removes all UWF registry exclusions +# The registry exclusions are removed the next time the device is restarted + +# Get the configuration for the next session + + $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams | + where { + $_.CurrentSession -eq $false + }; + +# Remove all registry exclusions + + if ($nextConfig) { + + Write-Host "Removing all registry exclusions:"; + + $nextExcludedList = $nextConfig.GetExclusions() + + if ($nextExcludedList) { + foreach ($registryExclusion in $nextExcludedList.ExcludedKeys) { + Write-Host "Removing:" $registryExclusion.RegistryKey + $nextConfig.RemoveExclusion($registryExclusion.RegistryKey) | Out-Null + } + } else { + Write-Host "No registry exclusions to remove." + } + Write-Host "" + } +} + +# Some examples of using the functions + +Clear-RegistryExclusions + +Get-RegistryExclusions + +Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" +Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers\(Default)" + +Get-RegistryExclusions + +Remove-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" + +Get-RegistryExclusions + +Clear-RegistryExclusions +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfilteraddexclusion.md b/windows/configuration/unified-write-filter/uwf-registryfilteraddexclusion.md new file mode 100644 index 00000000000..38aa47814ca --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfilteraddexclusion.md @@ -0,0 +1,58 @@ +--- +title: UWF_RegistryFilter.AddExclusion +description: UWF_RegistryFilter.AddExclusion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter.AddExclusion + +Adds a registry key to the registry exclusion list for Unified Write Filter (UWF). + +> [!IMPORTANT] +> Only registry subkeys under the following registry keys can be added to the exclusion list. +> +> - HKEY_LOCAL_MACHINE\BCD00000000 +> - HKEY_LOCAL_MACHINE\SYSTEM +> - HKEY_LOCAL_MACHINE\SOFTWARE +> - HKEY_LOCAL_MACHINE\SAM +> - HKEY_LOCAL_MACHINE\SECURITY +> - HKEY_LOCAL_MACHINE\COMPONENTS + +> [!IMPORTANT] +> Excluding a registry key from filtering also excludes all subkeys from filtering. + +## Syntax + +```powershell +UInt32 AddExclusion( + string RegistryKey +); +``` + +## Parameters + +**RegistryKey**
A string that contains the full path of the registry key. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must restart the device before the registry key is excluded from UWF filtering. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_RegistryFilter](uwf-registryfilter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistry.md b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistry.md new file mode 100644 index 00000000000..ff2fd4cdc24 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistry.md @@ -0,0 +1,50 @@ +--- +title: UWF_RegistryFilter.CommitRegistry +description: UWF_RegistryFilter.CommitRegistry +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter.CommitRegistry + +Commits changes to the specified registry key and value. + +## Syntax + +```powershell +UInt32 CommitRegistry( + [in] string RegistryKey, + [in] string ValueName +); +``` + +## Parameters + +**RegistryKey**
A string that contains the full path of the registry key to be committed. + +**ValueName**
A string that contains the name of the value to be committed. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +This method will commit only the value specified by *ValueName* under *RegistryKey* if *ValueName* is specified. + +You must use an administrator account to change any properties or call any methods that change the configuration settings. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_RegistryFilter](uwf-registryfilter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistrydeletion.md b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistrydeletion.md new file mode 100644 index 00000000000..a7e69eb9702 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistrydeletion.md @@ -0,0 +1,52 @@ +--- +title: UWF_RegistryFilter.CommitRegistryDeletion +description: UWF_RegistryFilter.CommitRegistryDeletion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter.CommitRegistryDeletion + +Deletes the specified registry key or registry value and commits the deletion. + +## Syntax + +```powershell +UInt32 CommitRegistryDeletion( + string Registrykey, + string ValueName +); +``` + +## Parameters + +**RegistryKey**
A string that contains the full path of the registry key that contains the value to be deleted. If *ValueName* is empty, the entire registry key is deleted. + +**ValueName**
A string that contains the name of the value to be deleted. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +If *ValueName* is specified, this method will delete only the value specified by *ValueName* that is contained by *RegistryKey*. If *ValueName* is empty, the entire *RegistryKey* and all its sub keys are deleted. + +This method deletes the registry key or registry value from both the overlay and the persistent storage. + +You must use an administrator account to change any properties or call any methods that change the configuration settings. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_RegistryFilter](uwf-registryfilter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfilterfindexclusion.md b/windows/configuration/unified-write-filter/uwf-registryfilterfindexclusion.md new file mode 100644 index 00000000000..fec85d3b5ef --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfilterfindexclusion.md @@ -0,0 +1,44 @@ +--- +title: UWF_RegistryFilter.FindExclusion +description: UWF_RegistryFilter.FindExclusion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter.FindExclusion + +Checks if a specific registry key is excluded from being filtered by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 FindExclusion( + [in] string RegistryKey, + [out] boolean bFound +); +``` + +## Parameters + +**RegistryKey**
\[in\] A string that contains the full path of the registry key. + +**bFound**
\[out\] Indicates if the *RegistryKey* is in the exclusion list of registry keys. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_RegistryFilter](uwf-registryfilter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfiltergetexclusions.md b/windows/configuration/unified-write-filter/uwf-registryfiltergetexclusions.md new file mode 100644 index 00000000000..3f3e8802ba0 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfiltergetexclusions.md @@ -0,0 +1,45 @@ +--- +title: UWF_RegistryFilter.GetExclusions +description: UWF_RegistryFilter.GetExclusions +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter.GetExclusions + +Retrieves all registry key exclusions from a device that is protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 GetExclusions( + [out, EmbeddedInstance("UWF_ExcludedRegistryKey")] string ExcludedKeys[] +); +``` + +## Parameters + +**ExcludedKeys**
\[out\] An array of [UWF_ExcludedRegistryKey](uwf-excludedregistrykey.md) objects that represent the registry keys excluded from UWF filtering. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +If this method does not find any registry keys in the registry key exclusion list, it sets the *ExcludedKeys* parameter to null. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_RegistryFilter](uwf-registryfilter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-registryfilterremoveexclusion.md b/windows/configuration/unified-write-filter/uwf-registryfilterremoveexclusion.md new file mode 100644 index 00000000000..03e5282ad8a --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-registryfilterremoveexclusion.md @@ -0,0 +1,45 @@ +--- +title: UWF_RegistryFilter.RemoveExclusion +description: UWF_RegistryFilter.RemoveExclusion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_RegistryFilter.RemoveExclusion + +Removes a registry key from the registry exclusion list for Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 RemoveExclusion( + string RegistryKey +); +``` + +## Parameters + +**RegistryKey**
A string that contains the full path of the registry key. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must restart the device before the registry key is excluded from UWF filtering. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_RegistryFilter](uwf-registryfilter.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-servicing-screen-saver.md b/windows/configuration/unified-write-filter/uwf-servicing-screen-saver.md new file mode 100644 index 00000000000..c9672f601be --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-servicing-screen-saver.md @@ -0,0 +1,51 @@ +--- +title: UWF servicing screen saver +description: UWF servicing screen saver +ms.date: 05/02/2017 +ms.topic: reference +--- + +# UWF servicing screen saver + +The default settings for the Unified Write Filter (UWF) servicing screen saver can be changed through the Windows registry to use custom text, title, font, and color settings. + +The UWF servicing screen saver (UwfServicingScr.scr) is located in the \\Windows\\System32 folder. + +> [!IMPORTANT] +> When UWF is installed on your device, when you right-click on the **Desktop**, and then click **Personalize** > **Screen Saver**, the UWF servicing screen saver will appear in the list of available screen savers in the **Screen Saver Settings** dialog box. + +Do not select **UwfServicingScr** as the screen saver and then click **Preview**, as you will not be able to exit the UWF servicing screen saver by moving the mouse or pressing a key. The only way to exit the UWF servicing screen saver in this case is by pressing the Ctrl+Alt+Delete keys. + +## Modify the default registry settings for the UWF servicing screen saver + +1. To modify the default registry settings for the UWF servicing screen saver, from the example shown here, change the values in a text editor, and then save as a .reg file (for example, Overridescreensaver.reg). + + ```powershell + Windows Registry Editor Version 5.00 + [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\ServicingScreenSaver] + "ColorBackground"=dword:000000ff + "ColorText"=dword:0000ff00 + "ColorProgress"=dword:00ff0000 + "ScreenSaverTitle"="Device" + "ScreenSaverSubTitle"="Servicing device…" + "HideScreenSaverText"=dword:00000000 + "HideScreenSaverProgress"=dword:00000000 + "Font"="Algerian" + ``` + +1. On the device, open a command prompt as an administrator. For Windows Shell, to open a command prompt, do the following: + 1. In Windows Explorer, move to \\Windows\\System32, right-click **cmd.exe**, and then click **Run as Administrator**. + 1. Accept the UAC prompt. +1. To apply the custom registry settings for the screen saver to the device, type the following command: + + ```powershell + regedit.exe /s overridescreensaver.reg + ``` + +The next time the device enters UWF servicing mode, the UwfServicingScr.scr screen saver will use the custom settings. + +## Related articles + +[Service UWF-protected devices](service-uwf-protected-devices.md) + +[Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-servicing.md b/windows/configuration/unified-write-filter/uwf-servicing.md new file mode 100644 index 00000000000..324f86d59ae --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-servicing.md @@ -0,0 +1,99 @@ +--- +title: UWF_Servicing +description: UWF_Servicing +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Servicing + +This class contains properties and methods that enable you to query and control Unified Write Filter (UWF) servicing mode. + +## Syntax + +```powershell +class UWF_Servicing { + [key, read] boolean CurrentSession; + [read] boolean ServicingEnabled; + + UInt32 Enable(); + UInt32 Disable(); + UInt32 UpdateWindows( + [out] UInt32 UpdateStatus + ); +}; +``` + +## Members + +The following tables list the methods and properties that belong to this class. + +### Methods + +| Method | Description                                                                      | +|--------|-------------| +|[UWF_Servicing.Disable](uwf-servicingdisable.md) | Disables Unified Write Filter (UWF) servicing mode.
The system leaves servicing mode in the next session that follows a restart. | +| [UWF_Servicing.Enable](uwf-servicingenable.md) | Enables Unified Write Filter (UWF) servicing mode.
The system enters servicing mode in the next session that follows a restart. | +| [UWF_Servicing.UpdateWindows](uwf-servicingupdatewindows.md) | Calls Windows Update to download and install critical and security updates for your device running Windows 10 Enterprise. | + +### Properties + +| Property | Data type | Qualifiers | Description                                                                     & | +|----------|----------------|------------|-------------| +| CurrentSession | Boolean | [key, read] | Indicates when to enable servicing.
- **True** if servicing is enabled in the current session
- **False** if servicing will be enabled in the session that follows a restart. | +| ServiceEnabled | Boolean | [read] | Indicates if the system is in servicing mode in the current session, or will be in servicing mode in the next session that follows a restart.
- **True** if servicing is enabled
- otherwise, **False**. | + +### Remarks + +This class only has two instances, one for the current session, and another for the next session that follows a restart. + +### Example + +The following example shows how to enable and disable UWF servicing mode on a device by using the Windows Management Instrumentation (WMI) provider in a PowerShell script. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define common parameters + +$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER} + +# Enable UWF servicing + +$nextSession = Get-WmiObject -class UWF_Servicing @CommonParams | where { + $_.CurrentSession -eq $false +} + +if ($nextSession) { + + $nextSession.Enable() | Out-Null; + Write-Host "This device is enabled for servicing mode after the next restart." +} + +# Disable UWF servicing + +$nextSession = Get-WmiObject -class UWF_Servicing @CommonParams | where { + $_.CurrentSession -eq $false +} + +if ($nextSession) { + + $nextSession.Disable() | Out-Null; + Write-Host "Servicing mode is now disabled for this device." +} +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-servicingdisable.md b/windows/configuration/unified-write-filter/uwf-servicingdisable.md new file mode 100644 index 00000000000..616e9d66691 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-servicingdisable.md @@ -0,0 +1,43 @@ +--- +title: UWF_Servicing.Disable +description: UWF_Servicing.Disable +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Servicing.Disable + +Disables Unified Write Filter (UWF) servicing mode. + +## Syntax + +```powershell +UInt32 Disable(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +When this method is called, the system will leave servicing mode in the next session after a restart. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Servicing](uwf-servicing.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-servicingenable.md b/windows/configuration/unified-write-filter/uwf-servicingenable.md new file mode 100644 index 00000000000..8261b42c158 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-servicingenable.md @@ -0,0 +1,43 @@ +--- +title: UWF_Servicing.Enable +description: UWF_Servicing.Enable +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Servicing.Enable + +Enables Unified Write Filter (UWF) servicing mode. + +## Syntax + +```powershell +UInt32 Enable(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +When this method is called, the system will enter servicing mode in the next session after a restart. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Servicing](uwf-servicing.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-servicingupdatewindows.md b/windows/configuration/unified-write-filter/uwf-servicingupdatewindows.md new file mode 100644 index 00000000000..2f5cb89d90e --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-servicingupdatewindows.md @@ -0,0 +1,53 @@ +--- +title: UWF_Servicing.UpdateWindows +description: UWF_Servicing.UpdateWindows +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Servicing.UpdateWindows + +Calls Windows Update to download and install critical and security updates for your device running Windows 10 Enterprise. + +## Syntax + +```powershell +UInt32 UpdateWindows( + [out] UInt32 UpdateStatus +); +``` + +## Parameters + +**UpdateStatus**
\[out\] An integer that contains the status of the Windows Update operation, according to the following table: + +| UpdateStatus | Description | +|:----------------:|-------------------| +| 0 | Success. | +| 3010 | Restart required. | +| Any other value. | Generic error. | + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +This method is meant to be used as part of a servicing script. For more information, see [Service UWF-protected devices](service-uwf-protected-devices.md). + +This method does not disable or enable Unified Write Filter (UWF). If you call this method while UWF is enabled, updates may be lost when the device restarts. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Servicing](uwf-servicing.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-turnonuwf.md b/windows/configuration/unified-write-filter/uwf-turnonuwf.md new file mode 100644 index 00000000000..65d54c3fd74 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-turnonuwf.md @@ -0,0 +1,146 @@ +--- +title: Unified Write Filter (UWF) feature (uwf-turnonuwf) +description: Unified Write Filter (UWF) feature (uwf-turnonuwf) +ms.date: 05/20/2024 +ms.topic: reference +ms.custom: RS5 +--- + +# Use the Unified Write Filter (UWF) feature + +The Unified Write Filter (UWF) is an Windows 10 optional feature. + +To use UWF, you'll first need to install the feature. + +Next, you'll enable (and optionally configure) the feature. The first time you enable UWF on your device, UWF makes the following changes to your system to improve the performance of UWF: + +- Paging files are disabled. +- System restore is disabled. +- SuperFetch (aka "SysMain" service) is disabled. +- File indexing service is turned off. +- Fast boot is disabled. +- Defragmentation service (aka "Optimize drives" service) is turned off. +- BCD setting **bootstatuspolicy** is set to **ignoreallfailures**. + +After UWF is enabled, you can finally select a drive to protect and start using UWF. If you'll disable after enable it, features above will not be turned on automatically. + +You can install UWF for running PCs and devices, prepare it for customized Windows images, or manage it remotely using CSP or WMI. + +## Turn on UWF on a running PC + +1. Install the feature: + + 1. Click Start, type **Turn Windows features on or off**. + + 1. In the **Windows Features** window, expand the **Device Lockdown** node, and check **Unified Write Filter** > **OK**. + + The **Windows Features** window indicates Windows is searching for required files and displays a progress bar. Once found, the window indicates Windows is applying the changes. When completed, the window indicates the requested changes are completed. + + 1. Click **Close** to close the **Windows Features** window. + +1. Enable the filter: + + ```cmd + uwfmgr filter enable + ``` + + > [!Note] + > After you run this command, restart the computer and exit the servicing mode, the following things are disabled: + > - Windows Update (by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate.) + > - Windows Store Update (by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload.) + > - Registry Reorganization (by setting HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Configuration Manager\RegistryReorganizationLimitDays.) + > - Maintenance Hour (by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled.) + > + > After you run `uwfmgr filter disable`, restart the computer and enter the serving mode, the changes will be reverted. + +1. Enable write protection for a drive: + + ```cmd + uwfmgr.exe volume protect C: + ``` + +1. Restart your computer. + +1. Confirm that UWF is running: + + ```cmd + uwfmgr.exe get-config + ``` + +## Install UWF on a customized Windows image + +1. Open a command prompt with administrator privileges. +1. Copy install.wim to a temporary folder on hard drive (in the following steps, we'll assume it's called C:\\wim). +1. Create a new directory. + + ```cmd + md c:\wim + ``` + +1. Mount the image. + + ```cmd + dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim + ``` + +1. Enable the feature. + + ```cmd + dism /image:c:\wim /enable-feature /featureName:Client-UnifiedWriteFilter + ``` + +1. Commit the change. + + ```cmd + dism /unmount-wim /MountDir:c:\wim /Commit + ``` + +To activate UWF, you can use a command-line script, CSP, or WMI: + +- [CMD](uwfmgrexe.md): `uwfmgr filter enable`, then `uwfmgr.exe volume protect C:` +- [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `CurrentSession/FilterEnabled`, then `CurrentSession/Volume` +- [WMI](uwf-wmi-provider-reference.md): `UWF\Filter.Enable`, then `UWF\Volume`. + +## Install the UWF feature by using Windows Configuration Designer + +1. Create a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). + + > [!Note] + > When setting the file exclusion in Windows Configuration Designer, you do not need to specify the drive letter since that is already input via the Volume protection setting. For example, if the file being excluded is `C:\testdir\test.txt`, after adding a drive in Volume protection, you only need to input `\testdir\test.txt` to add this file exclusion. + +1. In the Available customizations page, select **Runtime settings** > **SMISettings** and then set the value for the Unified Write Filter setting. + +1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. See [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. + +To activate UWF, you can use a command-line script, CSP, or WMI: + +- [CMD](uwfmgrexe.md): `uwfmgr filter enable`, then `uwfmgr.exe volume protect C:` +- [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `CurrentSession/FilterEnabled`, then `CurrentSession/Volume` +- [WMI](uwf-wmi-provider-reference.md): `UWF\Filter.Enable`, then `UWF\Volume`. + +## Install the UWF feature by using Windows Management Instrumentation (WMI) + +If Windows has already been installed and you do not want to use a provisioning package, you can also configure UWF by using the Windows Management Instrumentation (WMI) providers. To turn on UWF using WMI, you can use the [UWF_Filter](uwf-filter.md) function, specifically the [UWF_Filter.Enable](uwf-filterenable.md) method. You can do this in one of the following ways: + +- Use the WMI providers directly in a PowerShell script. +- Use the WMI providers directly in an application. +- Use the command line tool, [uwfmgr.exe](uwfmgrexe.md). + +You must restart your device after you turn on or turn off UWF before the change takes effect. + +You can change these settings after you turn on UWF if you want to. For example, you can move the page file location to an unprotected volume and re-enable paging files. + +> [!IMPORTANT] +> If you add UWF to your image by using SMI settings in an unattend.xml file, turning on UWF only sets the **bootstatuspolicy** BCD setting and turns off the defragmentation service. In this case, you must manually turn off the other features and services if you want to increase the performance of UWF. + +All configuration settings for UWF are stored in the registry. UWF automatically excludes these registry entries from filtering. + +UWF maintains configuration settings in the registry for the current session and for the next session after a device restart. Static configuration changes do not take effect until after a device restart, and these changes are saved in the registry entries for the next session. Dynamic configuration changes occur immediately and persist after a device restart. + +## Related articles + +[Unified Write Filter]( index.md) + +[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) + +UWF Command-line tool: [uwfmgr.exe](uwfmgrexe.md) diff --git a/windows/configuration/unified-write-filter/uwf-volume.md b/windows/configuration/unified-write-filter/uwf-volume.md new file mode 100644 index 00000000000..3d73fc6db03 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volume.md @@ -0,0 +1,311 @@ +--- +title: UWF_Volume +description: UWF_Volume +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume + +This class manages a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +class UWF_Volume { + [key, Read] boolean CurrentSession; + [key, Read] string DriveLetter; + [key, Read] string VolumeName; + [Read, Write] boolean BindByDriveLetter; + [Read] boolean CommitPending; + [Read, Write] boolean Protected; + + UInt32 CommitFile([in] string FileFullPath); + UInt32 CommitFileDeletion(string FileName); + UInt32 Protect(); + UInt32 Unprotect(); + UInt32 SetBindByDriveLetter(boolean bBindByVolumeName); + UInt32 AddExclusion(string FileName); + UInt32 RemoveExclusion(string FileName); + UInt32 RemoveAllExclusions(); + UInt32 FindExclusion([in] string FileName, [out] bFound); + UInt32 GetExclusions([out, EmbeddedInstance("UWF_ExcludedFile")] string ExcludedFiles[]); + +}; +``` + +## Members + +The following tables list the methods and properties that belong to this class. + +### Methods + +| Method | Description | +|--------|-------------| +| [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) | Adds a file or folder to the file exclusion list for a volume protected byUWF. | +| [UWF_Volume.CommitFile](uwf-volumecommitfile.md) | Commits changes from the overlay to the physical volume for a specified file on a volume protected by Unified Write Filter (UWF). | +| [UWF_Volume.CommitFileDeletion](uwf-volumecommitfiledeletion.md) | Deletes a protected file from the volume, and commits the deletion to the physical volume. | +| [UWF_Volume.FindExclusion](uwf-volumefindexclusion.md) | Determines whether a specific file or folder is in the exclusion list for a volume protected byUWF. | +| [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md) | Retrieves a list of all file exclusions for a volume protected byUWF. | +| [UWF_Volume.Protect](uwf-volumeprotect.md) | Protects the volume after the next system restart, if UWF is enabled after the restart. | +| [UWF_Volume.RemoveAllExclusions](uwf-volumeremoveallexclusions.md) | Removes all files and folders from the file exclusion list for a volume protected by UWF. | +| [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) | Removes a specific file or folder from the file exclusion list for a volume protected byUWF. | +| [UWF_Volume.SetBindByDriveLetter](uwf-volumesetbindbydriveletter.md) | Sets the **BindByDriveLetter** property, which indicates whether the UWF volume is bound to the physical volume by drive letter or by volume name. | +| [UWF_Volume.Unprotect](uwf-volumeunprotect.md) | Disables UWF protection of the volume after the next system restart. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| **BindByDriveLetter** | Boolean | [read, write] | Indicates the type of binding that the volume uses.
- **True** to bind the volume by **DriveLetter**(loose binding)
- **False** to bind the volume by **VolumeName** (tight binding). | +| **CommitPending** | Boolean | [read] | Reserved for Microsoft use.| +| **CurrentSession** | Boolean | [key, read] | Indicates which session the object contains settings for.
- **True** if settings are for the current session
- **False** if settings are for the next session that follows a restart. | +| **DriveLetter** | string | [key, read] | The drive letter of the volume. If the volume does not have a drive letter, this value is **NULL**. | +| **Protected** | Boolean | [read, write] | If **CurrentSession** is **true**, indicates whether the volume is currently protected by UWF.
If **CurrentSession** is **false**, indicates whether the volume is protected in the next session after the device restarts. | +| **VolumeName** | string | [key, read] | The unique identifier of the volume on the current system. The **VolumeName** is the same as the **DeviceID** property of the [Win32_Volume](/previous-versions/windows/desktop/legacy/aa394515(v=vs.85)) class for the volume. | + +### Remarks + +You must use an administrator account to change any properties or call any methods that change the configuration settings. + +### Turn UWF protection on or off + +The following example demonstrates how to protect or unprotect a volume with UWF by using the Windows Management Instrumentation (WMI) provider in a PowerShell script. + +The PowerShellscript creates a function, **Set-ProtectVolume**, that turns UWF protection on or off for a volume. The script then demonstrates how to use the function. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define common parameters + +$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER} + +# Create a function to protect or unprotect a volume based on the drive letter of the volume + +function Set-ProtectVolume($driveLetter, [bool] $enabled) { + +# Each volume has two entries in UWF_Volume, one for the current session and one for the next session after a restart +# You can only change the protection status of a drive for the next session + + $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams | + where { + $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false + }; + +# If a volume entry is found for the drive letter, enable or disable protection based on the $enabled parameter + + if ($nextConfig) { + + Write-Host "Setting drive protection on $driveLetter to $enabled" + + if ($Enabled -eq $true) { + $nextConfig.Protect() | Out-Null; + } else { + $nextConfig.Unprotect() | Out-Null; + } + } + +# If the drive letter does not match a volume, create a new UWF_volume instance + + else { + Write-Host "Error: Could not find $driveLetter. Protection is not enabled." + } +} + +# The following sample commands demonstrate how to use the Set-ProtectVolume function +# to protect and unprotect volumes + +Set-ProtectVolume "C:" $true +Set-ProtectVolume "D:" $true + +Set-ProtectVolume "C:" $false +``` + +### Manage UWF file and folder exclusions + +The following example demonstrates how to manage UWF file and folder exclusions by using the WMI provider in a PowerShell script. The PowerShell script creates four functions, and then demonstrates how to use them. + +The first function, **Get-FileExclusions**, displays a list of UWF file exclusions that exist on a volume. Exclusions for both the current session and the next session that follows a restart are displayed. + +The second function, **Add-FileExclusion**, adds a file or folder to the UWF exclusion list for a given volume. The exclusion is added for the next session that follows a restart. + +The third function, **Remove-FileExclusion**, removes a file or folder from the UWF exclusion list for a given volume. The exclusion is removed for the next session that follows a restart. + +The fourth function, **Clear-FileExclusions**, removes all UWF file and folder exclusions from a given volume. The exclusions are removed for the next session that follows a restart. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define common parameters + +$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER} + +function Get-FileExclusions($driveLetter) { + +# This function lists the UWF file exclusions for a volume, both +# for the current session as well as the next session after a restart + +# $driveLetter is the drive letter of the volume + +# Get the UWF_Volume configuration for the current session + + $currentConfig = Get-WMIObject -class UWF_Volume @CommonParams | + where { + $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $true + }; + +# Get the UWF_Volume configuration for the next session after a restart + + $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams | + where { + $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false + }; + +# Display file exclusions for the current session + + if ($currentConfig) { + + Write-Host "The following files and folders are currently excluded from UWF filtering for $driveLetter"; + + $currentExcludedList = $currentConfig.GetExclusions() + + if ($currentExcludedList) { + foreach ($fileExclusion in $currentExcludedList.ExcludedFiles) { + Write-Host " " $fileExclusion.FileName + } + } else { + Write-Host " None" + } + } else { + Write-Error "Could not find drive $driveLetter"; +} + +# Display file exclusions for the next session after a restart + + if ($nextConfig) { + + Write-Host "" + Write-Host "The following files and folders will be excluded from UWF filtering for $driveLetter after the next restart:"; + + $nextExcludedList = $nextConfig.GetExclusions() + + if ($nextExcludedList) { + foreach ($fileExclusion in $nextExcludedList.ExcludedFiles) { + Write-Host " " $fileExclusion.FileName + } + } else { + Write-Host " None" + } + + Write-Host "" + } +} + +function Add-FileExclusion($driveLetter, $exclusion) { + +# This function adds a new UWF file exclusion to a volume +# The new file exclusion takes effect the next time the device is restarted and UWF is enabled + +# $driveLetter is the drive letter of the volume +# $exclusion is the path and filename of the file or folder exclusion + +# Get the configuration for the next session for the volume + + $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams | + where { + $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false + }; + +# Add the exclusion + + if ($nextConfig) { + $nextConfig.AddExclusion($exclusion) | Out-Null; + Write-Host "Added exclusion $exclusion for $driveLetter"; + } else { + Write-Error "Could not find drive $driveLetter"; + } +} + +function Remove-FileExclusion($driveLetter, $exclusion) { + +# This function removes a UWF file exclusion from a volume +# The file exclusion is removed the next time the device is restarted + +# $driveLetter is the drive letter of the volume +# $exclusion is the path and filename of the file or folder exclusion + +# Get the configuration for the next session for the volume + + $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams | + where { + $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false + }; + +# Try to remove the exclusion + + if ($nextConfig) { + try { + $nextConfig.RemoveExclusion($exclusion) | Out-Null; + Write-Host "Removed exclusion $exclusion for $driveLetter"; + } catch { + Write-Host "Could not remove exclusion $exclusion on drive $driveLetter" + } + } else { + Write-Error "Could not find drive $driveLetter"; + } +} + +function Clear-FileExclusions($driveLetter) { + +# This function removes all UWF file exclusions on a volume +# The file exclusions are removed the next time the device is restarted + +# $driveLetter is the drive letter of the volume + +# Get the configuration for the next session for the volume + + $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams | + where { + $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false + }; + +# Remove all file and folder exclusions + + if ($nextConfig) { + $nextConfig.RemoveAllExclusions() | Out-Null; + Write-Host "Cleared all exclusions for $driveLetter"; + } else { + Write-Error "Could not clear exclusions for drive $driveLetter"; + } +} + +# Some examples of using the functions + +Clear-FileExclusions "C:" + +Add-FileExclusion "C:" "\Users\Public\Public Documents" +Add-FileExclusion "C:" "\myfolder\myfile.txt" + +Get-FileExclusions "C:" + +Remove-FileExclusion "C:" "\myfolder\myfile.txt" + +Get-FileExclusions "C:" +``` + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumeaddexclusion.md b/windows/configuration/unified-write-filter/uwf-volumeaddexclusion.md new file mode 100644 index 00000000000..72c46d69c6b --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumeaddexclusion.md @@ -0,0 +1,56 @@ +--- +title: UWF_Volume.AddExclusion +description: UWF_Volume.AddExclusion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.AddExclusion + +Adds a file or folder to the file exclusion list for a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 AddExclusion( + string FileName +); +``` + +## Parameters + +**FileName**
A string that contains the full path of the file or folder relative to the volume. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to add or remove file or folder exclusions during run time, and you must restart the device for new exclusions to take effect. + +> [!IMPORTANT] +> You can’t add exclusions for the following items: +> +> - The volume root. For example, C: or D:. +> - The \Windows folder on the system volume. +> - The \Windows\System32 folder on the system volume. +> - The \Windows\system32\drivers folder on the system volume. +> - Paging files. + +However, you can exclude subdirectories and files under these items. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumecommitfile.md b/windows/configuration/unified-write-filter/uwf-volumecommitfile.md new file mode 100644 index 00000000000..0487c47c19f --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumecommitfile.md @@ -0,0 +1,47 @@ +--- +title: UWF_Volume.CommitFile +description: UWF_Volume.CommitFile +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.CommitFile + +Commits changes from the overlay to the physical volume for a specified file on a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 CommitFile( + [in] string FileName +); +``` + +## Parameters + +**FileName**
\[in\] A string that contains the path of the file to commit on the overlay, but does not include the drive letter or volume name. For example, “\\users\\test.dat”. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +The *FileName* must contain the name of a file that exists. The **CommitFile** method cannot commit a file that does not exist. + +You must use an administrator account to change any properties or call any methods that change the configuration settings. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumecommitfiledeletion.md b/windows/configuration/unified-write-filter/uwf-volumecommitfiledeletion.md new file mode 100644 index 00000000000..ec071c45088 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumecommitfiledeletion.md @@ -0,0 +1,47 @@ +--- +title: UWF_Volume.CommitFileDeletion +description: UWF_Volume.CommitFileDeletion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.CommitFileDeletion + +Deletes the specified file and commits the deletion to the physical volume. + +## Syntax + +```powershell +UInt32 CommitFileDeletion( + string FileName +); +``` + +## Parameters + +**FileName**
\[in\] A string that contains the path of the file to delete, but does not include the drive letter or volume name. For example: “\\users\\test.dat”. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +The *FileName* must contain the name of a file that exists on the physical volume. The **CommitFileDeletion** method cannot delete a file that does not exist. + +You must use an administrator account to call this method. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumefindexclusion.md b/windows/configuration/unified-write-filter/uwf-volumefindexclusion.md new file mode 100644 index 00000000000..e2cdf900605 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumefindexclusion.md @@ -0,0 +1,48 @@ +--- +title: UWF_Volume.FindExclusion +description: UWF_Volume.FindExclusion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.FindExclusion + +Checks if a specific file or folder is in the exclusion list for a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 FindExclusion ( + [in] string FileName, + [out] boolean bFound +); +``` + +## Parameters + +**FileName**
\[in\] A string that contains the full path of the file or folder relative to the volume. + +**bFound**
\[out\] Indicates if *FileName* is in the file exclusion list for the volume. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +**FindExclusion** sets *bFound* to **true** only for file and folder exclusions that have been explicitly added to the exclusion list. Files and subfolders that are in an excluded folder are not identified as excluded by **FindExclusion**, unless they have been explicitly excluded. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumegetexclusions.md b/windows/configuration/unified-write-filter/uwf-volumegetexclusions.md new file mode 100644 index 00000000000..b14bd1d11cb --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumegetexclusions.md @@ -0,0 +1,45 @@ +--- +title: UWF_Volume.GetExclusions +description: UWF_Volume.GetExclusions +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.GetExclusions + +Gets a list of all file exclusions for a Unified Write Filter (UWF) protected volume. + +## Syntax + +```powershell +UInt32 GetExclusions( + [out, EmbeddedInstance("UWF_ExcludedFile")] string ExcludedFiles[] +); +``` + +## Parameters + +**ExcludedFiles**
\[out\] An array of [UWF_ExcludedFile](uwf-excludedfile.md) objects that represent the files and folders that are excluded from UWF filtering for a volume. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +If **GetExclusions** does not find any files or folders in the file exclusion list for the volume, **GetExclusions** sets the *ExcludedFiles* parameter to null. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumeprotect.md b/windows/configuration/unified-write-filter/uwf-volumeprotect.md new file mode 100644 index 00000000000..30283fc314f --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumeprotect.md @@ -0,0 +1,45 @@ +--- +title: UWF_Volume.Protect +description: UWF_Volume.Protect +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.Protect + +Enables Unified Write Filter (UWF) to protect the volume after the next system restart, if UWF is enabled after the restart. + +## Syntax + +```powershell +UInt32 Protect(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +UWF starts protecting the volume after the next device restart in which UWF is enabled. + +This method does not enable UWF if it is disabled; you must explicitly enable UWF for the next session to start volume protection. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumeremoveallexclusions.md b/windows/configuration/unified-write-filter/uwf-volumeremoveallexclusions.md new file mode 100644 index 00000000000..c85992e7ff2 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumeremoveallexclusions.md @@ -0,0 +1,45 @@ +--- +title: UWF_Volume.RemoveAllExclusions +description: UWF_Volume.RemoveAllExclusions +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.RemoveAllExclusions + +Removes all files and folders from the file exclusion list for a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 RemoveAllExclusions(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI errorj constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +This command does not remove registry exclusions. + +You must use an administrator account to remove file or folder exclusions, and you must restart the device for this change to take effect. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumeremoveexclusion.md b/windows/configuration/unified-write-filter/uwf-volumeremoveexclusion.md new file mode 100644 index 00000000000..6e9f3c3f247 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumeremoveexclusion.md @@ -0,0 +1,45 @@ +--- +title: UWF_Volume.RemoveExclusion +description: UWF_Volume.RemoveExclusion +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.RemoveExclusion + +Removes a specific file or folder from the file exclusion list for a volume protected by Unified Write Filter (UWF). + +## Syntax + +```powershell +UInt32 RemoveExclusion( + string FileName +); +``` + +## Parameters + +**FileName**
A string that contains the full path of the file or folder relative to the volume. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +You must use an administrator account to remove file or folder exclusions, and you must restart the device for this change to take effect. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumesetbindbydriveletter.md b/windows/configuration/unified-write-filter/uwf-volumesetbindbydriveletter.md new file mode 100644 index 00000000000..3f2262afcd7 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumesetbindbydriveletter.md @@ -0,0 +1,50 @@ +--- +title: UWF_Volume.SetBindByDriveLetter +description: UWF_Volume.SetBindByDriveLetter +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.SetBindByDriveLetter + +Sets the **BindByDriveLetter** property, which indicates if the Unified Write Filter (UWF) volume is bound to the physical volume by drive letter or volume name. + +## Syntax + +```powereshell +UInt32 SetBindByDriveLetter( + boolean bBindByDriveLetter +); +``` + +## Parameters + +**bBindByDriveLetter**
A Boolean value that indicates the type of binding to use. The **BindByDriveLetter** property is set to this value. + +| Value | Description | +|:------:|--------------| +| **true** | Binds the UWF volume by the drive letter (*loose binding*). | +| **false** | Binds the UWF volume by the volume name (*tight binding*). | + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Binding by volume name is considered more reliable than binding by drive letter, since drive letters can change for a volume if devices are added or removed. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-volumeunprotect.md b/windows/configuration/unified-write-filter/uwf-volumeunprotect.md new file mode 100644 index 00000000000..015e73e77db --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-volumeunprotect.md @@ -0,0 +1,43 @@ +--- +title: UWF_Volume.Unprotect +description: UWF_Volume.Unprotect +ms.date: 05/20/2024 +ms.topic: reference +--- + +# UWF_Volume.Unprotect + +Disables UWF protection of the volume after the next system restart. + +## Syntax + +```powershell +UInt32 Unprotect(); +``` + +## Parameters + +None. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +Unprotecting the volume does not remove the [UWF_Volume](uwf-volume.md) entry or any configuration settings from the UWF configuration registry. This means that you can unprotect a volume, and then protect it again later, while keeping any file exclusions or volume configurations that you have defined. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [UWF_Volume](uwf-volume.md) +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwf-wes7-ewf-to-win10-uwf.md b/windows/configuration/unified-write-filter/uwf-wes7-ewf-to-win10-uwf.md new file mode 100644 index 00000000000..90f771ca8cc --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-wes7-ewf-to-win10-uwf.md @@ -0,0 +1,60 @@ +--- +title: Windows Embedded Systems7 Enhanced Write Filter to Windows 10 Unified Write Filter +description: Migration of WES7 EWF to Win10 UWF +ms.date: 05/20/2024 +ms.topic: reference +--- + +# Windows Embedded Systems 7 Enhanced Write Filter to Windows 10 Unified Write Filter + +## Allow UWF swapfile (aka. DISK Overlay) to be created and used on any volume + +We added ability for Overlay in DISK mode to use file on any available volume unrelated to whether the volume is protected or not. The main purpose for the change is to allow booting from devices susceptible to wear by writings (such as Flash/SD/SSD devices) while redirecting the DISK overlay to less *precious* media. Prior to that change, DISK mode Overlay was exclusively restricted to OS (aka C:) volume. + +:::image type="content" source="images/administratorcommandprompt.png" alt-text="This is a administrator command prompt"::: + +New subcommand `create-swapfile` was introduced under `uwfmgr.exe volume` to allow user control over the location of the DISK mode Overlay swapfile. This command requires volume DOS name (such as C:, D:, and so on.) or volume GUID as argument. The initial size of the file is deduced from the size of the Overlay at the time and may be later changed by issuing `uwfmgr.exe overlay set-size` subcommand. +The new subcommand `create-swapfile` is only allowed when UWF filter is disabled and UWF Overlay is in DISK mode. + +## Read Only Media mode + +Read Only Mode allows elimination of all and any writes to the physical storage device, even metadata writes that does not have any effect on a files content. Read Only Media mode can be easily configured using UWF to get into it and out of it. The new functionality supports many popular scenarios that users of legacy WES7 EWF volume-based filter used. +The new subcommand `set-rom-mode` was introduced under `uwfmgr.exe. overlay` to allow the user to enable/disable Read-Only Media mode. + +:::image type="content" source="images/administratorcompactprompt.png" alt-text="This is a administrator compact prompt"::: + +This subcommand requires `on` or `off` argument. Read-Only Media mode can be enabled only when UWF is currently disabled. The mode can be disabled, if UWF is currently enabled, but after `off` command is issued there is no way to re-enable Read-Only Media mode until the next reboot. Also, UWF can be enabled/disabled while in Read-Only Media mode, but such *state change* results in files and/or metadata to be changed on physical device protected by UWF. + +> [!NOTE] +> +>- After enabling Read-Only Media mode, all writes will be filtered out as earlier as next reboot, so anything that is written until then may cause changes on the physical device. +>- All existing exclusions are ignored (nonfunctional) and no file/registry commits are possible in Read Only Media mode. See Full Volume Commit in this document). +>- Enabling Read Only Media mode is only possible when UWF is configured to use RAM overlay. + +:::image type="content" source="images/overlaysettings.png" alt-text="This is a overlay settings"::: + +UWF CSP provider was updated by allowing setting new bit (0x4) in CFG_DATATYPE_INTEGER UnifiedWriteFilter\NextSession\OverlayFlags property. + +After the implementation of Read-Only Media mode we were able to make HORM mode transitions significantly more consistent, safe, and reliable. To enable HORM mode, UWF must be configured and booted into Read Only Media mode, which eliminates the need for user to care about exclusions and situation where HORM enablement is not possible by other reasons. + +### Full Volume Commit in Read-Only Media mode + +After introduction of Read-Only Media mode, we were able to implement ability to commit entire state of the UWF protected volumes to the physical disk at once, which was architecturally impossible before in presence of active file/registry exclusions. + +The new subcommand `commit` was introduced under `uwfmgr.exe overlay` to allow the user to commit all accumulated changes since, previous boot and all following changes until next reboot to the underlying physical device. After successful `full volume commit` and until the next reboot OS behaves like being totally unprotected. Protection is restored on the next reboot. + +:::image type="content" source="images/administratorprompt.png" alt-text="This is a administrator prompt"::: + +> [!NOTE] +> +>- UWF must be enabled and configured in Read-Only Media mode +>- UWF must not be in HORM mode: +> HORM mode cannot be enabled after Full Volume Commit and before the next reboot. +> +>- UWF can be disabled after Full Volume Commit + +UWF CSP provider was updated by adding read/write CFG_DATATYPE_BOOLEAN `UnifiedWriteFilter\CurrentSession\OverlayCommit` property, which indicates if Full Overlay Commit was issued after the last boot. Setting that property from zero (FALSE) to non-zero value (TRUE) causes immediate Full Volume Commit to be performed. Setting this property to zero (FALSE) if its current value is non-zero (TRUE) is not allowed. + +Customer can easily determine `Full Volume Commit` state by checking current configuration (for example, uwfmgr get-config): + +:::image type="content" source="images/fullvolumecommit.png" alt-text="This is a full volume commit"::: diff --git a/windows/configuration/unified-write-filter/uwf-wmi-provider-reference.md b/windows/configuration/unified-write-filter/uwf-wmi-provider-reference.md new file mode 100644 index 00000000000..81c39bca3ec --- /dev/null +++ b/windows/configuration/unified-write-filter/uwf-wmi-provider-reference.md @@ -0,0 +1,43 @@ +--- +title: Unified Write Filter WMI provider reference +description: Unified Write Filter WMI provider reference +ms.date: 05/20/2024 +ms.topic: reference +--- + +# Unified Write Filter WMI provider reference + +To help protect physical storage media, you can use the WMI providers for Unified Write Filter (UWF) to configure UWF. + +This section describes the WMI provider classes for UWF. + +## In this section + +| Classes | Description | +|---------|-------------| +| [UWF_ExcludedFile](uwf-excludedfile.md) | A container class that contains the files and folders that are currently in the file exclusion list for a volume protected by UWF.| +| [UWF_ExcludedRegistryKey](uwf-excludedregistrykey.md) | A container class that contains the registry keys that are currently in the registry key exclusion list for UWF. | +| [UWF_Filter](uwf-filter.md) | Enables or disables Unified Write Filter (UWF), resets configuration settings for UWF, and shuts down or restarts your device. | +| [UWF_Overlay](uwf-overlay.md) | Contains the current size of the UWF overlay and manages the critical and warning thresholds for the overlay size. | +| [UWF_OverlayConfig](uwf-overlayconfig.md) | Manages the configuration of the UWF overlay. | +| [UWF_OverlayFile](uwf-overlayfile.md) | Displays and configures global settings for the UWF overlay. You can modify the maximum size and the type of the UWF overlay. | +| [UWF_RegistryFilter](uwf-registryfilter.md) | Adds or removes registry exclusions from UWF filtering. | +| [UWF_Servicing](uwf-servicing.md) | Contains properties and methods that enable you to query and control UWF servicing mode. | +| [UWF_Volume](uwf-volume.md) | Manages a volume protected by UWF. | + +> [!NOTE] +> We recommend setting the authentication level to PacketIntegrity or PacketPrivacy for remote clients when you connect to WMI providers under root\\standardcimv2\\embedded when using WMI scripts or applications. For more information about how to use authentication with WMI providers, see this [WMI Enhancements in Windows PowerShell 2.0 CTP](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730973(v=technet.10)) on TechNet. + +## Requirements + +| Windows Edition | Supported | +|:-----------------------|:---------:| +| Windows Home | No | +| Windows Pro | No | +| Windows Enterprise | Yes | +| Windows Education | Yes | +| Windows IoT Enterprise | Yes | + +## Related articles + +- [uwfmgr.exe](uwfmgrexe.md) diff --git a/windows/configuration/unified-write-filter/uwfexclusions.md b/windows/configuration/unified-write-filter/uwfexclusions.md new file mode 100644 index 00000000000..a2e371583f4 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwfexclusions.md @@ -0,0 +1,189 @@ +--- +title: Common write filter exclusions +description: Common write filter exclusions +ms.date: 08/11/2023 +ms.topic: reference +--- + +# Write filter exclusions + +You can add specific files or folders on a protected volume to a file exclusion list. When a file or folder is in the exclusion list all writes to that file or folder persists through a device restart. + +You must use an administrator account to add or remove file or folder exclusions during run time, and you must restart the device for new exclusions to take effect. + +> [!IMPORTANT] +> Adding files and folders to exclusions will not reduce overlay consumption. Exclusions are intended to allow small amounts of data and configuration to persist after the device restarts. +> +> Don't add exclusions for the following: +> +> - \Windows\System32\config\DEFAULT +> - \Windows\System32\config\SAM +> - \Windows\System32\config\SECURITY +> - \Windows\System32\config\SOFTWARE +> - \Windows\System32\config\SYSTEM +> - \Users\\NTUSER.DAT +> - \Windows\BOOTSTAT.DAT +> - %System Drive%\EFI\Microsoft\Boot\BOOTSTAT.DAT +> - %System Drive%\Boot\BOOTSTAT.DAT +> +> Also, don't add exclusions for the following: +> +> - The volume root. For example, C: or D:. +> - The `\Windows` folder on the system volume. +> - The `\Windows\System32` folder on the system volume. +> - The `\Windows\System32\Drivers` folder on the system volume. +> - Paging files. +> +> Adding an exclusion for any of these items is unsupported and may lead to unpredictable results. +> It's OK to exclude subdirectories and files under these locations. +> +> Folders need to exist prior to adding them to the exclusion list. +> + +You can't rename or move a file or folder from a protected location to an unprotected location, or vice versa. An error occurs if you attempt to delete a file folder in the exclusion list on a write filter protected volume. In this case, Windows attempts to move the file or folder to the Recycle Bin. The Recycle Bin isn't in the exclusion list. You can't move files that are in the exclusion list to a location that is write filter protected. + +You can work around this error using one of the following options: + +- Disable the Recycle Bin +- User can press Ctrl+Shift and then left-click on the file to directly delete the excluded file to bypass the Recycle Bin. +- User can delete the excluded file directly from a command prompt. + +You must restart the device for new exclusions to take effect. + +## Virtual Hard Disk (VHD) file exclusions + +When you deploy a Windows image with UWF on a VHD boot disk, you can protect the volume that contains the VHD file by adding a file exclusion for the VHD file before enabling UWF and protecting the volume. + +To add a file exclusion for the VHD file at an administrator command prompt: + +```cmd +uwfmgr.exe file add-exclusion :\\.vhd +``` + +For example: + +```cmd +uwfmgr.exe file add-exclusion E:\VHD\test.vhd +``` + +## Registry exclusions + +You can add specific registry keys to an exclusion list to exclude those keys from UWF protection. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts. + +You must use an administrator account to add or remove registry exclusions during run time, and you must restart the device for new exclusions to take effect. + +If you exclude a registry key, all its subkeys are also excluded from filtering. You can exclude registry subkeys only under the following registry keys: + +- `HKEY\LOCAL\MACHINE\BCD00000000` +- `HKEY\LOCAL\MACHINE\SYSTEM` +- `HKEY\LOCAL\MACHINE\SOFTWARE` +- `HKEY\LOCAL\MACHINE\SAM` +- `HKEY\LOCAL\MACHINE\SECURITY` +- `HKEY\LOCAL\MACHINE\COMPONENTS` + +> [!IMPORTANT] +> Don't add exclusions for the following: +> +> - `HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC` + +> [!NOTE] +> UWF automatically excludes certain registry keys from being filtered. These registry keys are primarily related to UWF configuration settings and cannot be removed from the exclusion list. + +For more information about common registry exclusions, see [Common write filter exclusions](uwfexclusions.md). + +## Common write-filter exclusions + +Some services and features write information to a device’s persistent volume, and expect that information to be present across device restarts. You may need to configure your write filter to allow for specific file and registry exclusions in order for these services and features to work correctly. + +This article lists registry and file exclusions that can help enable some common services and features to work correctly when write filters are enabled. + +If you're running any antivirus or security software in addition to UWF, consult with your antivirus vendor for advice on how to configure their solution in a UWF environment. You may need to add a UWF exclusion for the signature or update folder. + +### Customer Experience Improvement Program (CEIP) + +When you choose to participate in the CEIP, your computer or device automatically sends information to Microsoft about how you use certain products. Information from your computer or device is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. + +CEIP data is stored in files that have a `.sqm` file name extension. To make sure that the CEIP data in the `.sqm` files is available on a device that has write filters enabled, you can add file and folder exclusions for the `.sqm` files and folders. + +To locate the `.sqm` files and folders on your device, search for `.sqm` files by using File Explorer. Alternately, at a command prompt with administrator rights at the root of the drive, type the following command to obtain a list of `.sqm` files on the device: + +```powershell +dir *.sqm /s +``` + +Add file and folder exclusions as required for any `.sqm` files located on your device. + +Add registry exclusions for the following registry keys: + +- `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable` +- `HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\CEIPEnable` +- `HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\UploadDisableFlag` + +### Background Intelligent Transfer Service (BITS) + +Background Intelligent Transfer Service (BITS) downloads or uploads files between a client and server and provides progress information related to the transfers. + +Add file exclusions for the following folders and files: + +- `%ALLUSERSPROFILE%*\Microsoft\Network\Downloader` + +Add registry exclusions for the following registry keys: + +- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex` + +### Windows Explorer + +If you attempt to delete an excluded file or folder on a protected volume using Windows Explorer, you experience an error. In this case, Windows attempt to move the file or folder to the Recycle Bin, which isn't in the exclusion list. The write filter doesn't support moving a file or folder in the exclusion list to a location that is write filter protected. + +You can work around this error using one of the following options: + +- Disable the Recycle Bin +- User can press Ctrl+Shift and then left-click on the file to directly delete the excluded file to bypass the Recycle Bin. +- User can delete the excluded file directly from a command prompt. + +### Networks + +When you use write filters on your device, you can add file and registry exclusions to enable your device to join wired and wireless networks. The following file and registry exclusions may be required on your device. + +Client Group Policy Object (GPO) registry keys: + +- Wireless: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy` +- Wired: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy` + +GPO policy files: + +- Wireless: `C:\Windows\wlansvc\Policies` +- Wired: `C:\Windows\dot2svc\Policies` + +Interface profile registry keys: + +- Wireless: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc` +- Wired: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc` + +Interface policy file: + +- Wireless: `C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces\{***<Interface GUID>***}\{***<Profile GUID>***}.xml` +- Wired: `C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces\{***<Interface GUID>***}\{***<Profile GUID>***}.xml` + +Services registry keys: + +- Wireless: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc` +- Wireless: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc` +- Wired: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc` + +> [!IMPORTANT] +> Folders need to exist prior to adding them to the exclusion list. +> + +### Daylight saving time (DST) + +You can add the following registry exclusions to persist daylight saving time (DST) settings on your device. + +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones` +- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation` + +## Related articles + +- [Unified Write Filter]( index.md) +- [Service UWF-protected devices](service-uwf-protected-devices.md) +- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) diff --git a/windows/configuration/unified-write-filter/uwfmgrexe.md b/windows/configuration/unified-write-filter/uwfmgrexe.md new file mode 100644 index 00000000000..81f17dbbf73 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwfmgrexe.md @@ -0,0 +1,214 @@ +--- +title: uwfmgr.exe +description: uwfmgr.exe +ms.date: 10/02/2018 +ms.topic: reference +--- + +# uwfmgr.exe + +The UWFMgr tool can be used at the command-line or in PowerShell to configure and retrieve settings for [Unified Write Filter (UWF)]( index.md). + +> [!IMPORTANT] +> Users with standard accounts can use commands that retrieve information, but only users who have administrator accounts can use commands that change the configuration settings. + +## Syntax + +```powershell +uwfmgr.exe + Help | ? + Get-Config + Filter + Help | ? + Enable + Disable + Reset-Settings + Shutdown + Restart + Volume + Help | ? + Get-Config { | all} + Protect { | all} + Unprotect + File + Help | ? + Get-Exclusions { | all} + Add-Exclusion + Remove-Exclusion + Commit + Commit-Delete + Registry + Help | ? + Get-Exclusions + Add-Exclusion + Remove-Exclusion + Commit [] + Commit-Delete [] + Overlay + Help | ? + Get-Config + Get-AvailableSpace + Get-Consumption + Set-Size + Set-Type {RAM | DISK} + Set-WarningThreshold + Set-CriticalThreshold + Set-Passthrough + Set-Persistent + Reset-PersistentState + Servicing + Enable + Disable + Update-Windows + Get-Config + Help +``` + +## Location + +**Uwfmgr** can be found under the %WINDIR%\\System32\\ folder. + +## Command-line options and parameters + +The following list describes the options and sub-options that are available to use in **uwfmgr.exe**, and it lists the corresponding WMI class or method for each command-line option and sub-option (if available). + +- **Help | ?** + - Displays command-line help for basic parameters for **uwfmgr.exe**. +- **Get-Config** + - Displays UWF configuration settings for the current and next session. +- **Filter** + - Configures basic UWF settings. + - [UWF_Filter](uwf-filter.md) + - *Enable* + - Enables UWF protection for the next session after a system restart. + - [UWF_Filter.Enable](uwf-filterenable.md) + - *Disable* + - Disables UWF protection for the next session after a system restart. + - [UWF_Filter.Disable](uwf-filterdisable.md) + - *Reset-Settings* + - Restores UWF settings to the original state.
If you added UWF to your image by using **Turn Windows features on or off** or by using DISM, the original state is the state of UWF settings when UWF was first enabled.
If you added UWF to your image by using SMI settings in an unattend file, the original state is the state of UWF settings when Windows was installed on the device. **Starting in Windows 10, this command is no longer supported.** + - [UWF_Filter.ResetSettings](uwf-filterresetsettings.md) + - *Shutdown* + - Shuts down the device immediately, even if the overlay is full or near full. Administrator-level permissions are required to use this command. + - [UWF_Filter.ShutdownSystem](uwf-filtershutdownsystem.md) + - *Restart* + - Shuts down the device immediately and restarts, even if the overlay is full or near full. Administrator-level permissions are required to use this command. + - [UWF_Filter.RestartSystem](uwf-filterrestartsystem.md) +- **Volume** + - Configures settings for volumes protected by UWF. If the *<volume>* argument is needed, you can specify a drive letter (for example, `uwfmgr.exe volume protect C:`), or else you can specify all volumes (for example, `uwfmgr.exe volume get-config all`). + - [UWF_Volume](uwf-volume.md) + - *Help | ?* + - Displays command-line help for the `uwfmgr.exe volume` command. + - *Get-Config* {*<volume>* | all} + - Displays configuration settings and file exclusions for the specified volume, or all volumes if **all** is specified. Displays information for both the current and the next session. + - [UWF_Volume](uwf-volume.md) + - *Protect* {*<volume>* | all} + - Adds the specified volume to the list of volumes that are protected by UWF. UWF starts protecting the volume after the next system restart if UWF filtering is enabled. + - [UWF_Volume.Protect](uwf-volumeprotect.md) + - *Unprotect* *<volume>* + - Removes the specified volume from the list of volumes that are protected by UWF. UWF stops protecting the volume after the next system restart. + - [UWF_Volume.Unprotect](uwf-volumeunprotect.md) +- **File** + - Configures file exclusion settings for UWF. If you use the *<file>* argument, it must be fully qualified, including the volume and path. **uwfmgr.exe** uses the volume specified in the *<file>* argument to determine which volume contains the file exclusion list for the file. + - [UWF_Volume](uwf-volume.md) + - *Help | ?* + - Displays command-line help for the `uwfmgr.exe file` command. + - *Get-Exclusions* {*<volume>* | all} + - Displays all files and directories in the exclusion list for the specified volume (for example, `uwfmgr.exe file Get-Exclusions C:`), or all volumes if **all** is specified. Displays information for both the current and the next session. + - [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md) + - *Add-Exclusion* *<file>* + - Adds the specified file to the file exclusion list of the volume protected by UWF. UWF starts excluding the file from filtering after the next system restart. + - [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) + - *Remove-Exclusion* *<file>* + - Removes the specified file from the file exclusion list of the volume protected by UWF. UWF stops excluding the file from filtering after the next system restart. + - [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) + - *Commit* *<file>* + - Commits changes to a specified file to overlay for a UWF-protected volume. Administrator-level permissions are required to use this command. + - [UWF_Volume.CommitFile](uwf-volumecommitfile.md) + - *Commit-Delete* *<file>* + - Deletes the specified file from both the overlay and the physical volume. Administrator-level permissions are required to use this command. + - [UWF_Volume.CommitFileDeletion](uwf-volumecommitfiledeletion.md) +- **Registry** + - Configures registry key exclusion settings for UWF. + - [UWF_RegistryFilter](uwf-registryfilter.md) + - *Help | ?* + - Displays command-line help for the `uwfmgr.exe registry` command. + - *Get-Exclusions* + - Displays all registry keys in the registry exclusion list. Displays information for both the current and the next session. + - [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) + - *Add-Exclusion<key>* + - Adds the specified registry key to the registry exclusion list for UWF. UWF starts excluding the registry key from filtering after the next system restart. + - [UWF_RegistryFilter.AddExclusion](uwf-registryfilteraddexclusion.md) + - *Remove-Exclusion* *<key>* + - Removes the specified registry key from the registry exclusion list for UWF. UWF stops excluding the registry key from filtering after the next system restart. + - [UWF_RegistryFilter.RemoveExclusion](uwf-registryfilterremoveexclusion.md) + - *Commit* *<key> <value>* + - Commits changes to the specified key and value. Administrator-level permissions are required to use this command. + - [UWF_RegistryFilter.CommitRegistry](uwf-registryfiltercommitregistry.md) + - *Commit-Delete* *<key> \[<value>\]* + - Deletes the specified registry key and value and commits the deletion. Deletes all values and subkeys if the value is empty, and commits the deletion. Administrator-level permissions are required to use this command. + - [UWF_RegistryFilter.CommitRegistryDeletion](uwf-registryfiltercommitregistrydeletion.md) +- **Overlay** + - Configures settings for the UWF overlay. + - [UWF_Overlay](uwf-overlay.md) and [UWF_OverlayConfig](uwf-overlayconfig.md) + - *Help | ?* + - Displays command-line help for the `uwfmgr.exe overlay` command. + - *Get-Config* + - Displays configuration settings for the UWF overlay. Displays information for both the current and the next session. + - [UWF_Overlay](uwf-overlay.md) and [UWF_OverlayConfig](uwf-overlayconfig.md) + - *Get-AvailableSpace* + - Displays the amount of space remaining that is available for the UWF overlay. + - [UWF_Overlay](uwf-overlay.md) + - *Get-Consumption* + - Displays the amount of space currently used by the UWF overlay. + - [UWF_Overlay](uwf-overlay.md) + - *Set-Size* *<size>* + - Sets the maximum size of the UWF overlay, in megabytes, for the next session after a system restart. + - [UWF_OverlayConfig.SetMaximumSize](uwf-overlayconfigsetmaximumsize.md) + - *Set-Type* {*RAM | DISK*} + - Sets the type of the overlay storage to RAM-based or disk-based. UWF must be disabled in the current session to set the overlay type to disk-based. + - [UWF_OverlayConfig.SetType](uwf-overlayconfigsettype.md) + - *Set-WarningThreshold* *<size>* + - Sets the overlay size, in megabytes, at which the driver issues warning notifications for the current session. + - [UWF_Overlay.SetWarningThreshold](uwf-overlaysetwarningthreshold.md) + - *Set-CriticalThreshold* *<size>* + - Sets the overlay size, in megabytes, at which the driver issues critical notifications for the current session. + - [UWF_Overlay.SetCriticalThreshold](uwf-overlaysetcriticalthreshold.md) + - *Set-Passthrough* ** + - Turns the [free space passthrough](uwfoverlay.md#freespace-passthrough-recommended) on or off, allowing UWF to use free space outside of the reserved space when available. + - *Set-Persistent* ** + - Sets the overlay as a [persistent overlay](uwfoverlay.md#persistent-overlay), allowing users to keep using their data after a reboot. + - *Reset-PersistentState* ** + - Clears a persistent overlay on the next boot (on/off). + +- **Servicing** + - Configures settings for UWF servicing mode. + - [UWF_Servicing](uwf-servicing.md) + - *Enable* + - Enables servicing mode in the next session after a restart. Administrator-level permissions are required to use this command. + - [UWF_Servicing.Enable](uwf-servicingenable.md) + - *Disable* + - Disables UWF servicing mode in the next session after a restart. Administrator-level permissions are required to use this command. + - [UWF_Servicing.Disable](uwf-servicingdisable.md) + - *Update-Windows* + - Stand-alone command to apply Windows updates to a device. Called by the master servicing script that is called by the `uwfmgr.exe servicing enable` command. We recommend that you use the `uwfmgr.exe servicing enable` command to service your UWF–protected device whenever possible. Administrator-level permissions are required to use this command. + - [UWF_Servicing.UpdateWindows](uwf-servicingupdatewindows.md) + - *Get-Config* + - Displays UWF servicing mode information for the current session and the next session. + - [UWF_Servicing](uwf-servicing.md) + - *Help* + - Displays command-line help for the `uwfmgr.exe servicing` command. + +## Unsupported WMI methods + +The following list contains the UWF WMI provider methods that are not currently supported by the **uwfmgr.exe** tool: + +- [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) +- [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) +- [UWF_Volume.FindExclusion](uwf-volumefindexclusion.md) +- [UWF_Volume.RemoveAllExclusions](uwf-volumeremoveallexclusions.md) +- [UWF_Volume.SetBindByDriveLetter](uwf-volumesetbindbydriveletter.md) + +## Related articles + +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwfoverlay.md b/windows/configuration/unified-write-filter/uwfoverlay.md new file mode 100644 index 00000000000..01c2c8cb3b5 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwfoverlay.md @@ -0,0 +1,133 @@ +--- +title: Overlay for Unified Write Filter (UWF) +description: Overlay for Unified Write Filter (UWF) +ms.date: 10/02/2018 +ms.topic: reference +--- + +# Unified Write Filter (UWF) overlay location and size + +The Unified Write Filter (UWF) protects the contents of a volume by intercepting write attempts to a protected volume and redirects those write attempts to a virtual overlay. + +You can choose where the overlay is stored (RAM or disk), how much space is reserved, and what happens when the overlay fills up. + +To increase uptime, set up monitoring to check if your overlay is filling up. At certain levels, your device can warn users and/or reboot the device. + +## RAM overlay vs. disk overlay + +- **RAM overlay (default)**: The virtual overlay is stored in RAM, and is cleared after a reboot. + + - By writing to RAM, you can reduce the wear on write-sensitive media like solid-state drives. + - RAM is often more limited than drive space. As the drive overlay fills up the available RAM, device performance could be reduced, and users will eventually be prompted to reboot the device. If your users are expected to make many large writes to the overlay, consider using a disk overlay instead. + +- **Disk overlay**: The virtual overlay is stored in a temporary location on the drive. By default, the overlay is cleared on reboot. + + - You can use [freespace passthrough](#freespace-passthrough-recommended) to use additional free space on the drive beyond the reserved virtual overlay space. + - On Windows 10, version 1803, you can use [persistent overlay](#persistent-overlay) to allow users to save work in the virtual overlay even after a reboot. + +## Overlay size + +- Default=1024MB. Set with: + - [CMD](uwfmgrexe.md): `uwfmgr overlay set-size` + - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/MaximumOverlaySize` + - [WMI](uwf-overlayconfigsetmaximumsize.md): `UWF\Overlay.SetMaximumSize` + +When planning device rollouts, we recommend optimizing the overlay size to fit your needs. + +For RAM overlays, you'll need to budget some RAM for the system. For example, if the OS requires 2 GB of RAM, and your device has 4 GB of RAM, set the maximum size of the overlay to 2048MB (2 GB) or less. + +We recommend enabling UWF on a test device, installing the necessary apps, and putting the device through usage simulations. You can use this Powershell script to find out which files are consuming space: + +```powershell +$wmiobject = get-wmiobject -Namespace "root\standardcimv2\embedded" -Class UWF_Overlay +$files = $wmiobject.GetOverlayFiles("c:") +$files.OverlayFiles | select-object -Property FileName,FileSize | export-csv -Path D:\output.csv +``` + +The amount of overlay used will depend on: + +- Device usage patterns. +- Apps that can be accessed. (Some apps have high write volumes and will fill up the overlay faster.) +- Time between resets. +- When files are deleted, UWF removes them from the overlay and returns the freed resources to the available pool. + +### Warnings and critical events + +As the drive overlay fills up the available space, you can warn your users that they're running out of space, and prompt them to reboot the device or to run a script to clear the overlay. + +1. Set warning levels and critical levels (optional). When the overlay is filled to this value, UWF writes an Event Tracing for Windows (ETW) message. + + - **Warning level**: Default=512MB. Set with: + - [CMD](uwfmgrexe.md): `uwfmgr overlay set-warningthreshold` + - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/WarningOverlayThreshold` + - [WMI](uwf-overlaysetwarningthreshold.md): `UWF_Overlay.SetWarningThreshold` + - **Critical level**: Default=1024MB. Set with: + - [CMD](uwfmgrexe.md): `uwfmgr overlay set-criticalthreshold` + - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/CriticalOverlayThreshold` + - [WMI](uwf-overlaysetcriticalthreshold.md): `UWF_Overlay.SetCriticalThreshold` + + Note, these settings will take affect after the next reboot. + +1. Use Task Scheduler to detect the ETW message and to warn users to wrap up their work on the device so they do not lose their content before the overlay is cleared. You can also provide a link to script to clear the contents of the overlay. + + Create tasks that trigger on the event that the **System** log receives an event ID from **uwfvol**: + + | Overlay usage | Source | Level | Event ID | + |---------------------|---------|-------------|----------| + | Warning threshold | uwfvol | Warning | 1 | + | Critical threshold | uwfvol | Error | 2 | + | Back to normal | uwfvol | Information | 3 | + +1. Reboot the device. + +### Freespace passthrough (recommended) + +On devices with a disk overlay, you can use freespace passthrough to access your drive's additional free space. + +You'll still need to reserve some space on the disk for the overlay. This space is used to manage the overlay, and to store overwrites, such as system updates. All other writes are sent to free space on disk. Over time, the reserved overlay will grow slower and slower, because overwrites will just keep replacing one another. + +On devices with a RAM overlay, you can also use freespace passthrough to access your drive's additional free space to reduce overlay usage. +However, freespace passthrough is not recommended for use with a RAM overlay because it does not reduce wear on write-sensitive media like solid-state drives. + +- [CMD](uwfmgrexe.md): uwfmgr overlay set-passthrough (on|off) + +### Persistent overlay + +> [!NOTE] +> This mode is experimental, and we recommend thoroughly testing it before deploying to multiple devices. This option is not used by default. + +On devices with a disk overlay, you can choose to keep working using the overlay data, even after a reboot. This can be helpful in situations where your guest users may need to access for longer periods, and may need to power off the device between uses. + +This option gives your IT department more control over when the overlay is reset. You can also provide your users with scripts that will help them reset the overlay on demand. + +To turn persistent overlay on or off: + +- [CMD](uwfmgrexe.md): uwfmgr overlay set-persistent (on|off) + +To reset the overlay: + +- [CMD](uwfmgrexe.md): `uwfmgr overlay reset-persistentstate on` + +### Overlay exhaustion + +If the size of the overlay is close to or equal to the maximum overlay size, any write attempts will fail, returning an error indicating that there is not enough space to complete the operation. If the overlay on your device reaches this state, your device may become unresponsive and sluggish, and you may need to restart your device. + +When Windows shuts down, it attempts to write a number of files to the disk. If the overlay is full, these write attempts fail, causing Windows to attempt to rewrite the files repeatedly until UWF can determine that the device is trying to shut down and resolve the issue. Attempting to shut down by using normal methods when the overlay is full or near to full can result in the device taking a long time, in some cases up to an hour or longer, to shut down. + +You can often avoid this issue by using UWF to automatically initiate the shut down or restart: + +- **Shut down**: + - [CMD](uwfmgrexe.md): `uwfmgr shutdown` + - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `ShutdownSystem` + - [WMI](uwf-filtershutdownsystem.md): `UWF\Filter.ShutdownSystem` + +- **Restart**: + - [CMD](uwfmgrexe.md): `uwfmgr restart` + - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `RestartSystem` + - [WMI](uwf-filterrestartsystem.md): `UWF\Filter.RestartSystem` + +Windows 10 19H1 and later will automatically restart if the maximum size of the overlay is exceeded. + +## Related articles + +- [Unified Write Filter]( index.md) diff --git a/windows/configuration/unified-write-filter/uwftroubleshooting.md b/windows/configuration/unified-write-filter/uwftroubleshooting.md new file mode 100644 index 00000000000..b2b14654448 --- /dev/null +++ b/windows/configuration/unified-write-filter/uwftroubleshooting.md @@ -0,0 +1,33 @@ +--- +title: Troubleshooting Unified Write Filter (UWF) +description: Troubleshooting Unified Write Filter (UWF) +ms.date: 05/02/2017 +ms.topic: reference +--- + +# Troubleshooting Unified Write Filter (UWF) + +Review the log files and error message information locations for Unified Write Filter (UWF) on your Windows 10 Enterprise device. + +If you are having difficulties configuring Unified Write Filter (UWF) on your device, see the following information about how to find event log and error message information for troubleshooting problems with UWF. + +## Event logs + +UWF uses Windows Event Log to log events, errors and messages. + +* Events related to overlay consumption are sent by UWF kernel mode components and are logged in the **Windows Logs\\System** event log. +* Event related to configuration changes and servicing logs are sent by UWF user mode components: + * Error messages are logged in the **Applications and Services Logs\\Microsoft\\Windows\\UnifiedWriteFilter\\Admin** event log. + * Informational messages are logged in the **Applications and Services Logs\\Microsoft\\Windows\\UnifiedWriteFilter\\Operational** event log. + +## Related articles + +[Unified Write Filter]( index.md) + +[Common write filter exclusions](uwfexclusions.md) + +[Service UWF-protected devices](service-uwf-protected-devices.md) + +[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md) + +[uwfmgr.exe](uwfmgrexe.md) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 9a2ac25742f..26e30724a94 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml @@ -47,7 +47,7 @@ sections: The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching. - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). + When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/how-it-works#biometric-data-storage) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md index 2e2dc3b4579..2bf77557b9e 100644 --- a/windows/security/licensing-and-edition-requirements.md +++ b/windows/security/licensing-and-edition-requirements.md @@ -1,7 +1,7 @@ --- title: Windows Security Features Licensing And Edition Requirements description: Learn about Windows licensing and edition requirements for the features included in Windows. -ms.topic: conceptual +ms.topic: reference ms.date: 12/02/2024 appliesto: - ✅ Windows 11