Windows 10 Unified Write Filter

Windows 10 comes with a new feature called Unified Write Filter. This puts a write filter in place that writes all changes to the operating system to an area that gets wiped at every reboot. With every reboot, you will have a pristine Windows environment.

Windows 10 UWF is only included in the Enterprise and Education SKUs.

Enabling UWF

First, you have to enable the UWF feature by going to Control Panel > Programs and Features > Turn Windows Features On or Off and selecting Unified Write Filter under the Device Lockdown node.

After you have enabled the feature, configuration is done via PowerShell or by using uwfmgr.exe. To turn on the filter, run this command, then restart your computer:

uwfmgr.exe filter enable

To protect the volume, run this command after the restart:

uwfmgr.exe volume protect c:

Now the filter is enabled and protecting your C: drive. You can run “uwfmgr.exe get-config” to see the details. At the bottom, you should see the volume details.


You can set file or folder exclusions using UWF. These are locations, individual files, or registry keys that you want to allow to change. There are several folders and registry keys that you cannot exclude (see this Microsoft post for a full list).

To exclude a file or folder, run this command:

Uwfmgr.exe file add-exclusion <path to folder or file>

Ex: uwfmgr.exe file add-exclusion “c:\new folder”

To exclude a registry key, run this command:

Uwfmgr.exe registry add-exclusion <path to registry key>

Ex: uwfmgr.exe registry add-exclusion “HKLM\Software\newkey”

You again are required to restart the computer for the changes to take affect.


Servicing includes installing Windows updates, virus definitions, etc. to a device. Fortunately, this part is easy and well documented. To service the machine, run this command:

uwfmgr.exe servicing enable

The machine restarts into a local account called UWF-Servicing and run all pending updates. After they’re complete, the machine will automatically restart back into normal mode with UWF enabled.

You can enable a standard servicing schedule by using a scheduled task to run this command.


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.