StateLocker: Configuring the Unified Write Filter from within ConfigMgr

Locking down devices can be a difficult task.  Even when we take administrator permissions away, our users still find ways to defeat our best intentions. When we restrict things too much, we run the risk of making the device unusable.  One way we could prevent configuration drift is by reverting the device to a known-good state at every reboot.  There are many solutions that take this approach, but often times they fall short with ConfigMgr managed devices.  When combining ConfigMgr with state reset software, administrators need to take extra precautions to ensure their devices are patched, have the latest malware definitions, and maintain healthy ConfigMgr clients.  Often ConfigMgr administrators are forced to schedule unlock intervals to allow their workstations to receive these updates.

Challenges faced by ConfigMgr Admins:

ConfigMgr is not designed to support technologies that revert devices to a specific snapshot, which forces administrators to specify exceptions manually.  Even if the correct exceptions are specified, the client is still not aware that it’s in a locked state, so admins need to make sure the clients don’t take unwanted actions (like updates or software installations) before the device is unlocked.  If the ConfigMgr client acts on data while locked, all changes it makes are wiped out on the next reboot and it will be forced to try them again.  This becomes especially problematic if the ConfigMgr is trying to install something that requires a reboot, such as Windows updates.

A Solution to work with ConfigMgr

With StateLocker, your devices can be locked down by utilizing the Unified Write Filter (UWF), which is fully supported in ConfigMgr.  The Unified Write Filter provides an overlay on your device that changes are written to.  When the device reboots, the changes made to the overlay are wiped out reverting it back into a known good state.  Because ConfigMgr has full UWF support, your devices will avoid unproductive software installations or reboots while the device is in a locked state.

UWF-Image

By controlling your write filters with StateLocker, the relevant ConfigMgr, antivirus, and Windows exceptions are added for you to ensure your devices are configured optimally.  StateLocker goes a step further with ConfigMgr integration by adding console extensions to the device and device collection menus, allowing you to quickly lock, unlock, add new exceptions, or schedule when to lock and unlock devices.  StateLocker utilizes the same technology as in the Recast Lab Manager tools.  When a StateLocker policy is applied to a machine, an executable is started on the remote device that loads the policy from disk and applies it.  This policy is reapplied at every reboot to ensure your devices remain in the desired state.  The ability to quickly roll back to a known good state will save you time when locking down your labs.