Manage Windows Embedded 8 devices with System Center 2012 Configuration Manager



June 2013

Describes how to use System Center Configuration Manager Service Pack 1 to manage the write filters of devices running Windows Embedded 8 Standard or Windows Embedded 8 Industry. This includes:

  • Types of write filters
  • Update challenges with write filters enabled
  • Configuration Manager write filter awareness for some filters
  • Task sequences for device management

You should be familiar with System Center 2012 Configuration Manager Service Pack 1 and Windows Embedded 8 Standard or Windows Embedded 8 Industry.

  • Windows Embedded 8 Standard
  • Windows Embedded 8 Industry
  • System Center 2012 Configuration Manager Service Pack 1

Microsoft System Center 2012 Configuration Manager helps you to empower people to use the devices and applications they need to be productive, while maintaining corporate compliance and control. It accomplishes this with a unified infrastructure that gives a single pane of glass to manage physical, virtual, and mobile clients. It also provides tools and improvements that make it easier for IT administrators to do their jobs.

With Configuration Manager 2012 Service Pack 1, devices running Windows Embedded 8 Standard or Industry can be managed like any other IT asset. However, when a write filter is enabled on the device, there are a few different issues to be aware of when managing the device..

First, let's take a brief look at what a write filter is and why it is used. A write filter intercepts writes to protected volumes, and redirects the writes to a different location called an overlay, which is discarded upon restart. By redirecting attempted writes to an overlay, write filters can make a write-protected volume appear to function as a writeable volume. This functionality enables building of stateless (or semi-stateless) devices, ensuring they are returned to the same known state on a restart for a predictable and reliable user experience. An additional benefit is the reduced wear on write-sensitive media such as compact USB flash devices.

Types of Write Filters

Enhanced Write Filter (EWF)

EWF intercepts writes to protected volumes at the sector level. Operating at the sector level means that EWF fully supports the NTFS file system. EWF does not allow file exclusions. You can enable registry exclusions by using Registry Filter. If a volume is protected by EWF, the entire volume is considered write-protected.

File-Based Write Filter (FBWF)

FBWF intercepts writes to protected volumes at the file level. This allows you to specify files or directories that are excluded from being filtered.

Unified Write Filter (UWF)

UWF operates at the sector level, intercepting all writes to a protected volume. However, you can specify that certain files, directories, or registry keys are excluded from being filtered. Excluded files and directories are tracked in a file exclusion list and excluded registry entries are tracked in a registry exclusion list. Writes to items in an exclusion list are written directly to the protected volume.

Registry Filter

The Registry Filter enables you to persist specific registry keys or values when a device is shut down.

The following diagram shows the functionality available in the different write filters:

Write filter summary
Write Filter Summary Diagram

As you can see, there are different types of write filters providing a variety of functionality. The benefits that come along with this, like ensuring the device starts into the same known state, come at a cost of adding complexity when managing and deploying your device. You must consider your management, update, and deployment scenarios when you consider using write filters in your devices, in addition to the requirements and restrictions of each write filter. When write filters are not enabled on Windows Embedded 8 Standard or Windows Embedded 8 Industry, then Configuration Manager 2012 SP1 can manage the device like any other IT asset, including a Windows 8 client or Windows Embedded 8 Professional.

Now that we know a little more about how write filters are used on devices running Windows Embedded 8, let's take a look at how to manage devices by using System Center Configuration Manager. Both Windows Embedded 8 Standard and Windows Embedded 8 Industry have dependencies for Configuration Manager built into the core operating system. Combined with the Configuration Manager client, device builders and administrators have access to the following capabilities:

  • Operating system deployment
  • Software update management
  • Application management
  • Settings/configuration management
  • Monitoring/reporting
  • System Center Endpoint Protection

For more information on these capabilities, see System Center 2012 Configuration Manager Capabilities.

The main challenge when managing devices that use write filters is that changes that are written to the overlay and not otherwise persisted will be lost upon restart. In most cases, that's why you use a write filter, but with some changes, such as software updates or virus signature updates, you really would like to keep those changes past the restart. By not persisting the changes, you could end up with anything from performance issues as the server tries to download the changes again to overall system instability. The key to managing write filtered devices is to plan for what you want to persist and how you want to persist it.

There are a couple of ways to persist changes on devices that use write filters. One is to disable the write filter, make the changes, and then re-enable the write filter. Another way is to use the exclusion capability that FBWF and UWF write filters have. Exclusions allow you to specify files, folders, or registry keys that you want to persist through the write filter. Too many exclusions would defeat the purpose of the write filter, but targeted exclusions can be very useful in helping to persist the changes you need.

Configuration Manager 2012 SP1 is "write filter aware" for EWF and FBWF. What that means is that Configuration Manager has the ability to turn off the write filter on a device before any updates are downloaded, apply the updates, and then turn the write filter back on again. This functionality applies only to a subset of the Configuration Manager features, summarized in the following table:

Windows Embedded 8 Standard with Write Filter Enabled

Windows Embedded 8 Standard with Write Filter Enabled
Windows Embedded 8 Standard with Write Filter

With write filter awareness, restarts and network traffic are minimized. For example, by using maintenance windows, Configuration Manager will only download updates during the maintenance window, while the write filter is off, rather than downloading them immediately into the overlay, then having to download them again after a restart. Note that write filter awareness applies to the Enhanced Write Filter (EWF) and File-Based Write Filter (FBWF). We will cover Unified Write Filter (UWF) in the next section.

The following figure is an example of the UI experience in Configuration Manager for a feature that is write filter aware. In this case, when deploying software using the Deploy Software Wizard in Configuration Manager, the user sees a section called Embedded Devices. There they have an option to persist the software update (that is, restart, disable the write filter, and apply the update). The update will be processed as soon as the policy is ready for evaluation on the client device.

Write filter aware example
Deploy Software Wizard with Embedded Devices

Configuration Manager 2012 SP1 has native support for the key embedded scenarios listed in the preceding table. No additional software or licensing is required to manage the device running Windows Embedded 8, which has all the dependencies for Configuration Manager included in the Embedded Core module, the minimum functionality required for a Standard 8 operating system.

The Configuration Manager client is not included in the Embedded Core module. It can be deployed using various methods, including being installed automatically to assigned resources, plus added to the image for Windows Embedded 8 Standard devices. See Introduction to Client Deployment in Configuration Manager: Deploying the Configuration Manager Client to Windows Embedded Devices for more information.

Configuration Manager 2012 SP1 supports write filter (FBWF and EWF) orchestration for Software Update Management, Application Management, Packages and Programs, and Task Sequences. System Center Endpoint Protection client installation and Endpoint Protection updates are also write filter aware.

Additional client improvements:

  • Standard users cannot log on while the device is being serviced.
  • Software Center blocks installation if write filters are enabled.
  • Users cannot change their business hours.
  • Users cannot postpone deployments to non-business hours.

Operating system deployment improvements:

  • "Apply operating system" from a distribution point instead of running locally.
  • New task sequence variable (SMSTSPostAction) that specifies a command line action to run after the task sequence completes.

"Write Filter Aware" System Center Endpoint Protection Use Case Example

System Center Endpoint Protection installs are write filter aware for FBWF and EWF. This means that when a System Center administrator pushes an System Center Endpoint Protection install to client devices that have write filters, he can tell System Center to persist that installation through the write filter. Selecting the following option will cause the target devices to disable the write filter, restart, install the System Center Endpoint Protection client, re-enable the write filter, and restart again when the administrator pushes the System Center Endpoint Protection client out to the devices.

Endpoint Protection Example

Configuration Manager 2012 SP1 does not natively support UWF. This doesn’t mean that a System Center administrator cannot manage devices that use UWF, but it does mean that a little more planning is required in order to correctly manage the persistence of changes to devices.Here’s a brief example of deploying software updates to illustrate the difference:

With FBWF:

  • The admin selects the updates to install.
  • The admin selects the option in Configuration Manager to force-persist the changes.
  • The admin selects the target devices and pushes the updates. Configuration Manager handles turning the write filters off/on and all associated restarts, in addition to applying the updates.

With UWF:

  • The admin creates a task sequence that will turn off the write filter, restart, and install the updates. The task sequence uses a combination of native task sequence functions (for restarting and installing updates) and the uwfmgr.exe tool.
  • The admin selects the task sequence and deploys it to the target devices.
  • The devices are updated.

The following table illustrates the approach to managing Configuration Manager capabilities on a UWF device. The good news is that you can use task sequences to handle any of the management functions yourself. For example, settings management in Configuration Manager is also not write filter aware. You could use a similar approach with task sequences to handle settings changes on write filter devices.

Configuration Manager capabilities and UWF

UWF ships with a command line utility known as uwfmgr.exe, which is a powerful tool for managing the configuration and state of the write filter. In the following exercise, we will show you how easy it is to use uwfmgr.exe and tasks sequences in Configuration Manager to apply software updates to your operating system.

UWF servicing mode makes it easy to apply software updates to your operating system. See Apply Windows Updates to UWF-Protected Devices (Standard 8) for details on how you would apply software updates to a stand-alone device.

To manage the process with Configuration Manager, all you need to do is include uwfmgr.exe in a task sequence and then deploy that task sequence to the devices you want to manage.

  1. In Configuration Manager, create a new, custom task sequence.

    Create a new task sequence.
  2. Name the task sequence something you can remember, like "UWF Software Updates." When it finishes, you'll see the following dialog box.

    Task Sequence Created

    Creating a task sequence simply creates an empty placeholder. Now you need to edit the task sequence to tell it what to do. In this case, it's really simple:

    • Turn on UWF servicing mode.
    • Restart the device.
  3. Find your new task sequence in the list, right-click your new task sequence, then click Edit. You will add the two tasks to the list now. Both tasks are "general" tasks: a command line task and a restart task.

    Edit the Task Sequences

    In the following screenshot, you can see the final product. We've added a command line task called "uwfmgr servicing" and in it you can see the command line syntax used to set the device up for servicing. Notice that you can specify the account under which to run the command, which should be the admin account on your device. There are a number of advanced options available for more sophisticated setup and control.

    Task Sequences Created

    Restart Computer is a standard task available within a task sequence. You don't need to write your own restart script or send another command line task. You just pick the Restart Computer task and add it to the task sequence, and your setup is complete.

  4. All you have to do now is deploy this task sequence to the target devices. The task sequence will turn on UWF servicing mode and restart the device, which will then be in servicing mode. The UWF servicing mode will handle the available updates and then it will do a final restart after that to turn off servicing mode and return the device to normal operations. All of that work is handled by the UWF servicing mode, so you don't need to include it in the task sequence.

Additionally, UWF can be configured outside of Configuration Manager with the Embedded Lockdown Manager (ELM) and the UWF servicing mode. This can be used for individual or a small number of embedded devices.

Embedded Lockdown Manager

ELM is a snap-in to the Microsoft Management Console (MMC). You can use ELM remotely to connect to one or many devices. ELM automatically detects which lockdown features are installed on the device and displays configuration options for those features. ELM uses Windows Management Instrumentation (WMI) to detect and change configuration settings. After modifying and testing settings on an embedded device, the new settings can be exported to a Windows PowerShell script.

Write filters provide key functionality for devices running Windows Embedded 8 Standard and Windows Embedded 8 Industry. Management of those write filter-enabled devices is not significantly more complex than managing other IT assets. Many Configuration Manager features are already write filter aware. Plan for persistence and use maintenance windows to optimize network utilization. Make deployments required instead of available. Use exclusions when you can to minimize restarts. Using the WMI provider, you can manage the rest of the embedded-specific features (for example, Keyboard Filter) via Configuration Manager as well. Windows Embedded will continue to work closely with the Configuration Manager team to provide even richer integration between the products in the future.

See Introduction to Client Deployment in Configuration Manager for more information on deploying the Configuration Manager Client to Windows-based computers.

See Using System Center Endpoint Protection 2012 SP1 on Windows Embedded Standard 7 and POSReady 7 with File Based Write Filters for more information on System Center Endpoint Protection exceptions.