Showing results for 
Show  only  | Search instead for 
Did you mean: 

Antivirus support for Thin Clients running Windows 10 Embedded OS in UWF mode

Hello Team,

We would like to know if McAfee VirusScan Enterprise supports Thin Clients running Windows 10 Embedded OS with Unified Write Filter(UWF) enabled.

Windows 10 embedded OS has some inherent challenges as mentioned below

UWF (unified write filter) in Win 10 IoT is a hard block from Microsoft and there is no work around that Microsoft allows for it. In detail as per our analysis:

  1. 1.       The UWF RAM overlay works at the NTFS-block level
  2. 2.       The overlay will never release a block once allocated in the overlay, even if the write is mirrored onto the disk via exclusion or commit
  3. 3.       When the fixed-size overlay fills up, writes fail

So, we feel that definition update will crash when writes fails, which means that if the definitions reside on a drive that is protected by UWF it *will* crash the system, even if we fix the other issues around exclusions and registry keys.

STAR does not, at present, provide a way for us to change which drive is used for definitions  to the drive in which CommonAppData,  and natïve attempts fail on MSI restrictions imposed by Ding2MSI

Due to the above restriction posed by Microsoft,  please suggest if McAfee has enabled support for Win 10 embedded OS.



1 Reply
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Antivirus support for Thin Clients running Windows 10 Embedded OS in UWF mode


See KB82761 for current updates

Expand Section:
Supported Microsoft Windows client operating systems

4  Enhanced Write Filtering (EWF) or File Based Write Filtering (FBWF) technology is not supported.

Vote for Support

Update: 05/03/2019

I was recently asked about Windows 10 IoT and reminded how this is an ever-living topic. Below I will provide some disambiguation around embedded systems and how to approach protecting the endpoint. Here is a link to our Solution Brief

Windows "Embedded" is often thought of as being a separate OS but really is only a Microsoft terms of distribution and licensing option. Treating it as its own OS however is for good reason, this licensing option is used by Solution Providers and Original Equipment Manufacturers (OEMs) for the distribution of tailored solutions such as (POS) Point of Sale systems. This flavor of OS distribution is also called FES - Windows for Embedded Systems

On its face any Embedded version could be no different than the normal Operating System… so Windows 8 “embedded” could be the equivalent of Windows 8.
But that is rarely the case, and the vendor will have created a Frankenstein. The Embedded OS will typically be stripped-down to the bare minimum features and drivers needed. (doing so helps lower system requirements and therefore cost)

How do I know how to protect my Embedded \ Windows 10 IoT device?
The best approach is to look at the prerequisites of the security solution and confirm these prerequisites are met on device running Windows Embedded (Windows 10 IoT).  
(the topic initiator on this community post was doing just that*)

To see prerequisites, consult the McAfee Knowledge Base for the specific product.

For ENS:
KB82761 - Supported platforms, environments, and operating systems for Endpoint Security

Along with other embedded versions KB82761 provides a support metrics for Windows 10 IoT Enterprise
The KB at the time of this community posting states Windows 10 IoT Enterprise is Supported with two notes:

  • Enhanced Write Filtering (EWF), Unified Write Filter (UWF), and File-Based Write Filtering (FBWF) technology is not supported
  • Supports the following Windows 10 branches:
    • Semi-Annual Channel (SAC - The previous names for this branch were Current Branch (CB) and Current Branch for Business (CBB).)

    • Long-Term Servicing Channel (LTSC - The previous name for this branch was Long-Term Servicing Branch (LTSB).)



With this support statement, the best way to know is by testing on the device in question and asking the vendor about what they have tested.

In this original Poster stated that “UWF (unified write filter) in Win 10 IoT is a hard block from Microsoft and there is no work around that Microsoft allows for it.” *

 This does not seem to be the case.  UWF is an optional component and is not enabled by default in Windows 10.

UWF is not present on Windows 10 IoT by default and has to be installed by the solution provider using Microsoft guidance provided here .

"Unified Write Filter (UWF) is an optional Windows 10 feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location that is usually cleared during a reboot or when a guest user logs off."

With that said. IoT devices have a specific use and will often have UWF enabled to revert the system after use.

Excellent Resource: Windows Embedded Version Overview.pdf (from Microsoft)
(this link might break – search for “Windows Embedded Version Overview”

*The post mentions “STAR does not, at present, provide a way…” –  this may be a reference to star POS systems.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community