I came across an issue today which is one of those “Microsoft, WTF and why have you done this?”
On a current Windows 10 Deployment I am doing we are using the Unified Write Filter to ensure that the Operating System is secure as possible. We had tested all the features and were nearly ready to hand over to the customer for testing and they came back with some early testing and they saw lots of interaction with some external hosts. Upon further investigation this is due to the wonderful Telemetry where Microsoft tracks what you are doing and kindly uploads if for you with you asking them to.
Now for secure Enterprise environments this is not really ideal, they don’t really want their usage information tracked by Microsoft and also wasting bandwitht. We disable this using the following commands:
sc delete DiagTrack >NUL
sc delete dmwappushservice >NUL
echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
The problem was after doing this we found we were unable to use the Unified Write Filter. When we tried to enable it we got the following Error:
“Could not enable the Unified Write Filter (There are no more endpoints available from the endpoint mapper).
After a bit of digging around the Unified Write Filter functionality seems to be reliant upon the dmwappushservice. Why this is I am not sure yet but I cannot see any logical reason as there functionality is complete separate. Anyway, after leaving this service enabled the Write Filter functionality was back again
Lesson learnt – do not disable this service if you require the unified write filter functionality