I am looking for a way to check the Unified Write Filter on workstations and have data populated in a LS asset.
From an asset in LS, I would like to see if the UWF filter is installed and (as of last scan) what its current protection status is.
For those unaware, UWF is a feature available on Windows 10/11 Enterprise. (https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/unified-write-filter)
This feature allows you to lock a machine down where it will revert to a saved state on reboot.
We use UWF to protect our public access workstations. When a user session ends (either when the installed time management software on the workstation says time is up or the user initiate a logoff/reboot) the workstation reboots and is restored to a pristine state without changes/data from previous users.
We currently use NAGIOS for real-time monitoring and we have NAGIOS checking the UWF status using WMI.
We would love to have the UWF status viewable as a field on asset pages and/or on reports.
From there we could schedule a report that runs shortly before computer access to the public becomes available each day so we can take action if needed to lock something down.
One can get the UWF status using cmd, wmi, or powershell. Unfortunately there is not a specific file or registry key that we can look for or monitor to feed LS the status.
I have made several attempts to setup a custom action that would run a cmd/wmi/ps command/script with no success. I have also tried these steps using a deployment package.
Any thoughts or suggestions? Thank you in advance.
