I turned Windows into a “mostly immutable” OS, and my PC feels unbreakable

Immutable operating systems are great for creating an iron curtain between the user data and the core functionality of an operating system. Windows is perhaps one of the most mutable operating systems out there, constantly changing with updates and user-level changes.
While I’ll definitely never get it quite as immutable as something like NixOS or Fedora Silverblue, I wanted to see just how far I could push the envelope, and as it turns out, you can make Windows mostly immutable if you want to.
What does “mostly immutable” mean?
Let’s be practical about this
Let’s address the huge elephant in the room first: true immutability just isn’t possible with Windows, at least not without heavy kernel-level modification. Immutability means that the core components, everything from system libraries to configuration files, are mounted read-only at runtime and cannot be changed in place; on a system like NixOS or Silverblue, changes are applied by building a new image and rebooting into it, and a bad change is undone by booting the previous one. This is useful in environments where stability and security are paramount, because malware and misbehaving installers have nowhere on the system volume to persist. On Windows, we can make a few practical changes that immediately move things in that direction.
Separating system files from user files
A core tenet of an immutable OS
An easy way to ensure your core system files remain untouched is to keep C: strictly for Windows, and then install apps and user data on a secondary drive. Windows is pretty notorious for letting programs cache their files and pile them up on the primary drive, so shifting everything you can away from C: is an easy win. You can also mitigate this pretty much entirely by using virtual machines to test software before installing it on your main machine, if you want to install it at all. WSL2 distributions are also something I used, since they can be spun up and deleted basically at will, and they only access what you allow them to. This allowed me to work with heavier containerized services like Docker without polluting my main host.
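The data-separation step above, as an added PowerShell example that is not part of the original article: it moves the per-user known folders (Documents, Desktop, Pictures, Music, Videos, Downloads) off C: by rewriting the same registry values that Explorer’s “Location” tab changes. It assumes D: is the data drive and `D:\Users\<name>\<Folder>` is the layout you want; both are assumptions, not something the article specifies.

```powershell
# Added example, not code from the original article.
# Assumptions: the data drive is D: and the target layout is D:\Users\<name>\<Folder>.
# Run as the user whose folders are being moved; the keys live under HKCU.

$DataRoot = "D:\Users\$env:USERNAME"   # assumed layout

# Known-folder registry value names mapped to folder names under $DataRoot.
# Downloads is keyed by its KNOWNFOLDERID GUID rather than a friendly name.
$Folders = @{
    'Personal'                               = 'Documents'
    'Desktop'                                = 'Desktop'
    'My Pictures'                            = 'Pictures'
    'My Music'                               = 'Music'
    'My Video'                               = 'Videos'
    '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
}

$UserShellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$ShellFolders     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

foreach ($entry in $Folders.GetEnumerator()) {
    $valueName = $entry.Key
    $target    = Join-Path $DataRoot $entry.Value

    # Current location; expand %USERPROFILE% in case the provider returned it raw.
    $current = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -Path $UserShellFolders -Name $valueName).$valueName)

    if ($current -ieq $target) { continue }   # already redirected

    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Move existing contents. robocopy /MOVE keeps ACLs and timestamps (/COPYALL)
    # and removes the source tree once everything has been copied.
    if (Test-Path $current) {
        robocopy $current $target /E /MOVE /COPYALL /R:1 /W:1 | Out-Null
    }

    # User Shell Folders is the authoritative REG_EXPAND_SZ value;
    # Shell Folders is a cache that some older programs still read.
    Set-ItemProperty -Path $UserShellFolders -Name $valueName -Value $target -Type ExpandString
    Set-ItemProperty -Path $ShellFolders     -Name $valueName -Value $target -Type String

    Write-Host "$($entry.Value): $current -> $target"
}

Write-Host 'Sign out and back in so Explorer and running apps pick up the new locations.'

# Check (in a fresh session): the shell API should now resolve to the data drive.
[Environment]::GetFolderPath('MyDocuments')
```

Two things worth knowing before running it: robocopy with `/MOVE` deletes the old folder under `C:\Users\<name>`, so have a backup, and the change only affects programs that resolve known folders through the shell API; anything with `C:\Users\...` hard-coded, or that writes to `%LOCALAPPDATA%`, will keep landing on C:.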
Permissions are a large part of ensuring unwanted changes don’t happen. You can’t tweak things as finely as you could with Linux, but NTFS permissions do give most of the tools required to lock things down somewhat. I also created restore points, which are a sort of roundabout way of achieving immutability: a restore point snapshots system files, the registry, and installed programs (not your documents), so a bad change can be rolled back rather than prevented. It is necessary to do when you’re making these kinds of changes anyway.
Along with these permissions come user accounts, and in order to have an experience as close to immutable as possible, you can’t use an admin account day-to-day. Running with admin privileges lets every program you launch make unwanted changes to the registry, or run background installs and updates you might not want or explicitly authorize. Using a standard account, with admin rights reached only through a UAC credential prompt, combined with Group Policy tweaks means that Windows as a whole becomes way more predictable.
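The lock-down steps described above (restore point, standard account, UAC policy, NTFS deny rules), as one added PowerShell example that is not part of the original article. It assumes the day-to-day account is called `daily` and that `D:\Apps` is the folder to freeze; both names are assumptions. The registry values it sets are the ones the Local Security Policy editor writes for the equivalent Group Policy settings.

```powershell
# Added example, not code from the original article. Run from an elevated session.
# Assumptions: standard account name "daily"; D:\Apps is the folder to freeze.
#Requires -RunAsAdministrator

# 1. Restore point first, so every later step can be rolled back.
#    Windows skips a new restore point if one was made in the last 24 hours;
#    a creation frequency of 0 removes that throttle.
Enable-ComputerRestore -Drive 'C:\'
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' `
    -Name 'SystemRestorePointCreationFrequency' -Value 0 -Type DWord
Checkpoint-Computer -Description 'Before immutability lock-down' -RestorePointType MODIFY_SETTINGS

# 2. A standard (non-admin) account for daily use. Admin rights stay on the
#    existing account and are only reached through a UAC credential prompt.
$DailyUser = 'daily'   # assumed name
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $DailyUser"
    New-LocalUser -Name $DailyUser -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser
}
# Make sure it is not also in Administrators (e.g. if the account already existed).
if (Get-LocalGroupMember -Group 'Administrators' -Member $DailyUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}

# 3. UAC policy. EnableLUA=1 keeps UAC on; ConsentPromptBehaviorUser=1 makes a
#    standard user get a credential prompt on the secure desktop instead of a
#    silent deny (0) when something needs elevation.
$Uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $Uac -Name 'EnableLUA'                 -Value 1 -Type DWord
Set-ItemProperty -Path $Uac -Name 'ConsentPromptBehaviorUser' -Value 1 -Type DWord

# 4. Freeze a folder with an explicit NTFS deny on write and delete for Users,
#    inherited by everything below it. Explicit deny ACEs are evaluated before
#    allow ACEs, so this wins even if another entry grants Modify.
$Frozen = 'D:\Apps'   # assumed path
$acl  = Get-Acl -Path $Frozen
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Users',
    'Write, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Deny')
$acl.AddAccessRule($rule)
Set-Acl -Path $Frozen -AclObject $acl

# 5. Check: the deny entry should be listed, and a write from the standard
#    account (e.g. New-Item D:\Apps\test.txt) should fail with access denied.
(Get-Acl -Path $Frozen).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

One caveat that bites in practice: `Users` contains `Authenticated Users`, so the deny also applies to your admin account, elevated or not. To update anything under the frozen folder you remove the deny entry (or take ownership) first and put it back afterwards, which is exactly the “intentional, separate step” that immutable systems force on you.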
Is it worth it?
It’s noticeable, but not really worth the hassle
After poking around with this setup for a while, I realized it’s a lot of work for benefits that aren’t worth it in a consumer environment like mine. Yes, my system feels cleaner and more resilient, but I paid for that with hours of tweaking, redirecting, and setting up backup schemes. Most things were locked behind UAC, which is a good thing, but some applications just flat out refused to cooperate when they couldn’t write wherever they wanted. And while I gained some peace of mind, Windows still isn’t truly immutable; Windows Update still looms large.
You could disable updates entirely, but this itself poses a pretty serious security risk: unpatched Windows vulnerabilities get exploited time and time again. And if you do choose to leave Windows Update on, one slightly buggy update is all it takes to ruin any amount of immutability you’ve built up. It’s possible to use third-party applications like Deep Freeze, which discard every change made to the file system on restart (Windows’ own Unified Write Filter does the same on the Enterprise and IoT editions), but even that comes with its own set of headaches, not least that updates themselves get discarded unless you deliberately unfreeze to apply them.
“Mostly immutable” probably isn’t enough for those looking for a solution like this