The Mutable OS: Why Isn't Windows Immutable in 2025?

Posted by ndegruchy 4/9/2025

The Mutable OS: Why Isn't Windows Immutable in 2025?(degruchy.org)

23 points | 24 comments

mystified5016 4/9/2025|

Probably because third party vendors want to push malvertising to un-consenting users through windows update. Windows will just install shit for no reason, like the "Dell delivery service" I've uninstalled six times, or any printer driver

ndegruchy 4/9/2025|

Well, putting the idea of malvertising aside, I don't think this would even prevent it. An app 'layer' would be separate from the OS. Though they wouldn't be able to taint the OS, so that's a plus.

I don't agree with the idea of installing extra apps, especially to paying customers, but that's a separate discussion.

cedws 4/10/2025||

Windows kind of has this in the form of UFW. You can have either a RAM or disk based overlay for your C: partition and all writes will go to the overlay, which can be wiped. Except there are specific paths which must be excluded otherwise Windows craps itself. You also have to set up the overlay after the sysprep phase which inits drivers and stuff.

https://cedwards.xyz/messing-around-with-windows-unified-wri...

ndegruchy 4/9/2025||

Hey all—this is something I’ve been thinking about for a while in my day-to-day as a desktop support tech. We’ve made huge strides in OS security, but immutability is still seen as exotic, and I don’t think it should be. Curious to hear thoughts or counterpoints from folks who’ve wrestled with these same issues.

westurner 4/9/2025||

I'm working with rpm-ostree distros on workstations. The Universal Blue (Fedora Atomic (CoreOS)) project has OCI images that install as immutable host images.

We were able to install programs as admin on Windows in our university computer lab because of DeepFreeze, almost 20 years ago

"Is DeepFreeze worth it?" https://www.reddit.com/r/sysadmin/comments/18zn3jn/is_deepfr...

TIL Windows has UWF built-in:

"Unified Write Filter (UWF) feature" https://learn.microsoft.com/en-us/windows/configuration/unif...

Re: ~immutable NixOS and SELinux and Flatpaks' chroot filesystems not having SELinux labels like WSL2 either: https://news.ycombinator.com/item?id=43617363

ndegruchy 4/9/2025|||

Huh, I had no idea that UFW was a feature of Windows and I'm kind of surprised to not see more widespread adoption for workstation rollouts. DeepFreeze was great (excepting updates and other minor issues) and actively reduced a lot of nuisance issues that we might otherwise have to deal with when I worked for a school.

EvanAnderson 4/9/2025|||

UFW has a nicer admin automation "story" than Deep Freeze (for which I have a decent amount of experience), in my opinion. "Unfreezing" UFW volumes for updates (known as "Servicing Mode") via script isn't hateful.

westurner 4/9/2025|||

> On September 20, 2024, Microsoft announced that Windows Server Update Service would no longer be developed starting with Windows Server 2025.[4] Microsoft encourages business to adopt cloud-based solution for client and server updates, such as Windows Autopatch, Microsoft Intune, and Azure Update Manager. [5]

WSUS Offline installer is also deprecated now.

And then to keep userspace updated too, a package manager like Chocolatey NuGet and this power shell script: https://github.com/westurner/dotfiles/blob/develop/scripts/s...

EvanAnderson 4/9/2025||||

Unfortunately Unified Write Filter is SKU-limited. It has been a feature of the produce since the Windows NT Embedded 4.0 days but nobody knows about it and, if you do, you can't use it because you don't have an eligible SKU.

westurner 4/9/2025|||

Universal Blue immutable OCI images;

ublue-os/main: https://github.com/ublue-os/main :

> OCI base images of Fedora with batteries included

ublue-os/image-template: https://github.com/ublue-os/image-template :

> Build your own custom Universal Blue Image!

Microsoft took Torvalds, who also devs on Fedora FWIU.

westurner 6 days ago||

systemd/particleos is an immutable Linux distribution built with mkosi:

"systemd ParticleOS" (2025) https://news.ycombinator.com/item?id=43649088

bsder 4/9/2025|||

> immutability is still seen as exotic, and I don’t think it should be.

Two big problems:

1) Because Linux filesystems still suck. You need efficient copy-on-write overlays (and the ability to handle lots of them!) with some level of deduplication to make immutable operating systems not suck.

2) Because the Linux linker sucks. Take a look at the reasons why Nix has to patch binaries and prepare to feel sick in your stomach.

The "UNIX Architecture" is increasingly creaky for the things we want to do on modern machines (see: io_uring because the old select/poll stuff doesn't cut it, for example). We're going to have to sweep a bunch of that underbrush away.

ChocolateGod 4/10/2025||

> 1) Because Linux filesystems still suck. You need efficient copy-on-write overlays (and the ability to handle lots of them!) with some level of deduplication to make immutable operating systems not suck.

OStree copied Git and used hardlinks with a content addressable object store for years and it didn't "suck". This method is reliable enough that it ended up in a shipped Red Hat product.

It recently gained support for something known as composefs, which is kinda like mounting a manifest of hard links, but the system just needs the one, not "lots of them".

bsder 7 days ago||

That's okay for the base OS that doesn't change all that often.

However, that falls apart when you start trying to have lots of "toolbox"/"containers"/"docker" things that people want to use for development.

The DNFs you need inside the container pile up very quickly when trying to do development. Those want to be deduplicated between containers. There is a reason why Nix gets grief about how large its store becomes.

In addition, lots of people also want to containerize their working/home directory. That requires really good overlay support, and nobody has this right now.

There are LOTS of issues filed against "toolbox" for this, for example: https://github.com/containers/toolbox/issues/183 https://github.com/containers/toolbox/issues/348 https://github.com/containers/toolbox/issues/1470

This is something that should be straightforward to implement. However, because the filesystem support sucks, it is not.

ChocolateGod 6 days ago||

There was work on making docker/podman use an object store which would deduplicate things and improve performance (far more likely a file the same between images is in memory already) but I haven't checked to see what the status was of late.

Flatpak already does this, if two Flatpak apps ship the same file, it's deduped by default

I do agree the layering part of OCI images is horrible and a waste of disk space, but I don't think this is the fault of immutable distros.

theamk 4/9/2025|||

if you are willing to break backwards compatibility, why even bother with Windows anymore?

As you correctly say, Windows is all about backwards compatibility. It would be unreasonable to expect any innovations from it, expect innovations in putting ads in more and more places.

westurner 4/9/2025||

Immutable:

Idempotent:

Ansible is designed for idempotent tasks; that do not further change state if re-run.

Windows Containers are relatively immutable. Docker Desktop and Podman Desktop include a copy of k8s kubernetes and also kubectl IIRC

Do GUI apps run in Windows containers?

ndegruchy 4/9/2025||

The MSIX apps can opt to run in a sandbox. It's not perfect, but it's _something_. Plus MSIX helps ensure clean install/uninstall as well as delta updates.

Again, not perfect, but serviceable.

westurner 7 days ago||

fedora/toolbox and distrobox create containers that can access the X socket and /dev/dri/ to run GUI apps from containers.

Flatpaks share (GNOME,KDE,NVIDIA,podman,) runtimes, by comparison.

Re: MSIX https://news.ycombinator.com/item?id=23394302 :

> MSIX only enforces a sandbox if an application doesn’t elect to use the restricted capabilities that allow it to run without. File system and registry virtualization can be disabled quite easily with a few lines in the package manifest, as well as a host of other isolation features.

Flatseal and KDE and Gnome can modify per-flatpak permissions. IDK if there's a way to do per-flatpak-instance permissions, like containers.

  MOUNT --type=cache

emchammer 4/9/2025||

An operating system should be self-hosting. You should be able to compile it and reinstall it on the same machine. Obviously, Windows and macOS are closed-source, but I would if I could.

Tajnymag 4/10/2025|

So... like any Linux distro?

fsflover 4/9/2025|

If you care about security, consider Qubes OS, https://qubes-os.org, which achieves security through compartmentalization based on strong, hardware isolation. My daily driver, can't recommend enough.

ndegruchy 4/9/2025|

I am actually interested in Qubes, it seems to take security very seriously. Probably too seriously for my own daily driver needs :D

fsflover 4/9/2025||

Unless your workflows heavily rely on GPU acceleration (and you can't make a GPU passthrough), Qubes is much easier to use than people think. It runs Debian and/or Fedora in VMs, so all software works fine.