What most IT Admins don’t know about Deep

Freeze (and other disk restoration solutions)...

And why they need PolicyPak.

Deep Freeze and similar disk restoration solutions are a really powerful way of ensuring you can restore
your system in case of trouble. And they’re great at what they do. The problem is, they can’t handle
everything, and they aren’t enough by themselves to give you a well-managed desktop. For that, you’ll
need some additional help, like PolicyPak.

This whitepaper will take you through some of the limitations of disk restoration products such as Deep
Freeze, and shows you how adding PolicyPak can ensure you’re properly managing end-user experiences
on your network.

WHY IT ADMI NS NEED POLIC Y PA K

1
 POLICYPAK TECHNICAL WHITEPAPER SERIES

ABOUT THE SERIES

This whitepaper is a part of an ongoing series of papers showing how your existing investment, technology
and workflow can be even better when PolicyPak is added to it.

You’ll learn where PolicyPak can save time and effort by delivering extra functionality just where you
need it, with your existing technology investments in place.

This guide is for IT Admins who use, or are interested in using, disk restoration solutions like Deep Freeze.
You’ll also find guides in this series entitled:

What most Office 2010 & 2013 Admins don’t know about application management

What most Group Policy Admins don’t know about application management

What most SCCM Admins don’t know about application management

What most Internet Explorer Admins don’t know about application management

WHY IT ADMI NS NEED POLIC Y PA K

I
 TABLE OF CONTENTS
Executive Summary 1

What Most IT Admins Don’t Know about Deep Freeze (and

other Disk Restoration Solutions) 2

Dynamically managing the End-User’s Experience even with

disk protection products 4

Better Together: Disk Protection plus PolicyPak 5

Final Thoughts 7

What does a Smart IT Admin do Next? 8

About the Authors 9

About PolicyPak Software 9

WHY IT ADMI NS NEED POLIC Y PA K

II
 EXECUTIVE SUMMARY
Disk restoration solutions such as Deep Freeze are great solutions to a wide range of problems which can
regularly occur on networks, like user modifications and deletions, desktop and config changes, registry
hacks, or other security risks – even viruses and malware. Just hit restore, and the problem disappears as
the previous state of the disk is delivered to the user.

But disk protection products are not meant to correct for all kinds of problems – because they are
designed to protect the disk, but not the user session. And while they correct problems, they don’t
prevent them.

If you’re smart, you’ll also use the following tools to dynamically manage the end-user experience:

Antivirus & Antimalware

Whitelisting

Automated deployment methods

Windows settings management

And that last one is where PolicyPak comes in.

PolicyPak goes further than the standard Microsoft Group Policy tools to ensure that the user-settings
you enforce across a network are properly locked down, every time, and redelivered when necessary –
giving you the required protection for your user sessions.

If you use them correctly, and know their limitations, disk protection products like Deep Freeze are
excellent tools for an IT admin. And a smart IT admin will want PolicyPak alongside this to deliver, set and
control their settings management policy across their network.

WHY IT ADMI NS NEED POLIC Y PA K

1
 WHAT MOST IT ADMINS DON’T KNOW ABOUT DEEP
FREEZE (AND OTHER DISK RESTORATION SOLUTIONS)
Disk restoration solutions, such as Faronics Deep Freeze TM, can seem like the “Be all, end all” solution
to protect the user desktop and its applications. Theoretically, you’re protected against almost anything.
Like, for example:

No matter what files the user modifies or deletes

No matter what changes they make to the desktop

No matter what configuration changes the user makes to an application

No matter what hacks the user makes to the registry

No matter what viruses or malware the user downloads and unknowingly installs

No matter what security risks the user creates by their actions

When users call the help desk, you simply just say “Reboot!” and the user’s PC is instantly restored to the
time before the problem happened.

The idea is simple. Deep Freeze (and products like them) will “trap” disk writes. The user can then do
anything they wish to the desktop (good, bad or ugly), as well as trash applications and its volumes,
registry and its file structure. Then, at reboot time, all the changes are thrown out, and a clean desktop
is given back to the user.

Just reboot, and it’s all restored.

It sounds ridiculously easy doesn’t it? After all:

Why bother with antivirus software if malware and viruses vanish on a simple reboot?
Why bother with Group Policy and protect the system volume if it is effectively read only
anyway?
Why bother with enforcing configuration settings of your applications if they will always
come back on reboot?
Why protect your users from making configuration changes at all if they are simply
negated upon reboot?

Yes, it sounds so straight forward doesn’t it?

Until you understand that disk protection products are not meant to correct for all kinds of problems.

WHY IT ADMI NS NEED POLIC Y PA K

2
 Here’s a story that was told to me by a school IT administrator who relied (too heavily) upon a disk
protection product:

We had bought and rolled out the “disk protection” product, and seemed like it was going to be great for
us. It worked exactly as expected: students would mess up the machines and one reboot later, everything
was back to normal.

But, we also had no malware protection on their desktops. We didn’t use Group Policy or SCCM because
we couldn’t see how it was even necessary.

And to be honest, things worked pretty well. Users would call the helpdesk when their applications didn’t
work as expected, and our helpdesk staff would simply say “Reboot” and problems magically went away.
In some ways it worked better than we expected!

We even put up with the occasional annoyed teacher who complained it disrupted the classroom to
reboot. Overall, everyone got used to it.

Well, one day someone downloaded a traffic generating virus. It quickly spread from machine to machine
throughout our entire school system. It was like all of our switches were in a loop fighting to the death,
and our PCs were getting hammered.

Rebooting any particular machine to restore back to normal didn’t work. As soon as it was restored,
boom! It was infected again!

We even tried coordinating: turning off every PC and rebooting all of them at once, to bring the
computers back to their usual pristine condition. The problem was that as long as one infected computer
wasn’t shut down, the entire network would simply become infected again within seconds.

We kept at it for about week. We were supposed to be protected by a simple reboot! But we were
basically down – for an entire week. That’s right: an entire week of lost productivity. No Internet, no email,
no network applications. Students laughed at us, teachers rolled their eyes, and even the superintendent
of the schools had to get involved. The whole situation made us look like fools.

We cut our losses and purchased an enterprise A/V solution and started using Group Policy to better
manage our desktops.

We still love our disk protection product. It helps in a huge variety of situations, but we realized it simply
couldn’t help us here. We vowed to always better manage our applications and computers so this
wouldn’t happen again.

While this is an extreme example, it illustrates the major shortcoming of disk protection applications.

Disk protection programs protect the disk, but they don’t protect the user session and they don’t prevent
all problems.

WHY IT ADMI NS NEED POLIC Y PA K

3
 DYNAMICALLY MANAGING THE END-USER’S EXPERIENCE
EVEN WITH DISK PROTECTION PRODUCTS
As we learned from the unfortunate IT administrator in the story, it takes more than just a disk protection
product to create a well-managed desktop. A well-managed desktop might be composed of at least some
the following pieces:

Antivirus & Antimalware to protect from the bad guys. Microsoft’s free version is
Microsoft Security Essentials, but there are countless paid products in this category.

Whitelisting products which ensure only properly sanctioned applications can run at
all. Microsoft’s built in solutions for this are Software Restriction Policies and AppLocker.

Automated deployment method: Microsoft’s System Center Configuration Manager,

LanDesk, KACE, and others fit in this category.

Windows settings management. Microsoft’s Group Policy can deploy and ensure that
operating system settings are well maintained.

Only after you have these components does having a simple “reboot to restore” make sense.

It’s really a terrific combination:

Use Group Policy to ensure operating system look & feel, system settings and security
settings are always up to date. Just keep this maintained as needed.
Also, when needed “Pause” your disk protection to:
Deploy any new software and updates.
Update antivirus and antimalware updates.
“Resume” your disk protection product to re-enable protection from end-users.

Once normal activity continues, only Group Policy settings are dynamically applied during reboot and
login.

So while in this way, you’re able to achieve a flexible delivery of security and operating system settings
(which cannot be worked around by users), there’s simply nothing Microsoft provides to flexibly deliver
security settings for your end-user applications.

And that’s where PolicyPak comes in to help you.

WHY IT ADMI NS NEED POLIC Y PA K

4
 BETTER TOGETHER:
DISK PROTECTION PLUS POLICYPAK
PolicyPak’s job is to deliver settings to just about any application and then ensure those settings are
locked down and maintained, even when the computer goes offline. Applications settings (we call them
Paks) are simply snapped in to Microsoft’s Group Policy editor as seen in Figure 1.

Figure 1 is simply a small sample of almost 100 applications for which Paks are pre-included with PolicyPak. And the list grows continually.

Let’s see how quickly you can manage applications’ updates behavior, like Acrobat Reader as seen in
Figure 2.

WHY IT ADMI NS NEED POLIC Y PA K

5
 Figure 2

Here, you can see nearly all of the settings for Acrobat Reader are available, settable, and can be fully
locked down – dynamically.

PolicyPak works alongside Group Policy (or your own systems management tool, like SCCM, KACE,
LanDesk, etc.) When users log on, PolicyPak dynamically delivers (or retracts) their application settings.

PolicyPak is simply always quietly ensuring that settings are maintained – even if users try to work around
them. Because of this, there’s no need to “reboot to restore” to get settings back to normal. And, even if
you did, there would be nothing preventing users from simply working around your settings – again and
again – each day, and each reboot.

WHY IT ADMI NS NEED POLIC Y PA K

6
 FINAL THOUGHTS

As you can see, the comparison between disk restoration applications such as Deep Freeze and PolicyPak
is no comparison at all.

It’s not a question of “one or the other.”

Deep Freeze and other disk protection products do a great job of bringing things back to normal when
things go horribly wrong. But these products do nothing to protect the active session itself, nor to
prevent bad things from happening in the first place. That’s just not their job.

By contrast, PolicyPak actively protects the user active session, delivering application settings and locking
them down so that things don’t go bad in the first place.

Together, with your disk protection product and PolicyPak, you’ll have a safer, more predictable computing
environment for your end users.

Isn’t this what your end users have come to expect?

WHY IT ADMI NS NEED POLIC Y PA K

7
 WHAT DOES A SMART IT ADMIN DO NEXT?
If you’d like to see PolicyPak enhance your reach using Group Policy, we’re ready for you. PolicyPak has a
full, free trial mode which can enable you to perform a full end-to-end test drive and see if it’s right for
you and your goals.

It costs nothing to try out, and most administrators can have PolicyPak fully deployed to an OU or their
whole domain in under an hour (backing out is as simple as removing an MSI file).

So, to get a hold of PolicyPak, just sign up for one of our webinars by clicking on the Webinar/Download
button on the right hand side of www.PolicyPak.com.

Or, make contact with us by calling 800-883-8002.

POLICYPAK: WHAT YOU SET IS WHAT THEY GET.

Here are some of our clients: you’ll be in good company!

WHY IT ADMI NS NEED POLIC Y PA K

8
 ABOUT THE AUTHORS
Jeremy Moskowitz is one of less than a dozen Group
Policy MVPs worldwide, is the most-published author
on Group Policy, and a prolific Group Policy speaker
worldwide. He’s also the founder of PolicyPak software.

Since becoming one of the world's first MCSEs, he has

performed Active Directory desktop implementations for
some of the nation's largest organizations.

His books and articles have been read by millions and

translated into multiple languages. Jeremy has written for
Windows IT Pro Magazine, REDMOND Magazine, Microsoft
Technet Magazine, Inside Technology Training Magazine, PC
Magazine, and Ziff-Davis' Windows Professional Journals,
among others.

Jeremy has spoken at just about every existing Windows conference about Group Policy, including Microsoft
TechEd, Microsoft Management Summit, WinConnections, and TechMentor.

Brad Rudisail is a technical specialist at PolicyPak software. He has been an MCSE since 1999 and has
served as a network engineer and manager in both the financial and education fields. He has been a leader
in K12 education technology and has spoken at the national K12 Technology Conference in Washington DC
and has been quoted in magazines such as T.H.E. Journal and ESchool News. He was formerly a university
instructor and continues to serve as an IT Trainer on a number of subjects. He is a professional blogger and
syndicated columnist.

A B O U T POLICY PAK
PolicyPak, now part of Netwrix, is a modern desktop management platform for the “anywhere” workforce. PolicyPak
provides a powerful policy creation, management, and deployment framework that extends the policy management,
security, automation, and reporting capabilities found within Windows Active Directory, Unified Endpoint Management
Solutions, MDM providers, virtualization platforms, and cloud services. PolicyPak comes with Paks, each with its own
set of customizable policies that enable IT and teams to solve today’s most-significant desktop management challenges
like remote work, Windows 10 management, GPO sprawl, ransomware, Group Policy management, and more. PolicyPak
lowers IT costs, increases security, improves compliance, reduces GPOs, and puts the IT admin back in charge. PolicyPak
has hundreds of customers, over a million deployed seats, is an Inc. 5000 recognized company, and a G2 Crowd High
Performer. For more information, visit www.PolicyPak.com or follow us on Twitter @policypak.

WHY IT ADMI NS NEED POLIC Y PA K

9