Professional Documents
Culture Documents
Deep Freeze and similar disk restoration solutions are a really powerful way of ensuring you can restore
your system in case of trouble. And they’re great at what they do. The problem is, they can’t handle
everything, and they aren’t enough by themselves to give you a well-managed desktop. For that, you’ll
need some additional help, like PolicyPak.
This whitepaper will take you through some of the limitations of disk restoration products such as Deep
Freeze, and shows you how adding PolicyPak can ensure you’re properly managing end-user experiences
on your network.
This whitepaper is a part of an ongoing series of papers showing how your existing investment, technology
and workflow can be even better when PolicyPak is added to it.
You’ll learn where PolicyPak can save time and effort by delivering extra functionality just where you
need it, with your existing technology investments in place.
This guide is for IT Admins who use, or are interested in using, disk restoration solutions like Deep Freeze.
You’ll also find guides in this series entitled:
What most Office 2010 & 2013 Admins don’t know about application management
What most Group Policy Admins don’t know about application management
What most Internet Explorer Admins don’t know about application management
Final Thoughts 7
But disk protection products are not meant to correct for all kinds of problems – because they are
designed to protect the disk, but not the user session. And while they correct problems, they don’t
prevent them.
If you’re smart, you’ll also use the following tools to dynamically manage the end-user experience:
Whitelisting
PolicyPak goes further than the standard Microsoft Group Policy tools to ensure that the user-settings
you enforce across a network are properly locked down, every time, and redelivered when necessary –
giving you the required protection for your user sessions.
If you use them correctly, and know their limitations, disk protection products like Deep Freeze are
excellent tools for an IT admin. And a smart IT admin will want PolicyPak alongside this to deliver, set and
control their settings management policy across their network.
No matter what viruses or malware the user downloads and unknowingly installs
When users call the help desk, you simply just say “Reboot!” and the user’s PC is instantly restored to the
time before the problem happened.
The idea is simple. Deep Freeze (and products like them) will “trap” disk writes. The user can then do
anything they wish to the desktop (good, bad or ugly), as well as trash applications and its volumes,
registry and its file structure. Then, at reboot time, all the changes are thrown out, and a clean desktop
is given back to the user.
Why bother with antivirus software if malware and viruses vanish on a simple reboot?
Why bother with Group Policy and protect the system volume if it is effectively read only
anyway?
Why bother with enforcing configuration settings of your applications if they will always
come back on reboot?
Why protect your users from making configuration changes at all if they are simply
negated upon reboot?
Until you understand that disk protection products are not meant to correct for all kinds of problems.
We had bought and rolled out the “disk protection” product, and seemed like it was going to be great for
us. It worked exactly as expected: students would mess up the machines and one reboot later, everything
was back to normal.
But, we also had no malware protection on their desktops. We didn’t use Group Policy or SCCM because
we couldn’t see how it was even necessary.
And to be honest, things worked pretty well. Users would call the helpdesk when their applications didn’t
work as expected, and our helpdesk staff would simply say “Reboot” and problems magically went away.
In some ways it worked better than we expected!
We even put up with the occasional annoyed teacher who complained it disrupted the classroom to
reboot. Overall, everyone got used to it.
Well, one day someone downloaded a traffic generating virus. It quickly spread from machine to machine
throughout our entire school system. It was like all of our switches were in a loop fighting to the death,
and our PCs were getting hammered.
Rebooting any particular machine to restore back to normal didn’t work. As soon as it was restored,
boom! It was infected again!
We even tried coordinating: turning off every PC and rebooting all of them at once, to bring the
computers back to their usual pristine condition. The problem was that as long as one infected computer
wasn’t shut down, the entire network would simply become infected again within seconds.
We kept at it for about week. We were supposed to be protected by a simple reboot! But we were
basically down – for an entire week. That’s right: an entire week of lost productivity. No Internet, no email,
no network applications. Students laughed at us, teachers rolled their eyes, and even the superintendent
of the schools had to get involved. The whole situation made us look like fools.
We cut our losses and purchased an enterprise A/V solution and started using Group Policy to better
manage our desktops.
We still love our disk protection product. It helps in a huge variety of situations, but we realized it simply
couldn’t help us here. We vowed to always better manage our applications and computers so this
wouldn’t happen again.
While this is an extreme example, it illustrates the major shortcoming of disk protection applications.
Disk protection programs protect the disk, but they don’t protect the user session and they don’t prevent
all problems.
Antivirus & Antimalware to protect from the bad guys. Microsoft’s free version is
Microsoft Security Essentials, but there are countless paid products in this category.
Whitelisting products which ensure only properly sanctioned applications can run at
all. Microsoft’s built in solutions for this are Software Restriction Policies and AppLocker.
Windows settings management. Microsoft’s Group Policy can deploy and ensure that
operating system settings are well maintained.
Only after you have these components does having a simple “reboot to restore” make sense.
Use Group Policy to ensure operating system look & feel, system settings and security
settings are always up to date. Just keep this maintained as needed.
Also, when needed “Pause” your disk protection to:
Deploy any new software and updates.
Update antivirus and antimalware updates.
“Resume” your disk protection product to re-enable protection from end-users.
Once normal activity continues, only Group Policy settings are dynamically applied during reboot and
login.
So while in this way, you’re able to achieve a flexible delivery of security and operating system settings
(which cannot be worked around by users), there’s simply nothing Microsoft provides to flexibly deliver
security settings for your end-user applications.
Figure 1 is simply a small sample of almost 100 applications for which Paks are pre-included with PolicyPak. And the list grows continually.
Let’s see how quickly you can manage applications’ updates behavior, like Acrobat Reader as seen in
Figure 2.
Here, you can see nearly all of the settings for Acrobat Reader are available, settable, and can be fully
locked down – dynamically.
PolicyPak works alongside Group Policy (or your own systems management tool, like SCCM, KACE,
LanDesk, etc.) When users log on, PolicyPak dynamically delivers (or retracts) their application settings.
PolicyPak is simply always quietly ensuring that settings are maintained – even if users try to work around
them. Because of this, there’s no need to “reboot to restore” to get settings back to normal. And, even if
you did, there would be nothing preventing users from simply working around your settings – again and
again – each day, and each reboot.
As you can see, the comparison between disk restoration applications such as Deep Freeze and PolicyPak
is no comparison at all.
Deep Freeze and other disk protection products do a great job of bringing things back to normal when
things go horribly wrong. But these products do nothing to protect the active session itself, nor to
prevent bad things from happening in the first place. That’s just not their job.
By contrast, PolicyPak actively protects the user active session, delivering application settings and locking
them down so that things don’t go bad in the first place.
Together, with your disk protection product and PolicyPak, you’ll have a safer, more predictable computing
environment for your end users.
It costs nothing to try out, and most administrators can have PolicyPak fully deployed to an OU or their
whole domain in under an hour (backing out is as simple as removing an MSI file).
So, to get a hold of PolicyPak, just sign up for one of our webinars by clicking on the Webinar/Download
button on the right hand side of www.PolicyPak.com.
Jeremy has spoken at just about every existing Windows conference about Group Policy, including Microsoft
TechEd, Microsoft Management Summit, WinConnections, and TechMentor.
Brad Rudisail is a technical specialist at PolicyPak software. He has been an MCSE since 1999 and has
served as a network engineer and manager in both the financial and education fields. He has been a leader
in K12 education technology and has spoken at the national K12 Technology Conference in Washington DC
and has been quoted in magazines such as T.H.E. Journal and ESchool News. He was formerly a university
instructor and continues to serve as an IT Trainer on a number of subjects. He is a professional blogger and
syndicated columnist.
A B O U T POLICY PAK
PolicyPak, now part of Netwrix, is a modern desktop management platform for the “anywhere” workforce. PolicyPak
provides a powerful policy creation, management, and deployment framework that extends the policy management,
security, automation, and reporting capabilities found within Windows Active Directory, Unified Endpoint Management
Solutions, MDM providers, virtualization platforms, and cloud services. PolicyPak comes with Paks, each with its own
set of customizable policies that enable IT and teams to solve today’s most-significant desktop management challenges
like remote work, Windows 10 management, GPO sprawl, ransomware, Group Policy management, and more. PolicyPak
lowers IT costs, increases security, improves compliance, reduces GPOs, and puts the IT admin back in charge. PolicyPak
has hundreds of customers, over a million deployed seats, is an Inc. 5000 recognized company, and a G2 Crowd High
Performer. For more information, visit www.PolicyPak.com or follow us on Twitter @policypak.