none
How to make "steady state" work just like "deep freeze"? RRS feed

  • Question

  •  We have been using the “deep freeze” product at our public library in the past, but want to start using “steady state” on new Vista computers to save our taxpayer’s dollars.

     The old “deep freeze” product would all patrons to do anything they wanted: save files to “my documents”, install plugins, programs, games, etc. and when we re-booted, the system was clean.

     With “steady state” and disk protection, things are great for general use but when a “power user” wants to install plugins, programs, games, etc. they can’t do it. We thought that making giving the patron account admin rights, having disk protection on and reboot on logout would solve the problem BUT when the patron logs out, they get the option of “save changes and restart” when seems to turn off disk protection, save the changes and then turn it back on. What is the point of that?

     Can anyone advise us what we need to do to make “steady state” work like “deep freeze”?

     We have spent days reading the manuals and help forums and trying different things, but seem to be missing something.

     

    Thanks for any help.

     

    Eric Pierce

    www.peclibrary.org

    Wednesday, April 8, 2009 8:46 PM

Answers

  • Ah, I see.  You can create a user with admin privileges using the standard Windows control panel tools, then apply any restrictions you want to that user using SteadyState.  It's important to realize, though, that since the user is an administrator, he will always be able to defeat any security settings if he's clever enough, so this is not a recommended configuration.

    There is a section on creating restricted users with admin privileges in the SteadyState Handbook.  I'd recommend reading through that first.

    If you do end up going this route, Sean's suggestions will work to get rid of the prompt to save changes when the user logs off.  I'd also recommend blocking the user from executing SteadyState itself (sctui.exe). 
    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState
    Sunday, April 12, 2009 7:03 AM

All replies

  • Hi Eric, thanks for the post. Currently, the only issue is that you want to disable the "save changes" notification for those users with administrator permission, right? We can use the following steps to disable this notification:

     

    This message comes from bubble.exe.  You can choose a method below to disable the message:

     

    (Note: That this is not recommended.  Bubble.exe is responsible for alerting users that the WDP cache is filling up and the system will reboot soon.  If the user is an admin and WDP is in discard mode, bubble.exe is also responsible for showing the message at shutdown/restart/logoff asking if the admin wants to commit to current changes. )

     

    Method 1: You can remove bubble.exe from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run . If you follow this method, it’s recommended to ADD bubble.exe to the admin’s HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key so that you still receive the shutdown/restart/logoff commit dialog.

     

    Method 2: Use SteadyState administrator to log on, choose a restricted account and add bubble.exe  to blocked program list.

     

    Hope this helps!


    Sean Zhu - MSFT
    Friday, April 10, 2009 3:39 AM
    Moderator
  •  With “steady state” and disk protection, things are great for general use but when a “power user” wants to install plugins, programs, games, etc. they can’t do it.
    Hi,

    Was Power User sufficient to install software before SteadyState was installed? 

    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState
    Saturday, April 11, 2009 3:15 AM



  • > Method 2: Use SteadyState administrator to log on, choose a restricted account and add bubble.exe  to blocked program list.
     
    By restriected account, I assume that you mean the user account that has admin privs, right?

    It doing this "supported". Does it create any security holes?


    > Was Power User sufficient to install software before SteadyState was installed?  

    I did not mean "power user" in a technical sense, just a user that wanted to install something. With "deep feeze" the user account had all admin rights.

    With "deep freeze" this is REALLY easy: just give the user Admin privs, freeze the system, they can log in and do anything they want BUT when you re-boot, the computer goes back to the state when last frozen. 

    "Steady State" is very effective in completely locking things down so that the user can do nothing, but I can't get it to behave like "deep freeze". This seems so obvious a desired behavior that I can't see what I am missing in getting "Steady State" to do this. 



    Thanks for the answers.


    Eric

    Saturday, April 11, 2009 9:46 PM
  • Ah, I see.  You can create a user with admin privileges using the standard Windows control panel tools, then apply any restrictions you want to that user using SteadyState.  It's important to realize, though, that since the user is an administrator, he will always be able to defeat any security settings if he's clever enough, so this is not a recommended configuration.

    There is a section on creating restricted users with admin privileges in the SteadyState Handbook.  I'd recommend reading through that first.

    If you do end up going this route, Sean's suggestions will work to get rid of the prompt to save changes when the user logs off.  I'd also recommend blocking the user from executing SteadyState itself (sctui.exe). 
    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState
    Sunday, April 12, 2009 7:03 AM
  • Thanks again for the responses.

    "... since the user is an administrator, he will always be able to defeat any security settings"
    " ... not a recommended configuration."

    Those words give me pause for concern. I think we will go with a standard Steady State config that uses a locked down normal user and disk protection. We will have to live with a very few patrons not having what they had before. 

    It looks like Steady State does do what it is advertised to to, lock the system down, but there is a subtle difference between how it works and how "deep freeze" works.


    Eric

    Wednesday, April 15, 2009 2:40 PM
  • Hi all,

    We are in a similar situation and are looking to steady state to provide a similar function to deep freeze. We are not overly concerned about the restriction policies in SS as we use group policy for this. We simply want to use SS for the disk protection features. In our school environment we are finding that when kids log on (they have standard accounts), they have the ability to apply the changes when they end their session !!

    Is there some setting to avoid this ?

    We can work aound this by turning off the notification  and blocking access to the SS UI but that is kind of besides the point !

    Help would be very much appreciated !!

    Mark
    Tuesday, May 5, 2009 10:59 AM