Knowledgebase

Faronics provides toll free technical support via phone at the following numbers;

  • Telephone (USA/Canada): 1-800-943-6422 x 1
  • Telephone (International): +1-604-637-3333 x 1

Support can be reached via email to;

  • support@faronics.com

Additionally FAQ's and the status of current support tickets can be checked on the Faronics Portal at:

The support department is avaliable from 7am - 5pm Pacific Time, Monday through Friday.

Overview

This document will detail the installation and use of the WIFI Backup script provided at the link below;

https://faronics-support.s3.amazonaws.com/wifi-backup-script.zip

Background

Deep Freeze is a reboot to restore application that will remove any change made to a client machine when the system is rebooted. While effective at removing any unwanted changes customers may find that there are some pieces of information that need to be retained between sessions to ensure that the systems operate in a way that is acceptable to their end users.

One of the comments that we frequently hear from clients is that they would like to retain the information required to connect to WIFI Networks when the devices that their users are taking home are removed from the network. This information is not retained in the users profile if the customer maps the data in the profile to a thawed volume. In some versions of Windows (XP) this information was saved in the system registry, however later versions of Windows started saving this information in an alternative location preventing us from using Data Igloo to map this information to a thawed location.

The Script

In response a script has been developed that will export the existing wireless network settings to a XML file in a directory that the user specifies. A second script has been developed that will import all the wireless profiles in a given directory into the system making them ready for use.

Additionally a pair of template scheduled tasks and an installation script have been provided that allow the user to quickly configure the script based on a set of default settings that we have implemented.

Once implemented the system will run the backup script any time that an event is seen in the system logs indicating that the system has successfully connected to a wireless network. This ensures that the account information is captured as soon as we know that it works. 

The second task will execute the script to restore the wireless network settings at system startup and at user logon.  For some reason in testing we were unable to get the script to properly function at system startup - this may be something specific to the test environment that the author is working with so we have left both triggers into the script to ensure that it works as quickly as possible in the widest number of use cases.

Installation

The installation of the script can be automated using the INSTALL.BAT file. This will automatically copy the scripts into the pre-configured location and import the appropriate scheduled tasks for the script to trigger. This installation assumes the use of the D:\ volume as a thawed partition / ThawSpace and will use the directory “WLAN” as a folder for storage of the script and the profiles.

This installation folder can be changed by editing the installation script so that the folders are created in the right location, and by editing the scheduled task templates to allow them to execute the script from the correct location.

Removal

To uninstall the script remove the scheduled tasks from the Faronics folder in the Task Scheduler;



Once these triggers are removed the script, backup files, and directory can be deleted.

Limitations / Constraints

Error Checking

In the current state this script does not implement any error checking or handling. Any problems with the script will require modification to test out and determine the cause of any problem on a manual basis. 

Security of Exported Profiles

At this time no security regarding the export of the existing wireless profiles has been implemented. As the export of the profiles is being done to an XML format this will leave the passphrases for the wireless networks in a human readable format on the system. If customers have devices connected to wireless networks where the passphrase needs to be kept secure this script should not be implemented as it will make this information more easily accessible to someone who may wish to do so.

In reality an attacker can simply run the same commands used in this script to export the wireless network details manually, but this does place the files in a centralized location automatically.

While it may be possible to restrict access to this folder using security options in the file system we have not tested this internally at this time.

Security of Imported Profiles

At this time we do not validate that the profiles being imported are ones that should be imported. Any valid XML file will be imported into the system - even if the user places the XML file there manually or edits the existing file to reflect alternative settings. This may allow the user to import wireless networks that the system administrator does not want them to have access to. 

At this time we have not investigated what happens if you attempt to export a invalid profile, or one that has been specifically crafted for malicious purposes.

Types of Networks

At the time of writing this document we have only tested this script with WPA2 type networks configured with a passphrase for the purpose of authentication.

No testing has been done in situations where more advanced network configurations are implemented. No provision has been made to backup security certificates associated with some types of network connections. 

Removing Networks

At this time the script does not have a provision for removing wireless networks from the system. If users forget (remove) a wireless network on the system that we have already backed up, that wireless network will be added to the system again after the computer reboots.

To remove the wireless network the corresponding XML file will need to be manually deleted from the backup location.

In some cases, Faronics may request that you configure your computer to produce a full memory dump. In order to do so follow the instructions below;

  1. Right-Click on the start menu and select the System option.

  2. In the About window that is shown scroll down and select "Advanced System Settings".
  3. In the System Properties window click on the Settings button under Startup and Recovery.
  4. In the startup and Recovery dialog select the option for a Complete Memory Dump.
  5. Reboot the computer.

Update

This issue was resolved with the release of Deep Freeze 8.62 on December 9, 2020. Faronics recommends that customers update to the latest release to address this specific problem. Updated versions of the Deep Freeze product can be downloaded either through Faronics Labs, for customers in North America, or through Faronics Customer Center, for customers in the rest of the world.

Problem

In some cases, customers may experience issues with the installation of Deep Freeze on client machines running the 2004 release of Windows 10. Customers who have successfully installed Deep Freeze may also see problems with freezing the computer after performing updates or other tasks that required the system thawed.

Cause

This issue is caused by cumulative updates delivered with the Windows 2004 build and being incorrectly flagged as "in progress". This results in Deep Freeze seeing updates as "in progress" on client workstations when the update process has completed successfully. Deep Freeze has a failsafe logic in place to ensure the workstation is not rebooted Frozen if there are ongoing updates to avoid boot loop issues. 

Faronics has contacted Microsoft regarding this issue and is working with them towards a resolution of this issue. 

Workaround

At this time there are a few options to address these issues;

For problems with the install of Deep Freeze removing the contents of the %SYSTEMDRIVE%\Windows\SoftwareDistribution folder will clear the flags that are preventing the installation of the software.

To ensure that the contents of this folder can be removed you will need to ensure that the Background Intelligent Transfer Agent and the Windows Update services are stopped on the client machine, and then restarted once the folder is cleared.

For systems that have Deep Freeze installed and are unable to re-freeze;

1 - Leave the computer alone.

Deep Freeze incorporates a number of checks to determine if it is safe to return a machine to a protected state. Those checks are subject to a series of timeouts that will eventually, if left alone, return the computer to a protected state. 

Depending on the state of the system and what check is involved this may take between 2 to 12 hours to complete the process of returning the system to a protected state.

During this time the system must be left alone - rebooting the system manually or through the console will cause the failsafe and extend how long it will take for the systems to resolve the issue on their own.

2 - Reinstall Deep Freeze

In cases where the machine needs to be returned to service quickly removing Deep Freeze and reinstalling the product after removing the contents of the %SYSTEMDRIVE%\Windows\SoftwareDistribution folder will clear the flags that are preventing the installation of the software.

As Antivirus and AntiMalware production evolves security vendors are implementing features that allow the software to be run in isolation before running on a live system to ensure that they can properly analyze the actions taken by each product on a system.

This feature may be described as “Sandboxing”, or may make reference to using Virtualization technology to evaluate and review suspicious software.

In some cases, the security product will use the sandbox in a way that makes it impossible to differentiate between the sandbox and a real computer. This is being done to prevent the application from changing its behavior due to it being evaluated in a Sandbox.

In the event that the Sandbox has access to the internet, there is a possibility that a duplicate entry can be created in the Deep Freeze Cloud or Faronics Deploy console while the sandbox is executing the agent software.

These machines may appear in several ways;

  • Machines with random names that do not match the customers existing naming scheme.
  • Machines that appear to be duplicates of existing systems that only report once.
  • Machines that appear to be partially installed or in an invalid state.
  • Machines that will never appear to respond to tasks, commands, or other actions taken on them.



The existence of these machines will not impact the performance of the cloud-based platform or other systems being managed. They will however potentially consume a license from the customer’s pool of available licenses until removed from the console.

At this time there is no way to reliability identify these machines and filter them out automatically due to security vendors taking steps to avoid the software from realizing that is is in a sandbox. If customers are using security software with features that use sandboxing they may need to manually remove rouge machines from time to time to ensure licenses are not consumed by these sandboxed installs.




Problem;

Customers have reported issues running reports using Power Save and Faronics Core when the reporting period is later than June 23, 2019.

Solution;

A fix for this issue has been posted here;

https://faronics-support.s3.amazonaws.com/Power+Save+fix+for+Reports+issue.zip

To implement this patch 

1. Login to the Faronics Core Console and stop Faronics Core Server Service
2. Copy the dlls in the download link into "C:\Program Files (x86)\Faronics\Faronics Core 3\Loadins\Power Save" folder. 
3. Copy the dlls in the download link into  "C:\ProgramData\Faronics\Faronics Core 3\Console\loadins\PowerSave-4.70.3220.883" folder.
4. Start Faronics Core Server
5. Start Faronics Core Console

Problem
In some cases the Deep Freeze Enterprise Console will open minimized and will not be able to be maximized.

Issue
This was an issue in  Deep Freeze 8.32 that was subsequently resolved with a updated version of the Enterprise Console. Customers should update to the latest release to resolve this issue. 

To restore the console to proper functionality prior to the upgrade follow the steps below;
1. Stop the Deep Freeze Server Service
Capture558.PNG
2. Open Regedit (from the Admin Account)
regedit.PNG
3.  Open HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Faronics\DeepFreezeRemoteAdministrator\FormMain\WindowState
 
Capture559.PNG
 
 
4. Change the WindowState Value to 2
Capture560.PNG
5. Close the Registry Editor and Launch the Enterprise Console
With the release of Deep Freeze Mac 7.x we Deep Freeze Mac is currently able to support Fusion Drives on systems that are running Mohave and have the APFS file system configured on the Fusion Drive.

Due to the way that Fusion Drive equipped systems worked prior to macOS Mohave we are unable to support Fusion drives on systems prior to 10.14.x and cannot support them if the Fusion Drive is running the HFS+ file system.
Customers using WINSelect to protect client machines may experience issues where the LogMein application cannot start properly while WINSelect is enabled.

This occurs due to the way that the LogMein application elevates privileges on the client machine. Due to the way that WINSelect protects the operating system the operations required for LogMein to function are blocked resulting in a failure of the LogMein application to load.

Customers can use the LogMein application when WINSelect is disabled, customers needing to remotely access systems running WINSelect should ensure that the software is disabled through the Core Console or the Deep Freeze Cloud prior to connecting.

Customers upgrading systems running macOS to High Sierra or Mohave with Deep Freeze Mac installed may run into issues after the installation process as the installation process. Due to the potential for the disk to convert from the existing file system to APFS we strongly recommend that customers remove Deep Freeze Mac prior to installing the updated version of macOS.

NOTE: This document was originally published by Sasafrass Software. The URL for the original document is linked below;

https://www.sassafras.com/hrl/7.4/tns/tn3704.html


The K2 client, KeyAccess, writes data to local private files in order to remember important state information such as Offline Usage Events. If Deep Freeze is used on the same computer as KeyAccess, it must be configured to avoid overwriting this private data.

The essential idea in avoiding interference between Deep Freeze and KeyAccess is to make sure that KeyAccess stores its "Application Data" in a location that will never be "frozen" by Deep Freeze (e.g. will never be periodically restored to an initial state). This will require client computers to be set up with a second "thawed" volume in addition to the main "frozen" system volume.

First, with KeyAccess installed as usual on the System volume, set up its initial state:

  1. Stop KeyAccess
  2. With Deep Freeze, thaw the system volume
  3. Start KeyAccess and let it run for 30 seconds or so
  4. Stop KeyAccess again

KeyAccess private data is stored in the file:

C:\Documents and Settings\All Users\Application Data\KeyAccess
or on Mac, in the file:
/Library/Preferences/KeyAccess

This file must be moved to the second thawed drive and replaced in the original location by a junction or link.

Follow the platform specific instructions below, after which you can freeze the system volume and start KeyAccess.

Win XP:

On Win XP, the System volume must be formated as NTFS in order to create a junction:

  1. Download Junction from Microsoft.
  2. Copy
    C:\Documents and Settings\All Users\Application Data\KeyAccess
    to a directory on a thawed drive where you will store the KeyAccess data - e.g.
    E:\Data\KeyAccess
  3. Delete
    C:\Documents and Settings\All Users\Application Data\KeyAccess
  4. In a DOS prompt, do:
    junction "C:\Documents and Settings\All Users\Application Data\KeyAccess" "E:\Data\KeyAccess"

Win 7 (and higher):

  1. Copy
    C:\Documents and Settings\All Users\Application Data\KeyAccess
    to a directory on a thawed drive where you will store the KeyAccess data - e.g.
    E:\Data\KeyAccess
  2. Delete
    C:\Documents and Settings\All Users\Application Data\KeyAccess
  3. In a DOS prompt, do:
    mklink /J "C:\ProgramData\KeyAccess" "E:\Data\KeyAccess"

OS X:

  1. Create a directory on a thawed drive where you will store the KeyAccess data - e.g.
    /Volumes/Thawed/Data
  2. sudo mv  /Library/Preferences/KeyAccess /Volumes/Thawed/Data/KeyAccess
  3. sudo ln -s   /Volumes/Thawed/Data/KeyAccess /Library/Preferences/KeyAccess
Microsoft has released a patch on January 3rd 2018 to implement mitigation steps for the vulnerabilities described in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (otherwise known as the Spectre and Meltdown Vulnerabilities).

This update patch implemented a check that required a specific registry key to be set by Antivirus Vendors to ensure that issues would not occur due to the interaction between the antivirus software and the January 3rd patches. Faronics has completed testing and has released a utility to quickly set this registry key on client machines.

This patch can be downloaded here.

This utility will need to be executed on the client machine and can be pushed and launched through the Faronics Core Console, Deep Freeze Enterprise Console, or any other 3rd party management tool. This utility will need to be run while Deep Freeze (if installed) is in a Thawed state so that the update can be retained on the client workstation. Once complete administrators can run Windows Updates through the scheduled workstation tasks in Deep Freeze, or through the "Run Windows Updates" feature of the Enterprise Console.

Deep Freeze cloud customers will see changes rolled out to the client machines through the Deep Freeze Cloud Agent to automatically set this value on protected machines. This change is rolling out as of January 9th, 2017 and will be applied the next time that the system boots, and is in a thawed state (if Deep Freeze is installed).
Workstations failing to display in the console can have a number of underlying causes.  This document outlines a basic troubleshooting step by step you can use to self-diagnose the cause.  If at any point, you are unclear of what to do next, please contact Faronics Technical Support for further assistance.  

1)Deep Freeze Client Service Timeout

The DFServ service will stop attempting to attempting to contact the management Console after approximately 2 hours if it's unable to reach the background service.  Start by rebooting the machine when you are able to confirm the Deep Freeze Enterprise Console is up and running on the network.  


2)Network Communication Issues

a)Windows clients may have the firewall turned on 

Deep Freeze could require either TCP or UDP protocols; either the firewall can be turned off, or an exception should be added for each protocol type for the Deep Freeze communication port being used (default is 7725). In Windows Vista or higher, it may be necessary to set outbound port exceptions if there are outbound restrictions set in the firewall. 

Note, that Windows updates can enable the firewall even when it was previously disabled.  Both inbound and outbound exceptions can be set under the firewall 'Advanced Settings' in Windows Vista and higher.

b)The Console and clients do not have the correct network settings


Login to the Deep Freeze client, and check the network tab.  

i)Confirm that the client and console are using the same port number.  This port must be available on the Deep Freeze Enterprise Console under 'Tools>Network Configuration'. 
ii)Confirm what communication mode is configured on the client itself:  LAN vs LAN/WAN

LAN mode broadcasts on the configured Deep Freeze port within the local subnet to find what IP address the console has.  There are many things that might block this type of communication: firewalls, logical segmentation of the network (VLANs) to name a few reasons.  If you are configured for LAN mode, switch a machine to use LAN/WAN mode by:
  • Selecting WAN mode radial button
  • Fill in the hostname or IP address of the console 
  • Hit 'Apply and Restart' once completed to apply the changes
c)Something on the network is blocking the communication between the Console and the clients

Try to connect to the Deep Freeze Console by using the built-in Windows Telnet client. This is installed by default in Windows XP, but will needs to be added through 'Programs and Features>Turn Windows features on or off' in Windows Vista and higher.  Please note, the command requires elevated privileges in Windows Vista and higher.
  • Click on the start menu
  • Type 'cmd' in the search bar
  • Right click on 'Command Prompt' to find the 'Run as Administrator' option and select it
In the Command Prompt window, type:

Telnet <IP or Hostname of Console Machine from the 'Network' tab in Deep Freeze> 7725
Note: 7725 is the default port, but please make the appropriate substitution if you're using an alternate port number

If it connects properly, you will see a random splash of ASCII characters since the communication is encrypted.  If you are unable to connect, you will need to verify things on the Deep Freeze Enterprise server.


3)Deep Freeze Enterprise Server Service Issues

a)Verify the port exists on the console

The port is configured in the Deep Freeze Enterprise Console under the 'Tools>Network Configuration' menu.  Verify the port your client is attempting to connect to is configured in the Deep Freeze Console.

b)The Deep Freeze Console is unable to connect to the background service

This is indicated by a lack of polar bear icon in the console.  You will see a polar bear with C beside 'localhost:7725' if there are no connection issues. If this is an icon of two computer monitors:
  • Go under the 'Tools' menu, and enter the 'Network Configuration'
  • Uncheck 'Enable Local Service' and select 'Ok'
  • Once more, enter the 'Tools>Network Configuration' dialog
  • Check the option to 'Enable the local service' and select 'Ok'
The service will restart.  You can determine success or failure if the icon changes to the familiar Polar Bear with a small red 'C' in the bottom left corner within 30-60 seconds.  If it still persists, something is preventing the service from communicating on the port you are using.  Typically, this is a port conflict.  You can test by:
  • Search 'cmd' in the search bar, right click on 'Command Prompt' to find the 'Run as Administrator' option and select it
  • Run 'netstat -vonba > log.txt' to export the current list of ports in use on the system
  • Search the file for your Deep Freeze port (ex. 7725) 
  • If any other programs aside from 'DFConsole.exe', or 'DFServerservice.exe' are using this port, there is a conflict and will prevent correct Deep Freeze Console functions

4)Verify the Customization Code Matches Between the Client and Server

What is the customization code and why is it important?
https://faronics.kayako.com/Knowledgebase/Article/View/4/0/what-is-the-customization-code-and-why-is-it-important

How do I test if I have the right Customization Code?
https://faronics.kayako.com/Knowledgebase/Article/View/187/0/how-do-i-test-if-i-have-the-right-customization-code

When upgrading to certain versions of Deep Freeze, you may be prompted to re-enter your customization code.  Additionally, in some rare instances, if the Deep Freeze Console or Administrator applications were still running in memory when Deep Freeze was re-initialized, they may be configured with different codes.  You can test this by:

  • On the client, hold the 'Shift' key and double click on the Polar Bear icon (alternatively you can use the hotkey combination of Ctrl-Alt-Shift-F6)
  • On lower left side of the the login screen, the OTP token will be listed - note down this token number (XXXXXXXX:XXXXXXXX)
  • There will be options to generate a temporary access password based off this provided token using either the Deep Freeze Enterprise Console or Administrator
    • In the Deep Freeze Console, go to 'Tools>One Time Passwords'
    • In the Deep Freeze Configuration Administrator, go to 'File>One Time Passwords'
  • Enter the token provided into the dialog box, and press the button to 'Generate Password' 
  • Note the provided password and attempt to login to the Deep Freeze workstation
If the Customization Code matches between the client and server, this will allow you to access Deep Freeze controls.  Otherwise, the password space will blank itself and you will be forced to re-enter a password.  If this fails, the steps below will allow you to reset the Customization Code on the Console/Server only:
 
  • Close all Deep Freeze management applications (ensure the network services are shut down): Deep Freeze Enterprise Console (DFConsole.exe), Configuration Administrator (DFAdmin.exe), and the Console Communication Service (Dfserverservice.exe).  Double check they are not running using Windows Task Manager (taskmgr.exe) by checking under 'Processes' or 'Details'
  • Run the following utility to initialize all Deep Freeze components with the appropriate Customization Code:
    • "C:\Program Files\Faronics\Deep Freeze Enterprise\DFInit.exe"   (32-bit)
    • "C:\Program Files (x86)\Faronics\Deep Freeze Enterprise\DFInit.exe"  (64-bit)

This should give you some points to check on.  If you are unable to resolve the issue, please contact Faronics Technical Support for further assistance.  
You've been visited by some generous technology elves and now have a new server setup.  The process for migrating your existing Deep Freeze Enterprise Console to the new server will depend on what method your workstations use to connect to the Enterprise Console.

If your workstations are configured to use LAN mode under the 'Advanced Options':
  1. Install the Deep Freeze Enterprise software on the new server with the same customization code (recall this code is an unrecoverable encryption key set by your organization at the time of install).
  2. Shutdown the old Deep Freeze console and close down the network connections. This will force the machines to check into the new server (a reboot of the workstation may be needed).
If your workstations are configured to use LAN/WAN mode under the 'Advanced Options' with a hostname or IP address configured:

  1. Install the Deep Freeze Enterprise software on the new server with the same customization code (recall this code is an unrecoverable encryption key set by your organization at the time of install).
  2. Open the Deep Freeze Administrator on the current server.
  3. Open the most recently deployed Deep Freeze workstation installation or configuration (.rdx) file.
  4. Under the 'Advanced Options' tab, modify the 'Console IP' value where the machines report into.
  5. Hit 'Save As' to create a new configuration file. Name it so it is easily recognized without opening the file (depfrz-<today's date>-new server.rdx as an example).
  6. When you are ready to cut the machines over, open the Deep Freeze Enterprise console.
  7. Select the machines you wish to move to the new server, and right click on the group. Select 'Update configuration'.
  8. Once the configuration has been applied successfully, reboot to apply the network change when the machines are available to do so.
  9. The machines should now begin to report into the new console (There will still be entries for the workstations in the old console, but they will have an '!' in front indicating a lack of communication).
Optional - Reconnecting your Deep Freeze Enterprise Console to the Cloud Connector

Once you have the machines reporting to your Deep Freeze console, you'll need to connect the Enterprise Console to the cloud. Ensure your old console is no longer connected to Deep Freeze Cloud before you connect the newly installed Enterprise Console.
  1. Hit the cloud button in the new console (this only appears if you have a license key applied), at which point you'll need to enter your customization code, and cloud credentials.
  2. When you connect the to the Deep Freeze Cloud, you'll be prompted to create a new site, or connect to an existing one. Select your existing site from the list.  A new site will not display any of your existing policies, or deployed Cloud Agents, even if it has a similar name.
Please note, as of version 8.5, we no longer support running the console on Windows Server 2003/R2, and 2008.  Windows Server 2008 R2 or higher are supported.

With the release of Deep Freeze Mac 7.0 this process is no longer required to support a system running macOS High Sierra, or Mohave. Customers wishing to run Deep Freeze on a system running macOS with a APFS formatted volume should upgrade to Deep Freeze Mac 7.0.



As of macOS 10.13 Apple systems running Solid State disks are, by default, being converted to use an updated file system called APFS on the boot disk. Deep Freeze does not support installation on a APFS based system and cannot be used on systems that have been upgraded to macOS High Sierra and converted to APFS at this time.

While Faronics does intend to support AFPS in a future release of the Deep Freeze product we at this time cannot provide a timeframe for support. For customers who wish to upgrade to High Sierra, and run Deep Freeze this document will detail a process for performing the macOS upgrade and suppressing the conversion of the file system to APFS

It is important to note that while converting to APFS is the default during the High Sierra install process not all machines are converted during the upgrade. Systems running a magnetic disk, or systems configured as a Fusion Drive are not automatically converted and continue to use the existing HPFS+ based file system on the boot volumes.

The attached document will detail the process of installing High Sierra and suppressing the conversion of the system to APFS in order to continue to be able to use Deep Freeze on the client system without interruption.

If the client system has already updated to High Sierra and has converted to APFS the only way to revert this setting will require a reformat of the disk and a reinstall of the operating system.

Issue: When installed Deep Freeze does not properly freeze a Hyper-V virtual machine running a Generation 2 virtual disk.

To determine if your virtual machines are running as a Generation 1 or a Generation 2 machine run the following command in Power Shell;

Get-VM | Format-List Name,Generation

The output will list your virtual machines showing output similar to the following indicating the generation of the virtual machine.

Name       : server-01

Generation : 1

Name       : server-02

Generation : 2

This issue stems from changes made in the configuration of the Generation 2 Hyper-V virtual machines. Currently Faronics recommends using a Generation 1 virtual machine for applications where Deep Freeze needs to be installed on a Hyper-V Virtual Machine.

Attempting to install Deep Freeze Mac on SSD devices manufactured by Other World Computing results in machines that cannot be configured in a way that allows the internal device to be frozen.

This stems from the OWC devices identifying themselves as an external device, and Deep Freeze Mac does not support use on a disk device that reports as a external device.
Customers may have difficulties installing updated versions of the Deep Freeze Enterprise Console on servers running 32bit versions of Windows Server 2008 or Windows Vista.

During the install process systems running the 32bit version of Windows Server 2008 and Windows Vista will attempt to launch the utility to embed the customers customization code on the client machines. This process will fail, resulting in an enterprise console and configuration administrator that is not functional.

At this time Faronics recommends moving the Configuration Administrator and Enterprise Console to a 64bit operating system to address this issue.
Customers attempting to install Deep Freeze on systems configured with Dell Data Protection Disk Encryption enabled may encounter issues with systems being unable to properly boot after the install process. This occurs due to a conflict between the encryption package and the Deep Freeze software. To resolve this the exceptions outlined in the document below must be configured in the Dell Data Protection management console.
Faronics has noted a behavior in the current version of Faronics Antivirus (4.x) that can result in the log files filling up the disk space allocated for the storage of Antivirus Definition updates on client machines.

When this occurs, the system may behave in an unexpected manner including;
• Being unable to update virus definition files either locally or remotely.
• Being unable to update license details on the client machine.
• Being unable to alter policy settings on the client machines.

Faronics has released a utility that can correct this issue by clearing older log files from the system and allowing the updates to resume. This utility can be downloaded here.

If after running the utility the issues persist please contact Faronics support via email to support@faronics.com to open a support ticket on this issue.

Problem

After installing Deep Freeze the Windows Store cannot be accessed to download updated applications.

Cause

After installing Deep Freeze the Windows Update service is suppressed to prevent the install of updates and other changes while Deep Freeze is managing the update process. This is done to prevent the system from attempting to install updates while the computer is in a protected state. If Deep Freeze is configured to control the Windows Update process this will occur if the computer is thawed or if the computer is frozen.

Workaround

Enabling the Windows Update Services in the Services Control Panel will allow the Windows Store to install applications while the machine is in the thawed state. If access to the Windows Store is required while the system is protected the option to control the Windows Update process will need to be disabled in the Deep Freeze configuration.
In Deep Freeze 8.35 and higher a change in behaviours was introduced to better allow for the control of the Windows Update process on protected machines. Due to this change machines running Deep Freeze may see the Windows Update Service and the Background Intelligent Transfer Service (BITS) disabled while Deep Freeze is installed.

This will impact the ability to run updates on client systems manually as these services are required for the update process to run. To allow for updates to be manually installed the Windows Update and BITS services must be enabled prior to starting the update process.

To start these services users can open the Services control panel applet by running the SERVICES.MSC command from a elevated command prompt and changing the Status of the services to Manual and then right clicking on those services to start them.

Alternatively the following commands can be run from an elevated command prompt;

SC CONFIG bits START=auto
SC START bits
SC CONFIG wuauserv START=auto
SC START wuauserv

In some instances customers have reported issues with the Insight 8.0 release that manifest as crashes in the Teacher Console when attempting to interact with the Student workstations. These crashes commonly occur when trying to show the student or teacher screens or when attempting to otherwise interact directly with the client workstations.

Workaround

At this time this issue can be worked around by setting the following registry keys on the Teacher and Student workstations;

64bit Windows OS

HKEY_LOCAL_MACHINE\Software\Wow6423Node\Insight
DWORD32 Value: UseLegacyRemoteControl (Set to 1)
DWORD32 Value: UseLegacyShow (Set to 1)

32bit Windows OS

HKEY_LOCAL_MACHINE\Software\Insight
DWORD32 Value: UseLegacyRemoteControl (Set to 1)
DWORD32 Value: UseLegacyShow (Set to 1)

For customers using Mac OS the following command sets the same options;

sudo ./lstconfig UseLegacyScreenGrabber true

The lstconfig application can be found in the Insight Installer package in the Installs\Mac\Utilities folder.

Customers setting these options should contact the Faronics Support team and open a technical support case so that they can be notified when a solution to this issue is released in a updated build of Insight.

Currently at this time WINSelect does not support the Microsoft Edge browser.

  • Control of the browser including, but not limited to, network control and the ability to restrict access to portions of the application itself are not currently able to be applied. To work around this administrators can use Internet Explorer or Firefox.

    In some instances WINSelect will actively block the Edge browser from running specifically;

    If Network Restrictions are Enabled, Microsoft Edge will be automatically blocked.
    In Application > Internet Browser: If any of the check-boxes (including menu items) are selected, OR a Home Page is entered, Microsoft Edge will be automatically blocked.

Overview

Customers running Anti-Executable Enterprise or WINSelect Enterprise on Windows 10 may experience issues with using the keyboard or mouse on the client workstations after upgrading to the Windows 10 Anniversary Edition (Build 1607).

Workaround

Customers experiencing this issue can download and run the hotfix linked below to resolve the issue on affected machines.

This utility is available under following link:
https://s3-us-west-2.amazonaws.com/faronics-techsupport-utilities/Download/Core_Win10_Anniversary.exe

This utility can be launched either by running the command from a RDP session on the client machine or by using the Remote Launch feature of the Faronics Core Console. Once completed the workstation will need to be rebooted for changes to take affect. Any machine running Deep Freeze must first be placed into a thawed state.

For assistance in using this utility please contact the support team via email to support@faronics.com, via phone to 604-637-3333 x 1, or by opening a ticket at http://support.faronics.com

In testing Faronics has found that the installation of the Anniversary Update on machines running Anti-Executable can result in a workstations being unable to be accessed once the upgrade process is complete.

The upgrade process results in a number of key pieces of information that control the install of Anti-Executable not being properly preserved. In this case the most common outcome is that the workstation will no longer respond to keyboard or mouse input resulting in a computer that cannot be used.

Faronics Recommends that Anti-Executable be uninstalled prior to performing the upgrade to the Anniversary edition of Windows 10.

In the event that you have a workstation that has been upgraded you should be able to access the system via remote access tools to remove Ant-Executable from the system to restore access. Once access is restored Anti-Executable can be reinstalled on client machines running the Anniversary edition without issue.

This issue will be addressed in future builds of Anti-Executable. If you would like to be updated on when this happens please contact the support team to open a ticket on this issue.

Deep Freeze 8.31 made several enhancements to license activation to curb piracy and over-deployment issues. Moving forward, the workstation must connect either via the local console or directly to the Faronics Activation server to authenticate the license as and when an Internet connection is available. Failure to activate the license for more than 30 days will expire the product and prevent the workstation from rebooting into a Frozen state.

The workstation will attempt to automatically activate the license if an activation is pending or if it has previously failed to activate. However, both the Deep Freeze Enterprise Console and the workstation has the ability to manually activate the workstation license via an online or offline options.

Once the activation process is completed on a given workstation the workstation will not require further activation unless re-imaged, or the machine is subject to significant hardware changes.

Automatic Activation

The license is automatically activated on all workstations communicating with the Enterprise Console. If a workstation is offline (shut down or disconnected from the network), the license is activated when the workstation communicates with the Enterprise Console. The workstation will connect automatically to Faronics Activation Server if the Enterprise Console does not activate the workstation within 24 hours after the license key is applied.

Manual Activation

If automatic activation does not activate the workstation license, the Deep Freeze administrator can use the manual activation option by navigating to the Licensing dialogue in the console or client interface.

Two options are available:

  • Activate Online - activate Deep Freeze workstation license over the Internet. The computer must be connected to the Internet to Activate Online.
  • Activate Offline - activate the Deep Freeze workstation license by contacting Faronics Activation Support via email or phone. Create an Offline Activation Request File and send the file to activation@faronics.com to receive an Activation Response File.

For more information, refer to the Licensing section of the Deep Freeze Enterprise User Guide available at www.faronics.com/assets/DFE_Manual.pdf 

Imaging and Product Activation

When computers are imaged the workstations may be required to contact the Faronics Activation servers to validate the activation. This will only result in a new activation if the image is activated on a new piece of hardware for the first time. Re-imaging a machine that was previously activated will not represent a new activation against your license count.

Proxy Servers / Content Filters

In some cases Proxy Servers, content filters, and other tools intended to filter network access may result in problems contacting the Faronics Activation Servers. You should ensure that all HTTP / HTTPS traffic to api.faronics.com is whitelisted to ensure that machines can freely communicate with our activation services.

Resolving Activation Problems

If your activation is failing or if you believe you have been a victim of licensing piracy, please contact Faronics Activation Support at 604-637-8271 or 1-800-943-6422 in North America or send us an email to activation@faronics.com <mailto:activation@faronics.com> .

 

 

Overview

This document will detail guidelines for configuring Microsoft's BgInfo to display Deep Freeze client information.



Introduction

Deep Freeze provides administrators with a solution to protect endpoints from changes by removing all changes on protected areas on a system restart.

By design, Deep Freeze does not make any distinction between changes that are malicious, or changes that are desired on a workstation; This may pose some challenges in managing dynamic resources which you may want to retain after a system restart.

With new customers of Deep Freeze, we sometimes see system administrators applying changes which they'd like to apply on a target workstation which is in a Frozen state, only to have these changes removed after a workstation restart.

Although Deep Freeze's status can be viewed (by default) by reviewing the local system notification area (near the Window clock), there are some limitations which Windows may introduce: Small, 16 by 16 pixel, icons or icons not being displayed in the system notification area.

In this document, we're going to walkthrough leveraging a third party utility to announce the status of a Deep Freeze workstation.

 

Overview


Details about Deep Freeze can be polled using several resources. Here are some examples on a 64-bit deployment with modern Deep Freeze deployments.

Deep Freeze's (Frozen | Thawed | Seeded) status?
"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Faronics\Deep Freeze 6\DF Status"

Deep Freeze's version information (in the form of 0.00.000.0000)?
"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Faronics\Deep Freeze 6\DF Version"

 

Configuring BgInfo

BgInfo can be configured to display workstation information as a part of customized wallpaper.

BgInfo also includes details to add custom fields, to analyze resources available on local workstations to display custom information.

Using details listed above in the overview, BgInfo can display information on Deep Freeze and other Faronics resources.

Usage Stats is a component of the Deep Freeze Cloud product suite that can track the use of managed computers and can provide reporting indicating;

  • What applications are being used, including time, number of users, and number of computers that the applications are in use on.
  • Statistics indicating how many users are logging into a given computer, how long the machine has been used for over the reporting period and the average length of time that a user logs on for.
  • Reports indicating what machines a given user account is logging into, including the time spent on the systems and the average duration of the sessions.

With the version of Usage Stats included in the Deep Freeze Ultimate bundles the product adds the ability to monitor and track software usage on managed workstations.

Further details on the Usage Stats application can be found on the Faronics home page here;

http://www.faronics.com/deep-freeze-cloud-software-compliance/

 

Overview

When running Windows 8 users who have configured the operating sytstem to be protected  by Deep  Freeze may find that the operating system will not allow them to boot an operating system other than the default one. This occurs due to changes in the Windows 8 boot loader that effectively require Deep Freeze to protect the operating system at this stage preventing users from changing the boot device.

 

Solution

This can be resolved by setting the computer to use the older style of boot loader by running the following commnad;

 

 bcdedit /set {default} bootmenupolicy legacy

 

To revert this change run the command below;

 

    bcdedit /set {default} bootmenupolicy standard

 

 

Overview

This document describes design aspects of User Defined Groups filtering enhancement, which was introduced in version 8.20 of Deep Freeze Enterprise Console.

Introduction

In Deep Freeze Console versions below 8.20 there was a User Defined Group filter option, that was solely based on Workstation name, where “?’ and “*” wildcards could be used. In version 8.20 User Defined Groups have been enhanced, allowing to use filters based on workstation statuses shown in other columns on Deep Freeze Console. When workstation status in specific column(s) changes, the filter dynamically adds or removes workstations from filtered Groups based on the filter criteria.

Group filters description

Group filters can be created based on following values appeared in the Enterprise Console columns:

  • Workstation

  • Workgroup

  • IP Address

  • Status

  • Configuration

  • Configuration date

  • Installation File

  • Version

  • Operating System

  • MAC Address

  • Login Name

 

Depending on the Column, the filter can use various types of comparisons:

  • Equals

  • Not Equal To

  • Less Than

  • Less Then or Equal To

  • Greater Than

  • Greater Then or Equal To

  • Regular Expression

 

Group filter now allows the addition of a second filtering rule combined with first rule using OR/AND logic.

Filter Column types and values

Internally Column values split into following types:

String type. In this case the Group filter compares against the plain string value entered in tje User Group Add/Edit dialog. The following columns have string type values:

  • Workstation

  • Workgroup

  • IP Address

  • Status

  • Configuration

  • Installation File

  • Operating System

  • MAC Address

  • Login Name

The comparison type can be “Equal”, “Not Equal To” or “Regular Expression”. For “Equal”, “Not Equal To” comparisons the value string can use “?” and “*” wildcards the same as in previous versions. The status column filter has only “Equals” and “Not Equal To” comparisons and cannot use wildcards since the value string is selected from a drop-down list of pre-defined Status values specific to the current UI language set in the Deep Freeze Console. When switching Console UI language, the “Status” Column filter does not update with values in corresponding language. In this case the filer must be re-created or edited with new corresponding values of a given language.

Numeric type. The version column is of a numeric type. The comparison type can be “Equals”, “Not Equal To”, “Less Than”, “Less Then or Equal To”, “Greater Than” or “Greater Then or Equal To”. Since a higher version always has higher build number, internally the filter compares just against the build number (last four digits in the version number) and ignores the rest of digits which includes major/minor version number and product code. Therefore, it is not necessary to provide the full version number in a value string, but a four digits build number only – it will have same effect as providing full version. As for a numeric type the filter will not recognize wildcards.

Date type. The Configuration Date column is of a date type. The comparison type can be “Equals”, “Not Equal To”, “Less Than”, “Less Then or Equal To”, “Greater Than” or “Greater Then or Equal To”. The filter value is entered using a date picker and internally stored as a numeric value counting a number of days since 1900. Since the Configuration Date filter is internally represented with numeric value, it is not affected by changing Console UI language or system date format.

Blank values in Group filters

In some cases the specific column may show blank for the given workstation. This may happen, for example, when the older version of workstation does not support a specific status, since it was introduced in later versions (eg. Operating System, Login Name). For Group filters the blank column is treated as a “blank” value. If it is required to use a filter based of the blank value criteria, the value field in the Group Add/Edit dialog must be left blank and Comparison type must be set to “Equals” or “Not Equal To”.  Other comparison types are not applicable to a blank value.

Console Upgrade and Exporting User Defined Group

During an upgrade from previous versions of Deep Freeze Console to version 8.20 onwards, User Defined Groups will be converted to the new format. Filtered groups from previous versions will be represented with a new filter based on Workstation column with “Equals” comparison and the same string value as it was in old Group including wildcards. Therefore the behavior of converted filtered Groups of previous versions remains the same.

Similarly, importing Groups of previous versions will correctly convert them into the new format of version 8.20.

However, Groups are not backwards compatible. Therefore, when user would downgrade Console to previous version or import Groups into older version of Console, the Group structure will not be shown in Deep Freeze Console.

Remote Console setup

When remotely connecting Console of version 8.20 onwards to Deep Freeze Server Service of version 8.12 and below, it will correctly pull the Group structure from Server Service and convert to new format similarly to Group importing.

However, when remotely connecting Console of version 8.12 and below to Deep Freeze Server Service of version 8.20 onwards, it will not show Groups due to backwards incompatibility mentioned above.

  



 Below is a table outlining the system requirements for Faronics Core for deployments of specific size ranges.

 

Core Console Server

Deployment Size

0 - 500

2000 -5000

10,000 +

Processor

P4 2.8 GHZ +

Core 2 Duo 2.4 + / Core 2 Quad 2.4 +

Dual Processor Xenon 3 GHZ

Dual Processor

Recommended

Required

Required

Memory

2GB / 4GB Recommended

3gb Required / 6gb Recommended 

8gb + Recommended

Operating System

64bit Windows Operating System.

Server Operating System (64bit)

Server Operating System (64bit)

SQL Express

OK

NO

NO

SQL Standard

OK

Recommended

NO

SQL Enterprise

OK

Recommended

Recommended

Dedicated SQL

Not Required

Recommended

Required

Disk Space

80Gb

120GB

200GB

Database Server

Item

 

2000 -5000

10,000 +

Processor

 

Core 2 Duo 2.4 + / Core 2 Quad 2.4 +

Dual Processor Xenon 3 GHZ

Dual Processor

 

Required

Required

Memory

 

3gb Required / 6gb Recommended 

8gb + Recommended 

Operating System

 

64bit Server 2008 or Higher

64bit Server 2008 or Higher

SQL Express

 

NO

NO

SQL Standard

 

Recommended

OK

SQL Enterprise

 

Recommended

Recommended

Dedicated SQL

 

Recommended

Required

Disk Space GB (Database Only)

 

120gb or more.

500

 

The video below contains a brief overview of the Deep Freeze Connector, including how to install the software and how to manage your workstations from the Deep Freeze Cloud.

 

Overview

The whitepaper attached to this KB article details how to configure SCCM and Deep Freeze Enterprise to work in conjunction with each other. The document details:

  • Creating Collections in SCCM using information provided by Deep Freeze.
  • Deployment of Deep Freeze via SCCM.
  • Controlling Deep Freeze through SCCM.

 

Overview

This document provides solutions and recommendations for redirecting Microsoft account user profile with OneDrive on Windows 8.1 using Faronics Data Igloo 2.1.

 

Introduction

Windows 8.1 makes it easier to save and work with files on the OneDrive cloud storage by introducing a special kind of OneDrive file -  smart files, also called Online-only files. Online-only files look like normal files, so they can be browsed on the PC, but the file contents are really in OneDrive. When opening Online-only files from File Explorer and most apps, the file contents are downloaded automatically.

Whenever signing in with Microsoft account to a PC running Windows 8.1 the files on OneDrive are avialable immediately. Even if PC is not connected to the Internet, it is still possible to rename and delete those files. However, opening and editing files is possible only if they're available offline. Making a file available offline saves a synced version of the file on the PC in OneDrive folder located within user profile.

 

Problem Description

OneDrive becomes a built-in feature for Microsoft user accounts on Windows 8.1, where it stores smart files or their offline copies in dedicated OneDrive folder inside the user profile folder. When Data Igloo attempts to redirect the user profile or OneDrive folder, it may fail, if  the local offline copy of smart file is not be available or OneDrive service locks the file during synchronization.

 

Solution

In order Data Igloo to successfully redirect OneDrive folder content, all files in this folder must be available offline, so their content must be physically present on the PC.  This can be achieved by making entire OneDrive available offline:

  • While in OneDrive App, swipe in from the right edge of the screen, and then tap Settings. (If you're using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Settings.)
  • Tap or click Options, and then turn on Access all files offline.

    Note: enabling offline access may take some time, since smart files content must be physically downloaded to the PC, especially if those files were previously marked as online-only. This also might take some certain physical space on the local drive.

 

Also, to eliminate the possibility of OneDrive service locking the files during periodic synchronization, file synchronization must be paused:

  • While in OneDrive App, swipe in from the right edge of the screen, and then tap Settings. (If you're using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Settings.)
  • Tap or click Options, and then turn off Sync Files

After successful redirection of the user profile or OneDrive folder these settings can be restored back to thier original values. 

Problem:

On machine with freshly installed or upgraded Windows 8.1 IE 11 does not respect network restrictions setup in Faronics WINSelect.

Solution:

To make the WINSelect network restriction feature compatible with IE 11 on Windows 8.1 following Windows updates need to be installed:

  • Update for Microsoft Windows (KB2887595)
  • Security Update for Microsoft Windows (KB2909921)

Note: WINSelect should be disabled during Windows updates installation.

Problem

When accessing Deep Freeze cloud a message is shown indicating that a updated version of Internet Explorer should be used to access the site.

Resolution

This issue will occur if you are accessing Deep Freeze Cloud with Compatibility mode enabled in your copy of Internet Explorer. Compatibility mode reports the browser's user-agent string using a older version of the browser in order to allow sites that do not support the newer versions of Internet Explorer to function. This causes our web console to incorrectly identify the browser as an outdated version of Internet Explorer, prompting the warning that you are seeing.

To disable compatibility mode select Tools --> Compatibility View Settings from the menu bar and ensure that deepfreeze.com is not listed in the list of sites added to compatibility mode in the dialog shown.

 

 

Overview

This document details the process of creating a Custom Action in Deep Freeze Enterprise Console using Windows PowerShell scripting technology

Introduction

A Deep Freeze Action File is an XML file that allows end users to define additional functionality in the Deep Freeze Enterprise Console. An Action File defines a method for calling an external command or program file and passing some workstation-specific information (e.g. machine IP addresses, computer names).

This document describes an example of using PowerShell script to initiate a remote command or run a process remotely on selected workstation(s) using Deep Freeze Enterprise Console.  It is assumed the user has some knowledge of PowerShell scripting, XML language, as well as Deep Freeze Custom Action XML syntax. For more information about Custom Action scripting please refer to Deep Freeze user’s guide and Technical Papers.

Configuring the environment and testing PowerShell script

To be able to use Windows PowerShell remote commands, PowerShell must be installed on the target Windows workstations and enabled. Recent Windows OS already have PowerShell installed, but those systems still may be shipped in a locked down configuration, where PowerShell is disabled.

The easiest way to enable Windows PowerShell remoting is to use the Enable-PSRemoting cmdlet on target workstation. To do this, launch Windows PowerShell with Admin rights and run following command:

PS C:\> Enable-PSRemoting -Force

This enables Windows Remoting service (WinRM) and configures the Windows Firewall so that it can accept incoming commands within same Domain. Mixed Domain environments require some additional configuration to get remote execution working, which is not in the scope of this document.

Testing PowerShell script

Before implementing PowerShell script as a Custom Action, it is a good practice to run the script on its own to insure it works correctly. In that case it makes it easier troubleshoot the script.

For the purpose of this document we will use a “Invoke-Command” which runs a script remotely. It has following syntax:

Invoke-Command -computername [COMPUTER] -ScriptBlock { [COMMAND] }

where [COMPUTER] is the target workstation Computer name, and [COMMAND] is the series of PoweShell commands.

In order to run PowerShell command without initiating PowerShell session we will use following command:

powershell -Command "& { <list of PowerShell commands> ;}"

In a following example it shows a command which uses PowerShell script for running IpConfig remotely against the target workstation with the name "Workstation1":

powershell -Command "& {Invoke-Command -computername Workstation1} -ScriptBlock {ipconfig /all; Start-Sleep -s 10};}"

This command can be launched from Windows Command Prompt window and will bring up a full IPConfig report for the target workstation and keep the Command Prompt window open for 10 seconds.

Implementing Custom Action for running a remote command

Once the above script has been successfully tested, it now can be embedded into Custom Action inside <EXECUTE> tag, where computer name will be parameterized with %%WKSNAME%% parameter, which is contextual to the selected workstation. Upon launching Custom Action Deep Freeze Console will build the actual command by replacing %%WKSNAME%% parameter with the currently selected workstation name:

<EXECUTE>powershell -Command & "{Invoke-Command -omputername %%WKSNAME%% -ScriptBlock {ipconfig /all; Start-Sleep -s 10};}"</EXECUTE>

Some other Custom Action properties tags can be implemented accordingly to the user's requirements. Following is the complete Custom Action XML code:

<ACTION#>

    <CAPTION>

        <ENGLISH>Get ipconfig info</ENGLISH>

        <GERMAN>Get ipconfig info</GERMAN>

        <JAPANESE>Get ipconfig info</JAPANESE>

        <SPANISH>Get ipconfig info</SPANISH>

        <FRENCH>Get ipconfig info</FRENCH>

        <CHINESE>Get ipconfig info</CHINESE>

        <PORTUGUESE>Get ipconfig info</PORTUGUESE>

    </CAPTION>

    <FILEMENU>Y</FILEMENU>

    <POPUPMENU>Y</POPUPMENU>

    <SILENT>Y</SILENT>

    <SUBITEMS/>

    <PARAMS/>

    <SYNC/>

    <LOG/>

    <EXECUTE>powershell -Command &amp; &quot;{Invoke-Command -computername %%WKSNAME%% -ScriptBlock {ipconfig /all; Start-Sleep -s 10};}&quot;</EXECUTE>

    <WORKDIR>C:\Windows\system32\</WORKDIR>

</ACTION#>

This code snippet can be added into existing CustomActions.xml file, where <ACTION#> tag must be edited with actual number of action as it would show in Console Custom Action menus.

Note: in XML code some of the special characters must be replaced with character entities, as seen in above code sample.

In order the newly created Custom Action take effect, the Deep Freeze Console must be restarted.

 

Implementing Custom Action which prompts user to enter a remote command

In previous example we have created a specific custom action for running IPCconfig. This way user can create an unlimited number of predefined Custom Actions for each specific command as per user requirements.

However, it may give more flexibility, if the Custom Action would prompt the user to enter a command or program to be run on selected workstation. In order to achieve this, the command must parameterized inside the XML file similarly to workstation name described above.

In the below XML code sample we have reworked the previous PowerShell command, which now remotely runs cmd command, which in its turn launches any command, script or executable represented by %CMD% parameter, entered by user.

 

<ACTION#>

  <CAPTION>

                                <ENGLISH>Push remote command using Powershell</ENGLISH>

                                <GERMAN>Push remote command using Powershell</GERMAN>

                                <JAPANESE>Push remote command using Powershell</JAPANESE>

                                <SPANISH>Push remote command using Powershell</SPANISH>

                                <FRENCH>Push remote command using Powershell</FRENCH>

                                <CHINESE>Push remote command using Powershell</CHINESE>

                                <PORTUGUESE>Push remote command using Powershell</PORTUGUESE>

                                </CAPTION>

                                <FILEMENU>Y</FILEMENU>

                                <POPUPMENU>Y</POPUPMENU>

                                <SILENT>Y</SILENT>

                                <SUBITEMS/>

                                <PARAMS><CMD><VAR>%CMD%</VAR><CAPTION><ENGLISH>Command</ENGLISH><GERMAN>Befehl</GERMAN><JAPANESE>ƒRƒ}ƒ“ƒh</JAPANESE><SPANISH>Comando</SPANISH><FRENCH>Commande</FRENCH><CHINESE>ÃüÁî</CHINESE><PORTUGUESE>Comando</PORTUGUESE></CAPTION></CMD></PARAMS>

                                <SYNC>N</SYNC>

                                <LOG/>

                                <EXECUTE>powershell -Command &quot;&amp; {Invoke-Command -computername %%WKSNAME%% -ScriptBlock {cmd /c %CMD%}&quot;</EXECUTE>

                                <WORKDIR>C:\Windows\system32\</WORKDIR>

                </ACTION#>

Problem Steps recorder is a utility built into Windows 7 and Windows 8 that allows the user to record the steps they are taking on a workstation when a problem occurs. This allows the user to clearly communicate what steps are being taken to replicate a specific problem that they are seeing on their computer.

The problem Steps Recorder can be started by running the PSR.EXE utility on the workstation, this can be done by pressing the Windows Key+R and entering PSR.EXE in the run dialog, or by entering PSR.EXE in the search dialog for the Windows 7 Start Menu and Windows 8 search dialog.

Once launched the Problem Steps Recorder will show a small window with a button labeled Start Record. Once you are ready to start recording the issue click on the Start Record button. Once recording has started all the actions taken on the computer will be recorded with screen shots and descriptions of what the user is doing on the workstation.

Keyboard input is not captured by the problem steps recorder. This is done to prevent a user from accidentally sending over sensitive information or a password. If the information that you are entering is relevant to the problem that you are recording please make note of the information by clicking on the Add Comment button in the Problem Steps Recorder. This will pause the recording and will allow you to highlight the problem location and enter a note into the steps recorded.

Once you have finished recording the steps to replicate your problem click on the Stop Recording button, this will stop the recording and prompt you for a location to save the file. Provide a filename and a location to save the file. The steps will be saved in a HTML document and placed into a ZIP file so that the file can be sent for review.

 

 

This document describes how to redirect Bitdefender Endpoint Security Antivirus on XP, Vista, Windows 7, Windows 8 workstations using Data Igloo.

Problem Description

Folder redirection requires a physical relocation of the folder onto Thawed location. In many cases relocating Anti-Virus data folders may be not possible, since most of the AntiVirus software have some sort of self-protection mechanism, which prevents moving the AntiVirus components.

Solution

One of the solutions would be creating new empty Anti-Virus data folders before installing AntiVirus software, which will allow redirecting them successfully using Data Igloo. Then the AntiVirus software can be installed into its already existing and redirected folders. In this case, those folder names can be figured out on any other reference computer, where the specific Anti-Virus software is already installed.

Redirecting Bitdefender using Data Igloo user interface

This solution provides steps for redirecting Bitdefender Endpoint Security Anti-Virus data on the workstation using the mentioned approach of creating Bitdefender’s folders before installing Bitdefender itself.

Preconditions:

  • Faronics Data Igloo must be installed on the workstation
  • Bitdefender must not be installed on the workstation
  • Deep Freeze workstation must have ThawSpace or Thawed partition with minimum 1.5 GB of free space

Use following procedure for redirecting BitDefender:

 1. Reboot workstation into Thawed state.

 2. On the computer where Bitdefender is not installed create following new folders, which will be used by Bitdefender:

%ProgramFiles%\Bitdefender\Endpoint\Signatures

%ProgramFiles%\Bitdefender\Endpoint\ThreatScanner

3. Using Data Igloo folder redirection feature, redirect newly created folders onto Thawed location.

HKEY_LOCAL_MACHINE\Software\Bitdefender

5. Using Data Igloo registry redirection feature redirect newly created key onto Thawed location

6. Install Bitdefender Endpoint Security on the workstation

7. Reboot workstation into Frozen state. Now all new virus and spyware definitions, history of detected items, as well as Bitdefender’s settings will be retained across reboots.

Redirecting Bitdefender using Data Igloo scripting

This solution is based on the mentioned above steps, but utilizes a scripting functionality of Data Igloo (it is supported starting from Data Igloo version 2.0).

1. Reboot workstation into Thawed state

2. Download the attachment and rename Bitdefender_redirection_script.txt to Bitdefender_redirection_script.vbs or any other name with .vbs file extension.

3.  Run the script with elevated privileges. It will prompt for the Thawed location path and automatically create all required folders, registry keys, as well as perform all redirections described above. Alternatively, the Thawed location path can be passed to the script as a command line parameter which allows to use the script in silent mode (with Deep Freeze Custom Action or any third party remote deployment tool). For example:

msse_redirection_script.vbs  T:\redirection_target

In this example the script will redirect the Bitdefender folders into "T:\redirection_target" folder.  In case of registry redirection feature of Data Igloo is turned off, it will be automatically turned on by the script and same location "T:\redirection_target" will be used as a Thawed location for the registry keys.

4. Install Bitdefender Endpoint Security

5. Reboot workstation into Frozen state

Note: this procedure applies only to Endpoint Security Editions of Bitdefender.

Cause

There are few reasons why this message could appear: 
  1. Workstation had an antivirus program installed on machine and after uninstalling it, components are left behind preventing VBScripts from running. 
  2. Vbscript.dll is not registered properly.
  3. Vbscript.dll is corrupted

Resolution / Workaround

Solution #1: For workstations with a 3rd party antivirus installed :

  1. Check to see if there are any extra DLL's registered for the VBSCRIPT runtime.
    1. Run search in registry for “{B54F3741-5B07-11CF-A4B0-00AA004A55E8}” 
    2. Check if vbscript.dll path is "c:\windows\system32\vbscript.dll" 
    3. If somehow path is not correct it should be changed to proper one. 
    4. To change it to the proper one you will need to get ownership over the registry, otherwise it will show "access denied" message.
    5. To take ownership:
      • Click on key and select Permission. 
      • Click on Advance. 
      • Switch to the Owner tab.
      • Under Owner select Administrators or the admin user you currently login. 
      • Check the checkbox "Replace owner on subcontainers and objects" and click Apply. Now you should be able to modify registry itself.

Solution for #2: Vbscript.dll is not registered in the proper way
The VBScript engine can be registered by following these steps:

  • Run Command Prompt as administrator:
            Start Menu -> All Programs -> Accessories
  • Right click on Command Prompt and select Run as administrator
  • Navigate to the folder that contains the DLL:
    • If you are using 32-bit version of Windows:
Type cd %windir%\system32 into the Command Prompt and press ENTER
  • If you are using 64-bit version of Windows:
Type cd %windir%\syswow64 into the Command Prompt and press ENTER
  • Run the command that registers the DLL:
Type regsvr32 vbscript.dll into the Command Prompt and press ENTER

Solution for #3: Vbscript.dll is corrupted
Run the sfc /scannow System File Checker command to replace a missing or corrupt copy of the vbscript.dll file. If this DLL file is provided my Microsoft, the System File Checker tool should restore it.

On the teacher or student machine, you can edit a registry key to specify the IP Subnet to use.

32-Bit Windows
HKEY_LOCAL_MACHINE\Software\Insight\IPSubnet
HKEY_LOCAL_MACHINE\Software\Insight\IPSubnetMask

64-Bit Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Insight\IPSubnet
HKEY_LOCAL_MACHINE\ SOFTWARE\Wow6432Node \Insight\IPSubnetMask

If these value are not already present, you will have to create them with RegEdit.exe. "Edit -> New -> String Value" will allow for the creation of new values. These need to be of type "REG_SZ".

If you wished Insight to use the NIC assigned to the subnet 192.168.1.0, you would edit the IPSubnet to “192.168.1.0” and the IPSubnetMask to “255.255.255.0”. After inserting the proper values with RegEdit, the computer will need to be rebooted before these values will take effect.

Overview

The installation of Microsoft Update KB2840628 results in the Core Server no longer being able to start.

Details

The recent Microsoft patch KB2840628 has been identified as causing an issue when Faronics Core attempts to access it's database, in the Core Server an exception will be thrown as shown below:

 

00001194 12:20:52.038 PM [3884] EXCEPTION MESSAGE: A .NET Framework error occurred during execution of user-defined routine or aggregate "GetODBCache": 

 

This issue is related directly to problems with the patch and at this time it appears that Microsoft intends to address this issue in a future patch:

 

https://connect.microsoft.com/VisualStudio/feedback/details/793500/sqlclr-typeinitializationexception-in-sqlconnection-since-kb2840628

 

Workaround

Users should not install KB2840628 on machines running Faronics Core or Faronics Core Server. If you have installed the update removing it and rebooting the affected machines should resolve the issue.

Overview

Recently Apple has been shipping computers with Core Storage enabled on them, this results in an error being shown when the users attempt to install Deep Freeze Mac on the workstation. Core Storage is shipping enabled by default on many new Macs, specifically iMacs with Fusion Drives and hard disks 3tb and larger.

What is Core Storage?

Core Storage is a volume manager added to OSX in version 10.7 (Lion) and later. This volume manager provide apple with more flexibility in how they manage storage on systems running OSX, and is the basis of the Fusion Drive technology, and the File Vault full disk encryption software that included as part of the operating system.

Why is this a problem for Deep Freeze?

Most applications will not have a problem with an OSX machine running a volume managed by Core Storage as most applications interact with the operating system at the file system level. At the file system level the underlying volume manager is not a huge concern as the operating system takes care of the task of getting the data requested to the applications. Deep Freeze however works with the disks at a physical level and Core Storage completely changes how disks are visible to applications like Deep Freeze.

To check to see if you have a Core Storage volume enabled on your machine follow the instructions linked below:

https://faronics.kayako.com/Knowledgebase/Article/View/398/36/problems-installing-deep-freeze-mac-on-core-storage-volumes

What can be done?

At the current time the only option that we can provide to our customers is to disable Core Storage on any system that you would like to run Deep Freeze on. This does however have some disadvantages;

  • File Vault cannot be enabled if Deep Freeze is to be installed.
  • Once Core Storage is disabled the ability to use a Fusion Drive will be lost.
  • On hard disks 3tb and larger this may cause problems with dual booting OSX and Windows.

If you would like to be informed of updates on this issue please contact Faronics Support via email to support@faronics.com explaining the situation. We will open a ticket on this issue and provide updates as they become available.

Summary

In some cases workstations running Deep Freeze may lose connection to the domain and be unable to logon until re-joined to the domain. 

This issue was resolved with the release of Deep Freeze 5.91 and the information below will be appplicable to versions before 5.91 only. Any customers running older versions are reccomended to upgrade to the latest version of the software to resolve this issue.

Background

When computers are configured to use Active Directory a computer account and password are created in the Active Directory database that allow that workstation to communicate securely with the domain. This computer account will by default have its password updated on a periodic basis depending on how the users have configured the domain. In the case of a computer running Deep Freeze changes to this password cannot be retained on the local machine and after a reboot the computer may not be able to authenticate against the domain. This will commonly show up as an error that the Trust Relationship between the domain controller and the workstation has failed.

Solutions

There are two approaches to this issue,

Allow Deep Freeze to manage password changes.

Deep Freeze 7.6 and higher have provisions to manage the changes to the secure channel passwords on the workstations. The software will suppress the password changes on the workstation side until the workstation enters a thawed state, once the computer is thawed the password will be changed and cached on the local workstation.

This feature will require that workstations be thawed on a periodic basis to ensure that the changes can be retained across future reboots. This can be done as part of the normal scheduled update cycle for Windows updates or other 3rd party product updates and will happen in the background provided that the option to manage secure channel password updates is selected.

This option is found in the Configuration Administrator on the Advanced Options tab as “Manage Secure Channel Password” and is enabled by default.’

Please Note: This setting may not be effective if you have a policy on your domain controller that forces the passwords to expire after a set period of time. If this is the case machines must be thawed frequently enough to ensure that passwords can update before they become invalid.

Disable the machine account password changes.

It is possible to configure the domain controllers and the workstations to not change the passwords on the machine accounts. As the password changes can be called for on both the domain controller or the client these settings will have to be changed on both the client computers and the domain controller.

Hive: HKEY_LOCAL_MACHINE

Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Name: RefusePasswordChange

Type: REG_DWORD

Value: 1

 

You can also extend the number of days between changes by applying to domain controllers and workstations.

Hive: HKEY_LOCAL_MACHINE

Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Name: MaximumPasswordAge

Type: REG_DWORD

Value: #days up to 1,000,000

 

These can also be configured in the group policy editor (local or domain) under;

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

  • Domain member: Disable machine account password changes
  • Domain Member: Maximum age for machine account password

 

While these settings may resolve the issues with workstations falling off the domain they will effectively make the workstations account passwords static. This approach is not recommended if the machine accounts in Active Directory are being used to assign rights to network resources or to restrict access to systems as this may allow a malicious user to impersonate a workstation on the network to gain access to those resources.

 

OSX Workstations

Workstations running OSX that are configured to authenticate against Active Directory can experience the same type of issue. To resolve this issue the OSX workstations will need to be configured to not update the secure channel password. The process for changing this setting is below:

 

1)      If the client is bound to Active Directory, un-bind it before continuing.

2)      Log into the client Mac as an administrator.

3)      Open Terminal (located in /Applications/Utilities).

4)      Execute the following command to require a password change after X days (where X is the number of days, such as 30):

dsconfigad -passinterval X

5)      Enter your administrator password to confirm the change.

6)      Bind the client to Active Directory.

 

Taken from: http://support.apple.com/kb/HT3422

Overview

 

This document describes Deep Freeze compatibility issues in nComputing environments.

 

Problem Description

 

On some models of nComputing devices Faronics Products such as Deep Freeze may not be able to mount ThawSpaces or StorageSpaces when the VSpace is installed. ThawSpaces and StorageSpaces are used as containers to hold data across multiple reboots when Deep Freeze is enabled. This issue can show as a number of installation errors or problems with data being lost after reboots.

 

This issue affects all Faronics Products that are used in conjunction with Deep Freeze, as well as affecting the ability of Deep Freeze to cache Windows Updates on a frozen machine for future installation.

 

Workaround

 

In order to successfully install Faronics products on a machine that will be running the nComputing VSpace software it is recommended that the VSpace software be removed from the machine temporarily while that Faronics Products are being installed.

Summary:
When Automatic Login is enabled for a user, and the user is mapped to user ThawSpace, the OS may create user's home folder.

Product:
Deep Freeze Mac 5.7 and earlier versions.

Description:
If Automatic Login is enabled for a specific user and the user is mapped to the user ThawSpace, at times the ThawSpaces are not mounted before the user is logged in. This causes the system to assume the user's home directory is missing and proceeds to create one in /Volumes, resulting in two /Volumes/user (one is a ThawSpace and the other is a folder).

Furthermore, the Finder may not launch and menu bar is missing.

Workaround:
Disable Automatic Login.

Note: logout and logging back in will temporarily fix the issue, however it will still leave the folder.

Problem

When WINSelect is installed some applications refuse to allow multiple copies to be printed.

 

Issue

This is a known issue with WINSelect at this time that prevents some applications such as Microsoft Office from being able to print multiple copies while the print restrictions are enabled. Allowing multiple copies would allow users to potentially bypass the printer restrictions and gain unrestricted access to the printer. To Prevent this from happening the ability to print multiple copies of a document may be disabled in many applications.

 

Workaround

Customers can print the document multiple times without issue.

 

Resolution

At this time there is no resolution for this issue.

In some cases administrators may wish to retain the event logs on a Windows computer running Deep Freeze for diagnostic or auditing purposes. On a frozen machine the event logs can be retained by creating a second partition and instructing the operating system to save the log files in that second partition.

This can be done with the following process:

  1. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
  2. Open the subkey that contains the event log you want to redirect, such as Application.
  3. On the right pane, you will find a value named File (type REG_EXPAND_SZ), which contains the pathname and filename to the log file. You can provide a new pathname and filename here, but you should use the .EVT file extension.
  4. Close the Registry and restart the computer.

 

In some cases it may be possible to configure the domain to forward event log data to a central repository. Details on this process can be found at the link below:

http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx

Full disk encryption utilities are often transparent and generally will work with Deep Freeze without an issue.
We do not recommend using file-based encryption utilities as their misconfiguration may restrict a resource which Deep Freeze needs to properly function.


When planning a Deep Freeze deployment onto systems, we recommend that Deep Freeze is installed first and then changes, such as software installations are applied.
If the Deep Freeze installation or the workstation is unstable after the installation of the encryption utility, installing the encryption utility and then installing Deep Freeze on the client system may provide better results.

The following utilities have been tested with Deep Freeze:

  • TrueCrypt
  • SecureDoc (from WinMagic)
  • SafeBoot (from McAfee)
  • SafeGuard (from Sophos)
  • PGP (from PGP)
  • PointSec (from PointSec)

 

In some cases reports run in Anti-Executable 5.1 may show blank data when they are run. This issue occurs in some cases when upgrading from Anti-Executable 5.0.

Workaround

  1. Close All Faronics Core Consoles connected to the Faronics Core Server, including remote connections.
  2. Delete “C:\ProgramData\Faronics\Faronics Core 3\Loadins\Anti-Executable” from the Core Server. 
    Note: For XP and 2k3 the path is “C:\Documents and Settings\All Users\Application Data\Faronics\Faronics Core 3\Loadins\ Anti-Executable”
  3. Start the Faronics Core Console and login to the Core Server again.

This will cause the folder to be re-created and reports will run properly.

 Insight requires that the licensed version of the software be installed over top of the demo version.

  1. Update the teacher console by installing the licensed version of the software over top of the demo version.
  2. Change the teacher channel to channel “0”, this will allow the student computers running the demo to become visible to the teacher console. To change the teacher channel the “EnableChannelSelect Utility will need to be run first.
  3. Copy the appropriate Student Remote Update files to the application folder (Mac Students: mupdate.zip  or PC Students: PCUpdate.zip & Student.msi).  Select all Students and then choose Administer->Update Insight on Selected Students.

Insight has the same 30 day evaluation limit that other Faronics products do. There are however some features of the product that are limited in the demo version in addition to the 30 day time limit.

  • The channel for the Insight Demo is limited to the “Demo” channel and cannot be changed.
  • The limitation to the Demo channel also prevents the Class List features from working as students cannot change channels to join other classes.
  • The utilities folder mentioned in the Insight users guide is not included with the Demo version of the software.

The Deep Freeze MSI Converter allows the user to convert the Deep Freeze Workstation Install Program (DFWks.exe) executable file into a Windows Installer (.MSI) file format. The Windows Installer executable program that interprets packages and installs products is Msiexec.exe. 

To use the Deep Freeze MSI Converter, please follow the steps below.

  1. Create a Deep Freeze Workstation Install Program (also known as the Deep Freeze Client) using the Deep Freeze Configuration Administrator, or use an existing file.
  2. Once the Deep Freeze Workstation Install Program (also known as the Deep Freeze Client) has been generated, open the Deep Freeze MSI Converter and browse to the file location.
  3. Specify a name and a location for the MSI package to be created.
  4. Then accept the EULA and click on Generate MSI file. This will save the Deep Freeze Workstation Install Program (also known as the Deep Freeze Client) to the location as specified in Step #3.

The generated MSI file can be used for installing Deep Freeze through the Windows Active Directory environment and through Silent Install (Command Line Interface).

NOTE: This generated MSI file CANNOT be used for uninstalling Deep Freeze from any of the workstations that have Deep Freeze installed.

The following procedure was provided by Bloomberg, for support and assitance in implementing this process please contact Bloomberg support at HTTP://WWW.BLOOMBERG.COM/NOW/CONTACTS/

  1. Reboot the system Thawed
  2. Log into the computer using a profile/login that you are not trying to redirect or Data Igloo cannot redirect any registry keys. (For example. Don’t log in as you if you are trying to redirect your user profile)
  3. Open Data Igloo
  4. Go to User Profile (to redirect the enter profile) and then Registry Key redirection
  5. The following keys are to be redirected in order for Bloomberg software to update and retain information including licenses while the system is Frozen. And the registry keys that need to be saved/stored/kept are:
    • 32-bit Operating System
      • HKEY_LOCAL_MACHINE\SOFTWARE\Bloomberg L.P. (and all keys created under this key)
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • 64-bit Operating System
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Bloomberg L.P. (and all keys created under thiskey)
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    • Users can have the rights listed below instead of Uninstall.
    • 32-bit Bloomberg Office Tools in 32-bit Operating System.
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
        Bloomberg Office Tools (32-bit) 32-bit Bloomberg Office Tools in 64-bit Operating System
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\
        Uninstall\Bloomberg Office Tools (32-bit)
    • 64-bit Bloomberg Office Tools in 64-bit Operating System
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\
        Uninstall\Bloomberg Office Tools (64-bit)
  6. 6. Reboot the system Frozen and test the Bloomberg software

Overview

This document will detail the recommended practice for configuring a 3rd party antivirus solution to update properly when Deep Freeze is protecting a workstation.

Introduction

Deep Freeze provides administrators with a way to protect workstations from changes by rolling back any change made to the computer at reboot. Deep Freeze does not make any distinction between changes that are malicious, or changes that are desired on a workstation and this can pose some challenges in managing 3rd party products that require updates to occur on a periodic basis.

The most common interaction that we find on customers workstations is between antivirus software and Deep Freeze. Antivirus software by design requires periodic updates to maintain it’s effectiveness on a client workstation, and problems may arise unless steps are taken to ensure that the antivirus software can perform updates in a timely manner.

Scheduled are used to configure the antivirus software to update in a timeframe where Deep Freeze will not be protecting the workstations. This has the advantage of being one of the less difficult methods to configure but does require that the workstations have a period of time where they will not be used and can be configured to update automatically. 

Configuring Sophos Endpoint Security clients to update with Deep Freeze

Sophos Endpoint Security supports the use of a command line function that can be used to trigger antivirus updates when the workstations enter into maintenance mode. To configure Deep Freeze to trigger Sophos definitions to update when maintenance mode starts follow the process below. Instructions on triggering a Sophos update on a client workstation can be found here;

 

https://www.sophos.com/en-us/support/knowledgebase/36262.aspx

 

Deep Freeze 7.5 or Higher

1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Workstation Tasks tab.

4. Select Batch File in the Task Type drop down and click Add.

5. Name the event “Sophos Antivirus” in the Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

8. Click on the Batch File tab.

9. Enter the commands to update Sophos in the Batch File Contents field on the tab:

10. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

11. Install the updated workstation install file on your workstations.

 


Deep Freeze Version 7.4 or Lower
1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Embedded Events tab.

4. Select Maintenance in the Event Type drop down dialog and click Add.

5. Name the event “Sophos Antivirus” in the Event Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. Select the Batch File option in the Run drop down.

8. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

9. Click on the Maintenance tab.

10. Enter the commands to update Sophos in the Batch File field on the Maintenance tab.

11. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

12. Install the updated workstation install file on your workstations.

Overview

This document will detail the recommended practice for configuring a 3rd party antivirus solution to update properly when Deep Freeze is protecting a workstation.

Introduction

Deep Freeze provides administrators with a way to protect workstations from changes by rolling back any change made to the computer at reboot. Deep Freeze does not make any distinction between changes that are malicious, or changes that are desired on a workstation and this can pose some challenges in managing 3rd party products that require updates to occur on a periodic basis.

The most common interaction that we find on customers workstations is between antivirus software and Deep Freeze. Antivirus software by design requires periodic updates to maintain it’s effectiveness on a client workstation, and problems may arise unless steps are taken to ensure that the antivirus software can perform updates in a timely manner.

Scheduled are used to configure the antivirus software to update in a timeframe where Deep Freeze will not be protecting the workstations. This has the advantage of being one of the less difficult methods to configure but does require that the workstations have a period of time where they will not be used and can be configured to update automatically.

Configuring VIPRE Antivirus Business to update with Deep Freeze

VIPRE Antivirus Business supports the use of a command line function that can be used to trigger antivirus updates when the workstations enter into maintenance mode. To configure Deep Freeze to trigger Vipre Antivirus to update when maintenance mode starts follow the process below:

Deep Freeze 7.5 or Higher

1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Workstation Tasks tab.

4. Select Batch File in the Task Type drop down and click Add.

5. Name the event “Vipre Antivirus” in the Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

8. Click on the Batch File tab.

9. Enter the following in the Batch File Contents field on the tab:
@ECHO OFF
IF EXIST C:\Program Files\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" "C:\Program Files\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" /UpdateDefs
IF EXIST "C:\Program Files (x86)\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" "C:\Program Files (x86)\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" /UpdateDefs
10. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

11. Install the updated workstation install file on your workstations.

 


Deep Freeze Version 7.4 or Lower
1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Embedded Events tab.

4. Select Maintenance in the Event Type drop down dialog and click Add.

5. Name the event “Vipre Antivirus” in the Event Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. Select the Batch File option in the Run drop down.

8. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

9. Click on the Maintenance tab.

10. Enter the following in the Batch File field on the Maintenance tab:
@ECHO OFF
IF EXIST C:\Program Files\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" "C:\Program Files\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" /UpdateDefs
IF EXIST "C:\Program Files (x86)\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" "C:\Program Files (x86)\GFI Software\GFIAgent\SBAMCommandLineScanner.exe" /UpdateDefs

11. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

12. Install the updated workstation install file on your workstations.

Overview

This document will detail the recommended practice for configuring a 3rd party antivirus solution to update properly when Deep Freeze is protecting a workstation.

Introduction

Deep Freeze provides administrators with a way to protect workstations from changes by rolling back any change made to the computer at reboot. Deep Freeze does not make any distinction between changes that are malicious, or changes that are desired on a workstation and this can pose some challenges in managing 3rd party products that require updates to occur on a periodic basis.

The most common interaction that we find on customers workstations is between antivirus software and Deep Freeze. Antivirus software by design requires periodic updates to maintain it’s effectiveness on a client workstation, and problems may arise unless steps are taken to ensure that the antivirus software can perform updates in a timely manner.

Scheduled are used to configure the antivirus software to update in a timeframe where Deep Freeze will not be protecting the workstations. This has the advantage of being one of the less difficult methods to configure but does require that the workstations have a period of time where they will not be used and can be configured to update automatically.


Configuring Symantec Enterprise Protection to update with Deep Freeze

Symantec Enterprise Protection supports the use of a command line function that can be used to trigger antivirus updates when the workstations enter into maintenance mode. To configure Deep Freeze to trigger Symantec Enterprise Protection to update when maintenance mode starts follow the process below:

Deep Freeze 7.5 or Higher

1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Workstation Tasks tab.

4. Select Batch File in the Task Type drop down and click Add.

5. Name the event “Symantec Antivirus” in the Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

8. Click on the Batch File tab.

9. Enter the following in the Batch File Contents field on the tab:
@ECHO OFF
IF EXIST "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" /S
IF EXIST "C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.EXE" "C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.EXE" /S

10. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

11. Install the updated workstation install file on your workstations.

 

Deep Freeze Version 7.4 or Lower
1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Embedded Events tab.

4. Select Maintenance in the Event Type drop down dialog and click Add.

5. Name the event “Symantec Antivirus” in the Event Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. Select the Batch File option in the Run drop down.

8. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

9. Click on the Maintenance tab.

10. Enter the following in the Batch File field on the Maintenance tab:
@ECHO OFF
IF EXIST "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" /S
IF EXIST "C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.EXE" "C:\Program Files (x86)\Symantec\LiveUpdate\LUALL.EXE" /S

11. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

12. Install the updated workstation install file on your workstations.

 

Overview

This document will detail the recommended practice for configuring a 3rd party antivirus solution to update properly when Deep Freeze is protecting a workstation.

Introduction

Deep Freeze provides administrators with a way to protect workstations from changes by rolling back any change made to the computer at reboot. Deep Freeze does not make any distinction between changes that are malicious, or changes that are desired on a workstation and this can pose some challenges in managing 3rd party products that require updates to occur on a periodic basis.

The most common interaction that we find on customers workstations is between antivirus software and Deep Freeze. Antivirus software by design requires periodic updates to maintain it’s effectiveness on a client workstation, and problems may arise unless steps are taken to ensure that the antivirus software can perform updates in a timely manner.

Scheduled are used to configure the antivirus software to update in a timeframe where Deep Freeze will not be protecting the workstations. This has the advantage of being one of the less difficult methods to configure but does require that the workstations have a period of time where they will not be used and can be configured to update automatically.

Configuring McAfee VirusScan to update with Deep Freeze

McAfee VirusScan supports the use of a command line function that can be used to trigger antivirus updates when the workstations enter into maintenance mode. To configure Deep Freeze to trigger McAfee VirusScan to update when maintenance mode starts follow the process below:

Deep Freeze 7.5 or Higher

1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Workstation Tasks tab.

4. Select Batch File in the Task Type drop down and click Add.

5. Name the event “McAfee Antivirus” in the Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

8. Click on the Batch File tab.

9. Enter the following in the Batch File Contents field on the tab:
@ECHO OFF
IF EXIST "C:\Program Files\McAfee\VirusScan Enterprise\mcupdate.exe" "C:\Program Files\McAfee\VirusScan Enterprise\mcupdate.exe"
IF EXIST "C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe" "C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe"

10. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

11. Install the updated workstation install file on your workstations.

 


Deep Freeze Version 7.4 or Lower
1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Embedded Events tab.

4. Select Maintenance in the Event Type drop down dialog and click Add.

5. Name the event “McAfee Antivirus” in the Event Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. Select the Batch File option in the Run drop down.

8. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

9. Click on the Maintenance tab.

10. Enter the following in the Batch File field on the Maintenance tab:
@ECHO OFF
IF EXIST "C:\Program Files\McAfee\VirusScan Enterprise\mcupdate.exe" "C:\Program Files\McAfee\VirusScan Enterprise\mcupdate.exe"
IF EXIST "C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe" "C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe"

11. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

12. Install the updated workstation install file on your workstations.

ns.

Overview

This document will detail the recommended practice for configuring a 3rd party antivirus solution to update properly when Deep Freeze is protecting a workstation.

Introduction

Deep Freeze provides administrators with a way to protect workstations from changes by rolling back any change made to the computer at reboot. Deep Freeze does not make any distinction between changes that are malicious, or changes that are desired on a workstation and this can pose some challenges in managing 3rd party products that require updates to occur on a periodic basis.

The most common interaction that we find on customers workstations is between antivirus software and Deep Freeze. Antivirus software by design requires periodic updates to maintain it’s effectiveness on a client workstation, and problems may arise unless steps are taken to ensure that the antivirus software can perform updates in a timely manner.

Scheduled are used to configure the antivirus software to update in a timeframe where Deep Freeze will not be protecting the workstations. This has the advantage of being one of the less difficult methods to configure but does require that the workstations have a period of time where they will not be used and can be configured to update automatically. 

Configuring AVG to update with Deep Freeze

AVG supports the use of a command line function that can be used to trigger antivirus updates when the workstations enter into maintenance mode. To configure Deep Freeze to trigger AVG to update when maintenance mode starts follow the process below:

Deep Freeze 7.5 or Higher

1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Workstation Tasks tab.

4. Select Batch File in the Task Type drop down and click Add.

5. Name the event “AVG Antivirus” in the Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

8. Click on the Batch File tab.

9. Enter the following in the Batch File Contents field on the tab:
@ECHO OFF
IF EXIST "C:\Program Files\AVG\AVG2012\avgmfapx.exe" "C:\Program Files\AVG\AVG2012\avgmfaps.exe" /AppMode=UPDATE /source=inet
IF EXIST "C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe" "C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe" /AppMode=UPDATE /source=inet

10. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

11. Install the updated workstation install file on your workstations.

 


Deep Freeze Version 7.4 or Lower
1. Open the Deep Freeze Configuration Administrator.

2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.

3. Click on the Embedded Events tab.

4. Select Maintenance in the Event Type drop down dialog and click Add.

5. Name the event “AVG Antivirus” in the Event Name field.

6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.

7. Select the Batch File option in the Run drop down.

8. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.

9. Click on the Maintenance tab.

10. Enter the following in the Batch File field on the Maintenance tab:
@ECHO OFF
IF EXIST "C:\Program Files\AVG\AVG2012\avgmfapx.exe" "C:\Program Files\AVG\AVG2012\avgmfaps.exe" /AppMode=UPDATE /source=inet
IF EXIST "C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe" "C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe" /AppMode=UPDATE /source=inet

 

11. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.

12. Install the updated workstation install file on your workstations.

In some editions of the Insight users guide the instructions for setting up the AD Secure mode incorrectly state two different possible names for the Insight Teachers domain user group. The correct name for the domain user group is:

"Insight Teachers"

The Faronics Core Console can be used to detect workstations which do not have the Faronics Core Agent installed and are marked as unmanaged.

If your management system and your clients are connected to a domain, the 'LDAP Connection' option can be used to allow the Faronics Core system to read LDAP information.

The following is a guide to ensure successful connectivity.


1) What information do I need to connect to an LDAP structure with the Faronics Core product?
-The name/IP address of a domain controller
-The name of the domain
-Login credentials on the domain which are associated with the 'Domain Administrator' group

If you are connecting to a domain controller by name, please ensure the name is able to resolve to the correct IP address of the target domain controller system.

2) Which information goes to which area?
Can I confirm the settings which should be used?
If you are logged onto a domain structure, results from system variables can be used.

Running a 'SET' command from a Windows Command Prompt will provide a list of variables.



Server:
%LOGONSERVER%

LDAP Domain:
%USERDNSDOMAIN%


3) I'm certain I'm using correct settings?
Is there anyway I can verify this?

'Active Directory Explorer,' (a Microsoft utility) is a graphical utility which can be used.
Active Directory Explorer can provide information in plain text if incorrect credentials (and other settings) are used.


Active Directory Explorer is much more lenient with connection settings: You can connect to either a Domain Controller or the Domain.



4) The LDAP Import is taking a long time and I can't seem to browse my LDAP area.
Is there anyway to have the Faronics Core Console go to a direct area on my LDAP structure?

Although the 'ADsPath' cannot be modified within the LDAP connection (and there are some preset configurations), a portion of the 'Path' (before the reference to the server/connection) can be copied and then used.

If the path of an area is: 'CN=Computers,DC=DomainName,DomainName [SERVER.DOMAIN]' and you'd like to go to the 'Computers' group, copy 'CN=Computers' and place that in the 'Optional' field of the 'Add New LDAP Connection' area.

In computer labs where users may log onto any workstation using personalized local profiles, installing Deep Freeze may cause difficulties as changes, including newly created profiles, are removed when Deep Freeze is in an enabled state and the workstation is restarted.

Newly created profiles on a Windows workstation can be retained even with Deep Freeze installed when redirected onto a Thawed area using Data Igloo.

To retain data, you will first need to ensure that you have a location that is not protected by Deep Freeze where the users data can be saved. This location can be either a ThawSpace created by Deep Freeze or a physical partition which is not Frozen by Deep Freeze.

Creating a Thawed location for user data.

From the 'Drives' tab of the Deep Freeze Configuration Administrator Deep Freeze can be configured to set specific volumes as Thawed by clearing the check box beside the drive letter that you want to thaw. It is not recommended to set the system volume (C:\ in most cases) as thawed. If a second partition is not available a ThawSpace can be created to act as a virtual partition to save data to.

To create a ThawSpace, open the Configuration Administrator and click on the Drives tab while creating your workstation install package. To create a ThawSpace select the drive letter, size, and host drive that you want to use and click the Add button in the ThawSpace section of the drives tab. Once created in the Configuration Administrator the workstaiton install file must be saved, and then deployed to the client workstations. Once installed the ThawSpace will show up as a lettered volume in My Computer.

Please ensure that the size of your ThawSpace does not exceed the amount of free disk space on your host drive and is also configured to have enough free disk space for your redirected data.


Mapping the user to the thawed location.

Once you have created a thawed location, Install Faronics Data Igloo and on the user mapping tab:

  1. Mark the option to 'Redirect any newly created user profiles to:'
  2. Select a Thawed target area where your newly created profiles will be saved.

Once applied any new user profiles created on the system will be created in the thawed location.

Profiles and folder data on a Windows workstation can be retained even with Deep Freeze installed when redirected onto a Thawed area.

To retain data, you will first need to ensure that you have a location that is not protected by Deep Freeze where the users data can be saved. This location can be either a ThawSpace created by Deep Freeze or a physical partition which is not Frozen by Deep Freeze.

Creating a Thawed location for user data.

From the 'Drives' tab of the Deep Freeze Configuration Administrator Deep Freeze can be configured to set specific volumes as Thawed by clearing the check box beside the drive letter that you want to thaw. It is not recommended to set the system volume (C:\ in most cases) as thawed. If a second partition is not available a ThawSpace can be created to act as a virtual partition to save data to.

To create a ThawSpace, open the Configuration Administrator and click on the Drives tab while creating your workstation install package. To create a ThawSpace select the drive letter, size, and host drive that you want to use and click the Add button in the ThawSpace section of the drives tab. Once created in the Configuration Administrator the workstation install file must be saved, and then deployed to the client workstations. Once installed the ThawSpace will show up as a lettered volume in My Computer.

Please ensure that the size of your ThawSpace does not exceed the amount of free disk space on your host drive and is also configured to have enough free disk space for your redirected data.

Mapping the user to the thawed location.

Once you have created a thawed location user profiles can be mapped.

Faronics Data Igloo can be used to redirect profiles into Thawed locations.

To redirect a user profile which already exists:

  1. Ensure that the user profile you would like to redirect does not have any resources which are used and locked.
  2. Login to the workstation with administrative rights.
  3. From Data Igloo's 'User Profile Redirection' tab, select the user which you would like to redirect and select the 'Custom Location' option from within the 'User Profile Location' area.

Users in Deep Freeze Mac can be moved to a Thawed location to allow users to save data in the users home folder. This process can be done through the Deep Freeze Mac product directly and does not require any 3rd party tools.

To move the users home folder you will first need to ensure that you have a location that is not protected by Deep Freeze where the users data can be saved. This location can be either a ThawSpace created by Deep Freeze, a Thawed physical partition or second hard disk.

Creating a thawed location for user data.

To create a ThawSpace open the Deep Freeze UI by right clicking on the Icon in the notification area on the toolbar, or by running the DFXControl application from the Applications/Faronics folder. Once you have logged in click on the ThawSpace tab and click on the + button on the bottom left to add a ThawSpace.

If you are mapping users it is recommended to use a user specific ThawSpace for each user that you are mapping. To add a user ThawSpace select the user in the Add ThawSpace dialog, set the size of the ThawSpace, and click OK. Once created the ThawSpace will be shown in the ThawSpace list as shown below.

Please note that you will need administrative rights on the local machine to create a ThawSpace.

To set a physical volume to be thawed click on the Drives tab, this will show a list of the physical volumes on the computer. To Thaw a specific volume clear the check box from the Frozen drive and click Apply.

Mapping the user to the thawed location.

Once you have created a thawed location you can now map the users home folder to this new location. To do so click on the Mapping tab in the DFXControl application to view a list of users on the local system who can be mapped.

To map a user to a new location click on the user account that you want to map and select the new location for the users home folder on the User Location drop down. If you only want to move a portion of the users home folder select the Custop option in the User Location drop down and then select the items that you want to map, and the location for each in the area below the User Location drop down.

Clicking on Apply will save your changes and the users home folder will be moved to the specified location.

Overview

During a Deep Freeze workstation installation on a Windows system, you may receive a message indicating that Deep Freeze does not support drives which are larger than 2 terabytes.


This dialog will prevent the installation of Deep Freeze on a Windows sytem.

Resolution

This issue was resolved with the release of Deep Freeze Enterprise 7.5. To install Deep Freeze on a computer with a hard disk larger than 2tb upgrade to a version of Deep Freeze higher than 7.5.

When upgrading Faronics Core agent vai GPO you may encounter an error where the installation fails with a status of "User Canceled Installation" shown in the event logs. This occurs when a password is set on the install of the Faronics Core Agent and this password is not specified as part of the upgrade process.

To update the software an MST file needs to be created that will supply the password for the install as part of the GPO push. To create a MST file you will need to download the ORCA tool from the Microsoft website and follow the instructions below.

  1. Create FCA installer through FCC connection and save it in a shared location
  2. Open ORCA and drag and drop the FCA installer file created in the previous step
  3. Go to "Transform > New Transform"Select "Property" on the left paneGo to "Tables > Add Row..."Add the following:        
    Property: PASSWORD        
    Value: <password>

    *** <password> is the password currently used in core agent installed on the workstation.
     
  4. Then, scroll down the right pane and check the new row is added properly
  5. Go to "Transform > Generate Transform..."Enter the filename: <myTransform>.mstClose ORCA
  6. Right-click your GPO and select "Edit"Go to Computer Configuration > Software Settings > New > Package...
  7. Select a newer version of MSI file (FCA installer) through Network accessible path (e.g. \\qa017\Workgroup\me\FCAmyVersion.msi)
  8. From "Deploy Software" window, select "Advanced"
  9. Select "Modifications" tab and "Add..." to add MST file created in step [5] above

Refresh the window to see the newer version of MSI file is added to GPO

Also check the GPO Settings and see "Assigned Applications" and "Transforms" under "Advanced" are pointing to the correct MSI and MST files respectively.

Reboot the target machines


Faronics products are designed to be deployed using their own native tools. We do provide a set of options that can push an install to workstations using 3rd party tools. Any tool that can run commands remotely on a workstation is capable of deploying Faronics products.

For products that package the client software as an MSI file the following syntax can be used to push the MSI file silently:

msiexec /i [path to file] /qr

Deep Freeze packages client files as EXE files and as such requires a different command line syntax to perform an unattended install, as shown below:

[path to file]\DfWKS.exe /INSTALL

Please note:

  • The standard editions of Faronics Products do not have a full set of command line controls and will require additional steps to configure the product once installed.
  • Data Igloo does not support unattended installation or configuration.
Please ensure that either a wireless card or internet cable is attached and set up properly to your Vernier LabQuest device. If you are not connected to your labs computer network then there is no way for the Insight Teacher console to locate and interact with your LabQuest device.

Windows Multipoint Server does not provide a unique identifier for each station that it communicates with, as such the classroom layout feature of Faronics Insight does not work with Windows Multipoint Server.

Faronics Insight makes use of a number of static and dynamic ports;

  • Static Ports – 796, 1053
  • Dynamic Ports – 41952 to 65535

Both the static ports and dynamic ports will need to be open to accept traffic from workstations running the Teacher Console. 

Faronics supports the use of Insight on systems running nComputing hardware with the following versions of the vSpace client software on an officially supported operating system:

 

L-Series Hardware

X-Series Hardware

U-Series

M-Series

vSpace Version

L300

L230/L130

Older L-series

X350/X550

X300

U170

M300

vSpace 4 (32-bit)

 

Not   supported

L-4.9.5.11

L-4.9.5.11

Not supported

Not   supported

Not   supported

Not   supported

vSpace 5 (32-bit)

 

Not   supported

L-5.1.3.12

Not   supported

X-5.2.4 

Not   supported

Not   supported

Not   supported

vSpace 6 (64bit) 

L-6.1.5.10

L-6.1.5.10

Not   supported

X-6.2.4.10

Not   supported

WMS* nodes only.

6.6.2.3

(Requires Insight 7.6.3+)

*Windows Multipoint Server

Installation

On a supported platform the first step in installing the product is to run the TerminalServer.MSI Package on each nComputing host system. Once the TerminalServer.MSI file has been run the SetupTSClient.EXE application needs to be run on each terminal that you want to configure as either a teacher or student workstation.

When upgrading to newer verisons of Insight only the TerminalServer.MSI file needs to be run on the host workstation as that will update all the terminals connected to that host.

When WINSelect is configured to block hotkeys, specifically the WINDOWS-L key combination, the ability of the workstation to enter into a locked state will be disabled. This will show with the following behaviours;

  • Workstations will not prompt for passwords when reusming from standby or other sleep states.
  • Workstations will not prompt for passwords when returning from the screen saver.
  • Workstations will not show the ability to lock the computer in the Windows Security dialog.

Please note that that the current Customization Code must be known before this process begins.  Do NOT proceed with the upgrade process until this has been confirmed.  For more information on how to verify your code, please refer to
https://faronics.kayako.com/Knowledgebase/Article/View/187/0/how-do-i-test-the-validity-of-or-recover-from-a-lost-customization-code

Updating Deep Freeze Enterprise to the latest version consists of two steps:

  • Step 1 – Update the Deep Freeze Enterprise Console and Administrator.
  • Step 2 – Update the client workstations.
Please login to your organizations Faronics Labs page to download the latest version of the software, and the most up to date license key available for your organization.  

Prior to beginning the upgrade process, close the Enterprise Console, if running, and shut down network connections using the exit options menu.  Please ensure any Deep Freeze related programs or services are not running as this will cause the process to fail.  This can be quickly double checked by running "Task Manager".  Under the "Processes" or "Details" section, kill any of the following if seen running:  "DFconsole.exe", "DFAdmin.exe", or "DFServerservice.exe".


Step 1 Updating the Deep Freeze Enterprise Console and Administrator.

To update your Console and Administrator, there are two options:


a. Attended installation: 
  • Right click on the downloaded package (Faronics_DFE.zip), and extract the files inside.
  • Right click on the "DFEnt.exe" file, and select the option to 'Run as Administrator".  
  • The installer will detect that Deep Freeze Enterprise is installed on the system.  Follow the prompts to complete the upgrade.  The new license key will need to be entered when prompted.  Depending on the version of Deep Freeze Enterprise that is currently installed, it may also be required to re-enter the customization code as the last step in the upgrade process.  
This method will update the Configuration Administrator, the Enterprise Console, and any Deep Freeze created files (Workstation Installers, Seeds, or Configuration Files) that are situated in the default save location:

C:\Program Files\Faronics\Deep Freeze Enterprise\Install Programs  (32-bit)
C:\Program Files (x86)\Faronics\Deep Freeze Enterprise\Install Programs (64-bit)

b. Unattended installation:

The Deep Freeze Enterprise installer allows command line upgrades:

<Path to File>\DFEnt.EXE /update=”customization code” dfupdate.log

This method will also update the Configuration Administrator, the Enterprise Console, and any Deep Freeze files (workstation installers, seeds, or configuration files) that are situated in the default save location:

C:\Program Files\Faronics\Deep Freeze Enterprise\Install Programs  (32-bit)

C:\Program Files (x86)\Faronics\Deep Freeze Enterprise\Install Programs (64-bit)

Please note, the “customization code” is the Customization Code used during the original installation of the Deep Freeze Enterprise product.  The Customization Code should only be placed within quotes if there are any spaces in the code.  If you have any issues with the upgrade process using the command line, the dfupdate.log will display any errors that were encountered.

ex.  'Deep Freeze' requires the use of quotes in the command line.  'DeepFreeze' as your customization code does not.


Step 2
Updating the client workstations. 

Once the management tools have been updated, the next step is to update the Deep Freeze Enterprise clients on the workstations.

a. Workstations running Deep Freeze Enterprise 7.60 or higher:

The recommended method is to use the "Update" action in the Deep Freeze Enterprise Console.  It can be applied to one or a group of machines.  As a best practice, we recommend testing this upgrade on a single machine before proceeding to the larger group. 

This will push down a blank installer filer that will upgrade the program binaries on the workstation, without modifying the configuration settings.  Deep Freeze will automatically thaw the machine, apply the upgrade, and reboot the machine back into a frozen state when completed.  Due to the machine restarting several times during this automated process, please do not launch this if the machine is in use as user data loss can occur.

b. Workstations running editions of Deep Freeze Enterprise older than 7.60:

The recommended process for updating the client workstations is:

  1. Thaw the workstation(s).
  2. Use the "Uninstall (leave seed)" option to remove the installed client.
  3. Ensure that you have created or have an existing "Deep Freeze Workstation Install Program" (DFWks.exe by default) updated to the latest version being used.  This can be done by re-saving the file in the Deep Freeze Configuration Administrator.
  4. Install the updated Deep Freeze client using the "Install" command.  You will be prompted to select a "Deep Freeze Workstation Install Program".  Please ensure the the file matching your desired settings is used as this will modify any existing configuration on the workstation.
If there are any issues during the upgrade process, please contact Faronics Technical Support for further assistance.

The following ports are used by Faronics Core:

  • 7751 (TCP/UDP) — This port is on the workstation and is used to receive commands from the Faronics Core Server. The Ping command is enabled on this port.
  • 7752 (TCP/UDP) — This port is on the Faronics Core Server and is used to receive events from the workstation(s).
  • 7753 (TCP/UDP) — This port is on the Faronics Core Server and is used to communicate with the Faronics Core Console.

By default, Faronics Core opens ports 7751, 7752 and 7753 on the Windows Firewall on the Local Machine, if your network consists of more than one subnet these ports will need to be open across the entire VLAN to manage workstations.

Additionally to push the workstation installation package to an unmanaged workstation the firewall must be configured to accept WMI over DCOM connections remotely. This requires port 135 to be open as well as the dynamic port range used by DCOM to be opened. Instructions for this can be found on the Microsoft KB here:

http://msdn.microsoft.com/en-us/library/aa389286%28v=vs.85%29.aspx

Release 3.31 of the Faronics Core introduced the Change Ownership action.  This action allows the user of Server A to give away a Workstation it is currently managing to Server B.

When the user of Server A goes to Change Ownership of the Workstation, the task will be blocked if Deep Freeze is installed and the Workstation is Frozen with an error message of "Cannot add or remove an application on a Frozen workstation", even though the action was Change Ownership rather than an installation/uninstallation.

To sucessfully change ownership the workstations being changed must be thawed prior to the change.

The normal sequence of events when a workstation is moved to a new console is as follows;

  1. The workstation status on the new console is set to "Joining from other console"
  2. The workstation status on the old console is set to "Left for new console"
  3. The workstation status on the new server is set to "Joined from other console"

During this process the behaviour that is shown may be different depending on if the two instances of Faronics Core are sharing the same database or working form seperate databases.

If the two servers share a common database, then:
  1. Unexpected handshaking events may be visible as the "Last Agent Event" on connected Consoles.  This is because all Consoles will see the handshaking events intended for both servers. 
  2. A workstation that has been handed over to another server will disappear from the Console attached to the original server.  If the discovered workstations are refreshed, then this workstation will be rediscovered.
If the two servers have separate databases, then:
  1. Connected Consoles will see only the expected events as the "Last Agent Event".
  2. A workstation that has been handed over to another server will remain visible in the Console, as follows:
    1. [Core 3.31]The workstation will have a Last Agent Event of "Workstation left for another console" and will be treated as a pseudo-managed workstation (similar to workstations with last event "Agent uninstalled"). This will result in the original Core Console not being able to take ownership of the workstation again. To work around this the workstation will need to be removed from the database and re-discovered to allow the Core Server to take Ownership again. 
    2. [Core 3.32] The workstation will be treated as unmanaged, and appear as unmanaged in the Console.

In versions of Deep Freeze prior to 7.21 systems could lock up at boot time if the system was configured with a RAMDisk. This issue was resolved in Deep Freeze 7.21, customers running earlier versions should update to 7.21 or higher to resolve this issue.

Faronics has a number of methods to recieve customer files. If the files are small enough, and are not something that would be considered 'hazardous' such as a malware sample the files can be emailed to the support team or attached to a ticket in the support portal.

For any larger files they can be sent via a dropbox located here;

http://dropbox.yousendit.com/faronics

When using the dropbox please ensure that you use the ticket number of your issue in the subject field of the submissions page so that your attachment can be quickly attached to the appropriate case.

License keys for Faronics Products are specific to the version of the software that is being installed and will only function for the release that they where generated for and any previous release.

For example, a license key for Deep Freeze 7.2 will work on the following versions of Deep Freeze;

  • Deep Freeze 7.2
  • Deep Freeze 7.1
  • Deep Freeze 7.0

The same key however will not work for any version of the software past 7.2, including point releases such as 7.21.

License keys for each product are automatically generated and issued to customers who have a valid maintenance package at the time that the updated version of the software is released and can be retrieved from the Faronics web site. If you require assistance in retrieving your license information please feel free to contact support for assistance. Customers in the US and Canada can download the updated builds and access their license keys from the Faronics Labs portal, customers outside of the US and Canada can access the license information through our Customer Center Portal

When you Move or have significant hardware or OS changes the Deep Freeze Console / Configuration Administrator you have to Authorize Using a One Time Password OTP Token to get into Deep Freeze Console / Configuration Administrator.


If you don't have an operational Deep Freeze Console / Configuration Administrator you can reinstall Deep Freeze Enterprise by downloading it from www.FaronicsLabs.com.

  • The Splash Screen requesting the OTP Password will present an OTP Token.
  • Enter the 8 digits from the token into the Configuration Administrator or the Deep Freeze Console under the One Time Password Screen. This can be found on the Configuration Administrator under the One Time Password tab or In the Deep Freeze Enterprise Console Under the Tools menu select One Time Password.
  • Enter the OTP token & click on Generate. This will yield a Password that can be valid for one use only or valid for multiple use based upon your selection.
  • Enter this password exactly as displayed (cut and paste will work)
  • Once you have this password and successfully log into Deep Freeze Console / Configuration Administrator.
  • You can go to any Console or Configuration Administrator created with the Same Customization Code to generate the OTP Password.


You must - MUST use the exact same customization code that you originally installed Deep Freeze with.
If you do not have this Customization Code you will not be able to use this method to generate a OTP password.

Faronics reccomends the use of the Anti-Executable maintinance mode to perform windows updates on client workstations. This allows for any changes to the applications installed on the system to be immediately reflected in the whitelist when the updates are completed.

The first step to troubleshooting any issue is to define the behavior that the computer is showing when it attempts to go to sleep. 

Does the computer only show this problem when the system is out to sleep with Power Save?

If so then the focus of troubleshooting will be on the settings in the Power Save product, we should verify the settings in place and find out if the software is properly configured to bring the computer into a sleep state when the customer is expecting it to.

Does the problem occur when the system is manually put to sleep?

If the problem occurs even when the system is manually put to sleep then the issue is likely due to some type of hardware / software issue that could be blocking the computer from entering a sleep state. At this time a deep dive through the BIOS and system settings will need to be done to determine if the issue can be resolved.

What is the problem?

If the computer does not properly enter a sleep state then the focus will need to be on finding the conditions that are causing the error to occur. 


If the computer is consuming too much power during the sleep state please check the following links:
hen testing a system with Power Save the system refuses to enter a S3 sleep state when the computer is configured to do so, the computer may ignore the request to sleep or may enter a S1 sleep state instead. This will generally only be shown when power consumption is being monitored via a Watt meter connected to the computer. The S1 sleep state will consume much more power than the S3 sleep state (50w vs. 5w as an example).

Cause

By default, Microsoft Windows XP and Microsoft Windows Server 2003 enable a universal serial bus (USB) keyboard and a USB mouse to wake a computer after the computer goes to sleep. Other types of USB devices can be enabled to wake the computer if you click to select the Allow this device to bring the computer out of standby check box. You can click to select this check box on the Power Management property page in Device Manager.

When a USB device is enabled to wake the computer, the default behavior permits the computer to enter the S1 system power state for standby. Standby is not the S3 system power state. The S1 system power state is a "lighter" system power state than S3. The S1 system power state typically conserves less power than the S3 system power state.
When Power Save is installed the software will by default enable the check box in the device manager allowing the keyboards and mice to bring the computer out of standby, in some systems where the vendor or the customer have not enabled the S3 sleep state this can cause a system that previously entered the S3 sleep state to enter S1 instead.

Note 

This issue has at this time only been noted on computers running Windows XP that have been upgraded from Windows 2000, and where not upgraded via a clean install of the operating system. It appears that most OEM's enable the S3 sleep state via the registry workaround at the end of this document.

Identifying problem Devices

To identify a problem device that is preventing a computer from entering S3 sleep the computer will need to be configured within Windows so that the operating system will see S3 as the minimum sleep state that it is allowed to enter into. This can be done using the DUMPPO.EXE application from the Microsoft Server 2003 Resource Kit and the command line listed below:

dumppo admin minsleep=S3

After running this command put the computer to sleep manually, if there is a device that is preventing S3 sleep an error will be displayed identifying the device driver by name.

Workarounds
There are a number of identified workarounds for this issue.

Via Device Manager

Disable the Allow this device to bring the computer out of standby check box for any device that is preventing the computer from entering the sleep state. This means that the device will no longer be able to wake up the computer when it is powered down. This is not suggested for keyboards and mice as most users will expect the computer to wake when those devices are used.

Via Registry Edit

This issue can also be resolved by editing the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usb 
"USBBIOSx"=DWORD:00000000

Editing this key will override the default behavior of the S3 sleep state in Windows XP and should allow the computer to enter S3 Sleep regardless of the devices attached. This fix is documented on the Microsoft site at the URL Below:
Symptom
 
If a Database has been modified, restored, or moved, the service broker is disabled.  The following error may get logged in the event logs:
 
[DataStor] ERROR: Exception: Failed to start Service Broker. The SQL Server Service Broker for the current database is not enabled, and as a result query notifications are not supported.  Please enable the Service Broker for this database if you wish to use notifications.
 
Use will also receive 'No Core Server defined.  Would you like to connect to a Core Server?' message when opening the Core Console and the Faronics Core Server service will not start
 
Solution
 
Using SQL Management Studio Express 2008/R2,
 
  • Right click on the database after login (administrator or owner priviledges on the Faronics Databases)
  • and go to properties
  • Under Options>Service Broker, set 'Enable Broker' to true   Alternatively, run a query to the Database with the following command:  ALTER DATABASE [database name] SET ENABLE_BROKER
Power Save provides the option to "Resume from Standby Password Challenge" that will require the user to enter their Windows password when the computer resumes from Standby or Hibernate. If the user is not being logged off when the machine goes into Standby or Hibernate then use the "Logoff before Powering Down Computer" option.

If a student single clicks on the system tray icon, a pop up will appear which reads, "Click here if you have a question for the Teacher". If the student clicks on that message a chat dialog will appear that the student may enter their question into, then click send.

A small question mark is displayed in the students system tray to indicate their question has been sent to the Teacher.

On the Teachers console a question mark indicating that student has a question and will show a dialog bubble with the student’s question in it.

The Teacher then has the option to either answer back with an instant message, open a live chat window with the student or to answer the question the ’old fashion way’ by addressing the entire room.

The question mark goes away when the teacher chats with the student through the chat window or uses the right click menu to Clear Student Question.

The student can also clear the question by clicking on the question mark icon that appeared in their system tray after they submitted the question and selecting, "The Teacher has been notified you have a question.

Click here to clear the question". The students system tray icon will return to normal afterwards.

Anti-Executable Enterprise is controlled centrally from Faronics Core Console. This console can be used to protect, unprotect, update, and view your Anti-Executable installed workstations. More detail on Faronics Core Console can be found in the users guide available for download from:

http://www.faronics.com/html/library.aspx

In most cases Faronics Core can be installed with little effort by systems administrators, however there are some concerns that may need to be addressed in customer environments.

Firewalls

If a firewall exists between the workstations and the Core Server steps may need to be taken to ensure that the workstations can be communicated with through the firewall. Faronics Core makes use of the following ports to communicate between client and server;

  • 7751 — This port is on the workstation and is used to receive commands from the Faronics Core Server. 
  • 7752 — This port is on the Faronics Core Server and is used to receive events from the workstation(s).
  • 7753 — This port is on the Faronics Core Server and is used to communicate with the Faronics Core Console.

Additionally to push the workstation installation file to discovered workstations any firewall must be configured to allow remote management of the client workstations via WMI and DCOM. Instructions that include steps for the configuration of Windows Firewall can be found here:

http://technet.microsoft.com/en-us/library/cc758295(WS.10).aspx

The Faronics Core Agent installer will automatically attempt to open the appropriate ports on the client workstation when it is installed, 3rd party Firewall solutions may require further configuration.

Antivirus Software

It is recommended that antivirus solutions be disabled prior to installing the Core Agent.

 

WINSelect supports the 32- and 64-bit editions of the following operating systems;

  • Windows XP SP3
  • Windows Vista
  • Windows 7
  • Windows 8 / Windows 8.1

There are no backdoor passwords to Anti-Executable. For further information please submit a ticket via the support portal or via email to support@faronics.com.

Yes, the console can display a selected student’s screen on the teacher’s machine in a full screen mode. The teacher cannot control the machine, only observe and cannot view multiple student’s screens when the one screen is enlarged.
250 computers. If you have more than 250 computers, you can assign the rest of the computers to a different channel using another console which will listen on that same new channel.
Yes you can, in the thumbnail view, this option shows an icon in the upper right hand corner that represents the Web site the student visited last.
A Managed workstation is a computer that has the Faronics Core Agent installed and is reporting its status to the Faronics Core database and can be controlled by the Faronics Core Console.

A Discovered workstation is a computer that is either detected on the local network via broadcast or discovered via importing a list from a directory service (Active Directory / eDirectory / LDAP).   

Power Save provides the ability to override the Windows operating system power options to avoid conflicting power policies. This option if useful for environments in which centralized control of workstation energy management is desired.

Power Save Mac requires that administrators manually alter the Energy Saver settings on the systems to effect changes. The settings for the Energy Saver control panel applet can be configured using Apple Remote Desktop 3 and an Automator Workflow.

Faronics Core is a management platform designed to provide administrators the ability to control their Faronics products from a single interface. It saves administrators effort and time in deploying Faronics products to thousands of workstations regardless of their location. Currently, Faronics Core is used to manage workstations running most Faronics Products.

One or more methods can be employed to enable/disable (Freeze/Thaw) Deep Freeze depending on the version being used.

A) Locally at the workstation (Deep Freeze Standard and Enterprise):

The following steps can be used to disable (Thaw) Deep Freeze:

  1. Hold down the SHIFT key and double-click the Deep Freeze icon. Alternatively, you can press CTRL+ALT+SHIFT+F6.  A Password dialog is displayed.
  2. Enter your password and click OK. If you have not yet entered a password you should be able to click OK without entering a password. The Boot Options dialog is displayed.
  3. Select "Boot Thawed" and click OK. This will disable Deep Freeze on the next reboot.
  4. The same steps can be used to enable (Freeze) Deep Freeze. The only change is to select "Boot Frozen" instead of “Boot Thawed”.

B) Remotely via Deep Freeze Command Line Control (Deep Freeze Enterprise only):

Deep Freeze Command Line Control (DFC.EXE) can be used to Thaw/Freeze Deep Freeze through a script or batch file. More information about using this utility can be found in the Deep Freeze Enterprise user guide available at: 
http://www.faronics.com/documents/DF6Ent_Manual.pdf

C) Remotely via the Enterprise Console (Deep Freeze Enterprise only):

The Deep Freeze Enterprise Console can be used to Thaw/Freeze a workstation using the following steps:

  1. Select the workstations to Thaw/Freeze.
  2. Click the "Reboot in Thawed state" button to Thaw the selected workstations. The workstations should reboot and appear in the Console in a Thawed state.
  3. Click the "Reboot in Frozen state" button to Freeze the selected workstations. The workstations should reboot and appear in the Console in a Frozen state.

The process varies depending on what edition of Deep Freeze is installed.

Deep Freeze Standard:

Enter a valid License Key into the Status tab:

  1. Press CTRL-ALT-SHIFT-F6 to open the login window.
  2. Enter your password and click OK.
  3. On the Status tab click on the Edit button and enter the License Key in the License Key field.
  4. Click Update License.

Deep Freeze Enterprise:

There are three methods: Enter the License Key manually on each computer, enter the License Key into the Configuration Administrator and create new workstation install files to distribute, or simply enter the License Key into the Enterprise Console (preferred method).

  1. Launch the Enterprise Console.
  2. Go to Tools > Licensing.
  3. The Deep Freeze License dialog is displayed.
  4. Click Edit and enter the License Key in the License Key field.
  5. Click Update License.

The License Key is automatically updated on all computers communicating with the Enterprise Console. If a computer is offline (shut down or disconnected from the network), the License Key is updated when the computer communicates with the Enterprise Console the next time.

Most popular articles 
 
Newest articles