
Alternative Deep Freeze


© 2007 Microsoft Corporation.

The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the companies, organizations,
products, domain names, e-mail addresses, logos, people, places, and events depicted in
examples herein are fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should
be inferred. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced,
stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without
the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, Internet Explorer, MSDN, SteadyState, Systems
Management Server, Visual Basic, Windows, Windows Live, Windows Server, and
Windows Vista are trademarks or registered trademarks of Microsoft Corporation in the
United States and/or other countries. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.

Contents

Introduction to Windows SteadyState
  What This Handbook Includes

Installing Windows SteadyState
  Confirming System Requirements
  Configuring the System for Shared Use
  Performing Preinstallation Tasks
  Reinstalling Windows XP
  Installing Windows SteadyState
  Using Windows SteadyState

Creating User Accounts and Configuring User Settings
  Shared User Terminology
  Creating a Shared User Account
  Configuring the Shared User Profile
  Shared User Profile Settings and Restrictions
  General
  Windows Restrictions
  Feature Restrictions
  Block Programs
  Testing Shared User Profiles

Configuring Computer Restrictions
  Privacy Settings
  Security Settings
  Other Settings

Scheduling Software Updates
  Scheduling Updates
  Automatically Download and Install Updates
  Manually Download and Install Updates
  Selecting Updates
  Select Updates

Protecting the Hard Disk
  Windows Disk Protection Off
  Windows Disk Protection On
  Installing and Turning on Windows Disk Protection
  Clearing the Cache
  Resizing the Cache File
  Windows Disk Protection Levels
  Remove All Changes at Restart
  Retain Changes Temporarily
  Retain All Changes Permanently

Exporting and Importing User Profiles
  Exporting User Profiles
  Importing User Profiles

Scenarios for Advanced Administrators
  Redirecting the My Documents Folder
  Creating Permanent User Profiles on a Separate Partition
  Creating Permanent User Profiles for All Accounts
  Customizing Individual User or Administrative Accounts
  Creating a Restricted Shared Administrative Account
  Specifying a Different Language for User Profiles
  Installing Windows SteadyState on Multiple Computers
  Configuring a Reference Computer
  Preparing the Reference Computer with the System Preparation Tool
  Creating an Image of the Reference Computer
  Transferring and Setting up the Image on Multiple Computers
  Turning on Windows Disk Protection on All Shared Computers
  Using Windows SteadyState with Active Directory and Network Domains
  Windows Disk Protection on Domain-Joined Computers
  Central Software Management and Windows Disk Protection
  Creating a Mandatory Profile for Multiple Users
  Creating User Restrictions for Unrestricted Domain Accounts
  Creating Group Policy Restrictions with SCTSettings.adm
  Group Policy Software Restriction Policies
  Duplicating Software Restrictions by Using Software Restrictions Policies in Windows
  Configuring Restart After Log off by Using a Logoff Script

Using Windows Disk Protection API
  Command-line Parameters
  DisableWDPAndReboot
  EnableWDPAndReboot
  Properties
  CurrentMode
  CurrentStatus
  PersistDateTime
  Code Sample

Help Ensure a More Private and Secure Experience for Users
  Setting Computer Restrictions
  Privacy Settings
  Security Settings
  Installing Updates
  Schedule Updates
  Select Updates
  Protecting Your Disk
  Configuring User Profiles
  General Tab
  Windows Restrictions Tab
  Feature Restrictions Tab

Appendix A: Windows SteadyState Glossary

Index

Introduction to Windows SteadyState
Windows® SteadyState™ helps make shared computers easier to set up
and maintain for administrators, and more reliable and consistent for
computer users. By using Windows SteadyState, you can more
effectively:

• Defend shared computers from unauthorized changes to their
  hard disks.
• Restrict users from accessing system settings and data.
• Enhance the user experience on shared computers.

These capabilities make Windows SteadyState beneficial in situations
where a computer is used by multiple people, such as schools, public
libraries, community technology centers, and Internet cafés.

Protecting Shared Computers
A unique challenge exists for shared computer environments. Microsoft
software is designed to offer users a great degree of flexibility in their
ability to customize their experience and to make changes to their
computer settings. However, in a shared computer environment,
administrators will typically not want to provide the full set of
customization and change capabilities because doing so could allow
changes to be made that affect the health of the computer and the
experience for other users. On a shared computer, privacy and
uniformity are very important elements of the maintenance and use of
the system. Windows SteadyState helps an administrator protect a
shared computer against unwanted changes.
What This Handbook Includes
Windows SteadyState Handbook is designed to help you install
Windows SteadyState, set up and customize user profiles and computer
settings, and use other Windows SteadyState features and capabilities
quickly and efficiently.
This section provides a brief overview of the installation and
configuration tasks and procedural steps provided in this handbook.

Note: Comments about this handbook or Windows SteadyState can be entered
on the Windows SteadyState Community Web site at:
http://go.microsoft.com/fwlink/?LinkId=77957.

Installing Windows SteadyState
Prepare your computer for a shared user environment with these
step-by-step procedures for installing Windows SteadyState. Included are
preinstallation tasks to make the installation process more efficient.
Creating User Accounts and Configuring User Settings
With Windows SteadyState, you can apply different system and feature
restrictions to each user account on the computer so that users have
limited access to Windows system tools, as well as other services,
applications, files, and data.
Setting Computer Restrictions
Set Computer Restrictions helps you to set privacy and security
restrictions that will apply to the computer as a whole and help you
design a uniform user experience.
Scheduling Software Updates
Windows SteadyState includes Schedule Software Updates to help you
download and install updates. Schedule Software Updates works with
Windows Disk Protection to help ensure that important updates are
applied to the computer and not removed.
Protecting the Hard Disk
Windows Disk Protection is designed to protect the Windows operating
system and program files from being permanently changed. During the
course of normal activity, users can perform actions which affect the hard
disk. Windows Disk Protection discards any modifications made during a
user’s session and returns the Windows partition to the default
environment at restart of the computer.
Exporting and Importing User Profiles
The Export and Import features help you to export shared user profiles
created on one computer and import them to any computer on which
Windows SteadyState is installed.
Scenarios for Advanced Administrators
The advanced scenarios provided in this section are intended for
Windows SteadyState administrators with advanced technical expertise
and experience in the configuration and administration of the Microsoft®
Windows XP and Windows Vista® operating systems.

Installing Windows SteadyState
Installation of Windows SteadyState consists of preparing the computer
for the shared user environment and installing Windows SteadyState.
This section covers:

• Confirming system requirements
• Configuring the system for shared use
• Performing preinstallation tasks
• Installing and uninstalling Windows SteadyState
• Using Windows SteadyState

Confirming System Requirements
Systems running Windows SteadyState must meet the minimum system
configuration requirements listed in Table 1 and Table 2.

Note: Windows SteadyState is designed to work with Windows XP and Windows
Vista only. For the purposes of this handbook, all references to “Windows” refer
to Windows XP and Windows Vista only.

Table 1: System Requirements for Windows XP

Component               Requirement
Computer and processor  300 megahertz (MHz) or higher processor; 233 MHz
                        minimum required (single or dual processor system).
Memory                  128 megabytes (MB) of RAM or higher recommended;
                        64 MB minimum required.
Hard disk               1.5 gigabytes (GB) of available hard disk space
                        without Windows Disk Protection, or 4.0 GB of
                        available hard disk space with Windows Disk
                        Protection.
Operating system        Windows XP Professional, Windows XP Home Edition,
                        or Windows XP Tablet PC Edition with Windows XP
                        Service Pack 2 (SP2) installed.
Other                   NTFS file system.
                        Windows Scripting and Windows Management
                        Instrumentation (WMI) must be working.
                        Administrator level access.
Additional              Actual requirements and product functionality may
                        vary based on your system configuration and
                        operating system.

Table 2: System Requirements for Windows Vista

Component               Requirement
Computer and processor  1 GHz or higher recommended; 800 MHz minimum
                        required.
Memory                  Windows Vista Home Premium, Windows Vista Business,
                        and Windows Vista Ultimate: 1 GB of RAM or higher
                        required.
                        Windows Vista Home Basic: 1 GB of RAM or higher
                        recommended; 512 MB minimum required.
                        Windows Vista Starter: 512 MB of RAM or higher
                        recommended; 384 MB minimum required.
Hard disk               1.5 GB of available hard disk space without
                        Windows Disk Protection, or 4.0 GB of available
                        hard disk space with Windows Disk Protection.
Operating system        Windows Vista Business, Windows Vista Ultimate,
                        Windows Vista Home Basic, Windows Vista Home
                        Premium, Windows Vista Starter, or Windows Vista
                        with SP1 Beta.
Other                   NTFS file system.
                        Windows Scripting and Windows Management
                        Instrumentation (WMI) must be working.
                        Administrator level access.
Additional              Actual requirements and product functionality may
                        vary based on your system configuration and
                        operating system.
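
The requirements that Table 1 and Table 2 have in common (NTFS, free disk
space, working WMI, administrator access), plus the Windows XP SP2
requirement, can be checked before running setup. The script below is an
added example, not part of the handbook; it assumes Windows PowerShell is
installed on the computer, treats 1 GB as 2^30 bytes, and the Write-Check
helper and -WithDiskProtection switch are names made up for this illustration.

```powershell
# Added example, not from the handbook. Run it in Windows PowerShell as the
# account that will install Windows SteadyState (elevated on Windows Vista).
param([switch]$WithDiskProtection)   # set when Windows Disk Protection will be turned on

function Write-Check([bool]$Ok, [string]$Text) {
    # Print one PASS/FAIL line and hand the result back to the caller.
    $tag = 'FAIL'
    if ($Ok) { $tag = 'PASS' }
    Write-Host ("{0}  {1}" -f $tag, $Text)
    return $Ok
}

$allOk = $true

# "Administrator level access"
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$allOk     = (Write-Check $isAdmin 'Administrator level access') -and $allOk

# "Windows Management Instrumentation (WMI) must be working":
# a query that returns nothing means WMI is not answering.
$os    = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction SilentlyContinue
$wmiOk = ($os -ne $null)
$allOk = (Write-Check $wmiOk 'WMI answers queries') -and $allOk

if ($wmiOk) {
    # Table 1 requires Service Pack 2 on Windows XP (version 5.1.x).
    if ($os.Version -like '5.1.*') {
        $spOk  = ($os.ServicePackMajorVersion -ge 2)
        $text  = "Windows XP service pack level: {0} (need 2)" -f $os.ServicePackMajorVersion
        $allOk = (Write-Check $spOk $text) -and $allOk
    }

    # The remaining checks apply to the drive Windows is installed on.
    $drive = $env:SystemDrive
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"

    # "NTFS file system"
    $ntfsOk = ($disk.FileSystem -eq 'NTFS')
    $allOk  = (Write-Check $ntfsOk "$drive file system: $($disk.FileSystem)") -and $allOk

    # 1.5 GB free without Windows Disk Protection, 4.0 GB with it.
    $needGB = 1.5
    if ($WithDiskProtection) { $needGB = 4.0 }
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 2)
    $spaceOk = ($freeGB -ge $needGB)
    $allOk   = (Write-Check $spaceOk "$drive free space: $freeGB GB (need $needGB GB)") -and $allOk
}

# A non-zero exit code lets a deployment script stop before setup starts.
if (-not $allOk) { exit 1 }
```

The script does not test Windows Script Host, processor speed, or memory; those rows of the tables still need to be confirmed separately.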

Configuring the System for Shared Use
An efficient way to configure a computer for shared use is to first install
the full set of features, services, and programs that you will want to offer
users. Configuring the system in this way (before Windows SteadyState
is installed) will help you to set up shared user profiles more efficiently
and to define settings and place restrictions on the existing
configuration.
It is possible to add or remove programs after Windows SteadyState is
installed; however, Windows Disk Protection must be turned off before
doing so. Also, you must reconfigure each of the user settings to reflect
the changes.

Important: If you have turned on Windows Disk Protection, you must turn off this
option before any new software is installed or new restrictions are set.

Caution: Some software is not optimized for a shared computer environment.
For example, desktop search tools may reveal private information on the shared
computer. E-mail clients requiring configuration, and Windows components such
as fax services and Internet Information Services (IIS) can also add to the
maintenance burden for the computer. They may also cause an inconsistent user
experience on a shared computer.

Accessibility
Windows SteadyState does not have any specific accessibility
provisions. All accessibility provisions that are offered through the
version of Windows running on a computer are available when using
Windows SteadyState.

Note: We recommend restricting shared user access to Control Panel in
Windows to avoid changes made by shared users to system settings on the
computer. Note that if you set this recommended restriction, users can still
modify the Accessibility features in Windows.
Performing Preinstallation Tasks
Before you install Windows SteadyState:

• Uninstall Microsoft Shared Computer Toolkit for Windows XP,
  the predecessor to Windows SteadyState, if necessary. See the
  “To Uninstall Shared Computer Toolkit” procedure in this
  handbook.
• Defragment system drives, configure display settings, and
  remove any software that should not be made available to any
  user profile. For shared systems, consider also clearing the
  Internet History folder and deleting files in My Documents.
• Reinstall Windows XP to help establish a more secure
  environment for a shared computer on which you are installing
  Windows SteadyState (optional). A computer that has been used
  by multiple people and on which multiple applications have been
  installed and reconfigured can be difficult to reliably maintain as
  a secure, shared system. For more information on reinstalling
  Windows XP, see the “Reinstalling Windows XP” section in this
  handbook.

  Important: It is critical that you perform this step before setting up
  Windows Disk Protection.

• Download and install the latest critical updates from the Windows
  Update Web site at:
  http://go.microsoft.com/fwlink/?LinkId=83424.
• Download and install up-to-date antivirus software.
• Scan for viruses, unwanted software, and malicious software.
• Set the Administrator password.
• Install all of the features, services, and programs that you want
  to make available to your users (recommended). For more
  information on configuring your shared access computer before
  you install Windows SteadyState, see the “Configuring the
  System for Shared Use” section in this handbook.

Reinstalling Windows XP
If your computer has already been used and reconfigured by multiple
users, as shared computers often are, you should consider reinstalling
Windows XP before installing Windows SteadyState.
Reasons to reinstall Windows XP:

• Reformatting and reinstalling is the best way to help create a
  more secure environment, to help enhance user privacy, and to
  improve performance and stability.
• Reinstalling Windows XP automatically removes the separate
  partition you may have created when you initially installed
  Shared Computer Toolkit.
• Reinstalling gives you an opportunity to create a new disk
  partition. A separate disk partition can be useful when using
  Windows Disk Protection because you can use it to store
  permanent files and user profiles that you want to retain when
  the Windows Disk Protection cache is cleared. For more
  information on saving data and files permanently, see the
  “Creating Permanent User Profiles on a Separate Partition”
  section in this handbook.

For more information on reinstalling Windows XP, see Microsoft
Knowledge Base Article #896528 at:
http://go.microsoft.com/fwlink/?LinkId=87558.

To Uninstall Shared Computer Toolkit
Important: Shared user profiles will retain any restrictions placed on them after
Shared Computer Toolkit is uninstalled because they remain on the computer
after uninstallation. Existing shared user profiles will be available on installation
of Windows SteadyState.

1. Turn off Windows Disk Protection:
   a. On the Start menu, click Programs, and then click Microsoft
      Shared Computer Toolkit to open the Shared Computer
      Toolkit.
   b. Click Windows Disk Protection.
   c. Click Keep Off.
   d. Restart the computer when prompted.
2. Remove restrictions placed on the shared user profiles if necessary.
3. Uninstall Shared Computer Toolkit:
   a. On the Start menu, click Programs, click Microsoft Shared
      Computer Toolkit, and then click Uninstall the Shared
      Computer Toolkit.
      A message appears stating: “Removing the Toolkit will
      automatically restart the computer.”
   b. Click Remove to begin the uninstallation process.
   c. Click Finish to restart your computer.
4. Remove the User Profile Hive Cleanup Service (UPHClean):
   a. On the Start menu, click Settings, click Control Panel, click
      Add or Remove Programs, and then click Remove Program.
   b. Select User Profile Hive Cleanup Service, and then click
      Remove.
      A message appears stating: “Are you sure you want to remove
      User Profile Hive Cleanup Service from your computer?”
   c. Click Yes to start the Shared Computer Toolkit uninstallation
      program, which will take approximately five seconds to complete.
5. Shared Computer Toolkit required you to create a separate partition
   for Windows Disk Protection. You can now reclaim this hard disk
   space and remove this partition, as it is not required by
   Windows SteadyState.

Now that Shared Computer Toolkit is uninstalled, you can proceed with
the installation of Windows SteadyState.

Installing Windows SteadyState
You can download the installation files for Windows SteadyState from
the Microsoft Download Center or from a disc. You can then use the
Windows SteadyState Installation Wizard to install Windows SteadyState
on your computer.

Windows SteadyState can be installed only on computers running a
genuine Microsoft Windows operating system. After you launch the
Installation Wizard, you will be asked whether you want Microsoft to
validate your installation of Windows. If your installation of
Windows cannot be validated, you will have an opportunity to obtain a
valid product key at that time.
For more information on the Windows Genuine Advantage, see the
Windows Genuine Advantage Web site at:
http://go.microsoft.com/fwlink/?LinkId=83431.

To download installation files from the Microsoft Download Center

Downloading from the Microsoft Download Center will place the
Windows SteadyState Installation Wizard icon on your desktop for
easy reference.

1. Log on as Administrator or a member of the Administrators group on
   the shared computer.
2. Go to the Microsoft Download Center at:
   http://go.microsoft.com/fwlink/?LinkId=83430.
3. Follow the prompts on the Download Center Web site.
4. Double-click the downloaded installation file,
   SteadyState_Setup.msi, to start the Windows SteadyState
   Installation Wizard.
5. To continue the installation of Windows SteadyState, your copy of
   Windows must be verified as genuine. To validate Windows on your
   computer, click Validate. If you do not want to validate your copy of
   Windows, click Cancel to exit the Windows SteadyState Installation
   Wizard.

To install Windows SteadyState

1. Log on as Administrator or as a member of the Administrators group
   on the shared computer.
2. Start SteadyState_Setup.msi from the installation disc or from the
   computer. To start SteadyState_Setup.exe, double-click the file icon.
3. To install Windows SteadyState, you must accept the license terms
   on the Microsoft Software License Terms page. If you agree to the
   terms, click I accept the license terms, and then click Next to
   validate your copy of Windows.
4. To continue the installation of Windows SteadyState, your copy of
   Windows must be verified as genuine. To validate Windows on your
   computer, click Validate. If you do not want to validate your copy of
   Windows, click Cancel to exit the Windows SteadyState Installation
   Wizard.
5. Click Finish to complete the Windows SteadyState installation.

To uninstall Windows SteadyState

1. Turn off Windows Disk Protection. For instructions, see the
   “Protecting the Hard Disk” section in this handbook.
2. Remove restrictions placed on the shared user profiles. Shared user
   profiles will remain on the shared computer even after Shared
   Computer Toolkit or Windows SteadyState has been uninstalled and
   will retain any restrictions applied to them. If you want to keep the
   restrictions in place on user profiles after Windows SteadyState is
   uninstalled, go on to Step 3.
3. Perform one of the following tasks:
   • If you are using Windows XP, on the Start menu, click Settings,
     click Control Panel, and then select Add or Remove Programs
     from the Pick a Category list. Click Remove Programs, select
     Windows SteadyState, and then click Remove.
   • If you are using Windows Vista, on the Start menu, click Control
     Panel, and then click Uninstall a program. Select Windows
     SteadyState, and then click Uninstall.

Using Windows SteadyState
The main screen of Windows SteadyState is your starting place to
access each setting and restriction you can apply. These settings are
divided into two types of settings, as shown in Figure 1:

• Computer Settings—Use these settings to protect and
  schedule software updates for the entire computer.
• User Settings—Use these settings to configure and restrict
  specific user accounts.

Additional information on the settings and options available in the
Windows SteadyState main dialog box is provided in Table 3.

Tip: For additional information and support, the left navigation pane of
Windows SteadyState includes links to several resources, such as the
Windows SteadyState Community Web site.

Figure 1: Settings and options in the Windows SteadyState main
dialog box.

Table 3: Description of Settings and Options in Windows SteadyState

Setting or option             Description
1. Set Computer Restrictions  • Set system-wide, global computer
                                restrictions.
                              • Select privacy options, security
                                restrictions, and other settings for the
                                shared computer.
2. Schedule Software Updates  • Schedule software and antivirus updates
                                automatically or manually.
                              • Add custom scripts that run at scheduled
                                intervals.
3. Protect the Hard Disk      • Turn Windows Disk Protection on or off.
                              • Set protection levels for the system drive.
4. User Profiles              • Select user profiles, configure Windows and
                                feature restrictions, and block programs
                                for a selected profile.
                              • Lock or unlock a user profile.
                              • Set the session timer, change passwords,
                                change user profile picture, and delete a
                                user profile.
5. Add a New User             • Add a new user, create a user name, set
                                passwords, and select where a user profile
                                is stored.
                              • Select a picture to identify the user
                                profile.
6. Export User                • Export existing user profile.
                              • Save a user profile so that it can be moved
                                to another shared computer.
7. Import User                • Import an existing user profile.
                              • Import an exported user profile to a shared
                                computer with Windows SteadyState
                                installed.
8. Additional Support         • Find links to additional resources for
                                Windows SteadyState.

Creating User Accounts and Configuring User Settings
After installing Windows SteadyState, your next step is to create new
user accounts and configure their corresponding user profiles for shared
computer use.
This section covers:

• Understanding shared user terminology
• Creating a shared user account
• Configuring the shared user profile
• Understanding shared user profile settings and restrictions
• Testing shared user profiles

Shared User Terminology
The terms and definitions provided in Table 4 are specific to
Windows SteadyState or a shared computer experience, and apply to
the content in this handbook. For more information on terms and
definitions, see “Appendix A: Windows SteadyState Glossary” in this
handbook.

Table 4: Shared User Terminology

Term                 Definition
Shared user profile  A shared user profile is a single user profile,
                     attached to a single user account that is shared by
                     multiple users on one computer.
User                 A user is a person who uses a shared computer.
Shared user account  A single user account that is logged on to by
                     multiple users.

Figure 2 shows the differences between a user profile in Windows and a
shared user profile in Windows SteadyState. When shared user profiles
are created in Windows SteadyState, settings and restrictions are
applied to all users who access the shared user account on the
computer.

Figure 2: User profiles in Windows XP and shared user profiles in
Windows SteadyState
Creating a Shared User Account
You can create shared user accounts and apply different system and
program restrictions to each shared user account on the computer so
that users have specified access to Windows system tools, as well as
other services, applications, files, and data.
Typically, names for user accounts are chosen to describe the individual
or group of individuals who will have access to the shared computer. The
user account name should reflect the group or category of user for which
the account is intended. Before naming a user account, determine who
your users are and what levels of restrictions must be applied to the
user account. For example, consider whether your users are:

Staff members who can access most of the applications on the
computer and can use many computer configuration
applications, such as Control Panel settings, but should be
restricted from most advanced administrative tools and
applications.

Adults who can access most of the applications on the computer
but should not alter computer configuration settings.

Children who should have restricted Internet access.
To create a shared user account
1. In the Windows SteadyState main dialog box, under User Settings,
click Add a New User.
2. In the Add a New User dialog box, in the User Name box, type a
user name.
3. Type a password in the Password and Confirm Password boxes.
Note: Password policy requirements that apply for Windows also apply for
Windows SteadyState, including well-formed password requirements. For more
information on creating passwords, see:
http://go.microsoft.com/fwlink/?LinkId=83432.
4. In the User Location drop-down list, select the drive on which you
want to save the shared user profile associated with this shared user
account. Normally, the files and directories associated with user
profiles are stored on the system drive where Windows is installed.
5. Select a picture from the Picture box to associate with the shared
user profile, and then click OK.
In most cases, you will want to save the shared user profile on the same
drive on which Windows is installed. However, if you have turned on
Windows Disk Protection and want a user to be able to save information
to the computer for later access, you can save the user profile as an
unlocked profile on a different drive. Windows Disk Protection only
protects the partition containing the operating system files. Saving an
unlocked user profile on a different drive will prevent removal of the
user’s data by Windows Disk Protection.
For more information on permanent user profiles and data, see the
“Creating Permanent User Profiles on a Separate Partition” section in
this handbook.
For more information on locked user profiles, see the “Lock Profile”
section in this handbook.
Configuring the Shared User Profile
After creating the shared user account, you can manually configure
specific settings and restrictions for the associated shared user profile.
You can customize the shared user profile and create an environment for
users of the shared user profile.
As a Windows SteadyState administrator, you can choose a default
restriction level of High, Medium, or Low that automatically applies the
recommended settings to the user account you select. You can also
choose Custom restrictions and set restrictions that are customized to
each shared user account that you create in Windows SteadyState.
You can create as many shared user accounts as you require on the
shared computer and customize restrictions for each user account in
Windows SteadyState. To simplify the number of user accounts you
have to create for a public use environment, you can create one account
for each level of user that might use the computer, and then apply
specific restrictions to each account. For example, you might want to
create a user account for each of the following classifications of users:

Adult

Child

Teen
In this example, you can set the Low restrictions option on the Adult
user account because they are more technically advanced or require
access to system resources. You can set the Medium restrictions
option on the Teen user account to limit their access to system settings
while still allowing access to computer resources. The Child user account
can have the restrictions option set on High restrictions for maximum
protection of the shared computer system files and limited access to
external resources.
Shared User Profile Settings and Restrictions
In the User Settings dialog box, you can configure the session limits and
program and feature restrictions that you want to apply to the shared
user profile. There are four tabs in the User Settings dialog box that
help you to configure profile settings and restrictions:

General

Windows Restrictions

Feature Restrictions

Block Programs List

General
On the General tab, you can lock the user profile and set session timer
limits. Figure 3 shows the General tab in the User Settings dialog box.

Figure 3: The General tab in the User Settings dialog box
Additional information on the user settings and options available in the
User Settings dialog box is provided in Table 5.
Table 5: Description of Settings and Options in the User Settings Dialog Box
Settings and options | Description
1. User | Displays user name and picture for selected user.
2. General | Lock or unlock a user profile. Set session timers, change passwords, change a user profile picture, and delete a selected user profile.
3. Windows Restrictions | Set level of Windows restrictions: High, Medium, Low, No, or Custom. Set Start menu and general system restrictions. Hide or display drives.
4. Feature Restrictions | Set level of Feature restrictions: High, Medium, Low, No, or Custom. Set user-specific Internet Explorer® and Microsoft Office Restrictions. Enter the home page and specific Web site addresses that user is allowed to view.
5. Block Programs | Select programs to block user from accessing and view currently blocked programs. Browse to add a program on the computer that is not listed.
6. Additional Support | Find links to additional resources for Windows SteadyState.

Lock Profile
On the General tab, under General Settings, select the Lock profile to
prevent the user from making permanent changes check box to
remove cache files or system history created by the user when the user
logs off from the current session. We recommend that you limit the
permanent changes made by users on a shared computer by locking the
user profile.
There are important distinctions between locked user profiles and
Windows Disk Protection. Table 6 shows some of the similarities and
differences between locked profiles and Windows Disk Protection.
Table 6: Comparison of Locked Profile and Windows Disk Protection
Feature | Similarities | Differences | When applied
Locked Profile | Removes changes user has made to the user profile. Cache files, global history, and environment settings are cleared or restored to the default state. | User profile is restored to the default state configured by administrator. | At log off of user account.
Windows Disk Protection | Removes changes a user has made to the profile, to the system partition, and any files or data the user has saved on the shared computer or to another partition or drive. | If Remove all changes at restart option is selected, restores the entire system partition to the original state configured by the administrator. | At restart of shared computer.
Note: If a user profile is locked, Windows Disk Protection restores the profile to
its default configuration regardless of whether the locked profile is saved to the
protected system partition or on another drive.
For more information on permanent user profiles and data, see the
“Creating Permanent User Profiles on a Separate Partition” section in
this handbook.
Session Timers
On the General tab, under Session Timers, you can configure the
session timers to define the duration of a logon session or of the idle time
before a session terminates. Select the check box for the session timer
you want to configure, and then type the number of minutes desired in
the text box.
Session Countdown
On the General tab, under Session Timers, you can select the Always
display the session countdown check box to configure a notification to
appear telling users when their session is about to end. The notification
remains on the screen throughout the session. The notification can be
moved but it cannot be minimized or turned off by the user. Figure 4
shows the session timer notification.

Figure 4: Session timer notification.

Restart Computer After Log Off
On the General tab, under Session Timers, you can select the Restart
computer after log off check box to configure the computer to
automatically restart when each user session ends.
Windows Restrictions
On the Windows Restrictions tab, you can set restriction levels that
define the content of menus and the Windows tools and features that a
user has access to.
The Windows Restrictions tab is divided into:

Levels of restrictions

Types of restrictions
Figure 5 shows the Windows Restrictions tab.

Figure 5: The Windows Restrictions tab.
When you select the High restrictions, Medium restrictions, or Low
restrictions option on the Windows Restrictions tab, the appropriate
types of restrictions are automatically selected. When you select
Custom restrictions, you can manually select the types of restrictions
that you want to apply. Windows Restrictions include:

Start Menu Restrictions—These restrictions help you to
prevent various program icons and features from appearing on
the Start menu. Some options, such as Command Prompt or
Windows Explorer, will still appear on the Accessories menu,
but the user will receive an error when selecting these items if
you have restricted them.

General Restrictions—Windows offers many additional features
and programs aside from those listed on the Start menu that you
may not want to make available to your users.
Hide Drives
On the Windows Restrictions tab, under Hide Drives, you can select
which drives are visible to the user in My Computer. You can select the
option to hide all drives, show all drives, or to select specific drives that
you do not want exposed to the user, including devices such as printers
or removable storage devices.
Feature Restrictions
On the Feature Restrictions tab, you can select restrictions that will
prevent users from accessing program attributes that could damage or
clutter the computer. For example, you can use restrictions to prevent
users from adding to the Clip Organizer, disabling macro menu items,
running Microsoft Visual Basic®, or running system tools and other
management tools. Feature restrictions include:

Microsoft Internet Explorer Restrictions

Microsoft Office Restrictions

Home Page

Web Addresses Allowed
The Feature Restrictions tab is organized identically to the Windows
Restrictions tab, with restriction level options on the left and the
categories and restriction options in the list box on the right. When you
select the level of restrictions, options on the list of restrictions to the
right will appear as selected.
Internet Explorer Restrictions
With Internet Explorer Restrictions you can set restrictions in Internet
Explorer to remove attributes and menu options you may not want users
to access. For example, you can restrict shared users from the
Favorites menu in Internet Explorer by selecting the Remove Favorites
menu option.
Microsoft Office Restrictions
With Microsoft Office Restrictions you can restrict features in Microsoft
Office. For example, one of the ways that you can restrict shared users
from using macros is to select both Disable macro shortcut keys and
Disable macros. Both of these restrictions are available under
Microsoft Office Restrictions on the Feature Restrictions tab.

Home Page
In the Home Page box, you can type the Web address of the home page
you want to configure for the shared user profile. This is the home page
a shared user will see each time they open Internet Explorer.

Note: In the Home Page box, you can enter the protocol prefixes http: or https:
when you enter the Web address you want to specify for the home page of the
shared user profile.
Web Addresses Allowed
If you select the Prevent Internet access (except Web sites below)
option under Internet Explorer Restrictions, you can type the address
of the Web sites available to the user profile in the Web Addresses
Allowed box. To enter multiple Web addresses, separate each
Web address with a semicolon; for example, type microsoft.com;
msn.com.

Note: Do not enter the protocol prefixes http: or https: in the Web Addresses
Allowed box when you enter Web addresses you want to allow the user profile
to access.
For more information about parental controls and advanced Internet
filtering, see Windows Live OneCare Family Safety at:
http://go.microsoft.com/fwlink/?LinkId=83433.
Block Programs
On the Block Programs tab, you can select the software you want to
prevent the user from accessing.
To block a program, in the left-hand list box, select the programs that
you want to block, and then click Block (located between the two list
boxes). The selected items will appear in the Block Programs list box to
the right. You can search for a program by typing the name of the
program in the Search box. You can also browse for programs not on
the list by clicking Browse.
To unblock a program, select the program in the Block Programs list
box, and then click Remove. To unblock all programs, click Remove All.
When you have added the programs you want to block, click OK.
Testing Shared User Profiles
Before setting computer restrictions and configuring Windows Disk
Protection, test the shared user profiles you have created to ensure that
the configurations and restrictions are working the way you intend them
to work.
To test a shared user account, log on to the computer with the
configured shared user account and verify that:

The Start menu appears correctly.

The shortcuts on the Start menu and desktop work correctly.

The programs you blocked do not appear on the Start menu.

The user restrictions you have configured for the Start menu,
desktop, and Internet Explorer are working properly.

Session timers behave as configured.

Configuring Computer Restrictions
By configuring computer restrictions, you can also apply settings and
restrictions at the system level that will enhance the privacy and security
of all shared users who use the computer.

Note: When a Windows SteadyState computer is connected to a domain
network, options in Set Computer Restrictions may be unavailable or
superseded by restrictions placed through the enforcement of Group Policy. For
more information on how to set restrictions on a Windows SteadyState computer
in a domain environment, see the “Creating Group Policy Restrictions with
SCTSettings.adm” section in this handbook.
This section covers the computer restrictions that are available in the Set
Computer Restrictions dialog box. These restrictions include:

Privacy Settings

Security Settings

Other Settings
Privacy Settings
Privacy settings help you protect the privacy of all users of a shared
computer. The Privacy Settings options in the Set Computer
Restrictions dialog box in Windows SteadyState include:

Do not display user names in the Log On to Windows dialog
box—Selecting this option helps to ensure that the User name
box in the Log On to Windows dialog box appears blank when
a user logs off. When not selected, the name of the last user to
log on appears in the User name box.

Prevent locked or roaming user profiles that cannot be
found on the computer from logging on—Selecting this option
in Set Computer Restrictions in Windows SteadyState will
prevent users without an existing profile on the computer from
logging on.

Do not cache copies of locked or roaming user profiles for
users who have previously logged on to this computer—
Selecting this option helps to improve privacy and saves disk
space. A roaming user profile is one that resides on a networked
system. Windows SteadyState prevents Windows from saving
roaming user profiles on the local computer, which saves disk
space and prevents shared users from accessing profile files that
contain private information.
Security Settings
Security settings protect the computer from being compromised or
damaged by user activities. The Security Settings options in
Windows SteadyState include:

Remove the Administrator user name from the Welcome
screen (requires pressing CTRL+ALT+DEL twice to log on to
accounts not listed)—The Windows Welcome screen lists all
user account names residing on that computer. Selecting this
option removes the Administrator user name from the list on this
screen. To log on as Administrator, you must press CTRL+ALT+DEL
twice to bring up the traditional logon screen.
Note: When a Windows SteadyState computer is connected to a domain
network, this setting is unavailable.

Remove the Shut Down and Turn Off options from the Log
On to Windows dialog box and Welcome Screen—Selecting
this option prevents users from shutting down or turning off the
computer from the Log On to Windows dialog box and the
Welcome screen.

Do not allow Windows to compute and store passwords
using LAN Manager—Selecting this option helps promote
secure password storage by disabling the LanMan hash
(LMHash) form of each password. LMHash is an encryption
mechanism used to support backward compatibility with earlier
Windows operating systems.

Do not store user names or passwords used to log on to
Windows Live ID (requires restart of the computer)—
Selecting this option prevents Windows from saving users’
Windows Live ID account and domain credentials and forces
users to enter this information each time they begin a session.
This improves privacy and prevents users from logging on with
the credentials of people who have previously used the
computer.
Note: If you select this option, you must restart Windows for it to become active.

Prevent users from creating folders and files in drive C:\—
Selecting this option changes the access control list (ACL) in the
root of the system drive to prevent users from creating files and
folders.

Prevent users from opening Microsoft Office documents
from within Internet Explorer—Selecting this option helps to
ensure that Microsoft Office applications host their own
documents so that the optional Microsoft Office software
restriction works correctly.

Prevent write access to USB storage devices (requires
restart of the computer)—Selecting this option prevents users
from saving files or data to USB storage devices.
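
The following PowerShell script is an added example, not part of the handbook or of Windows SteadyState. It reads the standard Windows registry values and the system-drive root ACL that normally back settings like the Privacy and Security options above, so you can check the effective state after applying them; the mapping of each option to a registry value, and the assumption that Windows SteadyState writes these values, are not stated in the handbook.

```powershell
# Added audit example (not from the handbook).
# ASSUMPTION: each option is backed by the standard Windows policy value named
# here; the handbook does not say which values Windows SteadyState writes.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$usbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

$checks = @(
    @{ Option = 'Do not display user names in the Log On to Windows dialog box'
       Path = $policyKey; Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Option = 'Remove the Shut Down and Turn Off options from the logon screens'
       Path = $policyKey; Name = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Option = 'Do not allow Windows to compute and store passwords using LAN Manager'
       Path = $lsaKey; Name = 'NoLMHash'; Expected = 1 },
    @{ Option = 'Do not store user names or passwords used to log on to Windows Live ID'
       Path = $lsaKey; Name = 'DisableDomainCreds'; Expected = 1 },
    @{ Option = 'Prevent write access to USB storage devices'
       Path = $usbKey; Name = 'WriteProtect'; Expected = 1 }
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (Windows then uses its default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UsersCanCreateInRoot {
    param([string]$Root = "$env:SystemDrive\")
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $createDirs  = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $create      = $createFiles -bor $createDirs
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # English group names; adjust on localized installations.
    $groups = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $allow = 0; $deny = 0
    foreach ($rule in (Get-Acl -Path $Root).Access) {
        if ($groups -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to the root folder itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $mask = ([int]$rule.FileSystemRights) -band $create
        if ($rule.AccessControlType -eq 'Deny') { $deny = $deny -bor $mask }
        else { $allow = $allow -bor $mask }
    }
    # Coarse view across the listed groups: a Deny entry overrides an Allow entry.
    return (($allow -band (-bnot $deny)) -ne 0)
}

$results = foreach ($c in $checks) {
    $actual = Get-RegistryValue -Path $c.Path -Name $c.Name
    if ($null -eq $actual)           { $status = 'Missing' }
    elseif ($actual -eq $c.Expected) { $status = 'OK' }
    else                             { $status = 'Mismatch' }
    New-Object PSObject -Property @{
        Status = $status; Option = $c.Option
        Found  = "$($c.Name) = $actual"; Expected = $c.Expected
    }
}

$canCreate = Test-UsersCanCreateInRoot
if ($canCreate) { $aclStatus = 'Mismatch' } else { $aclStatus = 'OK' }
$results = @($results) + (New-Object PSObject -Property @{
    Status = $aclStatus
    Option = 'Prevent users from creating folders and files in drive C:\'
    Found  = "Users can create in root = $canCreate"; Expected = 'False'
})

$results | Select-Object Status, Option, Found, Expected | Format-Table -AutoSize -Wrap
```

Run it after the restart that some of these options require; a Missing or Mismatch row on a domain-joined computer may reflect Group Policy rather than the local setting.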
Other Settings
Windows SteadyState utilizes the Windows Welcome screen to simplify
the logon process.
Turn on the Welcome screen—The Windows Welcome screen
simplifies the logon process for users by displaying a list of all user
names on that computer when Windows starts.

Note: When a Windows SteadyState computer is connected to a domain
network, this setting is unavailable.

Scheduling Software Updates
Part of protecting a computer is ensuring that it has all of the most
up-to-date Microsoft Updates and antivirus programs. In the Schedule
Software Updates dialog box, you can schedule updates at a specific
time of the day and at the frequency you want updates to be made to the
shared computer. You can schedule updates and apply them
permanently, even when Windows Disk Protection is turned on, ensuring
that important Microsoft updates and antivirus updates are not
subsequently removed at restart.
This section covers the configurations and settings that you can apply in
the Schedule Software Updates dialog box. These settings include:

Scheduling automatic or manual updates

Selecting automatic updates (Microsoft Update), antivirus
updates, or custom scripts
Scheduling Updates
In the Schedule Software Updates dialog box, under Schedule
Updates, you can select automatic or manual updates. If you choose to
automatically download and install updates with Windows SteadyState,
you can use the Select Updates options to select the types of updates
you want to perform. Windows SteadyState will automatically install
Microsoft Update, Windows Update, or Windows Server Update Services,
depending on which of these is currently used by the operating system
running on your computer.
Automatically Download and Install Updates
When you select the Use Windows SteadyState to automatically
download and install updates option under Schedule Updates, you
can specify the frequency of automatic updates. You can choose to
automatically install updates at a specific time either daily or weekly.
Windows SteadyState can be used to automatically install:

Critical Windows updates.

Third-party antivirus software programs. For a list of supported
third-party antivirus software programs, see the “Security
Program Updates” section in this handbook.

Updates provided in custom scripts. For more information on
using custom scripts, see the “Custom Updates” section in this
handbook.
Not all updates can be installed automatically using
Windows SteadyState. We recommend that you periodically review the
updates available on Microsoft Update and manually download and
install the updates you want. For more information, see the “Manually
Install Windows Updates” section in this handbook. The updates that
Windows SteadyState cannot automatically install include:

Windows Live OneCare signature updates

Recommended updates

Optional updates

Driver updates

Special updates that may have their own license agreements
Before setting up automatic updates, run Windows Updates manually to
perform the initial registration of Windows Update components on your
computer. If you perform this task after you install Windows SteadyState,
you must install Windows Update manually. For more information, see
the “Manually Install Windows Updates” section in this handbook.
To automatically download and install updates using
Windows SteadyState
1. Log on as a Windows SteadyState administrator.
2. In the Windows SteadyState main dialog box, under Global
Computer Settings, click Schedule Software Updates.
3. Under Schedule Updates, select Use Windows SteadyState to
automatically download and install updates.
4. Select the day and time you would like updates to occur.
Any users logged on to the computer when scheduled updates begin will
be immediately logged off. While scheduled updates are in progress,
only the Administrator or users with administrative privileges can log on.
We recommend that you not log on while updates are in progress. If you
do log on, you will not be able to modify any configurations made with
Windows SteadyState until the update process is complete.
If any administrator interaction is needed during an automatic update, the
update will not complete successfully. For example, some antivirus
version upgrades require interaction to accept the terms of a service
agreement or a software licensing agreement. If your updates do not
install successfully during a version change of your antivirus software,
you must perform the update for the software manually to make sure that
the installation of the new version is successful.
After selecting the desired Windows SteadyState automatically
scheduled updates, you can still perform a manual update by:

Selecting Do not use Windows SteadyState to download and
install updates.

Downloading and installing updates. For information on manually
installing updates, see the “Manually Download and Install
Updates” section in this handbook.

Selecting Automatically download and install updates to
reinstate the schedule.

For more information on third-party subscription software, refer to the
product documentation or Web site for that software application.
Manually Download and Install Updates
Automatically installing updates is recommended, though not mandatory.
If you want or need to install an update manually, you can do so by
selecting Do not use Windows SteadyState to download and install
updates. Selecting this option turns off Windows SteadyState-managed
automatic updates for the shared computer. In addition, you must select
Retain all changes permanently in the Protect the Hard Disk dialog box
when you manually download and install updates or your updates will be
cleared when the computer is restarted. Some instances in which you
might want to install manual updates include:

Installing updates spontaneously.

Installing an update that requires your interaction, such as an
update with a user agreement where you must specify that you
agree to the terms.

Checking for recommended updates on the Microsoft Web site
at:
http://go.microsoft.com/fwlink/?LinkId=83424.

Microsoft frequently offers enhancements and recommended
updates not included as part of the critical update packages.
Caution: If Windows Disk Protection is turned on and Remove all changes at
restart is selected, any manual updates made during the session will be lost.
To install manual updates with Windows SteadyState
1. Log on as a Windows SteadyState administrator.
2. In the Windows SteadyState main dialog box, under Computer
Settings, click Protect the Hard Disk.
3. Select Retain all changes permanently.
4. Install the software updates you want on the shared computer. Refer
to the software documentation for more information on the updates
you want to install.
5. After updates are installed manually, restart the shared computer.
6. For increased security on your shared computer, after manual
software updates have been installed, select Remove all changes
at restart in the Protect the Hard Disk dialog box so that additional
changes to the shared computer will not be saved.
Follow these steps each time you need to manually update your
software and antivirus programs.

Selecting Updates
Important software updates include any Microsoft updates, security
updates, or any custom updates required by applications installed on the
computer.
Select Updates
If you choose to automatically install updates at a scheduled time using
Windows SteadyState, you can then choose which updates you want to
include under Select Updates. If you choose Use
Windows SteadyState to automatically download and install
updates, Windows SteadyState will automatically install
Microsoft Update, Windows Update, or Windows Server Update
Services, depending on which of these is currently used by the operating
system running on your computer.

Note: Windows SteadyState only automates critical updates from Microsoft. It
does not automatically install recommended updates, optional updates, driver
updates, or special updates that may have their own license agreements. Review
the updates available on Microsoft Update periodically, manually download and
install the ones you want, and then make sure that the Retain all changes
permanently option is turned on in the Protect the Hard Disk dialog box. For
more information, see the “Manually Download and Install Updates” section in
this handbook.
Security Program Updates
You may be able to automatically update your security program using
Windows SteadyState in one of two ways:

Schedule Windows SteadyState to automatically update the
security program detected by Windows SteadyState and shown
in the Security Program Updates box.

Write a custom script to apply the updates you want at the
scheduled date and time for automatic updates.
You can perform security program updates automatically as part of the
critical updates process if Windows SteadyState detects an antivirus or
security product it can update. At time of publication,
Windows SteadyState currently detects and includes scripts for updating
the following security products:

Computer Associates eTrust 7.0

McAfee VirusScan

Windows Defender

TrendMicro 7.0
This feature can work with other antivirus or security products. If you
want to use an antivirus or security product other than those
listed, you can prepare a signature update script for it as described in
your antivirus software manual. Signature update scripts can also be run
manually. For more information on installing signature updates manually,
see the “Manually Download and Install Updates” section in this
handbook.
Custom Updates
To install custom updates, such as any specialized software that your
organization creates and manages, add one or more custom scripts to
Windows SteadyState scheduled updates. Windows SteadyState
supports custom scripts written in .exe, .vbs, .cmd, and .bat file formats.
Windows SteadyState will run the custom scripts after Microsoft updates
and antivirus updates have been performed.
To add the custom script to scheduled software updates
1. Log on as a Windows SteadyState administrator.
2. In the Windows SteadyState main dialog box, under Global
Computer Settings, click Schedule Software Updates.
3. Configure scheduled updates following the procedures in the
“Automatically Download and Install Updates” section in this
handbook.
4. Under Select Updates, select the Custom Updates check box.
5. Click Browse and select the custom script. The custom script will
appear in the text window.
Warning: If the computer is running McAfee antivirus software, turn off the
script-blocking setting in the McAfee antivirus program before the scheduled
update occurs. For more information, please refer to a McAfee user guide.
Turning off script-blocking settings in your antivirus program may leave the
computer running Windows SteadyState unprotected from virus scripts,
unwanted software, and malicious software. To better protect your shared
computer from the installation of unwanted software, ensure that you turn on the
Protect the Hard Disk option, select the Remove All Changes at Restart
option, and restart your computer each day.

Protecting the Hard Disk
Windows Disk Protection is designed to help protect system settings and
data on the partition on which Windows is installed from being
permanently changed.
The activities performed by a user during a session cause many changes
to the operating system partition. Program files are created, modified,
and deleted. The operating system also updates system information as
part of its normal functionality. On a shared computer, however, the goal
is to create an environment of uniformity for all users. Each user who
logs on should experience the same environment as all other users, and
no user should be able to modify or corrupt the system. Windows Disk
Protection clears all changes to the operating system partition at
the interval you specify.
If you choose to turn on Windows Disk Protection, you can select the
disk protection level that determines when and if Windows Disk
Protection clears changes to the protected system drive.
This section covers:

Turning off, installing, and turning on Windows Disk Protection

Attributes and configuration of the Windows Disk Protection
cache file

Choosing the level of disk protection you want on the shared
computer
Windows Disk Protection Off
When Windows SteadyState is first installed, Windows Disk Protection is
turned off by default and does not use any hard disk space on the
system drive. When turned on, Windows Disk Protection creates a cache
file to save all changes to the operating system and program files. The
cache file that is created will reserve a significant amount of space on the
system drive.
Windows Disk Protection should remain turned off until you are ready to
use it. After you install and turn on Windows Disk Protection, turning off
Windows Disk Protection will remove the cache file created upon its
installation. Turning off Windows Disk Protection effectively uninstalls
this protection feature.
Windows Disk Protection On
When Windows Disk Protection is turned on, it creates a cache file to
retain all of the modifications to operating system or program directories.
Histories, saved files, and logs are all stored in this cache file that has
been created on a protection partition of the system drive. At intervals
you can designate, Windows Disk Protection deletes the contents of the
cache and restores the system to the state in which Windows Disk
Protection was first turned on.
Installing and Turning on Windows Disk Protection
Before installing and turning on Windows Disk Protection, it is important
to defragment the hard disk. If you did not perform this task during
preinstallation, you should defragment the system drive and the hard
disk now. Installing and turning on Windows Disk Protection on a
fragmented hard disk can cause the creation of the Windows Disk
Protection cache to fail.

Note: Backup processes may fail in Windows when Windows Disk Protection is
turned on. To perform a backup, turn Windows Disk Protection off, perform the
backup, and then turn Windows Disk Protection back on.

To install and turn on Windows Disk Protection
1. Log on as a SteadyState administrator.
2. In the Windows SteadyState main dialog box, under Computer
   Settings, click Protect the Hard Disk.
3. To turn on Windows Disk Protection, select On.
4. Click Yes to continue with the installation of Windows Disk
   Protection.
During installation, Windows Disk Protection will calculate the size of
your hard disk and create a cache file equal to 50 percent (up to 40
gigabytes [GB]) of the free hard disk space. For example, if you have a
40-GB hard disk, and your operating system and programs use 10 GB,
you have 30 GB of free space available.

Figure 6: Illustration of cache file when Windows Disk Protection is
turned on.
Clearing the Cache
When Windows Disk Protection is turned on, all changes to the hard disk
and program files are cleared and the cache file is emptied at the
interval you specify. As users use the computer, the cache file fills
with all changes to the operating system and program files. When disk
space usage reaches approximately 70 percent of the cache file capacity,
the person using the computer will receive a warning. If that person
continues working on the computer and disk space usage reaches
approximately 80 percent of the cache file capacity, the computer will
restart and clear the cache.

To clear the cache
1. Have the shared user save files to a removable storage device (if
   possible) and log off of the computer.
2. Log on as an administrator.
3. Open Windows SteadyState.
4. Click Protect the Hard Disk.
5. Ensure that the Remove all changes at restart option is selected.
6. Restart the computer.
The cache file is now cleared.
Resizing the Cache File
When Windows Disk Protection created the cache file, it claimed 50
percent of the free hard disk space (up to a maximum of 40 GB). We
recommend leaving the cache file at the maximum size to offer your
users plenty of hard disk space in which to perform their activities.
However, you do have the option to resize the cache if necessary.
When determining the cache size, you have many variables to consider.
Some conditions will put the computer at greater risk of filling the cache
file between restarts. You can minimize the risk of filling the cache by:

• Removing all changes at restart—Removing all changes at each
  restart of the computer is more effective if you frequently restart
  the computer.
• Providing for a small number of users—Generally, fewer users mean
  fewer changes to system or program files. Keep in mind, however,
  that a single user can sometimes perform an action which claims a
  large amount of hard disk space.
• Setting a high level of restrictions—Setting a high level of
  restrictions will prevent users from performing activities that
  claim large amounts of hard disk space. Activities such as
  downloading files and saving files to the hard disk can potentially
  take up large amounts of disk space. Both of these activities can be
  restricted on the User Settings dialog box or the Set Computer
  Restrictions dialog box.

To adjust the size of the cache file
1. Log on as an administrator.
2. Open Windows SteadyState.
3. Click Protect the Hard Disk.
4. Click Change cache file size.
5. Adjust the slider control on the cache size slider bar to increase or
   reduce the cache file size, and then click OK.
   Note: The Windows Disk Protection cache file can be a minimum of 2 GB
   and a maximum of 40 GB of your overall hard disk space.
6. Restart the computer to save cache file changes to the hard disk.
7. To protect the hard disk from further changes by a shared user,
   ensure that Remove all changes at restart is selected in the
   Protect the Hard Disk dialog box.

Windows Disk Protection Levels
When you select the disk protection level, you are defining when and if
Windows Disk Protection clears changes to the hard disk. The level of
protection you select depends on how the computer is used and whether
or not your users want to save data for any length of time. You can:

• Remove all changes at restart.
• Retain changes temporarily.
• Retain all changes permanently.

Remove All Changes at Restart
As shared users use the computer, the cache file fills with the changes to
the operating system and program files. As a result, the longer the
computer is up and running, the larger the cache file will grow. We
recommend selecting the Remove all changes at restart option and
restarting the computer daily. With more frequent restarts, a smaller
cache size is required.
The User Settings dialog box offers you an option to restart the
computer whenever a user using the shared user profile logs off. If you
select this option on all of your shared user profiles, and if you also
select the Remove all changes at restart option in the Protect the
Hard Disk dialog box, each user will have an identical user experience.
If you do not select the option to restart after each user logs off, we
recommend restarting the computer frequently to clear it of any changes
collected in the cache file.
Retain Changes Temporarily
You might want to retain user files and data for a specified period of time.
For example, you might have a user who is working on a project and
wants to access project research files over a period of two weeks. In this
case, you would select the Retain changes temporarily option, and
then set the date and time duration. Windows Disk Protection will not
erase any changes when the computer restarts until the specified date
and time are reached.
When the specified date and time are reached, users receive a warning
message stating that the next time the computer restarts, all changes will
be cleared from the hard disk. This gives shared users an opportunity to
save their files to a removable storage device before shutting down the
computer.
Retain All Changes Permanently
After you turn on Windows Disk Protection, turning it off will delete the
cache file, which is time consuming to create. When it is time to install
patches, upgrades, or new programs, select the Retain all changes
permanently option to prevent your modifications from being lost. Any
action you perform while this option is selected will not be removed by
Windows Disk Protection. Because the cache file still exists when this
option is selected, you can easily return to one of the other two options
without repeating the time-consuming process of turning on Windows
Disk Protection.

Note: If you have a user who wants to be able to retain changes between
restarts, you can exempt the user from Windows Disk Protection by creating the
user’s profile on a partition other than the operating system partition.
For example, if Windows is installed on the C drive, you can configure the user
profile to reside on drive D. All of the user restrictions you want to enforce from
Windows SteadyState can still be applied, but this user’s data will not be subject
to removal by Windows Disk Protection. If you opt to create a user profile on an
alternate drive, you must remember not to lock the profile. A locked profile will
remove any profile modifications no matter where it resides. For more information
on locking a user profile, see the “Lock Profile” section in this handbook.

Exporting and Importing User Profiles
After you have created shared user profiles on your shared computer, it
is possible to export and import these configured user profiles to other
computers on which you have installed Windows SteadyState. With the
Export and Import features provided in Windows SteadyState, you can
easily provide uniform shared user profiles on all of your shared
computers.
This section covers:

• Exporting User Profiles
• Importing User Profiles

Exporting User Profiles
You can use the Export feature to export fully configured shared user
profiles to other computers running Windows SteadyState.

To export user profiles
1. Click Export User.
2. In the Export User dialog box, select the user profile you want to
   export from the User name drop-down list box.
3. Select the location where you want to save the profile. Note that
   the name of the shared user profile appears in the File name list
   with an .ssu extension.
4. Click Save. A message appears stating that the shared user profile
   was successfully exported to the location you have chosen. Click OK.
Repeat steps 1 through 4 in this procedure with each user profile you
want to export.
All of the user profiles are now saved to a place where they can be
imported to your shared computers running Windows SteadyState.

Importing User Profiles
Now that the shared user profiles have been exported, you can use the
Import feature to import them to your shared computers running
Windows SteadyState.

Note: Make sure that Windows Disk Protection is set to Retain all changes
permanently before importing the shared user profiles. Otherwise, Windows
Disk Protection will remove them when the computer restarts.

To import user profiles
1. If you exported the user profiles to a removable storage device,
   insert the storage device into the appropriate drive or USB port.
2. Open Windows SteadyState.
3. Click Import User.
4. In the Import User dialog box, select the location in which you saved
   the exported user profiles.
5. You will see the file names of the shared user profiles in the Import
   User dialog box. Note that the names of the shared user profiles
   appear in the File name list with an .ssu extension. Select a shared
   user profile and click Open.
6. Enter the shared user profile password in the Password box. The
   user name already appears in the User Name box.
7. Enter the user password in the Password and Confirm Password
   boxes. You can enter any password which complies with
   Windows XP password policy requirements; however, for ease of
   administration we recommend that you make the password
   consistent on all of the shared computers in your environment. Click
   OK.
A message will appear stating that the shared user profile has been
successfully imported. The shared user profile user name will now be
included in User Settings in the Windows SteadyState main dialog
box.

Scenarios for Advanced Administrators
This section covers common advanced scenarios that occur when you
manage a shared computer environment by using Windows SteadyState.
The techniques offered in this section are intended for
Windows SteadyState administrators with advanced technical expertise
and experience in the configuration and administration of Windows.
With Windows SteadyState, you can configure shared computers so that
a user profile or user data is retained after the user has logged off. You
have three ways to store permanent user data:

• Redirect the My Documents folder to a USB drive or remote network
  drive—Users can save data to a remote drive specified by the
  Windows SteadyState administrator. You must make sure that you
  remove any restrictions that restrict a shared user from accessing a
  remote drive before you modify the location where a user can save
  data.
• Create permanent user profiles on a separate partition—Create or
  redirect user profiles and user data to a separate partition. You can
  use this method to create permanent user profiles that allow users to
  return to their settings and saved files while still protecting the
  system files on the shared computer.
• Create permanent user profiles for all accounts—Create user
  profiles for all user accounts on a separate partition where they are
  not affected by Windows Disk Protection. If you use this method, you
  must customize the computer operating system installation so that
  the default location for user profiles is not on the Windows Disk
  Protection protected partition.

Redirecting the My Documents Folder
By default, Windows SteadyState saves the user’s data to the My
Documents folder associated with the user profile. Windows provides the
capability to redirect the My Documents folder to a different location.

Note: In Windows Vista, this folder is named Documents.
If you use Windows Disk Protection, but still want to provide users with
the capability to save documents to the same location each time they log
on the user profile, you can redirect the My Documents folder so that
users can save data to a separate partition, a removable drive such as a
USB drive, or to a mapped network drive. If you choose to save data to a
separate partition, it must be a separate partition from the partition
protected by Windows Disk Protection.

Before you redirect the My Documents folder to a different location,
make sure that the Windows SteadyState environment is properly
configured for the redirection of user data.

To configure Windows SteadyState for the redirection of user data
1. Restart the computer to clear recent disk changes.
2. Log on to the shared computer and start Windows SteadyState.
3. Click Protect the Hard Disk, verify that Windows Disk Protection is
   turned on and that the Retain all changes permanently option is
   selected, and then click OK.
4. Under User Settings, click the user profile for which you want to
   redirect the My Documents folder.
5. Turn off all restrictions for the user profile.
6. Restart the computer for Windows Disk Protection to save changes.

To redirect the My Documents folder in Windows XP
1. Log on to the user profile for which you want to redirect the My
   Documents folder.
2. If you are saving user data to a USB drive, insert the USB drive into
   the USB port of the shared computer.
3. Click Start, right-click My Documents, and then click Properties.
4. In the My Documents Properties dialog box, click Move.
5. In the Select a Destination dialog box, select the drive where you
   want to save user data, and then click OK.
6. In the My Documents Properties dialog box, click OK.
7. In the Move Documents dialog box, click Yes to move the
   documents or No to leave the existing documents in the old location.
8. Log off the user profile and then log on as the Windows SteadyState
   administrator. If you turned off any user restrictions when you
   configured Windows SteadyState for the redirection of user data,
   reset those restrictions now.
9. Restart the computer for Windows Disk Protection to save changes.
10. Log on as the administrator.
11. Click Protect the Hard Disk, verify that Windows Disk Protection is
    turned on and that the Remove all changes at restart option is
    selected, and then click OK.

To redirect the Documents folder in Windows Vista
1. Log on to the user profile for which you want to redirect the
   Documents folder.
   Note: If you are saving user data to a USB drive, insert the USB
   drive into the USB port of the shared computer.
2. Click Start, right-click Documents, and then click Properties.
3. In the Documents Properties dialog box, select the Location tab,
   and then click Move.
4. In the Select a Destination dialog box, select the drive where you
   want to save user data, and then click Select Folder.
5. In the Documents Properties dialog box, click OK.
6. In the Move Folder dialog box, click Yes to move the documents or
   No to leave the existing documents in the old location.
7. Log off the user profile and then log on as the Windows SteadyState
   administrator. If you turned off any user restrictions when you
   configured Windows SteadyState for the redirection of user data,
   reset those restrictions now.
8. Restart the computer for Windows Disk Protection to save changes.
9. Log on as the administrator.
10. Click Protect the Hard Disk, verify that Windows Disk Protection is
    turned on and that the Remove all changes at restart option is
    selected, and then click OK.

Creating Permanent User Profiles on a Separate Partition
You may want to permanently store the changes a user makes to their
preferences and settings during the logon session. You can create
unlocked user profiles on a partition separate from the Windows Disk
Protection protected partition so that the environment settings a user is
allowed to make during a session are not cleared when they log off the
shared computer.
For information on creating all user profiles for all accounts on a separate
partition each time a user profile is created, see the “Creating Permanent
User Profiles for All Accounts” section in this handbook.

Note: If you have Windows SteadyState installed on a drive with multiple
partitions, the partition on which Windows SteadyState resides is the protected
system partition. If you are setting up a separate partition after you have installed
Windows SteadyState, you should defragment your hard drive before running
disk partitioning software. When you run any disk partitioning software with
Windows SteadyState installed on the shared computer, you must turn off
Windows Disk Protection before you defragment the drive to avoid damaging the
cache file created by Windows Disk Protection.
We recommend that you defragment your hard disk drive and set up any
separate partitions you may require before you install Windows SteadyState.

To create a user profile on a separate partition
1. Log on as the administrator.
2. Click Start, point to All Programs and then point to
   Windows SteadyState.
3. Under User Settings, click Add a New User.
4. In the User Name box, enter the user name for the profile you want
   to create.
5. In the Password box, type the password for the user account.
   Ensure that the password you choose meets the password policy
   requirements. Enter the password in the Confirm Password box.
6. In the User Location box, select the drive on which you want to
   save the new user profile, and then click OK.
After a user profile is created on a partition separate from the Windows
Disk Protection protected partition, the profile remains on that
unprotected partition until the Windows SteadyState administrator
deletes the user profile. If you later decide that the user profile should no
longer be permanent, the protected user profile cannot be copied or
moved to another Windows partition. If you want the same user profile to
reside on the Windows Disk Protection protected partition so that user
changes are cleared when the user logs off or restarts the computer, you
must create a new profile with the desired restrictions on the protected
partition.

To delete a permanent user profile
1. Under User Settings, select the user profile you want to delete.
2. Click Delete User. You will be asked if you are sure you want to
   delete the user’s account. If you are sure that you want to delete the
   user account, click OK.
After the user account is deleted, you can recreate the user profile on the
desired partition or on the Windows protected partition. Be aware that
after the user profile is created on the Windows partition, the profile is no
longer permanent and any changes made to the user’s environment will
not be saved.
Creating Permanent User Profiles for All Accounts
If you want to ensure that all of the user profiles created for all accounts
are placed on a partition where they are not affected by Windows Disk
Protection, you must customize the computer operating system
installation so that the default location for user profiles is not on the
Windows Disk Protection protected partition.
The only supported way to change the default location for all user
accounts is during Windows installation, and you must make the change
by automating the installation of Windows with a special answer file. This
method changes the location where all user profiles are stored, including
the Default and All Users profiles. This directs Windows to automatically
create profiles on a separate partition and overrides the default system
drive location for user profiles when they are created by
Windows SteadyState.
Answer files are text files that contain responses to some, or all, of the
queries that occur during the installation process. This answer file is
called Unattended.txt in Windows XP, and Unattended.xml in Windows
Vista. After creating an answer file, you can apply it to as many
computers as necessary. It can also be included in scripts that automate
installation on multiple computers.
A relatively easy way to create an answer file for an unattended
installation of Windows is to use a deployment tool. Depending on the
operating system that your computer is running, use one of the following
tools:

• For computers running Windows XP, use Windows Setup Manager.
  Windows Setup Manager provides a wizard-based interface for
  creating the answer file. For more information about using Setup
  Manager to automate installations, see the "Automating and
  Customizing Installations" section in the Windows XP Professional
  Resource Kit at:
  http://go.microsoft.com/fwlink/?LinkID=83441.
  The answer file you create by using Setup Manager can include other
  information, such as the time zone and network settings.
• For computers running Windows Vista, use Windows System Image
  Manager (Windows SIM). Windows SIM is part of the new Windows
  Automated Installation Kit (Windows AIK), a set of deployment tools
  for Windows Vista. For more information about deploying Windows
  Vista, see “Windows Vista Deployment Step-By-Step” at:
  http://go.microsoft.com/fwlink/?LinkID=100558.
After you create an answer file, you can change the default location
where user profiles are stored by typing the following entry in the
answer file:

For Windows XP:
[GuiUnattended]
ProfilesDir = drive:\foldername

For Windows Vista:
[GuiUnattended]
ProfilesDirectory = drive:\foldername
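
To confirm on a deployed computer that the answer-file setting took effect, and to see which existing profiles are still subject to Windows Disk Protection, the following PowerShell check reads the ProfileList registry key. It is an added example, not part of the handbook; it assumes PowerShell 2.0 or later run by an administrator, and that the protected partition is the system drive.

```powershell
# Added example: report which user profiles sit on the partition that
# Windows Disk Protection protects. Assumption: that partition is the
# system drive ($env:SystemDrive) unless another drive is passed in.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-PathDrive {
    param([string]$Path)
    if (-not $Path) { return '' }
    # Expand variables such as %SystemDrive% before taking the drive root.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return [IO.Path]::GetPathRoot($expanded).TrimEnd('\').ToUpper()
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # account was deleted but its profile key remains
    }
}

function Get-ProfilePlacement {
    param([string]$ProtectedDrive = $env:SystemDrive)
    $protected = $ProtectedDrive.TrimEnd('\').ToUpper()

    # Default directory for newly created profiles. This is the value the
    # ProfilesDir / ProfilesDirectory answer-file entry is meant to move.
    $defaultDir = (Get-ItemProperty -Path $ProfileListKey).ProfilesDirectory
    $rows = @(New-Object PSObject -Property @{
        Account              = '(default for new profiles)'
        Path                 = $defaultDir
        OnProtectedPartition = ((Get-PathDrive $defaultDir) -eq $protected)
    })

    # One subkey per profile, named by SID. S-1-5-21-* covers local and
    # domain user accounts; service profiles (S-1-5-18 and so on) are skipped.
    foreach ($key in Get-ChildItem -Path $ProfileListKey) {
        if ($key.PSChildName -notlike 'S-1-5-21-*') { continue }
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if (-not $path) { continue }
        $rows += New-Object PSObject -Property @{
            Account              = Resolve-SidName $key.PSChildName
            Path                 = $path
            OnProtectedPartition = ((Get-PathDrive $path) -eq $protected)
        }
    }
    return $rows
}

# Profiles with OnProtectedPartition = True lose their changes when
# Windows Disk Protection clears the cache. This check does not read the
# SteadyState "Lock profile" setting, which discards profile changes
# regardless of the partition the profile is on.
Get-ProfilePlacement |
    Sort-Object OnProtectedPartition, Account |
    Format-Table Account, Path, OnProtectedPartition -AutoSize
```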
Customizing Individual User or Administrative Accounts
We recommend that you limit the actions of users on a shared computer
by restricting the profiles for shared user accounts as discussed in the
“Configuring the Shared User Profile” section of this handbook. Through
the use of shared user accounts, administrators can ensure that users
will not be able to access any administrative tools and privileges that
may allow them to make unwanted changes to the operating system or
to the programs installed on the shared computer.
There are applications that you may want to allow users to run that will
require enhanced access to the shared computer.
Creating a Restricted Shared Administrative Account
For users to run applications that are not designed to run on
Windows XP, a restricted shared administrative account can be created
for the purpose of operating nonstandard software, such as Internet-based
and network-based multiplayer games. Some older educational
programs also require more administrative access than is allowed with a
typical Windows SteadyState user account with a restricted shared user
profile.

For a list of non-Microsoft programs that do not work with typical
Windows SteadyState shared user accounts, see Microsoft Knowledge
Base Article #307091 at:
http://go.microsoft.com/fwlink/?LinkId=83434.

Note: A restricted shared administrative account for the above scenarios is not
necessary for computers running Windows Vista.
A restricted shared administrative account is an unlocked user profile in
which most restrictions have been removed. This type of unrestricted
user account allows access to the increased permissions necessary to
run nonstandard applications.
Before you create a shared administrative account for general users,
consider the following questions:

• Can the nonstandard software be upgraded to or replaced with a
  version that runs correctly with limited user privileges on
  Windows XP?
• Can the software be removed from your environment with a limited
  effect on your business needs?

If the answer to either of the preceding questions is “no,” you can create
a restricted shared administrative account.

Note: If the shared computer is connected to a network, network policy might
prevent you from completing this procedure if you are not an administrator of the
network domain.

To add a shared user account to the Administrators group on the computer
1. Log on as the Windows SteadyState administrator. You must also be
   logged on as an administrator or a member of the Administrators
   group to add a shared user account to the Administrators group on
   the computer.
2. Click Start, and then click Control Panel.
3. In Control Panel, double-click User Accounts.
4. On the Users tab, under Users for this computer, click the shared
   user account that you want to add to the Administrators group, and
   then click Properties.
5. On the Group Membership tab, select the Other option, choose
   Administrators from the drop-down list, and then click OK.
After the shared user account has been added to the Administrators
group, use Windows SteadyState to restrict the shared administrative
account access to all programs and settings, with the exception of the
increased permissions that are necessary to run nonstandard
applications.

Important: Removing restrictions on a user account to open up administrative
access for non-Microsoft software can increase exposure to security risks
associated with allowing unrestricted accounts in Windows SteadyState, and
may produce an unstable environment on the shared computer.

To restrict a shared administrative account
1. Log on as the Windows SteadyState administrator.
2. Click Start, point to All Programs, and then point to
   Windows SteadyState.
3. On the Windows SteadyState main dialog box, under User
   Settings, click the shared administrative user profile you created.
4. On the General tab, under General Settings, select the Lock
   profile to prevent the user from making permanent changes box.
5. On the Windows Restrictions tab, select the High restrictions
   option. Under Start Menu Restrictions in the list, you may want to
   leave all of the restrictions selected; clearing any of the restrictions
   may create a security risk for the shared computer. However, for
   individual nonstandard applications you can turn off some of these
   restrictions.
6. In the Hide Drives section, select the drives you want to hide from
   the restricted administrative user.
For security on the shared computer, you may want to configure the
following restrictions to limit a restricted administrator’s access to system
files and program folders:

• On the Windows Restrictions tab, under General Restrictions in the
  list, select the Disable Notepad and WordPad check box. This will
  prohibit the restricted administrator user account from modifying
  critical scripts and batch files to bypass security.
• On the Windows Restrictions tab, under Start Menu Restrictions,
  select the Prevent programs in the All Users folder from appearing
  check box and the Remove the Help and Support icon check box. This
  will prevent programs from appearing on the Start menu when the
  restricted administrative user is logged on.
• On the Feature Restrictions tab, click the Microsoft Office
  Restrictions check box. This will prohibit the restricted
  administrator from running Microsoft Office programs that are
  unrelated to nonstandard applications that they are running.
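
Because a restricted shared administrative account is still a member of the Administrators group, it is worth reviewing that group's membership periodically. The following PowerShell check is an added example, not part of the handbook; it assumes PowerShell 2.0 or later, and the account names in the expected list are constructed placeholders to replace with your own.

```powershell
# Added example: list members of the local Administrators group and flag
# any account that is not on the list of accounts you expect to see.
# The names below are constructed placeholders, not SteadyState defaults.
$ExpectedAdmins = @('Administrator', 'SteadyStateAdmin', 'LegacyGamesAdmin')

function Get-AdministratorsGroupName {
    # The group has a different name on localized Windows installations,
    # so resolve it from its well-known SID (S-1-5-32-544) instead of
    # hard-coding the English name.
    $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]
}

function Get-LocalAdministrator {
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string[]]$Expected = $ExpectedAdmins
    )
    $groupName = Get-AdministratorsGroupName
    $group = [ADSI]"WinNT://$Computer/$groupName,group"

    # Members() returns COM objects; read their properties by reflection.
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type    = $member.GetType()
        $name    = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $adsPath = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Name     = $name
            ADsPath  = $adsPath          # shows whether the member is local or from a domain
            Expected = ($Expected -contains $name)
        }
    }
}

# Rows with Expected = False are accounts to investigate: either a shared
# user account that was promoted for a nonstandard application and never
# recorded, or an account that should not have administrative rights.
Get-LocalAdministrator |
    Sort-Object Expected, Name |
    Format-Table Name, Expected, ADsPath -AutoSize
```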
Specifying a Different Language for User Profiles
If you manage shared computers in a large organization or for users with
different language needs, you might want to provide programs in multiple
languages. Windows XP and Windows Vista both provide the necessary
technology for a global user experience.
The Windows XP Multilingual User Interface (MUI) Pack is a set of
language-specific resource files that you can add to the English
language version of Windows XP Professional. By using MUI, your users
can change the interface language of the operating system to any of 33
supported languages. The MUI is sold only through Microsoft Volume
Licensing programs such as the Microsoft Open License Program
(MOLP/Open), Select, and Enterprise Agreement.
Windows Vista is language-neutral, and all language and locale
resources are added by means of language files. For a full translation,
use the Windows Vista Multilingual User Interface Pack (MUI). For a
free, partial translation, use the Windows Vista Language Interface Pack
(LIP).
MUI Pack Requirements
If your organization uses Windows XP, MUI will run on computers that
are running Windows XP Professional, but not on computers running
Windows XP Home Edition. MUI is sold only through Microsoft Volume
Licensing programs such as the Microsoft Open License Program
(MOLP/Open), Select, and Enterprise agreement.
If your organization uses Windows Vista, there are two types of language
files:

• Windows Vista Multilingual User Interface Pack (MUI)
• Windows Vista Language Interface Pack (LIP)

MUIs provide a translated version of all or most of the resources for a
language and locale. MUIs require a license and are only available with
Windows Vista Ultimate and Windows Vista Enterprise.

LIPs provide a translated version of the most widely-used areas of the
user interface. LIPs are available for download free of charge on the
Microsoft Web site at:
http://go.microsoft.com/fwlink/?LinkId=100559.

Most LIPs can be installed on any version of Windows Vista. Because
the entire user interface is not translated, LIPs require at least one parent
language. The parts of the user interface that are not translated will
display in this parent language. When you download a LIP, you are given
the parent language requirements for that LIP. The parent language
must be installed before the LIP can be installed.

Configuring Windows SteadyState for MUI Installation
The input language can be configured for the computer when text is
entered by using the keyboard. With multiple languages configured, a
user can switch between languages as required. You can add an input
language in a user profile as long as you have installed the appropriate
language from MUI.
Before you add an input language to a user profile, make sure that the
Windows SteadyState environment is properly configured for the addition
of the language.

To prepare Windows SteadyState for MUI installation
1. Log on as administrator.
2. Click Protect the Hard Disk, verify that Windows Disk Protection is
   turned on and that the Retain all changes permanently option is
   selected, and then click OK.
3. Under User Settings, click the user account for which you want to
   change the user input language.
4. Turn off all restrictions for the user account.
5. Perform one of the following steps:
   • If you are using Windows XP, install the MUI.
   • If you are using Windows Vista, install the appropriate language
     file.
6. Log off as the Windows SteadyState administrator to save changes
   to the computer.
For more information about the requirements and installation of the
Windows XP MUI Pack, see “Frequently Asked Questions—Windows
Server 2003, Windows XP & Windows 2000 MUI” at:
http://go.microsoft.com/fwlink/?LinkId=83435.
For more information about the requirements and installation of the
Windows Vista language files, see the “Guide to Windows Vista
Multilingual User Interface” at:
http://go.microsoft.com/fwlink/?LinkId=100555.
Changing the User Input Language
After you install MUI, you can use the Regional and Language Options
dialog box in Control Panel to define the standards and formats the
computer uses, a user’s location, and the input languages used by the
user profile.

To add an input language for a user profile in Windows XP
1. Log on to the specific user account for which you want to change the
   user input language.
2. Click Start, and then click Control Panel.
3. In Control Panel, double-click Regional and Language Options.
4. In the Regional and Language Options dialog box, click
   Languages, and then, under Text Services and Input Languages,
   click Details.
5. In the Text Services and Input Languages dialog box, choose the
   user input language you want to add to the user’s profile from the list
   under Default input language. You can add additional services for
   the selected input language under Installed services.
6. When the input language has been added, log off the user account
   and log on as the Windows SteadyState administrator.
7. Reset the restrictions you want on the user profile you have just
   modified.

To add an input language for a user profile in Windows Vista
1. Log on to the specific user account for which you want to change the
   user input language.
2. Click Start, and then click Control Panel.
3. In Control Panel, under Clock, Language, and Region, click
   Change display language.
4. In the Regional and Language Options dialog box, select the
   Keyboards and Languages tab.
5. Click Install/uninstall languages, and follow the steps in the
   Install/Uninstall Languages Wizard.
6. When the input language has been added, log off the user account
   and log on as the Windows SteadyState administrator.
7. Reset the restrictions that you want in place for the user profile you
   have just modified.

Installing Windows SteadyState on Multiple
Computers
When you install Windows SteadyState on several computers that have
identical hardware configurations, the most efficient installation method
to use is disk imaging (a process that is also referred to as cloning). This
method involves:

Configuring a reference computer—Configure a computer that
you will use to replicate the Windows SteadyState installation
image on other computers in your environment. Follow the
installation instructions in the “Installing Windows SteadyState”
section of this handbook to prepare your reference computer for
disk imaging and installation on multiple computers.

Preparing the reference computer with the System
Preparation Tool—After Windows SteadyState is installed, user
profiles have been created, and security and critical updates
have been installed, use the System Preparation Tool (Sysprep)
to prepare the computer for imaging (optional). You can find
Sysprep on the CD that came with your Windows operating
system.
Note: For more information on Microsoft’s policy with the use of Sysprep and
Windows XP, see Microsoft Knowledge Base Article #302577 at:
http://go.microsoft.com/fwlink/?LinkId=83437.

Creating an image of the reference computer—Create an
image of the reference computer hard disk and transfer that
image to the hard disk of other computers.

Transferring and setting up the image on multiple
computers—After the disk image has been transferred to
multiple computers, a Mini Setup Wizard will start that validates
and activates Windows XP for use on the new computer.

Turning on Windows Disk Protection on All Shared
Computers—After the disk image has been transferred to other
computers and after you have confirmed that all user profiles are
in place on each shared computer, turn on Windows Disk
Protection.
Configuring a Reference Computer
We recommend that you set up the reference computer, which will be
used to create the master disk image for multiple installations of
Windows SteadyState, with a clean installation of the operating
system. For more information on preparing your computer for
Windows SteadyState installation, using Windows Disk Protection,
creating user accounts, and configuring user profiles, see the
“Installing Windows SteadyState” section of this handbook.
Preparing the Reference Computer with the System
Preparation Tool
After you configure the reference computer, your next step is to prepare
the computer for imaging. Many settings on a computer running
Windows XP or Windows Vista must be unique, such as the Computer
Name and the Security Identifier (SID), which is a number used to track
an object through the Windows security subsystem. To address this
requirement, Windows XP and Windows Vista provide a tool called the
System Preparation Tool (Sysprep) that removes the SID and all other
user-specific and computer-specific information from the computer, and
then shuts down the computer so that you can use a disk duplication tool
to create a disk image. The disk image is a compressed file that contains
the contents of the entire hard disk on which the operating system is
installed.
Sysprep can be used to prepare a reference computer with
Windows SteadyState for disk imaging. You can then replicate the disk
image on multiple computers with the same or similar hardware
configurations.
Before you run Sysprep on a computer with Windows SteadyState,
ensure that:

All user profiles are unlocked. Sysprep.exe does not recognize
locked or mandatory profiles and will copy a new Ntuser.dat file
into the <user> folder. This will prevent profiles from being linked
to the new SIDs, and will cause the profiles to become invalid.

Windows Disk Protection is turned off. The cache file must not
be copied from one computer to another. After the target
computers are imaged, you can turn Windows Disk Protection
back on.
Typically, when a client computer starts Windows XP or Windows Vista
for the first time after loading a disk image that has been prepared with
Sysprep, Windows automatically generates a unique SID, initiates Plug
and Play detection, and starts the Mini Setup Wizard. The Mini Setup
Wizard prompts for user-specific and computer-specific information, such
as the Microsoft Software License Terms, regional options, user name
and company, and product key.
You can further automate the imaging process by including a special
answer file named Sysprep.inf with your master image. Sysprep.inf is an
answer file that automates the Mini Setup Wizard. It uses the same INI
file syntax and key names (for supported keys) as Unattend.txt in
Windows XP or Unattend.xml in Windows Vista. Place the Sysprep.inf
file on a floppy disk or in the following folder:
%systemdrive%\Sysprep
If you use a floppy disk, insert it into the floppy disk drive after the
Windows startup screen appears. Note that if you do not include
Sysprep.inf when running Sysprep, the Mini Setup Wizard requires user
input at each customization screen.
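The check below is an added example, not part of the handbook or of any Microsoft tool: it parses a Sysprep.inf and reports which of the Mini Setup prompts named above would still appear, and whether the file carries a plaintext administrator password. The section and key names (OemSkipEula, OemSkipRegional, FullName, OrgName, ProductKey, AdminPassword, EncryptedAdminPassword) are the Windows XP answer-file names, which this handbook does not list, and the sample file is constructed.

```python
import configparser

# Constructed sample Sysprep.inf for illustration; not taken from the handbook.
SAMPLE = r"""
[Unattended]
OemSkipEula=Yes

[GuiUnattended]
AdminPassword=ExamplePassw0rd
OEMSkipRegional=1
TimeZone=004

[UserData]
FullName="Lab User"
OrgName="Example School"
ComputerName=*
"""

# Prompts the handbook names, mapped to the entries that answer them.
# Each entry is (section, key, accepted values); None means "any non-empty value".
PROMPT_KEYS = {
    "Microsoft Software License Terms": [("unattended", "oemskipeula", {"yes"})],
    "regional options": [("guiunattended", "oemskipregional", {"1"})],
    "user name and company": [("userdata", "fullname", None),
                              ("userdata", "orgname", None)],
    "product key": [("userdata", "productkey", None)],
}


def load(text):
    """Parse answer-file text into {section: {key: value}}, all names lowercased."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    data = {}
    for section in parser.sections():
        bucket = data.setdefault(section.lower(), {})
        for key, value in parser.items(section):
            bucket[key] = value.strip().strip('"')
    return data


def remaining_prompts(text):
    """Return the handbook-named prompts that this answer file does not cover."""
    data = load(text)
    missing = []
    for prompt, needs in PROMPT_KEYS.items():
        for section, key, accepted in needs:
            value = data.get(section, {}).get(key, "")
            answered = value.lower() in accepted if accepted else bool(value)
            if not answered:
                missing.append(prompt)
                break
    return missing


def plaintext_admin_password(text):
    """True if AdminPassword holds a readable password (not '*', not encrypted)."""
    gui = load(text).get("guiunattended", {})
    password = gui.get("adminpassword", "")
    encrypted = gui.get("encryptedadminpassword", "").lower() == "yes"
    return bool(password) and password != "*" and not encrypted


if __name__ == "__main__":
    print("Prompts still shown:", remaining_prompts(SAMPLE))
    print("Plaintext admin password:", plaintext_admin_password(SAMPLE))
```

Anyone who can read the master image or the floppy disk can read a password stored this way, so treat an answer file that fails the second check as a credential.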
To learn more about how to use Sysprep, see the following resources:

For an overview of the process of imaging clients, including the
use of Sysprep to prepare a system for imaging in Windows XP,
see:
http://go.microsoft.com/fwlink/?LinkId=83440.

For information about how to customize Sysprep installations,
see:
http://go.microsoft.com/fwlink/?LinkId=83441.

For information on using Sysprep with Windows Vista, see:
http://go.microsoft.com/fwlink/?LinkId=100557.
Creating an Image of the Reference Computer
After you run the System Preparation Tool to prepare the reference
computer for imaging, the tool shuts down the reference computer. At
this point, perform one of the following tasks to create an image of the
computer hard disk:

If you are using Windows XP, you can use a non-Microsoft
imaging tool.

If you are using Windows Vista, you can use the ImageX imaging
tool.
For more information about disk duplication of Windows XP installations,
see Microsoft Knowledge Base Article #314828 at:
http://go.microsoft.com/fwlink/?LinkId=83438.
For more information about using ImageX with Windows Vista, see:
http://go.microsoft.com/fwlink/?LinkId=100560.
Transferring and Setting up the Image on Multiple
Computers
After you transfer an image to a new computer and start the computer,
Windows generates a unique SID, initiates Plug and Play detection, and
starts the Mini Setup Wizard. After installation finalizes, you must
complete the following tasks:

Activating Windows XP—For more information about activating
Windows XP, see Microsoft Knowledge Base Article #302806 at:
http://go.microsoft.com/fwlink/?LinkId=83442.

Activating Windows Vista—For more information about
activating Windows Vista, see “Activating Windows Vista” at:
http://go.microsoft.com/fwlink/?LinkId=100561.
Turning on Windows Disk Protection on All Shared
Computers
After your disk image has been installed on all shared computers, you
will want to turn on Windows Disk Protection to protect the system drive
and save the unlocked user profiles on each computer. Make certain that
the Retain all changes permanently option is selected for every
computer when you are configuring system drive restrictions. Otherwise,
Windows Disk Protection will remove the newly installed unlocked user
profiles when each computer restarts.
For more information about exporting and importing user profiles, see the
“Exporting and Importing User Profiles” section in this handbook.
Using Windows SteadyState with Active
Directory and Network Domains
The Active Directory® directory service offers significant benefits for
shared computers on a network. Active Directory gives network users
controlled access to resources anywhere on the network by using a
single set of credentials. It also provides network administrators with an
intuitive, hierarchical view of the network, and a single point of
administration for all network objects.
Active Directory provides an environment for centrally managing user
accounts that require access to network resources. In this environment,
users must log on with the same credentials on multiple computers, as
many educational institutions require. For these reasons,
Windows SteadyState has been designed to work as favorably in domain
environments as it does for workgroup computers.
Please note that most of the settings and restrictions available in
Windows SteadyState are also available through the Group Policy
template (SCTSettings.adm) provided with Windows SteadyState. When
considering the installation of Windows SteadyState on shared
computers that are connected to a domain network, Group Policy is more
effective than using Windows SteadyState for restricting multiple user
accounts across numerous computers on a domain network.
Windows Disk Protection on Domain-Joined Computers
When a computer running Windows XP is joined to an Active Directory
domain, the computer uses a computer account password to
authenticate with the domain and gain access to domain resources. By
default, the domain-joined computer initiates a change to the computer
account password automatically within every 30-day period. A domain
controller accepts the password change and allows the domain-joined
computer to continue to authenticate. The new password is stored locally
on the domain-joined computer and can be confirmed by Active
Directory. If a password change fails, or if a domain-joined computer
attempts to use an incorrect password, the computer will not be capable
of accessing the domain.
Central Software Management and Windows Disk
Protection
When Windows Disk Protection is on, software updates to the computer
are ideally performed through the critical updates process offered by
Windows Disk Protection. Windows Disk Protection helps keep the
computer trustworthy by first performing a regularly scheduled restart to
clear all disk changes, and then downloading and installing the required
updates on top of this trusted base. This model is less flexible than some
central software management models in which updates can be initiated
centrally and scheduled to occur at any time.
A centrally managed software distribution system, such as Microsoft
Systems Management Server (SMS), can provide the flexibility to
schedule software updates to occur at any time, but with Windows Disk
Protection, software updates must be scheduled at specific times.
If your organization requires regularly changing the schedule for software
updates, instead of following a fixed schedule you set within Windows
Disk Protection, you might want to consider whether Windows Disk
Protection is right for your environment.
In contrast, if you can integrate your centrally managed software update
process into the client-driven Windows Disk Protection update process,
you might have a situation in which central software distribution and
Windows Disk Protection can work together.

Note: The software management model used by Windows Disk Protection might
not be appropriate for environments with portable computers such as notebooks
and tablet computers that are routinely disconnected or turned off at the time
when the Windows Disk Protection critical updates process is scheduled to
occur.
Creating a Mandatory Profile for Multiple Users
Mandatory user profiles are a type of roaming user profile to which users
cannot make permanent changes. Mandatory user profiles are available
in Windows XP Professional, but not in Windows XP Home Edition.
Mandatory user profiles are available in all versions of Windows Vista
supported by Windows SteadyState. Mandatory user profiles are stored
on a network server and are downloaded and applied each time a user
logs on. The profile is not updated when the user logs off.
The advantage of using a mandatory profile is that you can make
changes to the master mandatory profile and a user can access that
profile on any shared computer that is connected to the network. The
potential disadvantage of mandatory profiles is that the shared computer
must have network access for a user to log on. If the shared computer
cannot access the network, mandatory user profiles are unavailable and
users cannot log on.

To create a mandatory profile for multiple users
1. Create a shared folder on a network server that will store mandatory
   profiles.
2. Create a subfolder in that shared folder for each mandatory user
   profile you want to use.
3. Click Start, and then click Control Panel.
4. In Control Panel, perform one of the following steps:
   • In Windows XP, double-click Administrative Tools, and then
     double-click Computer Management.
   • In Windows Vista, click Classic View, double-click
     Administrative Tools, and then double-click Computer
     Management.
5. In Computer Management, click Local Users and Groups, and
   then double-click Users.
6. For each user account that will use the mandatory user profile,
   right-click the account and then click Properties.
7. In Properties, click Profile, and then, in the Profile path, type the
   network path to the shared folder where the mandatory user profile is
   saved (for example, C:\server1\profiles\user1).
8. Create, configure, and restrict a user profile and then copy that user
   profile to the appropriate network shared folder.
9. In the network shared folder, in the profile folder, rename the
   Ntuser.dat file to Ntuser.man. This changes the user profile from a
   simple roaming profile to a mandatory user profile.
For more information on how to create and use mandatory user profiles,
see the following resources:

For general information about roaming and mandatory profiles in
Windows XP, see “User profiles overview” in the Windows XP
Professional Product Documentation at:
http://go.microsoft.com/fwlink/?LinkId=83443.

For steps on how to assign a mandatory profile to a user account
in Windows XP, see Microsoft Knowledge Base Article # 307800
at:
http://go.microsoft.com/fwlink/?LinkId=83444.

For information on roaming, mandatory user profiles, and how to
assign a mandatory user profile, see the “Managing Roaming
User Data Deployment Guide” at:
http://go.microsoft.com/fwlink/?LinkId=100556.
Creating User Restrictions for Unrestricted Domain
Accounts
Some organizations must restrict domain accounts on specific
computers, but these domain accounts are unrestricted by Group Policy.
This often happens with shared facilities that are used briefly by domain
users, such as CD or DVD creation labs or other types of dedicated
computer kiosks.
Similarly, operators may want to restrict domain accounts on specific
computers but do not have the access rights to make the required
changes within Group Policy to do so.
Other security-conscious environments would like to ensure that default
restrictions are applied to domain users even if network issues prevent
Group Policy restrictions from being applied during an initial logon
(usually caused by tampering, such as the well-timed removal of a
network cable).

Note: If you copy the Default User folder to the NETLOGON shared folder on a
domain controller, the settings and restrictions of this default profile will apply to
all domain users the first time they log on. The folder will be replicated to all other
domain controllers providing a Default User profile for all new domain accounts.
All of these scenarios can be addressed by setting restrictions on the
Default User profile in Windows SteadyState. The Default User profile is
then used as the template when creating all new user profiles for both
domain and local accounts. This particular technique does not work on
domain accounts that are configured with roaming user profiles.

Note: It is advisable to create a backup of the Default User profile before you
customize the profile for use on the domain. To do this, make a copy of the
Default User folder located in the Documents and Settings folder.

To create a custom Default User profile
1. Log on as the Windows SteadyState administrator.
2. Create a new local user profile.
3. Log off and then log on as the local user that you just created.
4. Customize the user settings and environment. For example, you
   could:
   • Customize the Start menu.
   • Customize the desktop and taskbar.
   • Install and configure printers.
5. Log off and then log on as the Windows SteadyState administrator.
6. Configure and apply restrictions for the newly created user profile.
7. Perform one of the following tasks:
   • In Windows XP, click Start, and then click My Computer.
   • In Windows Vista, click Start, and then click Computer. To show
     menus, press the ALT key, and the menu bar will appear above
     the toolbar.
8. Click the Tools menu, and then click Folder Options.
9. In the Folder Options dialog box, on the View tab, under Advanced
   settings, click Show hidden files and folders, and then click OK.
   Several of the files in the new profile are hidden by default and must
   be visible to be copied to the new custom Default User profile.
10. Perform one of the following tasks:
   • In Windows XP, click Start, right-click My Computer, and then
     click Properties. In the System Properties dialog box, on the
     Advanced tab, under User Profiles, click Settings.
   • In Windows Vista, click Start, right-click Computer, and then
     click Properties. In the System Properties dialog box, click
     Advanced system properties. On the Advanced tab, under
     User Profiles, click Settings.
11. In the User Profiles dialog box, click the user profile that you just
   created and customized, and then click Copy To.
12. In the Copy To dialog box, under Copy profile to, click Browse,
   click the \Documents and Settings\Default User folder, and then
   click OK.
13. Under Permitted to use, click Change, click Everyone, and then
   click OK. If Everyone is not available, click Advanced, click Find
   Now, click Everyone, and then click OK.
After the Default User profile is customized, Windows XP or Windows
Vista assigns the Default User profile along with its restrictions to any
new user who logs on to the computer. This technique cannot be used to
lock new user profiles as they are created. However, you can use
customized Default User profiles along with Windows Disk Protection to
clear the new user profiles that are created on the Windows partition with
each restart of the computer.
Creating Group Policy Restrictions with
SCTSettings.adm
Windows SteadyState includes a Group Policy template called
SCTSettings.adm in the ADM folder commonly located in C:\Program
Files\Windows SteadyState. This template reproduces most of the
settings on the Feature Restrictions tab of the Windows SteadyState
User Settings dialog box, and can be used to deploy restrictions to
users who are members of an Active Directory domain.
Group Policy for a domain can be configured either with the Group Policy
Management Console, or by using the Group Policy Editor built into
Active Directory Users and Computers. For Windows XP, the Group
Policy Management Console is an add-in tool available for download
from Microsoft. Group Policy Management Console is integrated into
Windows Vista. By adding the SCTSettings.adm template into these
tools, you can gain access to account restrictions and settings that are
appropriate for user accounts on shared computers.
The SCTSettings.adm Group Policy template included with
Windows SteadyState also includes the capability to set idle and
mandatory logoff timers, if Windows SteadyState is installed on your
computers.
It is important that you apply these settings only to specific user
accounts, so as not to restrict legitimate administrative user accounts on
any computers.

To use Active Directory Users and Computers to manage
Windows SteadyState restrictions
1. Start Active Directory Users and Computers on a computer running
   Microsoft Windows Server 2003 by clicking Start, and then clicking
   All Programs.
2. Click Administrative Tools. In Active Directory Users and
   Computers, right-click the organizational unit (OU) for which you
   want to configure policy, and then click Properties.
3. On the Group Policy tab, select the policy you want to modify, and
   then click Edit.
4. Expand User Configuration, right-click the Administrative
   Templates folder, and then click Add/Remove Templates.
5. In the Add/Remove Templates dialog box, click Add and then
   browse to the location of the SCTSettings.adm template, commonly
   located in the following folder:
   %systemdrive%\Program Files\Windows SteadyState\ADM
6. Browse the settings in the All Windows SteadyState Restrictions
   folder and note their similarity to the program and user restrictions
   settings in Windows SteadyState. Descriptions are given for each
   setting.
7. Make any restrictions changes that you want and then exit Group
   Policy Editor.
Note: We recommend that you create an OU that stores the shared user
accounts in your environment, and that you apply the SCTSettings.adm template
to the User Configuration portion of a Group Policy Object linked to this
dedicated OU.
Group Policy Software Restriction Policies
Windows SteadyState provides administrators with an effective way to
restrict software, especially for a single shared computer or for a small
environment of shared computers. However, when administrators want
to centrally manage software restrictions across many computers or
users, we recommend that you set software restrictions by using Group
Policy Software Restriction Policies. Software restrictions that are
implemented by using Software Restriction Policies across a large
number of shared access computers on a given site, domain, or range of
organizational units are more efficiently administered than the restrictions
that can be implemented by using Windows SteadyState.
Software restrictions that can be applied by using Software Restrictions
Policies are identical to those restrictions that can be applied in
Windows SteadyState.
For more information on using Group Policy Software Restrictions
Policies, see: http://go.microsoft.com/fwlink/?LinkId=83445.
Duplicating Software Restrictions by Using Software
Restrictions Policies in Windows
If you want to use Software Restrictions Policies in Windows to directly
duplicate the Windows and program restrictions settings that a
Windows SteadyState administrator can configure, create the path rules
defined in the following sections. Optionally, you can also restrict
Notepad and WordPad and prevent Microsoft Office programs from
running using Software Restriction Policies.
For example, to duplicate the effect of the Allow only programs in the
Program Files and Windows folders to run feature in the Windows
Restrictions tab in Windows SteadyState, use a Software Restriction
policy to set the Software Restriction Policy Security Level to
Disallowed, and then create additional rules to unrestrict or allow each
of the following paths, as shown in Table 7.
Table 7: Software Restriction Rules

Rule              Description
%ProgramFiles%    Allows programs to run
%Windir%          Allows Windows programs to run
*.lnk             Allows Start menu and desktop shortcuts to work

As an added security measure, you can also create an additional path
rule that restricts files from being run in the Temp folder. To restrict users’
read/write permissions to the Temp folder, add the following rule by
using Software Restrictions Policies.
%WinDir%\Temp
For more information on using Group Policy Software Restrictions
Policies, see: http://go.microsoft.com/fwlink/?LinkId=101602.
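The following added example (not from the handbook, and a simplified model rather than Windows code) evaluates sample paths against the Disallowed default level, the Table 7 rules and the %WinDir%\Temp rule. It assumes the documented Software Restriction Policies precedence, in which the most specific matching path rule wins; the paths and environment values are constructed.

```python
import re

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

# Constructed environment used to expand the variables that appear in the rules.
ENV = {"programfiles": r"C:\Program Files", "windir": r"C:\Windows"}

# Security level for anything no rule matches, then the handbook's path rules.
DEFAULT_LEVEL = DISALLOWED
RULES = [
    (r"%ProgramFiles%", UNRESTRICTED),   # Table 7
    (r"%Windir%", UNRESTRICTED),         # Table 7
    (r"*.lnk", UNRESTRICTED),            # Table 7
    (r"%WinDir%\Temp", DISALLOWED),      # added Temp folder rule
]


def expand(path, env=ENV):
    """Expand %VAR% references, drop a trailing backslash and fold case."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return expanded.rstrip("\\").lower()


def specificity(rule, target):
    """Return a sortable rank if the rule matches the target, otherwise None.

    Assumed ranking (simplified): exact file path > bare *.ext wildcard >
    folder rule, and a longer folder outranks a shorter one.
    """
    rule, target = expand(rule), expand(target)
    if rule.startswith("*."):
        return (2, len(rule)) if target.endswith(rule[1:]) else None
    if rule == target:
        return (3, len(rule))
    if target.startswith(rule + "\\"):   # folder rules also cover subfolders
        return (1, len(rule))
    return None


def evaluate(target, rules=RULES, default=DEFAULT_LEVEL):
    """Return (security level, deciding rule); the rule is None for the default."""
    best = None
    for rule, level in rules:
        rank = specificity(rule, target)
        if rank is None:
            continue
        # On equal specificity the more restrictive level takes precedence.
        key = (rank, level == DISALLOWED)
        if best is None or key > best[0]:
            best = (key, rule, level)
    return (best[2], best[1]) if best else (default, None)


# Constructed sample paths.
SAMPLES = [
    r"C:\Program Files\Office\winword.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\Temp\setup.exe",
    r"C:\Documents and Settings\user1\Desktop\tool.exe",
    r"C:\Documents and Settings\user1\Desktop\Word.lnk",
    r"C:\WindowsOld\tool.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        level, rule = evaluate(sample)
        print(f"{level:<13} {rule or '(default level)':<16} {sample}")
```

The Temp rule matters because %Windir% is allowed as a whole: without it, any folder under the Windows directory that users can write to would also be a folder they can run programs from.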
Configuring Restart After Log off by Using a
Logoff Script
When a computer running Windows XP is joined to a domain, it is more
difficult to ensure changes are cleared between user logon sessions. If
you use Group Policy and Software Restrictions Policies, use a logoff
script to reproduce the Restart computer after log off option, commonly
located under General Settings in Windows SteadyState.

To use Group Policy to configure the computer to restart
when a user logs off
1. Open the Group Policy Object for the domain or OU to which your
   users belong.
2. Under User Configuration, expand Windows Settings, and then
   click Scripts (Logon/Logoff).
3. Open the Logoff object and add a logoff script. The logoff script can
   be a script written in any scripting language supported by Windows
   that contains a command to restart the computer.
Note: You can use the shutdown command in a batch file to restart the
computer. At the command prompt, type the following command:
shutdown -r -t 00
The shutdown command is restricted when you restrict access to the command
prompt. You can also use the ForceLogoff.exe tool included with
Windows SteadyState to restart the computer.
Using Windows Disk Protection API
The Windows SteadyState Application Programming Interface (API)
consists of a Windows Management Instrumentation (WMI) interface that
allows a member of the Administrators group to work with Windows Disk
Protection using scripts, and to perform many of the same procedures
available in the user interface.
The name of the API is Sctui.exe and it is located in the following folder:
%systemdrive%/Program Files/Windows SteadyState.
The WMI interface has two command-line parameters:
EnableWDPAndReboot and DisableWDPAndReboot.
After you have enabled Windows Disk Protection, the script can use one
or more of these three properties: CurrentStatus, CurrentMode, and
PersistDateTime.
For more information about Windows Disk Protection, see the “Protecting
the Hard Disk” section in this handbook.
For additional information about WMI, see:

The “Windows Management Instrumentation (WMI)” MSDN article at:
http://msdn2.microsoft.com/en-us/library/aa394582.aspx.

The “Using WMI” MSDN article at:
http://msdn2.microsoft.com/en-us/library/aa393964.aspx.
Command-line Parameters
DisableWDPAndReboot
Disables and uninstalls Windows Disk Protection. This process requires
three restarts to:
1. Clear the cache.
2. Commit changes made to the computer that remove the Windows
   Disk Protection driver.
3. Finish uninstalling Windows Disk Protection.
Example:
sctui /DisableWDPAndReboot
EnableWDPAndReboot
Installs and enables Windows Disk Protection. A console window opens
to show status messages during installation. If installation was
successful, the system is automatically restarted to complete enabling
Windows Disk Protection.
Example:
sctui /EnableWDPAndReboot
Properties
CurrentMode
Set or retrieve the current mode for Windows Disk Protection. Note that
the CurrentMode property can only be applied if the CurrentStatus
property is WDP_ACTIVE. The CurrentMode properties listed in Table 8
directly correspond to the three levels of disk protection available when
Windows Disk Protection is turned on.
Table 8: Windows Disk Protection Modes and Corresponding Disk
Protection Levels

Windows Disk Protection mode    Level of disk protection
WDP_MODE_DISCARD (0)            Remove All Changes at Restart
WDP_MODE_PERSIST (1)            Retain Changes Temporarily
WDP_MODE_COMMIT (2)             Retain All Changes Permanently

CurrentStatus
When queried, this read-only property will return a value that indicates
whether Windows Disk Protection is active or passive.
Table 9: CurrentStatus Values and Corresponding Windows Disk
Protection Status

CurrentStatus values    Windows Disk Protection status
WDP_ACTIVE (0)          Windows Disk Protection is actively caching
                        changes. This is the most common value.
WDP_PASSIVE (1)         Windows Disk Protection is on, but changes are
                        saved directly to the hard disk without using the
                        cache file as temporary storage.

Note: The passive state (WDP_PASSIVE) is not a user-selectable or writable
state available through the Windows SteadyState user interface, but is used
internally by the Windows SteadyState application.
PersistDateTime
Use to query or specify the date and time at which
WDP_MODE_PERSIST expires and automatically reverts to
WDP_MODE_DISCARD when Windows Disk Protection is turned on.
The date type for this property when queried is
WBemScripting.SWbemDateTime. The PersistDateTime property has
no effect unless the CurrentMode property is set to
WDP_MODE_PERSIST.
Code Sample
The sample code that follows establishes the constants, sets the
Windows Disk Protection level to the Retain Changes Temporarily
option (WDP_MODE_PERSIST), and then specifies the date and time at
which this mode will expire and revert to the Remove All Changes at
Restart option (WDP_MODE_DISCARD).
' Windows Disk Protection sample script
' Define some useful constants
'
' WDP_Control.CurrentStatus
const WDP_ACTIVE = 0
const WDP_PASSIVE = 1
' WDP_Control.CurrentMode
const WDP_MODE_DISCARD = 0
const WDP_MODE_PERSIST = 1
const WDP_MODE_COMMIT = 2
' Identify the computer to manipulate
'
strComputer = "."
' The WDP_Control.PersistDateTime property requires a FILETIME type.
' The easiest way to create a FILETIME from readable string is to use
' the WBemScripting.SWbemDateTime object.
set dateTime = CreateObject("WBemScripting.SWbemDateTime")
' Set the datetime to May 8, 2020 at 8:00 AM
dateTime.SetVarDate #5/8/2020 08:00:00 AM#
'
' Get an instance of the WDP_Control WMI class
'
set objWbemServices = GetObject("winmgmts:\\" & strComputer & "\root\wmi")
set setWdpObjects = objWbemServices.ExecQuery("SELECT * FROM WDP_Control")

' Switch each instance to Retain Changes Temporarily and set its expiry
for each objWdp in setWdpObjects
    objWdp.CurrentMode = WDP_MODE_PERSIST
    objWdp.PersistDateTime = dateTime.GetFileTime
    objWdp.Put_
next

Help Ensure a More Private and Secure Experience for Users
Privacy and security are very important elements of the maintenance and
use of a shared computer. With Windows SteadyState, you can help
protect a shared computer against unwanted changes and also help
provide an environment that better protects the privacy of your users.
This section contains recommendations to help you select computer,
Windows, and feature restrictions in Windows SteadyState to help give
shared users a more private and secure experience.
Setting Computer Restrictions
Privacy Settings
In Privacy Settings, select the following restrictions:
• Do not display user names in the Log On to Windows dialog box
• Prevent locked or roaming user profiles that cannot be found on the computer from logging on to this computer
• Do not cache copies of locked or roaming user profiles for users who have previously logged on to this computer
Security Settings
In Security Settings, select the following restrictions:
• Do not allow Windows to compute and store passwords using LAN Manager Hash values
• Do not store user names or passwords used to log on to Windows Live ID or the domain (requires restart of the computer)
• Prevent users from creating folders and files on drive C:\
Installing Updates
Schedule Updates
Select Use Windows SteadyState to automatically download and
install updates. You can use Windows SteadyState to automatically
install critical updates from Microsoft at a time you schedule. Scheduling
automatic updates will ensure that necessary Microsoft updates are
installed on the shared computer in a timely manner.

Select Updates
Select the Security Program Updates check box and then select the
programs you want Windows SteadyState to automatically update.
Windows SteadyState will then install software updates for programs
displayed in the Security Program Updates check box at the time you
scheduled in the Schedule Software Updates dialog box.
Protecting Your Disk
In Protect the Hard Disk, select the following options:
• Turn Windows Disk Protection on.
• Remove all changes at restart.
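The two options above can be verified from a script through the WDP_Control WMI class described earlier. The following read-only check is an added example, not part of the handbook; it reuses the namespace, class, property names and constants from the handbook's sample, while the messages and exit codes are assumptions of this example.

```vbscript
' Added example (not from the handbook): read-only compliance check for the
' recommended Windows Disk Protection settings. Namespace, class, properties
' and constants come from the handbook's sample; exit codes are assumptions
' of this example (0 = as recommended, 1 = deviation, 2 = cannot query).
Option Explicit

Const WDP_ACTIVE = 0          ' WDP_Control.CurrentStatus
Const WDP_PASSIVE = 1
Const WDP_MODE_DISCARD = 0    ' WDP_Control.CurrentMode
Const WDP_MODE_PERSIST = 1
Const WDP_MODE_COMMIT = 2

Dim strComputer, objWbemServices, setWdpObjects, objWdp, findings, count
strComputer = "."
findings = ""
count = 0

' Reading Count forces the query to run, so a missing class or namespace
' (Windows Disk Protection not installed) surfaces here, not in the loop.
On Error Resume Next
Set objWbemServices = GetObject("winmgmts:\\" & strComputer & "\root\wmi")
Set setWdpObjects = objWbemServices.ExecQuery("SELECT * FROM WDP_Control")
count = setWdpObjects.Count
If Err.Number <> 0 Or count = 0 Then
    WScript.Echo "FAIL: no WDP_Control instance could be queried"
    WScript.Quit 2
End If
On Error GoTo 0

For Each objWdp In setWdpObjects
    ' Anything other than WDP_ACTIVE means changes are not going to the cache file.
    If objWdp.CurrentStatus <> WDP_ACTIVE Then
        findings = findings & "CurrentStatus=" & objWdp.CurrentStatus & _
                   " (expected WDP_ACTIVE); "
    End If
    Select Case objWdp.CurrentMode
        Case WDP_MODE_DISCARD
            ' Recommended: Remove All Changes at Restart
        Case WDP_MODE_PERSIST
            findings = findings & "CurrentMode=WDP_MODE_PERSIST " & _
                       "(changes retained temporarily); "
        Case WDP_MODE_COMMIT
            findings = findings & "CurrentMode=WDP_MODE_COMMIT; "
        Case Else
            findings = findings & "CurrentMode=" & objWdp.CurrentMode & " (unknown); "
    End Select
Next

If findings = "" Then
    WScript.Echo "OK: Windows Disk Protection is active and removes all changes at restart"
    WScript.Quit 0
Else
    WScript.Echo "WARN: " & findings
    WScript.Quit 1
End If
```

Run it under cscript.exe so the exit code is available to a scheduled task or monitoring agent.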
Configuring User Profiles
General Tab

• Select Restart computer after log off for each shared user profile.
• Select Lock Profile to prevent the user from making permanent changes under General Settings.
• Select Log off after “xx” minutes idle in Session Timers and then enter the number of minutes in which you want the computer to log off if the user is away from the computer for an extended period of time.
Windows Restrictions Tab
In Start Menu Restrictions, select the following restrictions:
• Remove the My Documents icon
• Remove the My Recent Documents icon
• Remove the My Pictures icon
• Remove the My Music icon
• Remove the Favorites icon
• Remove the Frequently Used Programs list
Hide network drives and unprotected partition drives from the user in
Hide Drives. You can still allow users to read from or save data to a
USB drive.
Feature Restrictions Tab
In Internet Explorer Restrictions, select the following restrictions:
• Empty the Temporary Internet Files folder when Internet Explorer is closed
• Remove Security Tab in Internet Options
• Remove Privacy Tab in Internet Options
• Disable AutoComplete

Appendix A: Windows SteadyState Glossary
Included in this glossary are definitions for the terms, phrases, and
feature names that are commonly associated with Windows SteadyState
and are used throughout this handbook.
Active Directory
The Windows-based directory service. Active Directory stores
information about objects on a network and makes this information
available to users and network administrators. Active Directory gives
network users access to permitted resources anywhere on the
network using a single logon process. It provides network
administrators with an intuitive, hierarchical view of the network and
a single point of administration for all network objects.
administrator
The person responsible for administering use of a shared computer
system, communications system, or both. A system administrator
performs such duties as assigning user accounts and passwords,
establishing security access levels, allocating storage space, and
watching for unauthorized access.
antivirus update
A periodic update from software manufacturers to their antivirus
software.
Automatic Updates
A feature that works with the Windows Update Web site to deliver
updates (patches and fixes) for Windows as they become available
according to settings that users can choose.
Block Programs
A tab in the User Settings dialog box used to block a given user
from accessing listed programs.
cache
Generally, a file used to store information temporarily. Windows Disk
Protection utilizes a cache file to store changes made to system and
profile files during user sessions. This cache file is emptied of
contents at intervals, depending on how Windows Disk Protection is
configured.
clear
To erase or empty the cache file on the hard disk when a user logs
off or the computer is restarted (only when Windows Disk Protection
is turned on).

computer restrictions
Settings that limit operating system functionality, including privacy
and security.
critical update
A broadly released fix for a specific problem addressing a critical,
non-security related issue or bug.
custom update
Update, patch, or upgrade to software other than those available
through Microsoft Update.
defragmentation
The process of rewriting parts of a file to contiguous sectors on a
hard disk to increase the speed of access and retrieval. In Active
Directory, defragmentation rearranges how the data is written in the
directory database file to compact it.
disable
To deactivate or turn off.
domain
A collection of computers in a networked computer environment that
share a common domain database and security policy. A domain is
administered as a unit with common rules and procedures, and each
domain has a unique name.
drive restrictions
Feature on the Windows Restrictions tab of the User Settings
dialog box that allows the administrator to select which drives on the
computer are accessible and visible to the users of the shared user
profile.
enable
To activate or turn on.
export
To output data and database objects to another database,
spreadsheet, or file format so another database, application, or
program can use the data or database objects. You can export data
to a variety of supported databases, programs, and file formats.
Family Safety
A feature set in Windows that allows parents and individuals to
customize key aspects of their online and computing experience as
they feel appropriate for their child or themselves (specifically,
people they interact with and information they see).
Feature Restrictions
Settings that limit customer use of, or access to, specific feature
attributes and commands.

imaging
The process of capturing an installation of Windows for deployment
to one or more destination computers.
import
To bring information from one system or program into another. The
system or program receiving the data must somehow support the
internal format or structure of the data.
kiosk
A freestanding computer or terminal that provides information to the
public, usually through a multimedia display.
lock
To allow the shared user profile configuration set by the
administrator to remain static from one user session to another.
locked user profile
A user account whose user profile settings return to a state defined
by Windows SteadyState every time a user logs on to the account,
no matter where the user profile settings are physically located.
mandatory user profile
A user profile that is not updated when the user logs off. It is
downloaded to the user's desktop each time the user logs on, and it
is created by an administrator and assigned to one or more users to
create consistent or job-specific user profiles. Only members of the
Administrators group can change profiles.
Microsoft Update
A Microsoft Web site that provides updates (patches and fixes) for
multiple Microsoft products in one place, including Windows
operating system software and Windows-based hardware, Microsoft
Office system, Microsoft SQL Server™, and Microsoft Exchange
Server.
notification
A message or announcement sent to the user or administrator of a
system. The recipient may be a person or an automated notification
manager.
notification area
The area on the taskbar adjacent to the system control area that
contains icons that appear when certain events occur, such as when
you receive e-mail.

partition
A portion of a physical disk that functions as though it were a
physically separate disk. After you create a partition, you must format
it and assign it a drive letter before you can store data on it. On basic
disks, partitions are known as basic volumes, which include primary
partitions and logical drives. On dynamic disks, partitions are known
as dynamic volumes, which include simple, striped, spanned,
mirrored, and redundant array of independent disks (RAID)-5
volumes.
privacy settings
Settings that allow the administrator to control the collection, use,
and distribution of personal data.
protected partition
A partition on a shared computer whose state is made static by
Windows Disk Protection.
public computer
A computer in a public environment that is accessed by several
different users on a daily basis. Often this type of computer is utilized
as a public access computer, Internet kiosk, lab computer, or
instructional computer.
remote management
For an administrator, the process of managing Windows Disk
Protection in Windows SteadyState from a remote computer through
Active Directory Group Policy.
restrict
To block access to a program or operating system functionality.
restricted user
A user account that has settings or restrictions applied by
Windows SteadyState.

restriction
A setting that blocks access to program or operating system
functionality.

restriction level
A pre-defined set of program restrictions that are automatically
applied.
retain
When Windows Disk Protection is turned on, to keep (not erase) the
cache file on the hard disk when a user logs off or the computer is
restarted.

roaming user profile
A server-based user profile that is downloaded to the local computer
when a user logs on and that is updated both locally and on the
server when the user logs off. A roaming user profile is available
from the server when logging on to a workstation or server computer.
When logging on, the user can use the local user profile if it is more
current than the copy on the server.
Schedule Software Updates
Feature in Windows SteadyState used to set schedules for software
and operating system updates. The tool works in conjunction with
Windows Disk Protection to ensure that updates are saved
permanently.
Security Center
Windows launch point to manage security settings for automatic
updates, internet options, or Windows Firewall.
security settings
Settings used to specify privacy, security, and logon configurations
for Windows.
session countdown
Feature on the General tab of User Settings that allows the
administrator to display the session countdown interface to alert
users of how much time is left before the end of their sessions.
session timer
Feature on the General tab of User Settings that allows the
administrator to set session limits and display attributes.
shared access computer
A computer in a public environment that is accessed by several
different users on a daily basis. Often this type of computer is utilized
as a public access computer, Internet kiosk, lab computer, or
instructional computer.
shared user account
A single user account that is logged on to by multiple users.
shared user profile
A file that contains configuration information for a specific user
including settings and restrictions applied by Windows SteadyState.
Each user's preferences, such as desktop settings, persistent
network connections, and application settings, are saved to a user
profile that Windows uses to configure the desktop each time a user
logs on.
Start Menu Restrictions
Settings that allow the administrator to restrict Start menu attributes.

System Preparation Tool (Sysprep)
The tool that prepares an operating system for imaging. Sysprep
removes system-specific settings and other data that should not be
copied to a destination computer. Sysprep also resets the Windows
installation to start Windows Welcome or in audit mode.
unallocated disk space
Unpartitioned and unformatted space on a hard disk.
unlock
Allows the shared user profile configuration set by the administrator
to be modified by users from one session to another.
unlocked user profile
A user account whose settings, when changed in a user session,
are retained every time the user logs on to the account.
user
A person working with software on a computer; a computer operator.
user icon, picture
Picture associated with shared user profile in Windows SteadyState.
user profile
A file that contains configuration information for a specific user, such
as desktop settings, persistent network connections, and application
settings. Each user's preferences are saved to a user profile that is
used to configure the computer each time a user logs on.
User Profile Hive Cleanup Service (UPHClean)
A service that helps to ensure user sessions are completely
terminated when a user logs off. System processes and applications
occasionally maintain connections to registry keys in the user profile
after a user logs off. In those cases the user session is prevented
from completely ending.
User Settings
Windows SteadyState feature used for configuring shared user
profiles.
Windows Disk Protection
A feature that helps protect the Windows partition that contains the
Windows operating system and other programs from being
permanently modified from user session to user session. After
Windows Disk Protection is installed, the administrator can choose to
retain all changes, retain changes for a specified duration, or to
remove all changes to the Windows partition at each computer
restart.
Windows Genuine Advantage (WGA)
A program for licensed Windows software that provides access to
updates, value-added downloads, free software trials, and special
promotions.

Windows Live ID
A single set of sign-in credentials (e-mail address and password) that
provide user access to Windows Live ID sites and services.
Windows Restrictions
Restricts user access to programs, settings, Start menu items, and
locks shared local user profiles against permanent changes.
Windows SteadyState
A software application that is used by administrators of one or more
public shared computers to help maintain computer reliability and
stability from one user session to the next.
Windows Update
A Microsoft Web site from which Windows users can install or update
device drivers. By using an ActiveX® control, Windows Update
compares the available drivers with those on the user's system and
offers to install new or updated versions.
workgroup
A grouping of computers organized to allow users to access and
share resources, such as printers and shared folders, within the
specified group. Workgroups in Windows do not offer the centralized
user accounts and authentication offered by domains.