Advanced Options

•

Disable Command Line options – This option is selected by default. Clearing this checkbox allows for further customization of the Deep Freeze installation program when using the Silent Install System. Selecting this option prevents the pre-existing configuration choices from being changed during installation.

•	Enable Deep Freeze local policies – For enhanced security, Deep Freeze removes the following local privileges: debugging programs, modifying firmware, and changing the system time; clear this option to use existing privileges.

•	Allow user to change the clock – Select this option to allow Frozen users to adjust the system clock. Enable this feature during Daylight Savings to allow Windows to update the time automatically each season.

•

Manage Secure Channel Password – Secure Channel Password is a feature of all Windows operating systems and only applicable if the system is running in Windows Server Domain Environment. Secure Channel Password is used for secure communication between the server and workstations. The Secure Channel Password is automatically changed based on the operating system settings. While using Deep Freeze, the newly changed Secure Channel Password is lost on reboot. The Manage Secure Channel Password option avoids this situation. The Manage Secure Channel Password feature of Deep Freeze changes the value of the Group Policy Maximum machine account password age based on the Deep Freeze state (Frozen or Thawed).

>	Select the Manage Secure Channel Password option if you want Deep Freeze to manage Secure Channel Password.

When the workstation is Frozen – The workstation will not change the Secure Channel Password. This ensures that the secure communication between the server and the workstation is always maintained.

When the workstation is Thawed – The workstation will change the Secure Channel Password and sync the password with the server.

>	Do not select the Manage Secure Channel Password option if you do not want Deep Freeze to manage the Secure Channel Password.

When the workstation is Frozen – When the Secure Channel Password is changed and synced with the server, it resets to the old password on reboot.

When the workstation is Thawed – If the workstation is Thawed on the day the Secure Channel Password is changed, the new password takes affect and the workstation is synced with the server.

The Manage Secure Channel Password feature of Deep Freeze always overrides the Group Policy Maximum machine account password age and Disable machine account password changes. Set the following in the Group Policy for the Manage Secure Channel Password feature to work: Domain Controller: Refuse machine account password changes to Not Defined

•	Restart on Logoff – Select this checkbox to Restart the computer automatically when it is logged off. If this option is selected, the computer is restarted when a user logs off in a Frozen state.

•	Protect MBR/GPT – Select this checkbox if you want Deep Freeze to protect the Master Boot Record or the GUID Partition Table. If this option is selected, changes to the Master Boot Record are reversed on reboot when the computer is in a Frozen state.

•	Show One Time Password Token – When this option is selected, the OTP Token will be displayed on the password entry dialog on the Deep Freeze workstation.

If OTP feature is not used, it is recommended to keep this option disabled.

•

Retain Windows Event Logs – Select this checkbox to retain Windows Event Logs. Deep Freeze creates a 100 MB ThawSpace and stores all Windows Event Logs so they are not erased upon reboot even when the computer is in a Frozen state. The log file is recycled once it reaches 100 MB. The log files contain events related to Application, Hardware, System and Security.

•	Manage Virtual Memory – Enable this for rare cases where hardware with limited RAM may experience performance issues. Selecting this option allows Deep Freeze to manage the page file size.

This option is disabled by default. The page file size will be adjusted to match the RAM size if this option is enabled, which will allocate more hard drive space on the workstation.

•	Manage Local Administrator Password Solution – Local Administrator Password Solution (LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on Active Directory-joined or Windows Server Active Directory-joined machines.

When this option is enabled on systems where LAPS setup is detected, Deep Freeze will disable the ability of LAPS to change the configured local admin password in Frozen state and allow to do so in Thawed state. This feature ensures that the current admin password can be rotated only in Thawed state and remain synchronized with Active Directory.

•

Delay Frozen reboot to complete Windows updates – Select this option to delay reboot into a Frozen state if configuration or installation for Windows updates are pending. If you select this option and perform Windows updates (through means other than Deep Freeze), rebooting into a Frozen State will ensure that all Windows updates installation and configuration are completed before rebooting into a Frozen state.

If you select Delay Frozen reboot to complete Windows updates and install Deep Freeze, the installer checks if all Windows updates are completed. If the Windows updates are not completed, Deep Freeze installation will not proceed. Complete Windows updates and try installing Deep Freeze again. If you disable Delay Frozen reboot to complete Windows updates and install Deep Freeze, ensure that all Windows updates are completed manually. Disabling this option may result in the computer being stuck in a reboot cycle due to incomplete Windows updates.

Example

On a Windows Domain Environment using Windows Server 2008 R2 that manages multiple workstations, Secure Channel Password is used for secure communication between the server and workstations.

In Deep Freeze Enterprise Configuration Administrator, go to the Advanced Options tab and select Manage Secure Channel Password. Create the Workstation Install file and deploy it to the workstation.

Set the following in the Group Policy for the Manage Secure Channel Password feature to work:

Domain Controller: Refuse machine account password changes to Not Defined

Domain Member: Disable machine account password changes to Disabled

When the workstation is Frozen, the Secure Channel Password does not change. When the workstation is Thawed, the Secure Channel Password is changed at the workstation and synced with the server.