
Creating a Steady State by Using Microsoft

Technologies
Microsoft Corporation
Published: September 2010

Abstract
This document provides information for IT professionals and partners who support Internet cafes,
libraries, and schools. It describes how to use Group Policy settings, native Windows 7 features,
and the Microsoft Deployment Toolkit to create a steady state on shared-access computers.
Copyright information
This document is provided “as-is.” Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using
it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
Contents
Creating a Steady State by Using Microsoft Technologies .... 1
Abstract .... 1
Copyright information .... 2
Contents .... 3
Creating a Steady State by Using Microsoft Technologies .... 4
Native Windows Features .... 5
Scenarios and Limitations .... 6
    Introducing Ben Miller .... 8
Configuring Standard User Accounts .... 8
Configuring Shared User Accounts .... 12
Creating a Mandatory User Profile .... 12
Assigning a Mandatory User Profile .... 13
Configuring Accounts to Autologon .... 14
Configuring Group Policy Settings .... 15
Blocking Applications .... 17
Scheduling Updates .... 18
Using Group Policy Preferences .... 19
Restoring the Hard Disk Drive .... 21
    System Restore .... 21
Using the Microsoft Deployment Toolkit 2010 .... 22
Exporting and Importing Profiles .... 23
Virtualizing Shared Computers .... 25
    Additional Information .... 25
Creating a Steady State by Using Microsoft
Technologies
Shared computers present unique challenges. Microsoft® publishes software that gives users a
great degree of flexibility, allowing them to customize their experiences by configuring their
computers’ settings. In shared-computer scenarios, however, administrators want to limit users’
ability to change settings, particularly settings that would affect the health of the computer or the
experience of other users. Privacy and consistency are very important in shared-computer
scenarios.
Windows® SteadyState™ is a free tool from Microsoft that helps make shared computers easier
to set up and manage. In scenarios where users share computers (for example, in kiosks,
schools, libraries, or Internet cafes), Windows SteadyState helps make those computers more
reliable, providing a more consistent experience for users. Additionally, it helps defend shared
computers from unauthorized changes and restricts users from changing system settings or files.
Windows SteadyState is a useful tool for shared-computer access; however, it supports 32-bit
versions of Windows XP and Windows Vista® only. It does not support Windows 7. You can learn
more about Windows SteadyState, including the Windows operating systems it supports, at
Windows SteadyState.
Even though Windows SteadyState does not support Windows 7, many of its features can be
replicated by using native Windows 7 features and free tools from Microsoft. For example, you
can configure many Group Policy settings, and prevent users from changing them. You can use
the Microsoft Deployment Toolkit (MDT) 2010 to quickly reimage shared computers and restore
their original states. In addition to simulating many of the significant Windows SteadyState
features, using these features and free tools has the added benefit of supporting 64-bit
computers.
This document is part of a set of documents that is intended primarily for IT pros who configure
shared-computer access in business environments. But partners who support shared-computer
access in schools, libraries, and Internet cafes will also find the information useful. The document
set includes:
• Creating a Steady State by Using Microsoft Technologies (this document). Describes the
native Windows 7 features and free tools from Microsoft that you can use to create a steady
state on computers running Windows 7.
For a web version of this document, see Creating a Steady State by Using Microsoft
Technologies in the Windows 7 Technical Library.
• Group Policy Settings for Creating a Steady State. Describes Group Policy settings that
you can use to configure computer and user settings and prevent users from changing those
settings.
For a web version, see Group Policy Settings for Creating a Steady State in the Microsoft
Download Center.
• The SteadyState Reference worksheet (a downloadable .xlsx file). Look up and filter
settings that the two previous documents describe. For example, you can quickly find
information about settings that are related to Start menu restrictions.
In this document:
• Native Windows Features
• Scenarios and Limitations
• Configuring Standard User Accounts
• Configuring Shared User Accounts
• Configuring Group Policy Settings
• Restoring the Hard Disk Drive
• Exporting and Importing Profiles
• Virtualizing Shared Computers

Note

To provide feedback or ask questions about the information that these documents
contain, please contact: Windows IT Pro Community.

Native Windows Features


Microsoft developed Windows SteadyState when the Windows management features were less
robust and mature than they are today. As an example, many businesses allowed users to log on
to their computers with full administrative access, simply because most applications required full
access to the computer, and restricting users’ accounts significantly limited their flexibility.
On the other hand, Windows 7 is a modern operating system that supports modern management
features. Businesses can more easily deploy standard user accounts (accounts with limited
access to the system’s files and settings) without limiting users’ productivity. This contributes
significantly to your ability to simulate many Windows SteadyState features by using native
Windows 7 features. Additionally, many Group Policy settings are available for restricting
computer and user settings, and features like AppLocker™ allow businesses to control which
applications users can run.
When users log on to computers as a member of the Administrators group, they can change any
file or setting and access other users’ files on shared computers. Obviously, allowing users to log
on to shared computers as a member of the Administrators group is not a best practice. When
users log on to computers with standard user accounts, they cannot change system files or
settings; therefore, standard user accounts protect the computer’s configuration from malicious or
accidental changes. Additionally, users with standard user accounts cannot access other users’
files on a shared computer—protecting other users’ privacy.
Users with standard user accounts cannot change system settings or files, but this does not
prevent them from using their older applications. Applications that are designed for Windows 7
should already work with standard user accounts. For older applications that are not compatible
with standard user accounts, Windows 7 provides the ability to redirect an application’s system
changes to a location within a user’s profile. The application believes it has full access to the
system, even though it does not. Users can continue using older applications that are not
compatible with standard user accounts without affecting other users on a shared computer.

Scenarios and Limitations


Windows SteadyState provides key features for setting up and managing shared computers
running Windows XP or Windows Vista. At a high level, the Windows SteadyState features and
the Windows 7 features that this document describes include the following:

Feature: Creating user accounts and configuring user settings
Windows SteadyState: You can apply system and feature restrictions to each user account on the
computer so that users have limited access to Windows system tools, other services, applications,
files, and data.
Windows 7: You can create standard user accounts to isolate users from system tools, services,
applications, and files; then, use Group Policy settings to configure and restrict access to user
settings.
In this document: Configuring Standard User Accounts; Configuring Shared User Accounts

Feature: Setting computer restrictions
Windows SteadyState: You can apply privacy and security restrictions to the whole computer and
design a uniform user experience.
Windows 7: You can create standard user accounts to restrict users from changing computer
settings and help protect their privacy. You can configure the computer by using Group Policy
settings.
In this document: Configuring Group Policy Settings

Feature: Scheduling software updates
Windows SteadyState: You can download and install updates. This works with Windows Disk
Protection to help ensure that important updates are applied to the computer and not removed.
Windows 7: You can schedule Automatic Updates by using Group Policy settings. Standard user
accounts cannot remove these important updates.
In this document: Scheduling Updates

Feature: Restoring the hard disk drive after each user session
Windows SteadyState: Windows Disk Protection helps protect the Windows operating system and
program files from permanent changes. When people are using the computer, they can cause
changes to the hard disk drive. However, Windows Disk Protection discards those changes after
restarting the computer.
Windows 7: Users with standard user accounts cannot change system files or settings. Therefore,
discarding changes to the hard disk drive after each user session is less critical. This also
eliminates the complexity of updating computers that are using Windows Disk Protection.
However, you can restore the hard disk drive on shared computers each night by using MDT 2010.
In this document: Restoring the Hard Disk Drive

Feature: Exporting and importing user profiles
Windows SteadyState: You can export shared user profiles created on one computer and import
them to any computer on which Windows SteadyState is installed.
Windows 7: You can export users’ files and settings by using Windows Easy Transfer, and then
import them on any other computer. Windows Easy Transfer is a tool that is built in to Windows 7
that users can use to migrate their files and settings from one Windows installation to another.
In this document: Exporting and Importing Profiles

With the exception of Windows Disk Protection, the features that Windows SteadyState provides
have counterparts in the native Windows 7 features and the free tools that this document
describes. Although Windows SteadyState does provide a single, easy-to-use interface for
configuring shared computers, any IT pro or partner can easily set up and manage shared
computers by following the guidance in this document. As for Windows Disk Protection, the
section titled Restoring the Hard Disk Drive recommends strategies that can help you simulate, if
not replicate, this feature.
This document supports a variety of scenarios. These include computers that are shared in
businesses (for example, kiosks and call centers), libraries, schools, and Internet cafes. To help

you better understand this document’s recommendations, it follows a fictional user named Ben
Miller, who is an IT pro with Blue Yonder Airlines.

Introducing Ben Miller


Ben Miller is an IT pro for Blue Yonder Airlines. His manager tasked Ben with an exciting new
project: setting up shared-access computers.
He is configuring two types of shared computers. The first type consists of computers that employees
can use to check email, search the Web, and so on. These computers will be in meeting rooms
and cafeterias. Employees will use their own accounts to log on to these computers.
The second type consists of shared computers in public areas that guests can access. Because guests
will not have an account on the Blue Yonder Airlines domain, guests will log on to shared
computers by role. That is, they will log on to shared computers using a preconfigured account
named ByaGuest. Ben prefers to not enable the built-in Guest account.
In both cases, Ben has specific requirements. The health of the computers and users’ privacy are
paramount. Additionally, he wants to assure users a consistent experience every time they log on
to one of the shared computers. He is installing Windows 7; therefore, he cannot use Windows
SteadyState to configure the shared computers.

Configuring Standard User Accounts


The first step to configure the shared computers for Blue Yonder Airlines is to configure user
accounts on each computer. Because the company has a network of computers running Windows
Server® 2008 R2, and the employee user accounts are listed in Active Directory®, Ben does not
need to configure user accounts on the computers that employees will share. He simply needs to
avoid adding user accounts to the local Administrators group. Domain users are members of the
Standard Users group by default. This will isolate users so that they cannot change system files
or settings, and they cannot access other users’ files or settings.
Ben needs to create user accounts for computers that guests will share. The best way to define
these accounts is based on roles. For example, a school might define three roles—students,
teachers, and staff—and then configure each shared account as appropriate. A library might
configure patron and staff roles. Ben needs only one named ByaGuest. Rather than creating this
account in Active Directory, he will create an account on each computer and then configure the
computers to automatically log on by using the ByaGuest account.

To create a local user account


1. On the shared computer, click Start, type local users, and then click Edit local
users and groups. If Windows 7 prompts you for an administrator password or
confirmation, type the password or confirm that you want to continue.
2. Click the Users folder, click Action, and then click New User.
3. In the New User dialog box (shown in Figure 1), type the appropriate information,
and then click Create.

Figure 1 Creating a new user account in Windows 7


4. If you want to create more than one user account, repeat the preceding steps for
each user account, and then click Close.

Note

When you create user accounts for individual users, do not select the User cannot
change password check box. However, when you create shared, role-based user
accounts, select this check box to prevent users from changing the password and to
prevent other users from accessing the shared computer. Additionally, select the
Password never expires check box to ensure continuous access to the shared account.
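The procedure and Note above, carried out from a script rather than the Local Users and Groups console. This is an added example and is not part of the Microsoft document: it uses the ADSI WinNT provider that is available on Windows 7 (there is no New-LocalUser cmdlet there) to create the role-based account, set the "User cannot change password" and "Password never expires" check boxes, make sure the account is in Users and not in Administrators, and read the result back. The account name ByaGuest is the document's; the password is prompted for rather than embedded in the script. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Microsoft document). Creates the shared,
# role-based standard user account via ADSI and applies the Note's settings.
$accountName = 'ByaGuest'
$password    = Read-Host -Prompt "Password for $accountName"

$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # "User cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$userPath = "WinNT://$env:COMPUTERNAME/$accountName,user"

# Create the account only if it does not exist yet.
if (-not [ADSI]::Exists($userPath)) {
    $user = $computer.Create('user', $accountName)
    $user.SetPassword($password)
    $user.SetInfo()
}
$user = [ADSI]$userPath

# Set both account flags and a description, then commit.
$flags = [int]$user.UserFlags.Value
$user.Put('UserFlags', ($flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD))
$user.Put('Description', 'Shared guest account (steady state)')
$user.SetInfo()

# Returns the member names of a local group.
function Get-LocalGroupMemberName($groupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# A standard user belongs to Users and must not be in Administrators.
if ((Get-LocalGroupMemberName 'Users') -notcontains $accountName) {
    ([ADSI]"WinNT://$env:COMPUTERNAME/Users,group").Add($userPath)
}
if ((Get-LocalGroupMemberName 'Administrators') -contains $accountName) {
    ([ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group").Remove($userPath)
}

# Read the account back and report the properties that matter for a shared account.
$user  = [ADSI]$userPath
$final = [int]$user.UserFlags.Value
New-Object PSObject -Property @{
    Account                = $accountName
    CannotChangePassword   = (($final -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
    PasswordNeverExpires   = (($final -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
    MemberOfUsers          = ((Get-LocalGroupMemberName 'Users') -contains $accountName)
    MemberOfAdministrators = ((Get-LocalGroupMemberName 'Administrators') -contains $accountName)
} | Format-List
```

The final object is the check worth keeping: for a shared account, CannotChangePassword and PasswordNeverExpires should both be True and MemberOfAdministrators False. For individual (non-shared) accounts, omit the $ADS_UF_PASSWD_CANT_CHANGE flag, as the Note says.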
In addition to creating standard user accounts, you can configure them when users first log on to
the computer. Windows 7 stores users’ files and settings in user profiles, which are separated
from system settings. By default, Windows 7 stores these user profiles in C:\Users, creating one
subfolder for each user who logs on to the computer. The first time a user logs on to the
computer, Windows 7 creates the user’s profile folder by copying the default user profile from
C:\Users\Default to the user’s profile folder.
Configuring default user profiles is an easy way to configure new user accounts. However, they
aren’t appropriate for all settings. Default user profiles are a simple way to configure
preferences that you want to allow users to change. They are not appropriate for
settings that you want to control. For these, use Group Policy settings. For more information
about configuring policies, see the section titled Configuring Group Policy Settings in this
document.

To create a default user profile


1. Log on to a computer running Windows 7 as a member of the local Administrators
group. Do not use a domain account.

Note
Use a lab or extra computer running a clean installation of Windows 7 to create a
default user profile. Do not use a computer that is required for business (that is, a
production computer). The process these steps describe removes all domain
accounts from the computer, including user profile folders. After creating the
default user profile, you can copy it from C:\Users\Default to a network location or
to a removable storage device.
2. Configure the settings that you want to include in the user profile. For example, you
can configure settings for the Start Menu, Windows Explorer, and so on.
3. Create an Unattend.xml file that sets the CopyProfile parameter to True. The
CopyProfile parameter causes Sysprep to copy the currently logged-on user’s profile
folder to the default user profile. You can use Windows System Image Manager, which is
part of the Windows Automated Installation Kit (Windows AIK) to create the Unattend.xml
file. For more information, see Windows Automated Installation Kit for Windows 7.
4. At a command prompt, type the following command and press ENTER:
sysprep /oobe /reboot /generalize /unattend:unattend.xml
(Sysprep.exe is located at: C:\Windows\System32\sysprep)
5. Complete the out-of-box experience, and then log on to the computer by using an
account that has local administrator privileges.
6. Click Start, type user profile, and then click Configure advanced user profile
properties.
7. In the User Profiles dialog box (shown in Figure 2), click Default Profile, and then
click Copy To.

Figure 2 Copying the default user profile by using the User Profiles dialog box
8. In the Copy To dialog box, do the following:
a. In the Copy profile to text box, type the path of the location where you want to
save the default user profile.
b. Under Permitted to use, click Change, type Everyone, and then click OK.
9. Click OK to copy the default user profile.

Note
Other methods of creating default user profiles exist. For example, you can click
the Copy To button on the User Profiles dialog box to copy a user profile folder to
the default user profile. However, the steps that this section describes are the
only steps that Microsoft supports for customizing a default user profile. These
steps clean the source user profile so that it supports multiple users. For more
information, see How to customize default user profiles in Windows 7 and in
Windows Server 2008 R2.
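Steps 3 and 4 of the procedure above, as an added example that is not part of the Microsoft document. The script writes a minimal Unattend.xml that sets CopyProfile to true in the specialize pass of the Microsoft-Windows-Shell-Setup component (the same setting Windows System Image Manager would produce), checks the answer file and the computer before generalizing, and then runs Sysprep with the switches from step 4. The processor architecture is detected from the running session; the answer file location is chosen for this example. Run it on the lab computer only, as the Note above warns.

```powershell
# Added example (not from the Microsoft document). Generates the CopyProfile
# answer file and runs Sysprep to turn the current profile into the default profile.
$arch         = if ([IntPtr]::Size -eq 8) { 'amd64' } else { 'x86' }
$sysprepDir   = Join-Path $env:SystemRoot 'System32\sysprep'
$unattendPath = Join-Path $sysprepDir 'unattend.xml'     # location chosen for this example

$unattend = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="$arch"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
"@

# Refuse to generalize a domain-joined computer: Sysprep removes its domain
# accounts and profiles, which is why the Note calls for a lab computer.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) { throw 'This computer is domain-joined; use a clean lab computer instead.' }

# Make sure the answer file parses and really carries CopyProfile=true.
[xml]$doc = $unattend
if ($doc.unattend.settings.component.CopyProfile -ne 'true') {
    throw 'CopyProfile is not set to true in the generated answer file.'
}

Set-Content -Path $unattendPath -Value $unattend -Encoding UTF8
Write-Host "Wrote $unattendPath (pass=specialize, arch=$arch, CopyProfile=true)."

# Step 4 of the procedure. Note there is no space after the colon in /unattend:.
& (Join-Path $sysprepDir 'sysprep.exe') /oobe /reboot /generalize "/unattend:$unattendPath"
```

After the restart, continue with step 5: complete the out-of-box experience, log on as a local administrator, and copy C:\Users\Default from the User Profiles dialog box as steps 6 to 9 describe.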

Configuring Shared User Accounts
In addition to configuring shared computers for employees, Ben is creating shared computers for
corporate guests. For these computers, users will share a single account named ByaGuest.
Maintaining the computers’ health and creating a consistent user experience are requirements.
Additionally, because users might leave personal information on shared computers (for example,
through cookies in Internet Explorer® 8), he needs to protect their privacy.
Ben needs Windows 7 to forget users’ changes after every user session. This includes any files
they saved in the Documents folder, any cookies that Internet Explorer 8 saved, and so on. The
simplest way to do that is to use a mandatory profile.
Ben can create a default user profile, as the previous section described, and then use that profile
as the basis for a mandatory profile. This will create one central user profile for all users. When
users log off the computer, Windows 7 deletes their changes. Each time users log on to the
computer by using the shared account, they start with a new copy of the mandatory user profile.

Creating a Mandatory User Profile


The first step to creating a mandatory user profile is to create a default user profile. The section
titled Configuring Standard User Accounts describes how to create a default user profile. You
must create a folder for the mandatory user profile and configure its permissions so that everyone
can access it. Then you copy the default user profile to the mandatory user profile folder.
Windows 7 recognizes a mandatory user profile that is based on the name of the registry hive file.
Each user profile contains a registry hive file named Ntuser.dat, which contains the user’s registry
settings. Renaming it to Ntuser.man causes Windows 7 to make the user profile mandatory.

To create a mandatory user profile


1. Copy the default user profile that you created in Configuring Standard User Accounts
to C:\Users on the shared computer.
2. Rename the folder Mandatory.v2. (The root part of the file name can be anything you
like, but the folder name must end with “.v2” to identify it as a Windows 7 user profile
folder.)
3. Use the following procedure to rename Ntuser.dat to Ntuser.man:
a. Open C:\Users\Mandatory.v2 in Windows Explorer.
b. In Windows Explorer, click Organize, and then click Folder and search options.
c. On the View tab, select the Show hidden files and folders check box, clear the
Hide protected operating system files check box, click Yes to confirm that you
want to show operating system files, and then click OK to save your changes.
d. Rename Ntuser.dat to Ntuser.man. Figure 3 shows what this should look like in
Windows Explorer with hidden files showing.

Figure 3 Preparing a mandatory user profile

Assigning a Mandatory User Profile


Previously, Ben created the account named ByaGuest for shared access to the computers. Now,
he simply needs to assign the mandatory user profile he created to the local user accounts.

To assign a mandatory user profile to a shared account


1. On the shared computer, click Start, type local users, and click Edit local users
and groups. If Windows 7 prompts you for an administrator password or confirmation,
type the password or confirm that you want to continue.
2. Click the Users folder.
3. In the right pane, click the user account to which you want to assign the mandatory
user profile. In Ben’s case, he clicks the account named ByaGuest.
4. Click Action, and then click Properties.
5. On the Profile tab, in the Profile path box, type the path of the mandatory user profile
that you want to assign to this account, omitting the “.v2” from the end of the folder name.
In Ben’s example, the path is C:\Users\Mandatory.

Figure 4 Assigning a mandatory user profile to a user account
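The two procedures above (Creating a Mandatory User Profile and Assigning a Mandatory User Profile) in one script, as an added example that is not part of the Microsoft document. It copies a default user profile into a ".v2" folder, renames Ntuser.dat to Ntuser.man, grants Everyone read access so any user can load the profile, assigns the profile path (without ".v2") to the shared account through ADSI, and then verifies each of those conditions. $sourceProfile is assumed to be the default profile prepared in Configuring Standard User Accounts; the folder name Mandatory.v2 and the account name ByaGuest are the document's. Run it from an elevated prompt on the shared computer.

```powershell
# Added example (not from the Microsoft document). Builds and assigns the
# mandatory profile, then checks the result.
$sourceProfile = 'C:\Users\Default'                         # assumed: the prepared default profile
$profileRoot   = 'C:\Users'
$profileName   = 'Mandatory'
$profileFolder = Join-Path $profileRoot "$profileName.v2"   # folder name must end in .v2
$profilePath   = Join-Path $profileRoot $profileName        # value assigned to the account
$accountName   = 'ByaGuest'

# 1. Copy the profile including hidden and system files. /XJ skips the
#    junction points a profile contains, which would otherwise recurse.
if (-not (Test-Path $profileFolder)) {
    robocopy $sourceProfile $profileFolder /E /XJ /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
}

# 2. Rename the registry hive; the .man extension is what makes the profile mandatory.
$dat = Join-Path $profileFolder 'ntuser.dat'
$man = Join-Path $profileFolder 'ntuser.man'
if ((Test-Path $dat) -and -not (Test-Path $man)) {
    (Get-Item $dat -Force).Attributes = 'Normal'            # hidden/system flags block the rename
    Rename-Item -Path $dat -NewName 'ntuser.man'
    (Get-Item $man -Force).Attributes = 'Hidden, System'
}

# 3. Everyone needs Read & Execute on the folder tree to load the profile.
$acl  = Get-Acl $profileFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $profileFolder -AclObject $acl

# 4. Assign the profile to the account, omitting ".v2" as step 5 above says.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$accountName,user"
$user.Put('Profile', $profilePath)
$user.SetInfo()

# Verify the conditions a mandatory profile depends on.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$accountName,user"
$rx   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$everyoneRead = (Get-Acl $profileFolder).Access | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}
New-Object PSObject -Property @{
    ProfileFolder       = $profileFolder
    FolderEndsWithV2    = $profileFolder.EndsWith('.v2')
    NtuserManPresent    = (Test-Path $man)
    NtuserDatAbsent     = -not (Test-Path $dat)
    EveryoneCanRead     = ($everyoneRead -ne $null)
    AssignedProfilePath = $user.Profile.Value
} | Format-List
```

If NtuserManPresent is False after the copy, the source folder had no Ntuser.dat (for example, a copy made without hidden files); recopy it with hidden and system files included, because a profile without its hive cannot be loaded at all.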

Configuring Accounts to Autologon


Ben wants to configure the public shared-access computers to automatically log on as ByaGuest
each time they start. That way, corporate guests do not need an account or password to use the
computer. To do this, he can configure the registry values shown in Table 1. These values are
located in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Ben could use a manual process to configure these registry values on each shared computer. For
example, Ben could export these values to a .reg file, and then import that .reg file into the
registry on each computer. However, because Ben’s shared computers are all joined to a domain,
he will use Group Policy preferences to automatically configure these values on each shared
computer. For more information about Group Policy preferences, see the section titled Using
Group Policy Preferences.

Value Type Setting

AutoAdminLogon REG_SZ 1

DefaultDomainName REG_SZ LITWARE

DefaultUserName REG_SZ ByaGuest

DefaultPassword REG_SZ Password

Table 1 AutoLogon registry values

Note

The Windows Sysinternals Suite includes a tool named Autologon that you can use to
configure computers to automatically log on to a specific account. The benefit of using
this tool is that it encrypts the password, whereas the values shown in Table 1 store the
password in plain text.
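A check for the point the Note makes, as an added example that is not part of the Microsoft document. The script reads the Winlogon key named above and reports whether autologon is configured and whether the password is present as a plain-text DefaultPassword registry value (the Table 1 method). A computer configured with the Sysinternals Autologon tool shows autologon enabled with no plain-text value, because that tool stores the password in an LSA secret instead. A helper is included that removes a plain-text value so the tool can be run afterwards; autologon stops working until that is done. Run it from an elevated prompt on the shared computer.

```powershell
# Added example (not from the Microsoft document). Audits the autologon
# configuration for a plain-text DefaultPassword value.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    $p = Get-ItemProperty -Path $winlogonKey

    $enabled   = ($p.AutoAdminLogon -eq '1')
    $plaintext = -not [string]::IsNullOrEmpty($p.DefaultPassword)

    # The Winlogon key is readable by standard users, so a plain-text value
    # is visible to anyone who can log on to the computer.
    if ($enabled -and $plaintext) {
        $advice = 'DefaultPassword is stored in plain text; remove it and set the password with Sysinternals Autologon.'
    } elseif ($enabled) {
        $advice = 'Autologon is enabled without a plain-text DefaultPassword value.'
    } elseif ($plaintext) {
        $advice = 'Autologon is disabled but a plain-text DefaultPassword value remains; remove it.'
    } else {
        $advice = 'Autologon is not configured.'
    }

    New-Object PSObject -Property @{
        AutoAdminLogon         = $enabled
        DefaultDomainName      = $p.DefaultDomainName
        DefaultUserName        = $p.DefaultUserName
        PlaintextPasswordInReg = $plaintext
        Advice                 = $advice
    }
}

# Removes the plain-text value without touching AutoAdminLogon, DefaultUserName
# or DefaultDomainName, so the Sysinternals tool can supply the secret next.
function Remove-PlaintextAutoLogonPassword {
    $p = Get-ItemProperty -Path $winlogonKey
    if ($p.PSObject.Properties['DefaultPassword']) {
        Remove-ItemProperty -Path $winlogonKey -Name DefaultPassword
    }
}

Get-AutoLogonState | Format-List AutoAdminLogon, DefaultDomainName, DefaultUserName, PlaintextPasswordInReg, Advice
```

The same check can be run across the shared computers from the domain (for example through a Group Policy preference that deploys the script, or remotely with WMI's StdRegProv) to find any computer that was configured with a .reg file instead of the Sysinternals tool.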

Configuring Group Policy Settings


Group Policy provides an infrastructure for managing computer and user settings in businesses.
Administrators define Group Policy objects (GPOs) in Active Directory. Windows 7 applies the
settings to computers each time they start or to users each time they log on. Group Policy
refreshes GPOs at a regular interval.
Standard user accounts cannot change settings that administrators define in a GPO. For
example, if Ben defines a setting that configures the Windows 7 desktop theme, users cannot
change the theme. Windows 7 also supports a variety of settings that restrict users from certain
parts of the user interface. Ben can prevent users from opening Control Panel, for example.
Windows SteadyState implements many of its features as Group Policy settings, and Windows 7
provides many more Group Policy settings than earlier versions of the Windows operating
system. This makes it easy to replace Windows SteadyState with native Windows 7 features and
free tools from Microsoft.

Note

Group Policy is enforceable only with standard user accounts. If you allow users to log on
to their computers as administrators, they can change or remove Group Policy settings
with minimal effort. However, Group Policy will reapply any settings that users change or
remove at the next refresh interval.
The second document in this set, Steady State Reference Document, describes a large number
of Group Policy settings that you can use to configure and restrict settings. It also identifies
which Group Policy settings match which Windows SteadyState settings, to help you transition
from Windows SteadyState to native Windows 7 features.
Because Ben’s shared computers are domain-joined, he can configure GPOs in Active Directory,
and then apply those GPOs to multiple computers. The remainder of this section focuses on how
to configure local Group Policy objects (LGPOs) on shared computers that are running
Windows 7, replicating the way Windows SteadyState works. Local Group Policy objects are
stored on individual computers whether or not they are part of an Active Directory environment.

To configure the LGPO


1. On the shared computer, click Start, type group policy, and then click Edit group
policy to open the Local Group Policy Editor.
2. In the console tree (left pane), click the folder that contains the setting you want to
configure, as shown in Figure 5.
3. In the details pane (right pane), click the setting that you want to configure, and then
click Action, Edit on the menu.

Figure 5 Configuring the LGPO


The local policy settings apply to the computer and to all users who use the computer. You can
optionally configure multiple LGPOs to help better manage settings on shared computers.
The multiple LGPOs feature consists of the following LGPOs:
• Administrators Local Group Policy. This LGPO applies user policy settings to
members of the Administrators group.
• Non-Administrators Local Group Policy. This LGPO applies user policy settings to
users who are not included in the Administrators group.

• User-Specific Local Group Policy. This LGPO applies user policy settings to a specific
local user.

Note

Using multiple LGPOs has an advantage over configuring a single LGPO. The single
LGPO applies settings to the computer and to all users who use the computer. So the
restrictions in the LGPO apply to local administrators, and these restrictions can prevent
administrators from maintaining the computer without first resetting the LGPO. Instead,
you can configure restrictions by using the non-administrators LGPO. This leaves
administrators free to maintain the computer while applying restrictions to standard users.

To configure multiple LGPOs


1. Click Start, type mmc, and press ENTER to open the Microsoft Management
Console.
2. Click File, and then click Add/Remove Snap-in.
3. In the Available Snap-ins list, click Group Policy Object Editor, and then click
Add.
4. In the Select Group Policy Object dialog box, click the Browse button.
5. In the Browse for the Group Policy Object dialog box, click the Users tab, and
then click the user or group for which you want to create or edit the local Group Policy
settings.
6. Click OK, click Finish, and then click OK.

Blocking Applications
Windows SteadyState allows you to create a list of programs to block for each user. Windows 7
includes a more robust feature for controlling the applications that users can run: AppLocker (see
Figure 6). AppLocker works with the LGPOs and GPOs that are deployed in Active Directory, and
it provides a significant advantage for shared computer environments. AppLocker is supported by
the Windows 7 Enterprise or Windows 7 Ultimate operating systems.
AppLocker is more flexible than earlier tools for managing the applications that users can run,
including software restriction policies and Windows SteadyState. Instead of providing a list of
programs to block, AppLocker allows you to specify which applications users are allowed to run.
Doing so can make controlling applications easier because it allows you to prevent even unknown
applications from running on the computer.

Figure 6 Defining an AppLocker rule by using the Create Executable Rules Wizard
With AppLocker, you can:
• Define rules based on file attributes, such as the file’s digital signature, including the
publisher, product name, file name, or file version. For example, you can create a rule that
specifically allows any version of Adobe Acrobat Reader to run.
• Create exceptions to rules. For example, you can create a rule that allows all built-in
Windows programs to run except the Registry Editor (Regedit.exe), preventing users from
trying to make changes to the registry.
Creating AppLocker rules by using the Create Executable Rules Wizard is easy. You can learn
more about AppLocker on TechNet.
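The allow-list approach this section describes, built with the AppLocker cmdlets that ship with Windows 7 Enterprise and Ultimate, as an added example that is not part of the Microsoft document. Rules are generated from the executables already installed under Windows and Program Files, the policy is switched to audit-only mode, it is tested against a few binaries, and only then is it written to the local GPO. regedit.exe is tested on purpose: the generated publisher rule allows it because it is a signed Windows binary, which is exactly why the document adds an exception for it (the wizard in Figure 6 adds the exception; the cmdlets do not). The scanned paths are standard Windows locations; the output file name is chosen for this example. Run it from an elevated prompt.

```powershell
# Added example (not from the Microsoft document). Builds, audits and tests
# an AppLocker executable policy before enforcing it.
Import-Module AppLocker

$policyXml = Join-Path $env:TEMP 'applocker-shared.xml'   # file name chosen for this example

# 1. Collect file information for installed executables. Publisher rules cover
#    signed files; hash rules are the fallback for unsigned ones.
$fileInfo = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 2. Start in audit-only mode: AppLocker logs what it would have blocked
#    instead of blocking it, so the allow list can be checked before guests use it.
[xml]$doc = Get-Content $policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyXml)

# 3. Dry run against known binaries. A file with no matching rule is reported
#    as Denied; once the policy is enforced it will not run.
$samples = @('C:\Windows\regedit.exe', 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\cmd.exe')
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. The Application Identity service must be running for AppLocker to evaluate rules.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Apply to the local GPO (use -Ldap with a GPO path instead for a domain GPO).
Set-AppLockerPolicy -XmlPolicy $policyXml

# Afterwards: what audit mode would have blocked (event 8003 in the AppLocker log).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Leave the policy in audit mode for a few days of normal use, add rules for anything legitimate that appears as event 8003, add the Regedit exception from the section above, and only then change EnforcementMode to Enabled.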

Scheduling Updates
Ben’s requirements include keeping computers healthy and protecting users from security risks. A
key way Ben can do that is by applying security updates regularly. One option is to manually
configure Automatic Updates. To do that, he simply clicks Start, types windows update, and clicks
Windows Update. Then, he clicks Change settings and chooses which type of updates to install
and when to install them.
To configure Automatic Updates for shared computers, Ben can use Group Policy settings.
Because Blue Yonder Airlines uses Windows Server Update Services (WSUS) to install Windows
updates, Ben will create a GPO in Active Directory that configures his shared computers to
automatically download and install approved updates from WSUS.

You can also configure an LGPO or a GPO in Active Directory to automatically download and
install updates from Windows Update. As shown in Figure 7, Windows Update settings are
located at:
Computer Configuration\Administrative Templates\Windows Components\Windows Update

Figure 7 Group Policy settings for Automatic Updates


Group Policy settings provide a great deal of flexibility for scheduling updates. Not only can you
configure which types of updates to install and when to install them, but you can choose whether
Automatic Updates prompts users to restart their computers, whether Automatic Updates installs
recommended updates in addition to important updates, and so on. Automatic Updates in
Windows 7 allows you to schedule updates on shared computers similarly to Windows
SteadyState.
The second document in this set, Steady State Reference Document, describes the Group Policy
settings that you can use to schedule and configure Automatic Updates in Windows 7. That
document also lists recommended values for these settings. You can apply these settings by
using an LGPO or a GPO in Active Directory.

Using Group Policy Preferences


Ben has identified a number of settings that he wants to configure with Group Policy for
applications that do not support Group Policy settings. He also wants to configure a number of
Windows features that do not provide Group Policy settings. For example, he wants to configure
shared computers so that they automatically log on by using the ByaGuest account.

To do that, Ben can use Group Policy preferences in the Group Policy Management Console. In
Figure 8, you see how Ben uses registry items in Group Policy preferences to configure
Autologon in Windows 7. (LGPOs do not support Group Policy preferences.) By using Group
Policy preferences, Ben can configure settings for applications that do not support Group Policy.
Also, he can configure these settings and allow users to change them, or he can enforce them
each time Group Policy refreshes. To learn more about Group Policy preferences, see Group
Policy Preferences Overview.

Figure 8 Using Group Policy preferences to configure shared computers


The key difference between Group Policy settings and Group Policy preferences is enforcement.
Group Policy strictly enforces policy settings. Group Policy writes settings to the Policy branches
of the registry, and the access control lists (ACLs) on those branches prevent standard users
from changing them. When an application or operating system feature that is compatible with
Group Policy looks for a potentially managed setting, it first looks for the policy setting. If the
policy setting does not exist, it looks for the setting elsewhere in the registry.
Applications and operating system features that are compatible with Group Policy typically
disable the user interface for settings that Group Policy is managing, which prevents users from
changing them. Group Policy refreshes policy settings every 90 minutes, by default, but this time
can be configured by a Group Policy administrator.
In contrast to Group Policy settings, Group Policy preferences are not strictly enforced. Group
Policy does not store preferences in the Policy branches of the registry. Instead, it writes
preferences to the same locations in the registry that the application or operating system feature
uses to store the settings. The implications of this include:
• Group Policy preferences support applications and operating system features that are not
compatible with Group Policy.
• Group Policy preferences do not cause the application or operating system feature to
disable the user interface for the settings they configure.
The result is that when you deploy Group Policy preferences, users can change the settings. By
default, Group Policy refreshes preferences at the same interval as Group Policy settings.
However, you can prevent Group Policy from refreshing individual preferences by choosing to
apply them only once. Doing so configures the preference one time and allows the user to
change it.
Group Policy filtering is substantially different from Group Policy preference item-level targeting.
You filter GPOs by using WMI filters, and a filter determines whether the entire GPO applies to a
given computer or user. You cannot filter individual policy settings within a GPO. Of course, you can create
GPOs based upon your filtering requirements to work around this limitation, but that might lead to
a large set of GPOs to manage. On the other hand, Group Policy preferences support item-level
targeting—you can target individual preference items within a GPO. For example, a single GPO
can contain two preference items, both of which configure power policies. You can target the first
preference item at desktop PCs and the second at mobile PCs. Additionally, whereas Group
Policy filtering requires you to write sometimes complex WMI queries, item-level targeting
provides a friendly user interface.
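An added PowerShell check that is not part of the Microsoft document: it applies the lookup order described above (Policy branch first, then the feature's own branch) to the Automatic Updates values from the Scheduling Updates section, so you can see on a shared computer whether each value is enforced by a policy setting or merely preset where a Group Policy preference would write it. The registry paths and value names are the standard Windows Update ones; nothing else is assumed.

```powershell
# Added example, not from the Microsoft document. Assumptions: Windows 7,
# elevated PowerShell (needed to read the ACL on the Policy branch).
$PolicyAU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$SettingAU = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-EffectiveAUSetting([string]$Name) {
    # Same order a Group-Policy-aware component uses: the policy value wins;
    # only if it is absent does the ordinary (user-changeable) setting count.
    $v = Get-RegValue $PolicyAU $Name
    if ($v -ne $null) {
        return New-Object PSObject -Property @{ Name = $Name; Value = $v; Source = 'Policy (enforced)' }
    }
    $v = Get-RegValue $SettingAU $Name
    if ($v -ne $null) {
        return New-Object PSObject -Property @{ Name = $Name; Value = $v; Source = 'Setting (user-changeable)' }
    }
    New-Object PSObject -Property @{ Name = $Name; Value = '(not set)'; Source = 'Windows default' }
}

# AUOptions: 2 = notify before download, 3 = download and notify,
# 4 = download and install on the schedule below, 5 = let the local admin choose.
'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime',
'NoAutoRebootWithLoggedOnUsers', 'IncludeRecommendedUpdates' |
    ForEach-Object { Get-EffectiveAUSetting $_ } |
    Format-Table Name, Value, Source -AutoSize

# Why the Policy branch counts as enforced: standard users get no write
# access to it, so whatever appears there cannot be changed from a session.
if (Test-Path $PolicyAU) {
    (Get-Acl $PolicyAU).Access |
        Where-Object { $_.IdentityReference -like '*Users' } |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}
```

A value reported as 'Setting (user-changeable)' on a shared computer is one that a Group Policy preference has set but a user could still alter before the next refresh.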

Restoring the Hard Disk Drive


A typical user session causes many changes to the Windows partition. It creates and modifies
program files. The operating system updates settings as part of its normal activity. Given
that one of Ben’s requirements is to provide a consistent experience from one user session to the
next, he needs a way to discard these changes each time a user session ends.
In Windows SteadyState, Windows Disk Protection helps protect system settings and data from
permanent changes on the partition on which the Windows operating system is installed.
Windows 7 does not provide a similar capability. However, free tools from Microsoft can help Ben
automatically reimage shared computers every night.

System Restore
System Restore is a Windows 7 feature that helps users quickly recover from problems. System
Restore saves snapshots of the system at key points, such as before installing an application or
device driver. Users can recover from a problem by restoring the operating system to one of
these snapshots.
Although scripting is beyond the scope of this document, it is possible to use System Restore to
simulate the functionality of Windows Disk Protection. The TechNet Script Center Repository
contains a number of scripts for automating System Restore. You can use these scripts to
assemble a solution that creates a snapshot during installation, and then restores the computer to
that snapshot when the user logs off of the computer.
System Restore does not restore users’ files; however, combining System Restore with
mandatory user profiles can almost completely reset a computer between each user session.

Using the Microsoft Deployment Toolkit 2010


Not only does Ben want to reset users’ profile folders when they finish their session, he also
wants to reset shared computers so that they discard any system changes that Windows made
as part of normal activity. Microsoft does not offer a tool similar to Windows Disk Protection that
supports Windows 7. However, Ben can reinstall Windows 7 on shared computers each night—
resetting them daily.
Windows 7 and the Windows AIK provide flexible and robust tools for automating the Windows 7
installation. On their own, however, these tools can be difficult to automate and use for shared-
computer scenarios.
Ben needs a simple solution that fully automates the Windows 7 deployment tools so that he can
schedule it to reset. The Microsoft Deployment Toolkit (MDT) 2010 provides such a solution, and
it is a free download at the Microsoft Download Center. MDT 2010 provides a framework for using
the Windows 7 deployment tools, and Ben can customize MDT 2010 for the shared-computer
scenario. To learn more about MDT 2010, see Microsoft Deployment Toolkit.
To use MDT 2010 to automatically rebuild shared computers each night, Ben must do the
following:
1. Create a deployment shared resource and stock it with Windows 7 source files,
applications, device drivers, and package files.
2. Create a task sequence based on the Standard Client Task Sequence that MDT 2010
provides to install Windows 7 on shared computers.
3. Configure properties in CustomSettings.ini or the MDT 2010 database to fully automate
installation of the task sequence. The Microsoft Deployment Toolkit Sample Guide, part of the
MDT 2010 documentation set, contains numerous examples that show how to fully automate
installation.
4. Make the deployment shared resource accessible to the shared computers. Because
Ben’s shared computers are domain-joined and have network access, Ben is hosting the
deployment shared resource on a file server. This simplifies maintenance for Ben when he
must update the applications, device drivers, and packages on the deployment shared
resource. However, you can also copy the deployment shared resource to a local hard disk
drive and install Windows 7 from there.

5. Schedule a task on the shared computers to automatically start installation each night,
making sure to include the credentials of a local administrator account that has access to the
deployment shared resource. Because each new installation will not have the scheduled task,
Ben will use Group Policy preferences to automatically schedule the installation task.
Alternatively, you can write a script to schedule the installation task.
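The scripted alternative mentioned in step 5, as an added example that is not from the Microsoft document or from MDT: a PowerShell script that registers the nightly LiteTouch.vbs run with schtasks.exe (Windows 7 has no scheduled-task cmdlets) after confirming the deployment share is reachable. The server name, the dedicated account name and the start time are placeholders.

```powershell
# Added example, not from the Microsoft document or MDT. Assumptions: the UNC
# path, the account 'RebuildSvc' and the 02:00 start time are placeholders;
# MDT 2010 places LiteTouch.vbs in the Scripts folder of every deployment share.
$DeployShare = '\\FILESERVER\DeploymentShare$'          # placeholder UNC path
$LiteTouch   = Join-Path $DeployShare 'Scripts\LiteTouch.vbs'
$TaskName    = 'Nightly Shared PC Rebuild'
# A dedicated local administrator used for nothing else, with read-only
# access to the deployment share: the task stores its credentials.
$RunAs       = "$env:COMPUTERNAME\RebuildSvc"
$Password    = Read-Host -AsSecureString 'Password for RebuildSvc'   # never hard-code it

# Pre-flight: a missing share or script would only surface as a silent
# failure at 02:00, so check it now while someone is watching.
if (-not (Test-Path $LiteTouch)) { throw "LiteTouch.vbs not found at $LiteTouch" }

# schtasks needs the clear-text password for /RP; hold it only for the call.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# /RL HIGHEST runs the task elevated, which a reinstall needs; /F replaces an
# existing task of the same name. The UNC path has no spaces, so it needs no
# inner quotes (PowerShell 2.0 mangles nested quotes in native arguments).
& schtasks.exe /Create /F /TN $TaskName /SC DAILY /ST 02:00 /RL HIGHEST `
    /RU $RunAs /RP $plain `
    /TR "cscript.exe //B $LiteTouch"
$plain = $null

# Verify what was registered: the command, the account and the next run time.
& schtasks.exe /Query /TN $TaskName /V /FO LIST |
    Select-String 'Task To Run|Run As User|Next Run Time'
```

Because a freshly rebuilt computer will not carry this task, run the script as a final step of the task sequence or deploy it through the Group Policy preference described in step 5.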

Exporting and Importing Profiles


Windows SteadyState provides the ability to export users’ accounts, files, and settings and then
import them on another computer running Windows SteadyState. Windows 7 has a similar
capability: the Windows Easy Transfer tool. Ben can use this tool to copy the ByaGuest account
and its files and settings from one shared computer to another shared computer, rather than re-
creating them on each.
Windows Easy Transfer is a Windows 7 installation tool that helps users move their accounts,
files, and settings when they migrate from earlier Windows versions to Windows 7. The tool
supports three methods for moving accounts:
• Connect two computers by using an Easy Transfer Cable and then run Windows Easy
Transfer on both computers to transfer everything.
• Transfer accounts from one computer to another by using a network connection.
• Export a shared computer’s accounts to a removable storage device, then transfer them
to other computers.
Ben wants to copy accounts from one shared computer to another without connecting them, so
he will export a shared computer’s accounts to a removable storage device. Then, he can transfer
the accounts to other shared computers from the removable storage device.
Use the following procedure on the computer from which you want to save and copy the account.

To export an account and its files and settings


1. On the Start menu, type easy transfer, and then click Windows Easy Transfer.
2. Click Next.
3. Click An external hard disk or USB flash drive, and click Next.
4. Click This is my old computer.
5. Select the check box next to each account that you want to export to the removable
storage device, as shown in Figure 9, and then click Next.

Figure 9 Exporting an account by using Windows Easy Transfer
6. In the Password box, type a password with which to protect the exported account,
files, and settings. In the Confirm Password box, retype the password, and then click
Save.
7. In the Save Your Easy Transfer File dialog box, type the path and name of the Easy
Transfer File that you want to use for exporting the account. Then, click Save.
8. Click Next, click Next, and then click Close.
Use the following procedure on the computer to which you want to apply the account.

To import an account and its files and settings


1. On the Start menu, type easy transfer, and then click Windows Easy Transfer.
2. Click Next.
3. Click An external hard disk or USB flash drive, and click Next.
4. Click This is my new computer, and then click Yes.
5. In the Open an Easy Transfer File dialog box, locate the Easy Transfer File that
contains the accounts, and then click Open.
6. Select the check box next to each account that you want to import, and then click
Transfer.

7. Click Close.

Virtualizing Shared Computers


A physical computer with Windows 7 installed on it is the best way to provide a rich experience for
users sharing a computer. However, it is not the only way. Virtualization can also enable shared-
computer scenarios. The Microsoft Virtualization website describes the types of virtualization that
Microsoft offers. The following Microsoft technologies can help businesses virtualize shared-
access computers:
• Windows Virtual PC. Windows Virtual PC is a free download for Windows 7 that
provides desktop virtualization on the client. Although Windows Virtual PC does not provide
the deployment and management features of other Microsoft virtualization products, it is a
simple solution to shared-access computing. For example, you can use the Undo Disks tool
to restore virtual machines to their original state. The Virtual PC Guy's Blog contains
numerous scripts that you can use to automate various tasks. The drawback to using
Windows Virtual PC in Ben’s scenario is that preventing users from accessing the host
computer is difficult. For more information, see Windows Virtual PC.
• Microsoft Enterprise Desktop Virtualization (MED-V). MED-V is part of the Microsoft
Desktop Optimization Pack (MDOP), and it adds the missing deployment and management
features to Windows Virtual PC. You can more easily provision virtual machines to users and
control them. However, because MED-V relies on Windows Virtual PC to run virtual
machines, it has the same limitations in shared-computer scenarios: preventing users from
accessing the physical computer is difficult. For more information, see Microsoft Enterprise
Desktop Virtualization (MED-V).
• Virtual Desktop Infrastructure (VDI). With VDI, businesses host users’ desktops in the
datacenter. Users access those desktops by using Remote Desktop Connection. VDI has the
potential to be viable in shared-computer scenarios. You can put thin clients in public areas
instead of rich clients. Then, employees can access their own virtual desktops from the
datacenter. In this case, the thin client is shared, but the desktop experience is not. You can
also provide access to shared virtual desktops. In this case, the thin client and the desktop
experience are shared. The benefit is that you can heavily manage the virtual desktop from a
central location. Additionally, you can write scripts to add capabilities such as reverting to a
snapshot when a user logs off of the desktop. See Operating system virtualization for more
information.
• Application Virtualization (App-V). App-V is part of MDOP. By itself, App-V does not
provide the capability to virtualize shared computers. However, App-V can add value to
shared computers by giving users access to their applications from any shared computer they
use. For more information, see Application Virtualization.

Additional Information
• AppLocker on TechNet
• Group Policy
• Group Policy Preferences Overview
• How to customize default user profiles in Windows 7 and in Windows Server 2008 R2
• Microsoft Deployment Toolkit (MDT) 2010
• Microsoft Download Center
• Microsoft Virtualization
• Windows Automated Installation Kit for Windows 7
• Windows SteadyState
