+ Post New Thread
Results 1 to 8 of 8
Windows 7 Thread, Impact of DeepFreeze/HDGuard on User Profiles & Logins in Technical; Hi all, I'm dragging up this old thing for discussion again. Firstly, a bit of an explanation. We use HDGuard ...
  1. #1

    Join Date
    Nov 2013
    Location
    Brisbane
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Impact of DeepFreeze/HDGuard on User Profiles & Logins

    Hi all,

    I'm dragging up this old thing for discussion again.

    Firstly, a bit of an explanation.

    We use HDGuard across 2000 devices, ranging from labs to laptops running on wireless. Because of the sheer size of our campuses, and the number of students that use these devices, it is pretty much a given that we have to use one of these products.

    We've been a HDGuard user for 7 years, and have always found it great. However, we are all know, there is a noticeable performance hit from running software like that on machines (we tested Deep Freeze and its performance hit was actually worse than HDGuard).

    So, our issue. Because of HDGuard, obviously our machines never save a profile onto a machine. The impact of this the students still need to build a profile every time they login to a machine, and we enforce a reboot when a student logs off. Also, regardless of whether or not the machine students login to has our full lab image on it (including Autodesk, CS6, Archicad, Office, etc), or just a 'slimmer' version (Office + Basics), the time from boot to desktop can be anywhere between 3-5 minutes.

    Now, I'm not sure how that compares to other schools, but for us it is unacceptable. This is on brand new hardware, but the issue with this is the disks in the machines are just too slow (5400RPM drives, probably 'green').

    Now, when it comes down to it - these are my questions and discussion points:


    • For environments that use HDGuard/DeepFreeze/Similar, what is your typical time for a machine to boot, a user to login, and a usable desktop environment to be up?
    • For environments that don't use HDGuard/DeepFreeze/Simlar, what is your solution to keeping machines clean? Do you schedule imaging? Do you just trust your AV?
    • Do you use Mandatory Profiles, and if so, how does that impact your network when you have 400-500 devices logging in in a period change? How does your WiFi hold up for that? Have you noticed any performance hits?
    • If you do use mandatory profiles, and we have dabbled with that in the past, some software still generally freaks when it tries to do things with the user profile. ArchiCAD is one that comes to mind. How do you deal with that?
    • Anything else to discuss or points to raise?


    Thanks in advance,
    Justin

  2. #2
    free780's Avatar
    Join Date
    Sep 2012
    Posts
    1,025
    Thank Post
    43
    Thanked 84 Times in 80 Posts
    Rep Power
    22
    You just set group policy to delete profiles.. or script Delprof2 on pc shutdown. I found using hdguard your av and os are always out of date. Ive found mandatory profile is not needed anymore due to reg by gpp. You can redirect appdata if needed.

  3. #3
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,671
    Thank Post
    168
    Thanked 221 Times in 204 Posts
    Rep Power
    67
    HDGuard also used to trash HDDs on a regular basis when I had it at my last place, must've been the increased amount of disk writes as the drive failures basically stopped after we removed it and went to mandatory profiles instead.

    HDGuard used to slow the boot down by an extra minute or two due to the AV issue and profile re-creation - again once on mandatory profiles it was down to 30 seconds or so after login (cold boot to desktop with HDDs was under 2 minutes)

    We managed to set up all our software with the profile and tweaked it over time for anything new, maybe another alternative would be to set a pre-configured default profile, let users change things but then reset on logoff?

  4. #4

    Join Date
    Sep 2013
    Posts
    34
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Mandatory profiles could be your solution here. Give all students one shared mandatory profile. You need to configure the software that "freaks" while setting up the profile. This way, everyone who logs in gets the same profile. You can also set it to keep a local copy of said mandatory profile, and have the computers poll the server for updates upon startup. Building a profile for the first time can take time, depending upon how much data you have to create.

  5. #5
    Duke5A's Avatar
    Join Date
    Jul 2010
    Posts
    809
    Thank Post
    83
    Thanked 132 Times in 115 Posts
    Blog Entries
    8
    Rep Power
    32
    We use Deep Freeze here on about 1300 student machines and almost half those are netbooks. Profiles are kept on the local machine so they have to be rebuilt every time, but it doesn't seem to be that detrimental to performance. A typical desktop (Core2, 4GB, 7200RPM disk) can be up and running from a cold boot in a couple of minutes. We do not enforce a reboot on log off though. The netbooks on the other hand really dogged down with Symantec End Point 12.x and Deep Freeze, so about two years ago we started stripping the AV out of the netbook carts and only running Deep Freeze; this increased performance on orders of magnitude. We still use AV on the desktops though since they have the ability to be woken up at night for updates. The AV on netbooks since it wasn't getting updated was next to useless anyways.

    Depending on how you have the schedule set for Windows Updates and AV updates could really be hurting performance as well if it is constantly downloading the same updates throughout the day.

  6. #6

    Join Date
    Nov 2013
    Location
    Brisbane
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    All good responses so far - let me address each one

    You just set group policy to delete profiles.. or script Delprof2 on pc shutdown. I found using hdguard your av and os are always out of date. Ive found mandatory profile is not needed anymore due to reg by gpp. You can redirect appdata if needed.
    We don't run AV on our machines with HDGuard - they get blitzed after every session. Good thought on redirecting AppData - that could be a potential workaround.. not sure if it'll play nice.

    HDGuard also used to trash HDDs on a regular basis when I had it at my last place, must've been the increased amount of disk writes as the drive failures basically stopped after we removed it and went to mandatory profiles instead.

    HDGuard used to slow the boot down by an extra minute or two due to the AV issue and profile re-creation - again once on mandatory profiles it was down to 30 seconds or so after login (cold boot to desktop with HDDs was under 2 minutes)

    We managed to set up all our software with the profile and tweaked it over time for anything new, maybe another alternative would be to set a pre-configured default profile, let users change things but then reset on logoff?
    Strange, we've never seen that issue with excessive drive failures - we lost maybe 10-20 drives a year out of 2000 devices?

    Yes, we have defintley noticed the direct impact having HDGuard on there alone makes. We don't run AV on our HDGuarded machines for three reasons - the performance, as you mentioned, and the fact that update scheduling in HDGuard was a bit hit-and-miss back in the day, as well as we didn't feel the need due to the machines being HDGuarded.

    Yes - we have thought about including a local mandatory profile, but the problem with that is is we cock it up or need to make a change, the machines are protected by HDGuard

    Mandatory profiles could be your solution here. Give all students one shared mandatory profile. You need to configure the software that "freaks" while setting up the profile. This way, everyone who logs in gets the same profile. You can also set it to keep a local copy of said mandatory profile, and have the computers poll the server for updates upon startup. Building a profile for the first time can take time, depending upon how much data you have to create.
    Yep, that's what I'm leaning towards still. The software that freaks had been preconfigured in our captured profile. No doubt there was a %USERNAME% somewhere that got replaced.

    We use Deep Freeze here on about 1300 student machines and almost half those are netbooks. Profiles are kept on the local machine so they have to be rebuilt every time, but it doesn't seem to be that detrimental to performance. A typical desktop (Core2, 4GB, 7200RPM disk) can be up and running from a cold boot in a couple of minutes. We do not enforce a reboot on log off though. The netbooks on the other hand really dogged down with Symantec End Point 12.x and Deep Freeze, so about two years ago we started stripping the AV out of the netbook carts and only running Deep Freeze; this increased performance on orders of magnitude. We still use AV on the desktops though since they have the ability to be woken up at night for updates. The AV on netbooks since it wasn't getting updated was next to useless anyways.
    Interesting stats on your times there - is that from boot, login to desktop, or boot to login screen..? What would be an exact figure on that if you don't mind me asking?

    Thanks for the input so far guys, appreciate it!

  7. #7


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,157
    Thank Post
    234
    Thanked 2,742 Times in 2,021 Posts
    Rep Power
    801
    Quote Originally Posted by justinmglc View Post
    We don't run AV on our machines with HDGuard - they get blitzed after every session.
    What would happen if one (or more) of your PCs got infected with Cryptolocker? By the time you found out, the computers may have been rebooted leaving any data saved on the network that hasn't been backed up impossible to decrypt.

  8. #8

    Join Date
    Nov 2013
    Location
    Brisbane
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Arthur View Post
    What would happen if one (or more) of your PCs got infected with Cryptolocker? By the time you found out, the computers may have been rebooted leaving any data saved on the network that hasn't been backed up impossible to decrypt.
    Whilst possible, this is unlikely for a number of reasons:


    • Packet filtering on all incoming/outgoing traffic, so we'd catch it (hopefully) in that
    • Machines that have HDGuard and no AV are student use machines only. The worst damage they could do is their own H:\ drive, in which case we'd just pull the last ShadowProtect snapshot and restore the data. Students cannot write to any network shares other than their own.
    • If a staff member happens to use a student machine with HDGuard on it (doesn't happen often) and no AV, again the worst damage they could do is their own H:\ drive, for which again we can restore backups from, again with ShadowProtect. Staff have access to network resources they can actually write too - typically their own departments' public storage, in which case we can also restore from a backup

SHARE:
+ Post New Thread

Similar Threads

  1. User profiles on server
    By DAZZD88 in forum Windows Server 2000/2003
    Replies: 4
    Last Post: 20th November 2009, 12:26 PM
  2. Impact of CC4 on internal support response times
    By d-taylor in forum Network and Classroom Management
    Replies: 6
    Last Post: 10th October 2009, 04:02 PM
  3. Impact of Multicast steaming video on a network
    By maniac in forum Wireless Networks
    Replies: 5
    Last Post: 23rd April 2008, 01:20 AM
  4. Replies: 4
    Last Post: 27th September 2006, 02:31 PM
  5. Java Script fails to work on one user profile!
    By pmassingham in forum Windows
    Replies: 0
    Last Post: 29th June 2006, 07:32 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •