Score:12

What are the downsides of reboot-to-restore software in a corporate environment?


I work in a small IT department in a medium-sized enterprise (up to 200 users). Thanks to home office and our growing field workforce, it has become more challenging to supervise and manage our client PCs. One option we figured out to eliminate all our worries is to use reboot-to-restore software like Deep Freeze or HDGuard.

During our investigations, we found use-cases for that kind of software in an educational or public environment but next to no usage in corporate IT. Why is that so?

What are the downsides of reboot-to-restore software, specifically in the context of a corporate IT environment?

Appleoddity
You don’t see it because it’s for kiosks that change users all the time and require a fresh start each time someone sits down at it. Hardly the scenario in a corporate environment. You might see it on virtual workstations. In a corporate environment you should not have to reset a workstation all the time. This is an indication that other best practices aren’t in place, such as “least-privilege” access and group policies to enforce corporate policy and settings.
Probably because: no-one wants it and it would be a headache to manage.
Something missing in your question is the specific problem or problems you are trying to solve. You say it has "become more challenging"... what do you mean by that? Users install software that breaks things? Get viruses and malware? Accidentally reformat drives? One of the easiest solutions to stuff like that is simply to take away administrative privileges from your desktop users. Sure, you have to approve (and perhaps manually install) anything the user wants and doesn't have, but that can solve many of the support issues I suspect are concerning you.
@Christopher Schultz So far we have had no incidents with our external client computers. However, we are worried about our inability to employ some of our company security standards, like update management, monitoring, etc. on those devices. Also, we don't have a way to access those devices by ourselves.
Last clarifying question for you @G4schberle: it sounds like you don't really have any fleet-wide management process at all in place at this point. Usually all this stuff would be handled with Group Policies configured centrally, with all your computing assets connecting to a Windows Domain Controller to disseminate those policies, software, updates, etc. to everyone. Strictly using reboot-to-restore sounds like you've given up on this standard "active" approach to IT management. (I just double-checked the question tags; perhaps assuming a Windows environment was incorrect on my part.)
Score:30

Mostly you see that kind of software used in public access computers - schools, kiosks, things like that where people use the computer for a limited amount of time and don't want to leave any information behind when they are done.

For a typical office computer, it would have a ton of downsides:

  • User profiles get regenerated every reboot, which means long logins
  • Outlook is going to download your entire mailbox on every boot
  • Constant 2FA prompts because all the indicators that you regularly log in from this computer get removed
  • Users can't customize any settings (which might be a good thing in some situations, but not all)
  • Can't save passwords, bookmark websites, or stay logged into anything
  • Anything people save is gone, unless the software lets you unfreeze certain folders. Even then, someone's going to lose their work occasionally

Most of those are advantages on computers that are used by dozens of people a day and only used once, but big disadvantages for someone's daily use computer.

There are some use cases for it, but overall it tends to cause more problems than it solves.

How would you feel if it was your office computer that reset to its initially imaged settings every time it reboots? If you really want to give it a try, start with doing it to the IT department's computers and see how well it works.

TLW
Also can't use anything that requires a reboot.
Polygorial
I have a few more points that could be added:

  • Updates for most applications, like Firefox and Chrome, likely have to be done manually. Windows updates will work though.
  • Custom core applications for the individual user require a custom image. The applications for bookkeeping are only needed by a few persons, and adding them to everyone requires a lot of licenses.
  • Custom helper applications that the user handles can't be used. This could, for example, be a browser or a text editor the user prefers.
fraxinus
@MonkeyZeus A sane modern SSD will survive writing 10 or 50 GB every day for maybe 10 years. And, software like this actually decreases the writes.
*"How would you feel if it was your office computer that reset to its initially imaged settings every time it reboots?"* A good question, with a simple answer: I would never reboot it. I hardly ever reboot my office computer *now*, so very little would change, other than I would be extremely frustrated and lose many hours of productivity each time it *did* happen to restart. I'm unsure how users refusing to restart their desktop computers would aid either security or productivity or anything else an IT department might be concerned with.
Tim
@CodyGray At least on Windows, the administrator is able to force restarts for updates. I found that out a few months back, when I apparently hadn’t restarted my laptop in a number of months, and the administrator added it!
I'm surprised nobody mentioned that network-mounted drives might be an option to solve the "can't ever save anything" and "download all the emails" problems. I think for stupendously ignorant and untrustworthy users, reboot-to-restore would be a great idea.
Score:1

The biggest downside is the micromanagement.

I say that because you can bypass most user profile problems, but you need to think through your deployment carefully.

For example, for the user profiles:

  • Roaming profiles to keep user settings.
  • DeepFreeze related: Using a thawed space to create the user profile there. (Retaining user data)
  • Citrix Profile Management could be used if you have the license to do so.

I added an answer as no one talked about it, but other tools exist that do what you want, though they add a layer of complexity. I have in mind XenDesktop/VMware Horizon/View. The goal of those tools is to have your desktops centralized inside a datacenter, with your users connecting to them. The computer just becomes a terminal, and the user can use any desktop(s) he wants to connect to. You can read about golden image deployment (here or here), but that type of deployment makes a reboot of the VM return it to its state.

For some companies a DaaS implementation sure could be a great solution. We had to dismiss that idea a while ago, as the mobile network in some regions is too bad to ensure a stable connection from the mobile devices to our datacenter. Additionally, the solution we looked at (Horizon) is pretty expensive.