Overview

In some instances, customers may experience periodic BSOD issues after installing the Windows 10 Anniversary Update on machines protected by Deep Freeze.

Problem

The Windows 10 Anniversary update introduced additional drivers into the system that can interfere with the ability of our drivers to properly respond to some IO requests to our Storage Spaces or ThawSpaces.

Resolution

A hotfix for the issue is being worked on and will be released as soon as possible. Customers seeing this issue should contact the Faronics Support team to open a ticket on this issue to be advised when the update is released. The support team can be reached via email to support@faronics.com.

Workaround

This issue can be worked around by changing the load order for some drivers on the system. To apply the appropriate changes to a computer please follow the process below;

In Thawed state open regedit.exe and find following registry key:

HKLM\System\CurrentControlSet\Control\Class \{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters

Edit driver order as follows:

DeepFrz
Volsnap
FarSpace

Reboot the workstation, so the new order of drivers will take effect.

There are methods that can be used to deploy this fix in larger environments in an automated manner, for assistance in deploying this fix in larger deployments please contact the Faronics Support team.

The following procedure was provided by Bloomberg, for support and assitance in implementing this process please contact Bloomberg support at HTTP://WWW.BLOOMBERG.COM/NOW/CONTACTS/

1. Reboot the system Thawed
2. Log into the computer using a profile/login that you are not trying to redirect or Data Igloo cannot redirect any registry keys. (For example. Don’t log in as you if you are trying to redirect your user profile)
3. Open Data Igloo
4. Go to User Profile (to redirect the enter profile) and then Registry Key redirection
5. The following keys are to be redirected in order for Bloomberg software to update and retain information including licenses while the system is Frozen. And the registry keys that need to be saved/stored/kept are:
   • 32-bit Operating System
     • HKEY_LOCAL_MACHINE\SOFTWARE\Bloomberg L.P. (and all keys created under this key)
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
   • 64-bit Operating System
     • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Bloomberg L.P. (and all keys created under thiskey)
     • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
       Users can have the rights listed below instead of Uninstall.
   • 32-bit Bloomberg Office Tools in 32-bit Operating System.
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
       Bloomberg Office Tools (32-bit) 32-bit Bloomberg Office Tools in 64-bit Operating System
     • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\
       Uninstall\Bloomberg Office Tools (32-bit)
   • 64-bit Bloomberg Office Tools in 64-bit Operating System
     • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\
       Uninstall\Bloomberg Office Tools (64-bit)
6. 6. Reboot the system Frozen and test the Bloomberg software

Problem

Cause

Workaround

SC CONFIG bits START=auto
SC START bits
SC CONFIG wuauserv START=auto
SC START wuauserv

Faronics is aware of an issue impacting customers running Apple Hardware who run Windows on the Apple hardware using BootCamp. On systems configured with an NVME based SSD the operating system will fail to boot once Deep Freeze is installed. This issue appears to only affect systems running Apple OEM NVME SSD disks.

As of macOS 10.13 Apple systems running Solid State disks are, by default, being converted to use an updated file system called APFS on the boot disk. Deep Freeze does not support installation on a APFS based system and cannot be used on systems that have been upgraded to macOS High Sierra and converted to APFS at this time.

While Faronics does intend to support AFPS in a future release of the Deep Freeze product we at this time cannot provide a timeframe for support. For customers who wish to upgrade to High Sierra, and run Deep Freeze this document will detail a process for performing the macOS upgrade and suppressing the conversion of the file system to APFS

It is important to note that while converting to APFS is the default during the High Sierra install process not all machines are converted during the upgrade. Systems running a magnetic disk, or systems configured as a Fusion Drive are not automatically converted and continue to use the existing HPFS+ based file system on the boot volumes.

The attached document will detail the process of installing High Sierra and suppressing the conversion of the system to APFS in order to continue to be able to use Deep Freeze on the client system without interruption.

If the client system has already updated to High Sierra and has converted to APFS the only way to revert this setting will require a reformat of the disk and a reinstall of the operating system.

1. Install the Deep Freeze Enterprise software on the new server with the same customization code (recall this code is an unrecoverable encryption key set by your organization at the time of install).
2. Shutdown the old Deep Freeze console and close down the network connections. This will force the machines to check into the new server (a reboot of the workstation may be needed).

1. Install the Deep Freeze Enterprise software on the new server with the same customization code (recall this code is an unrecoverable encryption key set by your organization at the time of install).
2. Open the Deep Freeze Administrator on the current server.
3. Open the most recently deployed Deep Freeze workstation installation or configuration (.rdx) file.
4. Under the 'Advanced Options' tab, modify the 'Console IP' value where the machines report into.
5. Hit 'Save As' to create a new configuration file. Name it so it is easily recognized without opening the file (depfrz-<today's date>-new server.rdx as an example).
6. When you are ready to cut the machines over, open the Deep Freeze Enterprise console.
7. Select the machines you wish to move to the new server, and right click on the group. Select 'Update configuration'.
8. Once the configuration has been applied successfully, reboot to apply the network change when the machines are available to do so.
9. The machines should now begin to report into the new console (There will still be entries for the workstations in the old console, but they will have an '!' in front indicating a lack of communication).

1. Hit the cloud button in the new console (this only appears if you have a license key applied), at which point you'll need to enter your customization code, and cloud credentials.
2. When you connect the to the Deep Freeze Cloud, you'll be prompted to create a new site, or connect to an existing one. Select your existing site from the list.  A new site will not display any of your existing policies, or deployed Cloud Agents, even if it has a similar name.

• Selecting WAN mode radial button
• Fill in the hostname or IP address of the console 
• Hit 'Apply and Restart' once completed to apply the changes

• Click on the start menu
• Type 'cmd' in the search bar
• Right click on 'Command Prompt' to find the 'Run as Administrator' option and select it

• Go under the 'Tools' menu, and enter the 'Network Configuration'
• Uncheck 'Enable Local Service' and select 'Ok'
• Once more, enter the 'Tools>Network Configuration' dialog
• Check the option to 'Enable the local service' and select 'Ok'

• Search 'cmd' in the search bar, right click on 'Command Prompt' to find the 'Run as Administrator' option and select it
• Run 'netstat -vonba > log.txt' to export the current list of ports in use on the system
• Search the file for your Deep Freeze port (ex. 7725) 
• If any other programs aside from 'DFConsole.exe', or 'DFServerservice.exe' are using this port, there is a conflict and will prevent correct Deep Freeze Console functions

• On the client, hold the 'Shift' key and double click on the Polar Bear icon (alternatively you can use the hotkey combination of Ctrl-Alt-Shift-F6)
• On lower left side of the the login screen, the OTP token will be listed - note down this token number (XXXXXXXX:XXXXXXXX)
• There will be options to generate a temporary access password based off this provided token using either the Deep Freeze Enterprise Console or Administrator
  • In the Deep Freeze Console, go to 'Tools>One Time Passwords'
  • In the Deep Freeze Configuration Administrator, go to 'File>One Time Passwords'
• Enter the token provided into the dialog box, and press the button to 'Generate Password' 
• Note the provided password and attempt to login to the Deep Freeze workstation

• Close all Deep Freeze management applications (ensure the network services are shut down): Deep Freeze Enterprise Console (DFConsole.exe), Configuration Administrator (DFAdmin.exe), and the Console Communication Service (Dfserverservice.exe).  Double check they are not running using Windows Task Manager (taskmgr.exe) by checking under 'Processes' or 'Details'
• Run the following utility to initialize all Deep Freeze components with the appropriate Customization Code:
  
  • "C:\Program Files\Faronics\Deep Freeze Enterprise\DFInit.exe"   (32-bit)
  • "C:\Program Files (x86)\Faronics\Deep Freeze Enterprise\DFInit.exe"  (64-bit)

Overview
This document details the process of creating a Custom Action in Deep Freeze Enterprise Console using Windows PowerShell scripting technology

Introduction
A Deep Freeze Action File is an XML file that allows end users to define additional functionality in the Deep Freeze Enterprise Console. An Action File defines a method for calling an external command or program file and passing some workstation-specific information (e.g. machine IP addresses, computer names).

This document describes an example of using PowerShell script to initiate a remote command or run a process remotely on selected workstation(s) using Deep Freeze Enterprise Console.  It is assumed the user has some knowledge of PowerShell scripting, XML language, as well as Deep Freeze Custom Action XML syntax. For more information about Custom Action scripting please refer to Deep Freeze user’s guide and Technical Papers.

Configuring the environment and testing PowerShell script
To be able to use Windows PowerShell remote commands, PowerShell must be installed on the target Windows workstations and enabled. Recent Windows OS already have PowerShell installed, but those systems still may be shipped in a locked down configuration, where PowerShell is disabled.

The easiest way to enable Windows PowerShell remoting is to use the Enable-PSRemoting cmdlet on target workstation. To do this, launch Windows PowerShell with Admin rights and run following command:

PS C:\> Enable-PSRemoting -Force

This enables Windows Remoting service (WinRM) and configures the Windows Firewall so that it can accept incoming commands within same Domain. Mixed Domain environments require some additional configuration to get remote execution working, which is not in the scope of this document.

Testing PowerShell script
Before implementing PowerShell script as a Custom Action, it is a good practice to run the script on its own to insure it works correctly. In that case it makes it easier troubleshoot the script.

For the purpose of this document we will use a “Invoke-Command” which runs a script remotely. It has following syntax:

Invoke-Command -computername [COMPUTER] -ScriptBlock { [COMMAND] }

where [COMPUTER] is the target workstation Computer name, and [COMMAND] is the series of PoweShell commands.

In order to run PowerShell command without initiating PowerShell session we will use following command:

powershell -Command "& { <list of PowerShell commands> ;}"

In a following example it shows a command which uses PowerShell script for running IpConfig remotely against the target workstation with the name "Workstation1":

powershell -Command "& {Invoke-Command -computername Workstation1} -ScriptBlock {ipconfig /all; Start-Sleep -s 10};}"

This command can be launched from Windows Command Prompt window and will bring up a full IPConfig report for the target workstation and keep the Command Prompt window open for 10 seconds.

Implementing Custom Action for running a remote command
Once the above script has been successfully tested, it now can be embedded into Custom Action inside <EXECUTE> tag, where computer name will be parameterized with %%WKSNAME%% parameter, which is contextual to the selected workstation. Upon launching Custom Action Deep Freeze Console will build the actual command by replacing %%WKSNAME%% parameter with the currently selected workstation name:

<EXECUTE>powershell -Command & "{Invoke-Command -computername %%WKSNAME%% -ScriptBlock {ipconfig /all; Start-Sleep -s 10};}"</EXECUTE>

<ACTION#>

    <CAPTION>

       <ENGLISH>Get ipconfig info</ENGLISH>

       <GERMAN>Get ipconfig info</GERMAN>

       <JAPANESE>Get ipconfig info</JAPANESE>

       <SPANISH>Get ipconfig info</SPANISH>

       <FRENCH>Get ipconfig info</FRENCH>

       <CHINESE>Get ipconfig info</CHINESE>

       <PORTUGUESE>Get ipconfig info</PORTUGUESE>

    </CAPTION>

    <FILEMENU>Y</FILEMENU>

    <POPUPMENU>Y</POPUPMENU>

           <SILENT>Y</SILENT>

    <SUBITEMS/>

    <PARAMS/>

    <SYNC/>

    <LOG/>

    <EXECUTE>powershell -Command &amp; &quot;{Invoke-Command -computername %%WKSNAME%% -ScriptBlock {ipconfig /all; Start-Sleep -s 10};}&quot;</EXECUTE>

    <WORKDIR>C:\Windows\system32\</WORKDIR>

</ACTION#>

This code snippet can be added into existing CustomActions.xml file, where <ACTION#> tag must be edited with actual number of action as it would show in Console Custom Action menus.

Note: in XML code some of the special characters must be replaced with character entities, as seen in above code sample.

In order the newly created Custom Action take effect, the Deep Freeze Console must be restarted.

Implementing Custom Action which prompts user to enter a remote command
In previous example we have created a specific custom action for running IPCconfig. This way user can create an unlimited number of predefined Custom Actions for each specific command as per user requirements.

However, it may give more flexibility, if the Custom Action would prompt the user to enter a command or program to be run on selected workstation. In order to achieve this, the command must parameterized inside the XML file similarly to workstation name described above.

In the below XML code sample we have reworked the previous PowerShell command, which now remotely runs cmd command, which in its turn launches any command, script or executable represented by %CMD% parameter, entered by user.

<ACTION#>
<CAPTION>
<ENGLISH>Push remote command using Powershell</ENGLISH>
<GERMAN>Push remote command using Powershell</GERMAN>
<JAPANESE>Push remote command using Powershell</JAPANESE>
<SPANISH>Push remote command using Powershell</SPANISH>
<FRENCH>Push remote command using Powershell</FRENCH>
<CHINESE>Push remote command using Powershell</CHINESE>
<PORTUGUESE>Push remote command using Powershell</PORTUGUESE>
</CAPTION>
<FILEMENU>Y</FILEMENU>
<POPUPMENU>Y</POPUPMENU>
<SILENT>Y</SILENT>
<SUBITEMS/>
<PARAMS>
<CMD>
<VAR>%CMD%</VAR>
<CAPTION>
<ENGLISH>Command</ENGLISH>
<GERMAN>Befehl</GERMAN>
<JAPANESE>ƒRƒ}ƒ“ƒh</JAPANESE>
<SPANISH>Comando</SPANISH>
<FRENCH>Commande</FRENCH>
<CHINESE>ÃüÁî</CHINESE>
<PORTUGUESE>Comando</PORTUGUESE>
</CAPTION>
</CMD>
</PARAMS>
<SYNC>N</SYNC>
<LOG/>
<EXECUTE>powershell -Command &quot;&amp; {Invoke-Command -computername %%WKSNAME%% -ScriptBlock {cmd /c %CMD%}&quot;</EXECUTE>
<WORKDIR>C:\Windows\system32\</WORKDIR>
</ACTION#>

1. Shut down the machine completely.
2. Boot the computer from the recovery partition by holding down COMMAND-R at boot time.
3. After booting open the terminal by selecting the appropriate option from the utilities menu.
4. Run the following command in the terminal;
   
   diskutil cs list
   
   In the output from the command you should see a line indicating;
   

   Logical Volume xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx

   Note down this long string of letters and numbers on your system
5. Run the following command to revert the Core Storage Volume.
   
   diskutil cs revert xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
   
   Replacing the "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" with the combination of letters and numbers that you saw in step three.
6. Reboot the system.

Problem

Systems running Deep Freeze and McAffe Endpoint Security or Virus Scan will fail to communicate with the ePolicy Orchestrator server resulting in systems not properly updating virus definitions.

To help mitigate against replay attacks against the ePO Server the McAfee Agent and ePO Server maintain a sequence number that incremented each time that a client checks in with the ePO Server. In the event that a client checks in with a lower than expected sequence number the ePO Serer will reject the communication with the client machine resulting in the errors described above.

On the server’s side an error log similar to the following will be shown in the agent_%computername%.log file;

2009-11-12 11:57:34        I       #1492        naInet        Reading acknowledgement from ePO Server
2009-11-12 11:57:34        I       #1492        naInet        Received response [] from ePO Server
2009-11-12 11:57:34        I       #1492        naihttp       Failed to get acknowledgement from Server
2009-11-12 11:57:34        E       #1492        imsite        Error trace:
2009-11-12 11:57:34        E       #1492        imsite        [uploadFile,,/spipe/pkg?AgentGuid={91EEA947-D3FB-4CC2-AEC7-05D15CDB5C6A}Source=Agent_3.0.0,pkg00129024970542750000_12124.spkg,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack,C:\Documents and Settings\All Users\Administrator\McAfee\Common Framework\Unpack\pkg00129024970544780000_2913.spkg]->
2009-11-12 11:57:34        E       #1492        imsite         NaInet library returned code == -14

Solution
To prevent this from occurring the sequence checking feature of the ePO server will need to be disabled. This is done by editing the SERVER.INI file (located in C:\Program Files\McAfee\ePolicy Orchestrator\DB by default)  on the ePO Server to include the following entry;

ConnectionsRequireValidSequenceNumber=0

In some cases, administrators may need to take additional steps to address this issue on machines impacted by the issue by resetting the McAfee Agent GUID used to identify the systems affected. This can be done my removing the following registry keys from the system;

32-Bit:  [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\]
64-Bit:  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\]

After removing these registry keys the McAfee Framework Service will need to be restarted, or the system will need to be rebooted.

Documentation on this issue can be found on the McAfee Website at the URL’s below;

Sequence number invalid (computers running McAfee Agent fail to connect to the ePolicy Orchestrator server)

https://kc.mcafee.com/corporate/index?page=content&id=KB60776

How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator directory

https://kc.mcafee.com/corporate/index?page=content&id=KB56086

Overview

This document will detail the recommended practice for configuring a McAfee Endpoint Security to update properly when Deep Freeze is protecting a workstation.

Introduction

The most common interaction that we find on customers workstations is between antivirus software and Deep Freeze. Antivirus software by design requires periodic updates to maintain it’s effectiveness on a client workstation, and problems may arise unless steps are taken to ensure that the antivirus software can perform updates in a timely manner.

Scheduled are used to configure the antivirus software to update in a time frame where Deep Freeze will not be protecting the workstations. This has the advantage of being one of the less difficult methods to configure but does require that the workstations have a period of time where they will not be used and can be configured to update automatically.

Configuring McAfee Endpoint Security to update with Deep Freeze

McAfee Endpoint Security supports the use of a command line function that can be used to trigger antivirus updates when the workstations enter into maintenance mode. To configure Deep Freeze to trigger McAfee Endpoint Security to update when maintenance mode starts follow the process below:

Deep Freeze 8.x or Higher

1. Open the Deep Freeze Configuration Administrator.
2. Configure your Deep Freeze install package as per your normal requirements, including passwords and other settings that may be required.
3. Click on the Workstation Tasks tab.
4. Select Batch File in the Task Type drop down and click Add.
5. Name the event “McAfee Antivirus” in the Name field.
6. Select the frequency for the updates to occur in the Day drop down and set the start and end time for the event.
7. The options “Allow User to Cancel Event”, “Shutdown after Maintenance”, and “Disable Keyboard and Mouse” can be enabled if desired.
8. Click on the Batch File tab.
9. Enter the following in the Batch File Contents field on the tab:
   

   @ECHO OFF
   IF EXIST "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" /UPDATE
   IF EXIST "C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" "C:\Program Files (x86)\Endpoint Security\Threat Prevention\amcfg.exe" /UPDATE

10. Click on the “Create” button on the toolbar and save the Workstation Install Program in a location that you will remember.
11. Install the updated workstation install file on your workstations.