Windows Steady State: Safeguard Shared Computers with Disk Protection and User Restrictions

Nota: Este artigo foi publicado originalmente em 2007. Windows SteadyState has been discontinued by Microsoft. This guide has been updated to include modern alternatives and current best practices for shared computer protection.

If you have ever managed computers in a library, school lab, internet cafe, or any shared-access environment, you know the challenge: users install unwanted software, change system settings, delete critical files, and leave behind personal data. Windows SteadyState was Microsoft’s free answer to this problem, and while the tool itself is no longer available, the concepts and the modern tools that replaced it remain essential knowledge for any IT administrator.

What Was Windows SteadyState?

Windows SteadyState (originally called “Shared Computer Toolkit for Windows XP”) was a free utility released by Microsoft designed to make it easier to manage shared computers. It was available for Windows XP and Windows Vista and provided three core categories of protection:

1. Disk Protection — Reverts the system drive to a known good state on reboot
2. User Restrictions — Limits what standard users can do on the system
3. Shared Access Configuração — Manages profiles, time limits, and privacy settings

Microsoft officially discontinued Windows SteadyState in 2011, removing it from their download center.

Core Features of Windows SteadyState

Disk Protection (Windows Disk Protection)

The flagship feature of SteadyState was its disk protection capability. When enabled, it worked as follows:

• All changes made to the system drive (typically C:\) were written to a cache file rather than directly to the disk.
• Upon reboot, the cache was discarded and the system returned to its original, clean state.
• Administrators could choose from three levels of protection:
  • Remove all changes at restart — Full rollback on every reboot.
  • Retain changes temporarily — Cache changes and only discard them when the cache fills up.
  • Persist changes permanently — Commit cached changes to disk (essentially disabling protection temporarily for maintenance).

This meant that no matter what a user did — installed malware, deleted system files, changed desktop wallpaper — the machine would be pristine again after a simple restart.

User Restrictions and Profile Management

SteadyState provided granular control over user accounts:

• Block access to specific programs — Whitelist or blacklist applications.
• Lock down the Start menu and taskbar — Prevent users from modifying UI elements.
• Restrict Control Panel access — Block users from changing system settings.
• Set time limits — Automatically log users out after a defined session duration.
• Hide drives — Prevent users from browsing specific drive letters.
• Disable removable media — Block USB drives, CD/DVD burning, and other external storage.

Shared Access and Privacy Features

For public or shared environments, SteadyState also offered:

• Automatic profile cleanup — Delete temporary files, browser history, and cached data at logoff.
• Profile locking — Prevent users from modifying their profile settings permanently.
• Login scheduling — Restrict when specific accounts could log in.
• Privacy clearing — Remove cookies, browsing history, and recent document lists at the end of each session.

Why SteadyState Was Discontinued

Microsoft stopped supporting SteadyState because:

• It only worked on Windows XP and Vista, both of which have reached end-of-life.
• Windows 7 and later introduced built-in features like AppLocker, Group Policy enhancements, and later Assigned Access that covered some of the same use cases.
• The enterprise market shifted toward virtualization and cloud-based endpoint management (e.g., Microsoft Intune, Azure Virtual Desktop).

Modern Alternatives to Windows SteadyState

Faronics Deep Freeze

Deep Freeze by Faronics is the most well-known direct replacement. It works on the same principle as SteadyState’s disk protection:

• Freezes the system partition at a desired state.
• All changes are discarded on reboot.
• Supports Windows 10 and Windows 11.
• Enterprise management console for controlling hundreds of machines.
• Offers “Thawed” periods for scheduled maintenance and updates.

Deep Freeze is a commercial product and is widely used in education, healthcare, and hospitality environments.

Reboot Restore Rx / Reboot Restore Rx Pro

Reboot Restore Rx offers a free version with basic reboot-to-restore functionality:

• Restores the system drive to a baseline snapshot on every reboot.
• The Pro version adds scheduling, multiple snapshots, remote management, and Windows Update integration.
• Supports Windows 10 and Windows 11.

Windows 10/11 Assigned Access (Kiosk Mode)

Modern Windows includes built-in kiosk features:

# Set up a single-app kiosk using PowerShell
Set-AssignedAccess -AppName "Microsoft.MicrosoftEdge" -UserName "KioskUser"

# Remove assigned access
Clear-AssignedAccess

Assigned Access locks a standard user account to a single Universal Windows Platform (UWP) app, making it ideal for kiosk-style deployments.

For multi-app kiosk configurations, you can use a provisioning package or MDM policy with an XML configuration:

<AssignedAccessConfiguration>
  <Profiles>
    <Profile Id="{GUID}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <!-- Custom Start layout XML -->
      </StartLayout>
      <Taskbar ShowTaskbar="false" />
    </Profile>
  </Profiles>
</AssignedAccessConfiguration>

Windows Unified Write Filter (UWF)

For IoT and embedded scenarios, Windows 10/11 Enterprise and IoT editions include the Unified Write Filter, which is the closest modern equivalent to SteadyState’s disk protection:

# Enable UWF feature
Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter"

# After reboot, enable the filter on the system volume
uwfmgr volume protect C:
uwfmgr filter enable

# Commit changes during maintenance
uwfmgr overlay commit

UWF redirects all writes to an overlay and discards them on reboot, exactly like SteadyState did.

Group Policy and AppLocker

For environments with Active Directory, Group Policy Objects (GPOs) combined with AppLocker can replicate many of SteadyState’s user restriction features:

• Software Restriction Policies or AppLocker rules to control which applications can run.
• Group Policy Preferences to lock down desktop settings, Start menu, and Control Panel.
• Folder Redirection to manage user data centrally.
• Logon/logoff scripts to clean up user sessions.

Choosing the Right Solução

Feature	Deep Freeze	Reboot Restore Rx	Assigned Access	UWF	Group Policy
Disk protection (reboot-to-restore)	Yes	Yes	No	Yes	No
User restrictions	Limited	No	Yes (single/multi-app)	No	Yes
Free option	No	Yes (basic)	Yes (built-in)	Yes (Enterprise/IoT)	Yes (with AD)
Remote management	Yes (Enterprise)	Yes (Pro)	Yes (Intune/MDM)	Yes (scripts)	Yes (AD)
Windows 11 support	Yes	Yes	Yes	Yes	Yes

Melhores Práticas for Shared Computer Management

1. Layer your defenses — Combine disk protection with user restrictions and network-level controls.
2. Schedule maintenance windows — Whether using Deep Freeze “Thaw” periods or UWF commit commands, plan regular times for Windows Updates and software installations.
3. Use standard user accounts — Never give shared users local administrator rights.
4. Enable audit logging — Track who logs in and what they do, even if the system resets on reboot.
5. Automate provisioning — Use imaging tools (e.g., MDT, SCCM, or Intune Autopilot) to rapidly redeploy machines if the protection layer fails.
6. Test before deploying — Always test your protection configuration in a non-production environment before rolling it out to a shared computer lab.

Resumo

Windows SteadyState was a groundbreaking free tool that solved real problems for administrators of shared computers. Although Microsoft discontinued it in 2011, the principles it introduced — disk protection via write filtering, session-based user restrictions, and automated profile cleanup — live on in modern tools like Faronics Deep Freeze, Reboot Restore Rx, and Windows’ own Unified Write Filter and Assigned Access. By understanding the legacy of SteadyState, you can select and configure the right modern solution for your shared computing environment.

Artigos Relacionados

• Authentication issues with Outlook Anywhere and Terminal Services Gateway (TS Gateway)
• Cannot find scanpst.exe on my machine. Where can I find it?
• Changes with NginX 1.4.7 - High