Question Windows 11 Lockdown Computers
Good afternoon.
I handle IT for a big library and use a tool named Smartshield to prevent permanent writes on our computers.
It seems the program creates a ram drive and saves all changes there.
After a reboot, all modifications are erased, making the system ready for the next user.
It functions flawlessly 99% of the time.
The remaining 1% causes a reboot command to be triggered, leading to repeated failures.
With more than 800 computers, this results in about 8 units failing each month, requiring manual restarts after Windows updates.
Manual protection is needed for Windows updates even when using an admin account.
I had a suggestion to switch to a Windows-based solution.
First, limit the patron account to read and execute access on the C: drive.
Then move all library files—desktop, pictures, downloads—to a separate D: partition where they can be written.
During logoff, a task manager script would clear the D: drive.
This approach would eliminate the need to manually unprotect computers before updates, simplifying the process.
Anyone have thoughts on granting a local user only read and execute permissions to C:?
I assume essential Windows functions would run automatically with service level permissions.
I wanted to gather some feedback before beginning the tests.
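One way to write the logoff cleanup step described in the post above, as an added example that is not code from the thread or from any product it mentions. It assumes a hypothetical `D:\PatronData` folder holding the redirected Desktop, Pictures and Downloads, refuses to run against the system volume, and removes junctions and symlinks as links instead of following them, because the cleanup runs with more privilege than the patron who can create them.

```powershell
# Added example: logoff cleanup for a patron-writable data folder.
# Assumption (not from the thread): redirected folders live under D:\PatronData.
param([string]$DataRoot = 'D:\PatronData')

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ReparsePoint = [System.IO.FileAttributes]::ReparsePoint

function Test-SafeDataRoot {
    param([string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    # Never operate on the system volume, whatever the parameter says.
    if ($full.StartsWith($env:SystemDrive, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    # Require a subfolder, not a bare drive root such as D:\
    if ($full -eq [System.IO.Path]::GetPathRoot($full)) { return $false }
    if (-not (Test-Path -LiteralPath $full -PathType Container)) { return $false }
    # The root itself must be a real directory, not a junction or symlink.
    $root = Get-Item -LiteralPath $full -Force
    return -not $root.Attributes.HasFlag($ReparsePoint)
}

function Remove-TreeNoFollow {
    param([System.IO.FileSystemInfo]$Item)
    $isLink = $Item.Attributes.HasFlag($ReparsePoint)
    if (-not $isLink) {
        if ($Item -is [System.IO.DirectoryInfo]) {
            # Recurse only into real directories; a junction left in the data
            # folder is removed as a link and its target is never enumerated.
            foreach ($child in Get-ChildItem -LiteralPath $Item.FullName -Force) {
                Remove-TreeNoFollow -Item $child
            }
        }
        # Clear ReadOnly/Hidden so the delete below does not fail on them.
        $Item.Attributes = [System.IO.FileAttributes]::Normal
    }
    # Non-recursive delete: removes the file, the now-empty directory, or the link itself.
    $Item.Delete()
}

if (-not (Test-SafeDataRoot -Path $DataRoot)) {
    throw "Refusing to clear '$DataRoot': not a plain directory off the system volume."
}
foreach ($entry in Get-ChildItem -LiteralPath $DataRoot -Force) {
    try   { Remove-TreeNoFollow -Item $entry }
    catch { Write-Warning "Could not remove $($entry.FullName): $($_.Exception.Message)" }
}
```

The data folder is kept and only its contents are removed, so the ACLs that grant the patron account write access there survive each cleanup.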
Windows includes a built-in guest account, which does not keep any modifications made during the session. All data and settings will be erased upon logging out, ensuring that each subsequent guest user starts with a clean slate. This account has certain privilege restrictions.
More than 800 computers fail monthly, requiring manual restarts after Windows updates.
Your approach doesn’t address this issue.
Windows will still receive updates as intended.
Have you considered using Kiosk mode?
Create a single-app kiosk on Windows – Configure Windows
A single-use device is straightforward to configure in Windows Pro, Enterprise, and Education versions.
learn.microsoft.com
We have Kiosk mode configured for our catalog stations to access only the catalog site. It seemed we could only select one application for kiosk mode, so we chose Edge for this purpose. For regular patron computers, they have many preinstalled applications on their desktops that they can use. Sometimes we also need to install special apps for school exams, which might not work well with kiosk mode. We use a domain account for patron logins, which has restrictions on the subnets they can access. I hadn’t noticed guest accounts before. (After some research they are quite different from what I thought!) I wonder if the last one I used was on Windows 7. The new Windows 11 guest accounts look promising. I’ll test them tomorrow to see if they fit with the subnet limits and other requirements my boss has. Thanks USAFRet and kerberos_20!