Security policies are only valuable if they're actually enforced. A perfectly crafted security policy sitting in a document does nothing. A policy that's implemented but can be bypassed does little better. And a policy that's enforced today but drifts tomorrow creates a false sense of security.
The challenge for IT teams isn't usually knowing what security measures to implement - it's ensuring those measures stay implemented across every device, every day, regardless of what users do or what threats attempt to compromise them.
Faronics Cloud addresses this through consistent policy enforcement, fleet-wide visibility, and automatic remediation of misconfigured devices. This guide explains exactly how these capabilities improve your endpoint security posture.
Policy Enforcement That Actually Sticks
Traditional security policy enforcement relies on configuring devices and hoping that configuration persists. Users modify settings. Malware changes configurations. Software installations alter system state. Over time, devices drift from their intended configuration.
Faronics Cloud enforces policies differently - through mechanisms that can't be easily bypassed and that automatically restore intended configurations:
Deep Freeze: Configuration that can't drift
Deep Freeze doesn't just set configuration - it guarantees configuration. Every reboot restores the machine to its defined baseline. This means:
Security settings remain as defined. Windows Defender enabled? It stays enabled. Firewall configured? It stays configured. UAC settings? Exactly as you set them. Users can't permanently disable security features because changes don't persist.
Malware can't persist. Even if malware executes and modifies system configuration during a session, those modifications are wiped on reboot. Rootkits, backdoors, persistence mechanisms - all removed.
Shadow IT is automatically removed. Users install unauthorised software? Gone after reboot. Browser extensions they shouldn't have? Gone. Cryptocurrency miners? Gone. The baseline is the baseline.
Configuration audits become trivial. When every machine returns to a known state on reboot, you don't need to scan for configuration drift. The configuration is what you defined, guaranteed.
Anti-Executable: Application control that blocks by default
Anti-Executable enforces a whitelist model - only approved applications can run:
Unknown executables are blocked. Not flagged, not warned - blocked. Malware that antivirus doesn't recognise still can't execute. This is enforcement at the most fundamental level: the program simply doesn't run.
Users can't install software. Even with admin rights, software outside the whitelist won't execute. This enforces software policy without relying on user cooperation or account restrictions alone.
Policy applies regardless of delivery method. Whether malware arrives via email, USB drive, browser download, or network exploit - if it's not whitelisted, it doesn't run. The delivery vector doesn't matter; the execution policy does.
WINSelect: Interface restrictions that can't be bypassed
WINSelect enforces restrictions at the Windows shell level:
System access points are removed, not just hidden. Users can't access Control Panel, Settings, Registry Editor, or command prompts because those access points don't exist in their environment. There's nothing to hack around.
Storage restrictions are enforced. If users shouldn't access USB drives or local storage, they can't. This isn't a Group Policy that might be overridden - it's an interface restriction they can't circumvent.
Kiosk-style lockdowns are absolute. When WINSelect is configured for maximum restriction, users see only what you want them to see. No escape routes, no workarounds, no creative ways around the restrictions.
Centralised policy management
All of these enforcement mechanisms are managed centrally through Faronics Cloud:
• Define policies once, apply to device groups
• Changes propagate automatically to all affected devices
• Consistent enforcement across locations and device types
• No per-device configuration that could be missed or inconsistent
Visibility and Compliance Across Your Fleet
You can't secure what you can't see. Faronics Cloud provides visibility into your endpoint fleet that supports compliance and rapid response:
Real-time device status
The Faronics Cloud console shows the current state of every managed device:
Protection status. Is Deep Freeze frozen or thawed? Is Anti-Executable active? Is WINSelect enforcing restrictions? You see protection status at a glance, not just whether the device is online.
Policy compliance. Which policy is applied to each device? Has the device received recent policy updates? Are there devices that haven't checked in and might be running outdated configurations?
Last check-in and activity. When did each device last communicate with Faronics Cloud? Devices that haven't checked in may need attention - connectivity issues, powered off, or removed from the network.
Fleet-wide overview
Dashboard views aggregate device status across your entire fleet:
• How many devices are currently frozen vs. thawed?
• How many devices have checked in within the last 24 hours?
• Which device groups have the highest/lowest compliance rates?
• Are there patterns suggesting systemic issues?
This fleet-wide view lets you assess overall security posture quickly, without checking devices individually.
Supporting compliance requirements
For organisations with compliance obligations, Faronics Cloud provides evidence of:
Consistent configuration. Deep Freeze guarantees devices return to approved configurations. This supports compliance requirements around endpoint hardening and configuration management.
Application control. Anti-Executable demonstrates that only approved software can run. This supports requirements around whitelisting, software inventory control, and preventing unauthorised applications.
Access restrictions. WINSelect shows that access to sensitive system areas is restricted. This supports requirements around least privilege and access control.
Update management. Scheduled maintenance windows demonstrate that devices are being updated regularly. This supports patch management compliance requirements.
Audit readiness. When auditors ask "how do you ensure endpoints maintain their security configuration?" you have a clear answer: Deep Freeze guarantees it. When they ask "how do you prevent unauthorised software?" you have a clear answer: Anti-Executable blocks it. These aren't best-effort measures - they're enforced controls.
Reducing Risk from Misconfigured Devices
Misconfigured devices are a leading cause of security incidents. A firewall that's been disabled. Antivirus that's been turned off. Security updates that haven't been applied. Settings changed by users, malware, or simply by accident.
Faronics Cloud addresses misconfiguration risk through automatic remediation:
Automatic remediation on reboot
With Deep Freeze, misconfiguration is temporary by design:
User disables security feature → Restored on next reboot
Malware modifies system settings → Restored on next reboot
Software installation corrupts configuration → Restored on next reboot
Accidental changes by IT staff → Restored on next reboot
Unknown cause of drift → Restored on next reboot
The remediation is automatic. No detection required. No manual intervention. No tickets to process. The machine returns to its correct configuration on reboot, regardless of what caused the deviation.
Preventing permanent misconfiguration
Some misconfigurations are intentional and malicious. Attackers often:
• Disable security software to avoid detection
• Modify firewall rules to enable lateral movement
• Change DNS settings to redirect traffic
• Install persistence mechanisms for long-term access
• Modify startup processes to ensure malware survives reboots
With Deep Freeze, none of these modifications persist. Attackers can't permanently compromise the machine's configuration. Their changes are wiped on the next reboot, forcing them to start over - if they can even execute malware past Anti-Executable.
Known-good state, always
Perhaps the biggest security benefit is certainty. With Deep Freeze:
• You know exactly what configuration each device has
• You know that configuration matches what you intended
• You know devices will return to that configuration automatically
• You know this is true for every frozen device, every reboot, every time
This certainty is rare in endpoint security. Most environments have some devices that have drifted, some configurations that aren't quite right, some uncertainty about actual state. Deep Freeze eliminates that uncertainty for frozen devices.
Reduced attack surface through restrictions
Beyond remediation, Faronics tools reduce the attack surface in the first place:
• Anti-Executable: Fewer executables can run = fewer attack vectors
• WINSelect: Less access to system tools = fewer ways to exploit the system
• Restricted storage: Limited write access = fewer places for malware to persist
A smaller attack surface means fewer opportunities for attackers. Combined with automatic remediation, this significantly raises the bar for successfully compromising managed devices.
Frequently Asked Questions
Does Faronics Cloud replace Group Policy for security settings?
They're complementary. Group Policy sets initial configuration; Deep Freeze ensures it persists. Use Group Policy to define your security baseline, then freeze that baseline with Deep Freeze. The combination is more robust than either alone.
What happens to security configurations during thaw periods?
During thaw (maintenance windows), the machine is modifiable. This is when updates apply and persist. It's also a brief window when configurations could theoretically change. Keep thaw windows short and scheduled during low-risk times. When the machine refreezes, the new state - including updates - becomes the protected baseline.
Can users disable Faronics protections?
Not without administrative credentials. Deep Freeze, Anti-Executable, and WINSelect require authentication to modify. Standard users can't disable them. Even users with local admin rights can't bypass Anti-Executable's whitelist or thaw Deep Freeze without the Faronics password.
How does this help with ransomware specifically?
Multiple layers: Anti-Executable blocks ransomware from executing if it's not whitelisted. If ransomware somehow runs, Deep Freeze wipes its changes on reboot - encrypted files are restored to their pre-encryption state. WINSelect can restrict access to storage, limiting what ransomware could encrypt. Together, these make ransomware attacks significantly less likely to succeed.
Does improved endpoint security reduce IT workload?
Yes. Automatic remediation means fewer tickets for "something's wrong with my computer." Guaranteed configurations mean fewer troubleshooting sessions for inconsistent behaviour. Blocked malware means fewer incident response efforts. The security improvements also improve operational efficiency.
The Bottom Line: Security Through Enforcement and Certainty
Faronics Cloud improves endpoint security through three mechanisms: policy enforcement that can't be bypassed, visibility into protection status across your fleet, and automatic remediation of any configuration drift.
The result is security certainty. You define the configuration. That configuration is enforced. Deviations are automatically corrected. Attackers can't permanently modify systems. Users can't permanently weaken security. Every reboot is a return to known-good state.
For shared-access environments - labs, libraries, kiosks, public PCs - this represents a fundamental improvement in security posture. Not through better detection or faster response, but through making persistent compromise essentially impossible.
Ready to Strengthen Your Endpoint Security?
Try Faronics Cloud free for 30 days. Experience enforced security that doesn't drift.
