Deploying Windows Updates using WSUS and MBSA (Windows-based HP Thin Clients)

Overview
This white paper describes the requirements and strategy recommended by HP for using Windows Server Update Services
(WSUS) and Microsoft Baseline Security Analyzer (MBSA) to deploy Windows updates to HP thin clients that are based on
Windows Embedded Standard 7 or Windows 10 IoT Enterprise.
Note
Windows Embedded Standard 7 includes Windows Embedded Standard 7E and Windows Embedded Standard 7P.
Deployment of Windows updates to thin clients is a challenge because of the volume of updates, the limited storage
available on thin clients, and the fact that many updates are not certified for embedded operating systems (which can cause
device reliability concerns). For these reasons, HP thin clients have the Windows Update service disabled by default.
Requirements for applying Windows security patches
HP supports periodically applying Windows updates to HP thin clients under the following conditions:
• You must configure the thin client’s operating system exactly as described in Windows Server Update Services.
• Each thin client must have at least 2 GB of free space in flash memory after the updates are applied.
• If a thin client’s operating system is Windows 10 IoT Enterprise, its total flash memory capacity must be at least 32 GB. If
  additional flash memory must be added to the thin client to meet the requirement, you must purchase it.
  Note
  HP does not cover warranty issues for third-party parts.
• For Windows Embedded Standard 7, File-Based Write Filter (FBWF) must be used because of limitations in the behavior of
  Enhanced Write Filter (EWF) regarding the protection of individual directories on a given volume. For Windows 10 IoT
  Enterprise, Unified Write Filter (UWF) must be used. Usage of EWF and UWF must follow these guidelines:
    • The write filter must be enabled during end-user (non-administrator) operation and should be disabled only
      temporarily by an administrator needing to make changes to the system. The write filter should be re-enabled as soon
      as the changes are completed.
    • Never enable the Windows Page File feature unless the system is configured with a flash drive that has an endurance
      sufficient for the high volume of writes this feature produces.
Additional precautions
HP recommends taking the following additional precautions when deploying updates to HP thin clients:
• Download the latest operating system (OS) image for your thin clients from HP. Updated images released by HP contain
  software updates, including cumulative Critical and Important updates. If you use the latest image available, you do not
  need to install as many updates through WSUS. In addition, updates integrated into the image are more streamlined and
  generally take up less space than if the updates were deployed cumulatively through WSUS.
• Deploy updates in stages. Due to the disk size limitation, you should deploy only a few updates at a time, based on
  update size. For example, when connecting a thin client to WSUS for the first time, there might be 50, 100, or more
  updates available, depending on the creation date of the image and the life cycle of the Windows product. Deploying
  updates in groups of 10 or less is recommended.
• Concentrate on updates marked Critical and Important first. These updates are the most necessary for security and
  stability. Updates in other categories might not be necessary, depending on your usage scenario.
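The staging guidance above can be turned into a plan before anything is approved in WSUS. The following PowerShell sketch is an added example, not part of the HP white paper: it orders pending updates Critical first, then Important, splits them into batches of at most 10, and defers any update that would leave less than 2 GB of free flash. The function name New-UpdateBatchPlan, the sample update list, and the use of each update's listed size as its on-disk footprint are assumptions made for illustration.

```powershell
# Added example (requires PowerShell 3.0 or later; run on the admin workstation).
# Constructed sample data: titles, severities and sizes are made up.
$pending = @(
    [pscustomobject]@{ Title = 'Sample update 01'; Severity = 'Important'; SizeMB = 310 }
    [pscustomobject]@{ Title = 'Sample update 02'; Severity = 'Critical';  SizeMB = 120 }
    [pscustomobject]@{ Title = 'Sample update 03'; Severity = 'Moderate';  SizeMB = 45  }
    [pscustomobject]@{ Title = 'Sample update 04'; Severity = 'Critical';  SizeMB = 640 }
    [pscustomobject]@{ Title = 'Sample update 05'; Severity = 'Important'; SizeMB = 80  }
    [pscustomobject]@{ Title = 'Sample update 06'; Severity = 'Critical';  SizeMB = 60  }
)

function New-UpdateBatchPlan {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Updates,
        [Parameter(Mandatory = $true)] [double]   $FreeMB,   # free flash space before patching
        [double]   $ReserveMB   = 2048,                      # 2 GB must remain after the updates
        [int]      $MaxPerBatch = 10,                        # upper bound on updates per group
        [string[]] $Severities  = @('Critical', 'Important')
    )
    # Critical before Important; within a severity, smallest update first.
    $rank  = @{ Critical = 0; Important = 1 }
    $queue = $Updates |
        Where-Object { $Severities -contains $_.Severity } |
        Sort-Object @{ Expression = { $rank[$_.Severity] } }, SizeMB

    $budget   = $FreeMB - $ReserveMB   # space that may be consumed (assumption: size = footprint)
    $batches  = @()
    $current  = @()
    $deferred = @()
    foreach ($u in $queue) {
        if ($u.SizeMB -gt $budget) { $deferred += $u; continue }   # would break the 2 GB reserve
        if ($current.Count -ge $MaxPerBatch) { $batches += ,$current; $current = @() }
        $current += $u
        $budget  -= $u.SizeMB
    }
    if ($current.Count -gt 0) { $batches += ,$current }

    [pscustomobject]@{
        Batches       = $batches                # array of arrays, in deployment order
        Deferred      = $deferred               # needs a newer HP image or more flash
        FreeAfterMB   = $budget + $ReserveMB    # projected free space after all batches
    }
}

# Demo: 3,100 MB free, batches capped at 3 so the small sample shows the split.
$plan = New-UpdateBatchPlan -Updates $pending -FreeMB 3100 -MaxPerBatch 3
$n = 0
foreach ($b in $plan.Batches) { $n++; 'Batch {0}: {1}' -f $n, ($b.Title -join ', ') }
'Deferred: {0}' -f ($plan.Deferred.Title -join ', ')
```

Updates that land in the Deferred list are candidates for the first precaution above: moving to the latest HP image, where they are already integrated, instead of installing them through WSUS.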
Windows Server Update Services
Windows Server Update Services (WSUS) allows you to manage the deployment of Windows updates to HP thin clients.
Because of the stateless nature of thin clients, you must make some configurations to integrate them into a
WSUS-managed environment.