Using Microsoft Baseline Security Analyzer for QFEs

Overview
The purpose of this whitepaper is to outline the strategy recommended by HP for implementing Microsoft Security Updates,
or QFEs, on HP thin clients that are based on Windows Embedded Standard 7 or Windows 10 IoT Enterprise.
Note
Windows Embedded Standard 7 includes Windows Embedded Standard 7E and Windows Embedded Standard 7P.
Windows updates and security patches, or QFEs, are a challenge for thin clients because of the volume of updates, the
limited storage available on thin clients, and the fact that many updates are not certified for thin client operating systems,
which can cause device reliability concerns. For these reasons, HP thin clients have Windows Update disabled by default.
HP understands that there might be a need to apply particular updates, depending on device, environment, or compliance
requirements. It is important to verify the size of the update to make sure that at least 2 GB of free space will remain on the
device after applying the update and to thoroughly test the update before it is rolled out to all thin client devices.
Windows-based HP thin clients have a number of security features such as the write filter that help to make sure that the
devices remain secure and to prevent users or malware from making permanent changes to the device. Other tools include
firewall protection and support for anti-virus software.
Requirements for applying Windows security patches
There are certain system requirements and image changes that are necessary to support continual use of Windows Update.
HP supports customers running Windows Update and applying periodic updates under the following conditions:
• The necessary image changes have been made using the following instructions.
• The system meets the minimum flash requirement of 64 GB and has a minimum of 2 GB of free space after the updates
are applied.
Note
If the flash or SDRAM memory is not a genuine HP part, HP does not support or provide warranty coverage for issues
with the third-party parts.
If a larger flash memory is required, it is the customer’s responsibility to purchase additional flash memory.
• Enhanced Write Filter (EWF), File-Based Write Filter (FBWF), or Unified Write Filter (UWF) is enabled during end-user (non-
administrator) operation and is disabled temporarily by an administrator only when they need to make changes to the
system or the system is configured with a flash drive that has an endurance sufficient for a high volume of writes. HP
recommends using the UWF solution bundled with Windows 10 IoT Enterprise. Microsoft management solutions, such as
Microsoft® System Center 2012 R2 Configuration Manager used with Windows Server Update Services, can be used to
enable UWF Servicing Mode, where updates can be persisted to the thin client.
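The conditions above can be checked on a device before any update is staged. The following PowerShell is an added example, not HP tooling or part of the original whitepaper. The staging folder path, the install-overhead multiplier, and the choice of the lowest-index disk as the internal flash are assumptions, and the write filter check covers only UWF on Windows 10 IoT Enterprise.

```powershell
# Added example: pre-flight check for the update conditions listed above.
param(
    [string]$UpdateFolder    = 'C:\Staging\Updates', # hypothetical folder holding .msu/.cab packages
    [double]$InstallOverhead = 2.0,                  # assumed ratio of installed footprint to package size
    [int]   $MinFlashGB      = 64,                   # minimum flash size from the whitepaper
    [long]  $MinFreeAfter    = 2GB                   # free space that must remain after the updates
)

# System volume and the disk assumed to be the internal flash (lowest index).
$vol  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$disk = Get-WmiObject Win32_DiskDrive | Sort-Object Index | Select-Object -First 1

# Total size of the staged update packages, 0 if the folder is missing or empty.
$pkgBytes = 0
if (Test-Path $UpdateFolder) {
    $sum = Get-ChildItem $UpdateFolder -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(msu|cab)$' } |
        Measure-Object -Property Length -Sum
    if ($sum.Sum) { $pkgBytes = [long]$sum.Sum }
}

# Free space expected to remain once the staged packages are installed.
$projectedFree = [long]$vol.FreeSpace - [long]($pkgBytes * $InstallOverhead)

# Drive vendors quote decimal gigabytes, so compare the flash size in units of 1e9 bytes.
$flashGB = [math]::Round([double]$disk.Size / 1e9)

# UWF state through the UWF_Filter WMI class; the class is absent when UWF is not installed.
$uwf = Get-WmiObject -Namespace 'root\standardcimv2\embedded' -Class UWF_Filter -ErrorAction SilentlyContinue
$uwfState = if ($uwf) { if ($uwf.CurrentEnabled) { 'Enabled' } else { 'Disabled' } } else { 'Not available' }

$result = New-Object PSObject -Property @{
    FlashGB         = $flashGB
    FlashOK         = ($flashGB -ge $MinFlashGB)
    FreeNowGB       = [math]::Round($vol.FreeSpace / 1GB, 2)
    PackagesGB      = [math]::Round($pkgBytes / 1GB, 2)
    ProjectedFreeGB = [math]::Round($projectedFree / 1GB, 2)
    FreeSpaceOK     = ($projectedFree -ge $MinFreeAfter)
    UwfState        = $uwfState
}
$result | Select-Object FlashGB, FlashOK, FreeNowGB, PackagesGB, ProjectedFreeGB, FreeSpaceOK, UwfState

# A non-zero exit code lets a deployment task stop before the update is applied.
if (-not ($result.FlashOK -and $result.FreeSpaceOK)) { exit 1 }
```

Run it from an elevated prompt. A UwfState of Disabled outside a maintenance window means the device is running unprotected and should be re-enabled before it returns to end-user operation.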
Windows Updates using Microsoft Baseline Security Analyzer
To install and run Microsoft Baseline Security Analyzer (MBSA):
1. Set the thin client RAM drive size to 512 MB.
A. In Control Panel, select HP RAMDisk Manager.