Wyse 5070 WIN 10 IoT MS Updates and Anti Virus

  • #50483
    mogaray
    Participant
    • Total Post: 30
    • Frequent Flyer
    • ★★★

    I would like to know the best way to keep Wyse Windows 10 IoT devices current with MS updates, and how you can automate the process, since the devices have a write filter. Also, I would like to install Symantec AV; I know that Windows definitions get updated often. I know you can send a command to update the definitions, but how can I send a command from WMS to disable the write filter, then run a few commands and finally enable the write filter? I know that with WDM you had the script tool that allowed you to create a script that you could later send to the devices.

    Basically, I would like to keep the Win10 IoT as secure as possible. I know that if the device gets a virus or spyware, because of the Write Filter I can always reboot and hope the virus gets removed, but I wanted to take some extra precautionary steps since these are pretty much Windows 10 and act like a Windows 10 device.

    #50487
    ConfGen
    Keymaster
    • Total Post: 10696
    • Jedi Master
    • ★★★★★★★

    All packages sent to your client from WMS will be installed fine. WMS controls the Write Filter. If WF is enabled, WMS will disable it, reboot, install, reboot and enable it again.
    If WF is disabled, WMS will only install the packages.
    For virus pattern files I would recommend excluding a folder within the WF and storing pattern files there.
    However, most AV programs also store information about pattern files in the registry, and this would then fail, of course.
    Therefore, best practice would be to use a next-gen AV program, which does not rely on pattern files anymore. A very good solution is available from CrowdStrike.

    CG

    #50526
    MoPositive
    Participant
    • Total Post: 36
    • Frequent Flyer
    • ★★★

    If you plan to use Windows Defender for antivirus, the device is already configured to allow the updates to apply without turning off the write filter. However, there are times where the update download is large enough to fill the write filter up and reboot the machine, depending on how long the machine has been running.

    I wish it were easier to apply Windows updates to these devices. I find that deploying cumulative updates takes so long for download and installation that it’s too difficult to do on a regular basis. I have also had issues where the Windows update required a reboot to finish installing, so always build an extra reboot into your deployment package; otherwise you may find your client trying to finish the install after the write filter has been re-enabled.

    #50666
    nivlacckw
    Participant
    • Total Post: 15
    • Regular Joe
    • ★★

    Currently I have configured a very large write filter, a proper write filter exclusion to hold the Windows update, and a daily reboot to flush the write filter.

    This requires careful sizing of memory when buying a Windows 10 IoT thin client. It is too difficult to use a Windows 10 IoT thin client without 8GB RAM, especially as MS makes the monthly CU so large for LTSB 2015 (1GB) and LTSB 2016 (1.5GB).

    Not to even mention the time required to perform WinSXS cleanup.

     

    #50864
    MoPositive
    Participant
    • Total Post: 36
    • Frequent Flyer
    • ★★★

    @nivlacckw,

    If I understand correctly, you have Windows Update set up to automatically download updates but not install them. You mention that you have the UWF exception for where the updates are stored, but do you see any impact on the filter cache during the download process and, if yes, do you see the memory free up after the download completes?

    How do you manage the install of the updates? Do you do it from WMS, or is it managed locally at the site? I’m very interested to hear any approach people are taking to keep the OS current.

    #50866
    nivlacckw
    Participant
    • Total Post: 15
    • Regular Joe
    • ★★

    We do not use WMS but we use W10IoT thinclient with SCCM CB.

    For UWF you have two options

    1. You can set the Windows Update service to manual and create a specific “green zone period” to disable UWF monthly for a few hours. Run a script to start the Windows Update service during the “green zone period” and download/update/reboot/WinSxS cleanup the device. Then turn on UWF by the end of the “green zone period”.

    2. If you want to keep the Windows Update service running, you do need to set up the UWF exclusion carefully and ensure that UWF has enough space to hold the download and commit all the changes.

    There is a very good Japanese article about UWF exclusion if you want to run winsxs cleanup with UWF enabled

    https://blogs.technet.microsoft.com/askcorejp/2017/11/06/uwf-setting/

    PS. My shop's Windows 10 IoT devices all come with at least 8GB RAM, with a 2GB UWF RAM overlay configured.
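
Option 1 above, combined with the earlier advice to build in an extra reboot before the write filter is re-enabled, as an added PowerShell example; it is not code from any poster in this thread. It assumes a startup scheduled task (or the management tool) runs the script at each boot only inside the maintenance window, and the marker file path is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: stateless "green zone" patch cycle for a UWF-protected thin client.
# Each run inspects the device and performs exactly one step, then reboots.
$Marker = 'C:\ProgramData\UwfMaint\last-patched.txt'   # hypothetical path; only written while UWF is off
$Month  = Get-Date -Format 'yyyy-MM'

function Test-PendingReboot {
    # Servicing stack and Windows Update both flag an unfinished install here.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    [bool]($keys | Where-Object { Test-Path $_ })
}

function Install-PendingUpdates {
    Set-Service wuauserv -StartupType Manual          # service stays manual outside the window
    Start-Service wuauserv
    $session = New-Object -ComObject Microsoft.Update.Session
    $found   = $session.CreateUpdateSearcher().Search("IsInstalled=0 and Type='Software'").Updates
    if ($found.Count -eq 0) { return }
    $dl = $session.CreateUpdateDownloader(); $dl.Updates = $found; [void]$dl.Download()
    $in = $session.CreateUpdateInstaller();  $in.Updates = $found; [void]$in.Install()
}

$uwf     = Get-CimInstance -Namespace 'root\standardcimv2\embedded' -ClassName UWF_Filter
$patched = (Test-Path $Marker) -and ((Get-Content $Marker -TotalCount 1) -eq $Month)

if ($uwf.CurrentEnabled) {
    if ($patched) { return }                          # already done this month, stay protected
    uwfmgr.exe filter disable                         # takes effect on the next boot
    Restart-Computer -Force
}
elseif (Test-PendingReboot) {
    Restart-Computer -Force                           # extra reboot: never re-enable UWF mid-install
}
elseif (-not $patched) {
    Install-PendingUpdates
    Dism.exe /Online /Cleanup-Image /StartComponentCleanup   # WinSxS cleanup while writes persist
    New-Item -ItemType Directory -Path (Split-Path $Marker) -Force | Out-Null
    Set-Content -Path $Marker -Value $Month
    Restart-Computer -Force
}
else {
    Stop-Service wuauserv                             # patched and nothing pending: close the window
    uwfmgr.exe filter enable
    Restart-Computer -Force
}
```

If a pending-reboot key never clears, the second branch restarts the device on every run, so a production version should cap the number of restarts per window.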

     

    #50867
    nivlacckw
    Participant
    • Total Post: 15
    • Regular Joe
    • ★★

    PS, we reboot the Win10 IoT thin clients every day just to make sure UWF is flushed.
