Operating System Updates
General Information
To ensure your Brainlab system continues to operate as intended and to stay compliant with CE certification and/or FDA clearance, Brainlab recommends you follow these guidelines about Windows updates and anti-virus software. This policy applies to:
Brainlab Planning Systems (not used during patient treatment)
Brainlab Navigation and Positioning Systems (used during patient treatment)
Windows Updates
By default, Brainlab systems are configured via local Group Policy settings. If your organization uses Windows Group Policy settings on any servers where Brainlab software is installed, do not change the configuration.
Only install Microsoft Security updates; both Monthly Rollups and Security-only Updates are allowed. Do not install service packs and optional updates. Medical device regulations require service packs to be tested and released by the medical device manufacturer. If you add the Brainlab system to the hospital domain, ensure the settings are effective.
Although Microsoft Security updates may be installed immediately after release from Microsoft, Brainlab recommends postponing the installation by five working days. Any revisions to Microsoft Security updates take place within this time period.
For Windows 7 and later:
Disable Turn on recommended updates via Automatic Updates.
Disable Allow Automatic Updates immediate installation.
Enable No auto-restart with logged on users for scheduled automatic updates installations.
Set Configure Automatic Updates to Disabled.
Do not install updates during patient treatment.
The following Security updates cannot be installed:
KB2823324: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996): MS13-036
KB2984615: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2984615) MS14-045
KB4577051: 2020-09 Security Monthly Quality Rollup for Windows Embedded Standard 7 for x64-based systems
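The rules in this section, combined into one decision per offered update, as an added example that is not part of the Brainlab policy. It assumes Windows PowerShell 3.0 or later, counts working days as Monday to Friday with no holidays, and uses constructed update labels, placeholder KB numbers and release dates; only the three blocked KB numbers come from the list above.

```powershell
# Added example. Blocked KBs are the three listed above; everything else is constructed.
$BlockedKbs  = 'KB2823324', 'KB2984615', 'KB4577051'
$AllowedKind = 'SecurityMonthlyRollup', 'SecurityOnly'   # labels are assumptions

function Get-WorkingDaysSince {
    param([datetime]$Released, [datetime]$Today)
    # Count Monday-Friday days after the release date, up to and including $Today.
    # Public holidays are not taken into account (assumption).
    $count = 0
    for ($d = $Released.Date.AddDays(1); $d -le $Today.Date; $d = $d.AddDays(1)) {
        if ($d.DayOfWeek -ne 'Saturday' -and $d.DayOfWeek -ne 'Sunday') { $count++ }
    }
    return $count
}

function Test-UpdateAllowed {
    param($Update, [datetime]$Today, [bool]$PatientTreatment = $false)
    # Order matters: treatment state first, then update type, block list, deferral.
    if ($PatientTreatment)                      { return 'Deny: patient treatment in progress' }
    if ($AllowedKind -notcontains $Update.Kind) { return 'Deny: not a Microsoft Security update' }
    if ($BlockedKbs -contains $Update.KB)       { return 'Deny: on the blocked list' }
    $age = Get-WorkingDaysSince -Released $Update.Released -Today $Today
    if ($age -lt 5) { return "Defer: $age of 5 working days elapsed" }
    return 'Allow'
}

# Constructed sample: placeholder KB numbers and release dates, not real Microsoft data.
$today   = [datetime]'2020-09-16'
$offered = @(
    [pscustomobject]@{ KB = 'KB0000001'; Kind = 'SecurityOnly';          Released = [datetime]'2020-09-08' }
    [pscustomobject]@{ KB = 'KB0000002'; Kind = 'SecurityMonthlyRollup'; Released = [datetime]'2020-09-14' }
    [pscustomobject]@{ KB = 'KB0000003'; Kind = 'ServicePack';           Released = [datetime]'2020-08-01' }
    [pscustomobject]@{ KB = 'KB4577051'; Kind = 'SecurityMonthlyRollup'; Released = [datetime]'2020-09-08' }
)

foreach ($u in $offered) {
    [pscustomobject]@{ KB = $u.KB; Decision = (Test-UpdateAllowed -Update $u -Today $today) }
}
```

To see whether a blocked update is already present on a machine, `Get-HotFix -Id $BlockedKbs -ErrorAction SilentlyContinue` lists any that are installed.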
Driver Updates
Do not update drivers on Brainlab platforms.
Do not use manual setup or Windows updates to update drivers on Brainlab platforms. This policy is ensured by the following Group Policy settings, which should not be changed.
For Windows 7 and Windows 8.1:
Set Specify search order for device driver source locations to Do not search Windows Update.
Enable Turn off Windows Update device driver search prompt.
For Windows 10:
Set Specify search order for device driver source locations to Enabled and check the Do not search Windows Update checkbox.
In the Local Group Policy Editor, set Do not include drivers with Windows Updates to Enabled.
Applicable Group Policy Settings
If your organization uses Windows Group Policy settings on any servers where Brainlab software is installed, do not change the configuration.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\*
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\*
Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\*
User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\*
User Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\*
User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\*
Anti-virus
Brainlab recommends protecting the system with state-of-the-art anti-virus software. System performance must be verified by a Brainlab service engineer after the first anti-virus software installation. Be aware that some malware protection software (e.g., virus scanner) settings can negatively affect system performance. For example, if real-time scans are performed and each file access is monitored, then access to patient data may be restricted. For best results:
Disable any extra anti-virus software features (e.g., browser or email scanners, additional firewall).
Disable anti-virus software pop-up messages.
Configure anti-virus software (e.g., by adding to folder exceptions) so that it does not scan or modify the following:
C:\Brainlab, D:\Brainlab and F:\Brainlab, etc.
C:\PatientData, D:\PatientData and F:\PatientData, etc.
Exception: The Media Storage Service folder must be scanned, and it is inside the Patient Data folder. If you have C:\PatientData\MediaStorageService, D:\PatientData\MediaStorageService, F:\PatientData\MediaStorageService, etc., set the software to scan the folder.
For Planning Systems (except iPlan RT installations): Permanently activate on-access/real-time scans with the folder exceptions that are listed here correctly set up.
For iPlan RT installations and Navigation and Positioning Systems: Disable on-access/real-time scans. Schedule on-demand/scheduled scans to be performed at system shutdown or during non-clinical hours.
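The folder exceptions above and the Media Storage Service exception, expressed as a path check that can be run over an exported exclusion list; this is an added example, not Brainlab's or any anti-virus vendor's code. The function names and sample paths are constructed, and how a given product expresses "scan this subfolder of an excluded folder" is product-specific and not modelled here.

```powershell
# Added example. Folder names come from the policy above; sample paths are constructed.
$MustScan = '^[A-Z]:\\PatientData\\MediaStorageService(\\|$)'
$Excluded = '^[A-Z]:\\(Brainlab|PatientData)(\\|$)'

function Get-ScanDecision {
    param([string]$Path)
    # -match is case-insensitive; (\\|$) stops C:\BrainlabBackup matching C:\Brainlab.
    $p = $Path.TrimEnd('\')
    if ($p -match $MustScan) { return 'Scan' }      # exception wins over its parent folder
    if ($p -match $Excluded) { return 'Exclude' }
    return 'Scan'
}

function Test-ExclusionEntry {
    param([string]$Entry)
    # Classify one configured exclusion against the policy.
    $e = $Entry.TrimEnd('\')
    if ($e -match $MustScan) { return 'Finding: Media Storage Service must be scanned' }
    if ($e -match $Excluded) { return 'OK: folder covered by the policy' }
    return 'Review: not named in the policy'
}

# Constructed sample file paths.
$paths = @(
    'C:\Brainlab\app.exe'
    'D:\PatientData\Study01\image.dcm'
    'D:\PatientData\MediaStorageService\upload.bin'
    'C:\BrainlabBackup\old.zip'
    'f:\patientdata\'
)
foreach ($p in $paths) {
    [pscustomobject]@{ Path = $p; Decision = (Get-ScanDecision -Path $p) }
}

# Constructed sample of an exported exclusion list.
$exclusions = @(
    'C:\Brainlab'
    'D:\PatientData'
    'D:\PatientData\MediaStorageService'
    'C:\Users'
)
foreach ($e in $exclusions) {
    [pscustomobject]@{ Exclusion = $e; Result = (Test-ExclusionEntry -Entry $e) }
}
```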
Third-Party Software
With the exception of anti-virus and Microsoft Security updates, do not install any third-party software without approval from Brainlab. If non-Brainlab software is installed, CE certification and FDA clearance become null and void unless Brainlab has specifically approved such installation in writing and confirmed it as being compatible. The medical device’s safety and effectiveness can no longer be ensured. Any claim for warranty shall be lost.
Third-Party Hardware
If HPE ProLiant DL360 Gen9 or Gen10 servers were purchased via Brainlab, the HPE SPP for them can be installed without prior approval from Brainlab. All components covered by the HPE SPP may be installed, including firmware, drivers and system software.
Intel Meltdown Bug
Microsoft Updates related to Meltdown are considered safe to be deployed on all the Brainlab platforms.
Best Practice
For best results, Brainlab recommends the following:
Create a Domain Organizational Unit (OU) where all Brainlab Systems are registered to ensure that the above described policy is followed.
Scan storage devices and media (e.g., CD-ROM, DVD-ROM, USB HDD and USB flash memory drives) for malware contamination and remove the malware before using the device or media.
Enable System Restore for drive C: so a system can be restored to a previous state.
Schedule download and installation of Windows and anti-virus updates at system shutdown. Pay special attention to servers and VMs and ensure that the systems are fully rebooted afterwards.
If an on-access/real-time scan is not activated, schedule an on-demand/scheduled scan at system shutdown.
More Information
This policy supersedes all past and present product documentation. For further information, contact Brainlab customer support. See below to view information about settings and a list of Microsoft Security Updates blocked by Brainlab Support.
If you need further assistance, don’t hesitate to call +4989991568-1044 (Customer Care Europe, Customer Care US) or contact us by email at support@brainlab.com or us.support@brainlab.com.