CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Rationale:

It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:ManagePr eviewBuilds HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:ManagePr eviewBuildsPolicyValue

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds :

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Manage preview builds

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Impact:

Preview builds are prevented from installing on the device.

Default Value:

Disabled. (Preview builds are not installed on the device, unless the user opts-in through Settings -> Update and Security)

1175 | P a g e

Made with FlippingBook - Online magazine maker