CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
18.9.102.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (Scored)
Profile Applicability:
Level 1 (L1) - Corporate/Enterprise Environment (general use)
Description:
This setting controls when Quality Updates are received.
The recommended state for this setting is: Enabled: 0 days.
Note: If the "Allow Telemetry" policy is set to 0, this policy will have no effect.
Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:
Demystifying “Dual Scan” – WSUS Product Team Blog
Improving Dual Scan on 1607 – WSUS Product Team Blog
Rationale:
Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:DeferQualityUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:DeferQualityUpdatesPeriodInDays
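The registry check described in the Audit section can be scripted. The following PowerShell is an added example, not part of the CIS benchmark. It assumes that 'Enabled: 0 days' is stored as DeferQualityUpdates = 1 and DeferQualityUpdatesPeriodInDays = 0; the WUServer and DisableDualScan value names used for the Dual Scan note are also assumptions that do not appear on this page.

```powershell
# Added example: audit CIS 18.9.102.1.3 from the backing registry values.
# Assumption (not stated on the page): 'Enabled: 0 days' is stored as
#   DeferQualityUpdates = 1 and DeferQualityUpdatesPeriodInDays = 0.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$defer  = Get-PolicyValue -Path $key -Name 'DeferQualityUpdates'
$period = Get-PolicyValue -Path $key -Name 'DeferQualityUpdatesPeriodInDays'

# Values relevant to Note #2 (Dual Scan). Both names are assumptions:
#   WUServer        - present when a WSUS server is configured by policy
#   DisableDualScan - backs 'Do not allow update deferral policies to
#                     cause scans against Windows Update'
$wsus   = Get-PolicyValue -Path $key -Name 'WUServer'
$noDual = Get-PolicyValue -Path $key -Name 'DisableDualScan'

# A missing value compares unequal to 1 or 0, so Not Configured fails the check.
$compliant = ($defer -eq 1) -and ($period -eq 0)
$result = if ($compliant) { 'PASS' } else { 'FAIL' }

# Flag the combination Note #2 warns about: WSUS in use, a deferral policy
# set, and Dual Scan not suppressed.
$note = ''
if (($null -ne $wsus) -and ($defer -eq 1) -and ($noDual -ne 1)) {
    $note = 'WSUS is configured and Dual Scan is not disabled; review Note #2.'
}

[pscustomobject]@{
    Control                         = '18.9.102.1.3'
    DeferQualityUpdates             = $defer
    DeferQualityUpdatesPeriodInDays = $period
    WUServer                        = $wsus
    DisableDualScan                 = $noDual
    Result                          = $result
    Note                            = $note
}
```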