18.10.94.2.1 Ensure 'Configure Automatic Updates' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use that connection to search Windows Update or your designated intranet site for updates that apply to the computer.

After you configure this policy setting to Enabled, select one of the following options to specify how the service will work. The numbers are the values of the Update/AllowAutoUpdate policy (Policy CSP) that the Intune custom setting below writes:

0: Notify the user before downloading the update.

1: Auto install the update and then notify the user to schedule a device restart.

2: Auto install and restart.

3: Auto install and restart at a specified time.

4: Auto install and restart at a specified time. (This option is the same as 3, but restricts end user controls on the settings page.)

5: Turn off automatic updates.

6: Updates automatically download and install at an optimal time determined by the device. (Default)

The recommended state for this setting is: Enabled: <Choose option from above> except for 5.

Note: The Group Policy sub-setting 'Configure automatic updating:' has 4 possible values (2 through 5 in Group Policy numbering) - all of them are valid depending on specific organizational needs; however, if feasible we suggest the scheduled-install option (4 - Auto download and schedule the install in Group Policy terms, which corresponds to AllowAutoUpdate value 3 above, or 4 if end-user controls on the settings page should also be restricted). This suggestion is not a scored requirement.

Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled (AllowAutoUpdate value 5) so that the native Windows Update mechanism does not interfere with the 3rd-party patching process.

Rationale:

Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.

Impact:

Critical operating system updates and service packs will be installed as necessary.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Enabled: <Choose option from above> except for 5.

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Custom)

Click Create

Enter a Name

Click Next

Configure the following Setting

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate
Data type: Integer
Value: 0 or 1 or 2 or 3 or 4 or 6 (depending on the option chosen above)

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
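The following PowerShell is an added example and is not part of the CIS benchmark or this audit page. It does two things a practitioner wants alongside the wizard steps above: it builds the same Custom profile (one Integer OMA-URI setting for ./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate) as a Microsoft Graph request body, refusing value 5 up front, and it audits what an enrolled device actually received. The audit relies on two assumptions stated in the comments: that Policy CSP values are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update on MDM-enrolled devices, and that Group Policy-managed devices carry the setting in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (NoAutoUpdate / AUOptions, in Group Policy numbering). The profile name and description are placeholders.

```powershell
# Added example (not CIS or Tenable code): build the Intune custom profile body for
# Update/AllowAutoUpdate and audit the value a device actually holds.

function New-AllowAutoUpdateProfileBody {
    param(
        # 5 (turn off automatic updates) is deliberately rejected by the validator.
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 4, 6)][int]$Value,
        [string]$Name        = 'CIS 18.10.94.2.1 - Configure Automatic Updates',   # placeholder name
        [string]$Description = 'Sets Update/AllowAutoUpdate (Policy CSP) to a value other than 5'
    )
    # Graph resource behind a "Windows 10 and later" / "Custom" profile with one OMA-URI setting.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = $Description
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'Configure Automatic Updates'
                description   = 'AllowAutoUpdate'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate'
                value         = $Value
            }
        )
    }
    return ($body | ConvertTo-Json -Depth 5)
}

# To create the profile (needs the Microsoft.Graph module and the
# DeviceManagementConfiguration.ReadWrite.All permission), then assign it in the portal or via Graph:
#   Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
#   Invoke-MgGraphRequest -Method POST `
#       -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
#       -Body (New-AllowAutoUpdateProfileBody -Value 4) -ContentType 'application/json'

function Test-AllowAutoUpdate {
    # Run locally (elevated) on a device to see which source set the policy and whether it complies.
    $result = [ordered]@{ Source = $null; Value = $null; Compliant = $false; Detail = '' }

    # Assumption: Policy CSP values are mirrored under PolicyManager\current\device\<Area> on MDM-enrolled devices.
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' `
                            -Name 'AllowAutoUpdate' -ErrorAction SilentlyContinue
    if ($null -ne $mdm) {
        $result.Source    = 'MDM (Policy CSP Update/AllowAutoUpdate)'
        $result.Value     = [int]$mdm.AllowAutoUpdate
        $result.Compliant = $result.Value -in @(0, 1, 2, 3, 4, 6)
        $result.Detail    = if ($result.Value -eq 5) { 'AllowAutoUpdate=5 turns automatic updates off' } else { 'ok' }
        return [pscustomobject]$result
    }

    # Fall back to the Group Policy keys written by "Configure Automatic Updates" (GPO numbering: AUOptions 2-5).
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($null -ne $au) {
        $result.Source = 'Group Policy (WindowsUpdate\AU)'
        if ($au.PSObject.Properties['NoAutoUpdate'] -and [int]$au.NoAutoUpdate -eq 1) {
            $result.Value  = 'NoAutoUpdate=1'
            $result.Detail = 'Configure Automatic Updates is Disabled (acceptable only with a 3rd-party patching exemption)'
        } elseif ($au.PSObject.Properties['AUOptions']) {
            $result.Value     = [int]$au.AUOptions
            $result.Compliant = $true
            $result.Detail    = "AUOptions=$($au.AUOptions) (Group Policy numbering, not the CSP values)"
        } else {
            $result.Detail = 'AU key present but neither NoAutoUpdate nor AUOptions is set'
        }
        return [pscustomobject]$result
    }

    $result.Detail = 'Setting not configured by MDM or Group Policy; the device is on its built-in default'
    return [pscustomobject]$result
}

Test-AllowAutoUpdate | Format-List
```

The audit reports the source of the value as well as the value itself: a device that shows the Group Policy keys rather than the PolicyManager mirror is not being governed by the Intune profile, which is the usual reason a fleet-wide rollout of this setting does not "take".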

Default Value:

Enabled: 3 - Auto download and notify for install. (This is the Group Policy default, in Group Policy numbering: Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to Windows Update, users can install them. For the Policy CSP value written by the Intune setting above, the default is AllowAutoUpdate 6, as listed in the option table.)

See Also

https://workbench.cisecurity.org/benchmarks/14355