18.10.93.4.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' - DeferFeatureUpdates

Information

This policy setting determines when Preview Build or Feature Updates are received.

Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information.

Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered).

Note: If the 'Allow Diagnostic Data' (formerly 'Allow Telemetry') policy is set to 0, this policy will have no effect.

Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:

Demystifying 'Dual Scan' - WSUS Product Team Blog

Improving Dual Scan on 1607 - WSUS Product Team Blog

Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days.

Rationale:

In a production environment, it is preferred to only use software and features that are publicly available, after they have gone through rigorous testing in beta.

Impact:

Feature Updates will be delayed until they are publicly released to general public by Microsoft.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 180 or more days:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update\Select when Preview Builds and Feature Updates are received

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates.

Default Value:

Disabled. (Feature Update cadence will not be enforced by Group Policy.)

See Also

https://workbench.cisecurity.org/benchmarks/13204

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|2.4

Plugin: Windows

Control ID: f7adc23263002e7ba3579d81bc9366d4113c1fb750571fcde520ca1402868452