18.9.102.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'

Information

This policy setting determines the level of Preview Build or Feature Updates to receive, and when.

The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organization's level of comfort with receiving them:

Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.

Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.

Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.

Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.

Semi-Annual Channel: Feature updates will arrive when they are declared Semi-Annual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customers believe that the release is ready for broad deployment.




The recommended state for this setting is: Enabled: Semi-Annual Channel, 180 or more days.

Note: If the 'Allow Telemetry' policy is set to 0, this policy will have no effect.

Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:

Demystifying 'Dual Scan' - WSUS Product Team Blog

Improving Dual Scan on 1607 - WSUS Product Team Blog

Note #3: Prior to Windows Server 2016 R1709, values above 180 days are not recognized by the OS. Starting with Windows Server 2016 R1709, the maximum number of days you can defer is 365 days.

Rationale:

Forcing new features without prior testing in your environment could cause software incompatibilities and introduce new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan are in place. This recommendation delays the automatic installation of new features as long as possible.

Impact:

Feature Updates will be delayed until 180 or more days after they are declared to have a Windows readiness level of 'Semi-Annual Channel'.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select when Preview Builds and Feature Updates are received

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates.
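
The following PowerShell check is an added example, not part of the benchmark text: it audits the recommended state on a local host and flags the three caveats from the notes above (Allow Telemetry at 0, Dual Scan with WSUS, and the 180/365-day limits). The registry value names and the value 32 for Semi-Annual Channel are assumptions about what WindowsUpdate.admx writes; the page itself gives only the Group Policy UI path.

```powershell
# Added audit sketch. Assumption: WindowsUpdate.admx stores this policy in the
# registry values named below; the page itself gives only the Group Policy UI path.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name } else { $null }
}

$defer     = Get-RegValue $wu 'DeferFeatureUpdates'
$branch    = Get-RegValue $wu 'BranchReadinessLevel'
$days      = Get-RegValue $wu 'DeferFeatureUpdatesPeriodInDays'
$dualScan  = Get-RegValue $wu 'DisableDualScan'
$wsus      = Get-RegValue $wu 'WUServer'
$telemetry = Get-RegValue $dc 'AllowTelemetry'
$release   = Get-RegValue $cv 'ReleaseId'

$fail = @(); $warn = @()

# Recommended state: Enabled, Semi-Annual Channel (32), 180 or more days.
if ($defer -ne 1)   { $fail += 'Policy not Enabled (DeferFeatureUpdates is not 1)' }
if ($branch -ne 32) { $fail += "BranchReadinessLevel is '$branch', expected 32" }
if ($null -eq $days -or $days -lt 180) { $fail += "Deferral is '$days' days, expected 180 or more" }

# Note: with 'Allow Telemetry' at 0 the deferral policy has no effect.
if ($telemetry -eq 0) { $warn += 'AllowTelemetry = 0: deferral is ignored' }
# Note #2: deferral plus WSUS can trigger Dual Scan unless it is disabled.
if ($wsus -and $dualScan -ne 1) { $warn += 'WSUS set and DisableDualScan is not 1' }
# Note #3: builds before 1709 do not recognize values above 180 days.
if ($release -match '^\d+$' -and [int]$release -lt 1709 -and $days -gt 180) {
    $warn += "Release $release does not recognize $days days"
}
if ($days -gt 365) { $warn += 'Deferral exceeds the 365-day maximum' }

[pscustomobject]@{
    Compliant = ($fail.Count -eq 0)
    Failures  = $fail
    Warnings  = $warn
}
```

A host can report Compliant while still carrying warnings; treat a warning as a reason to confirm that the deferral is actually being honored on that build.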

Default Value:

Disabled. (Feature Updates will not be delayed when released by Microsoft.)

See Also

https://workbench.cisecurity.org/files/3345

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7(1), 800-53|CM-8, 800-53|MA-3, CSCv7|2.4

Plugin: Windows

Control ID: c9e9b364e88caf399e02d39a58b44c65f28cf99721a7522b8490fe0050fb7e06