18.9.17.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'

Information

This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:
0 = HTTP only, no peering.
1 = HTTP blended with peering behind the same NAT.
2 = HTTP blended with peering across a private group. By default, peering occurs on devices in the same Active Directory Site (if one exists) or in the same domain. When this option is selected, peering will cross NATs. To create a custom group, use Group ID in combination with Mode 2.
3 = HTTP blended with Internet Peering.
99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.
The recommended state for this setting is any value EXCEPT: Enabled: Internet (i.e. 3).
Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is Enabled: Internet, so on other SKUs, be sure to set this to a different value.
Rationale:
Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and was approved by the network administrator.

Solution

To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet:
Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization\Download Mode
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Impact:
Machines will not be able to download updates from peers on the Internet. If set to Enabled: HTTP only, Enabled: Simple, or Enabled: Bypass, machines will not be able to download updates from other machines on the same LAN.
Default Value:
Enterprise, Enterprise LTSB and Education SKUs: Enabled: LAN (i.e. 1)
All other SKUs: Enabled: Internet (i.e. 3)
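The following PowerShell script is an added audit example; it is not part of the CIS/Tenable text above. It reads the value the 'Download Mode' policy writes (DODownloadMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization, the documented registry location for this GPO setting) and, when no policy value is present, falls back to the per-SKU default stated in the Default Value section. The SKU detection by matching the OS caption string is a heuristic assumption, not an official Microsoft mapping, and the optional remediation function writes the same registry value the GPO would; Group Policy remains the recommended channel and will overwrite a local value on refresh.

```powershell
# Added example, not part of the original CIS/Tenable item.
# Audits the effective Delivery Optimization download mode and reports whether
# it violates this recommendation (Enabled: Internet, i.e. value 3).
# Assumption: the 'Download Mode' GPO stores DWORD DODownloadMode under the
# policy key below; SKU detection via the OS caption is a heuristic only.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ValueName = 'DODownloadMode'

# Human-readable names for the modes listed in the Information section.
$ModeNames = @{
    0   = 'HTTP only, no peering'
    1   = 'LAN (peering behind the same NAT)'
    2   = 'Group (peering across a private group)'
    3   = 'Internet (peering with hosts on the Internet)'
    99  = 'Simple (HTTP only, no Delivery Optimization cloud contact)'
    100 = 'Bypass (Delivery Optimization not used, BITS instead)'
}

function Get-DODownloadModeAudit {
    $configured = $null
    $source     = $null

    # Policy value takes precedence when it exists.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $configured = [int]$item.$ValueName
        $source     = "Policy ($PolicyKey\$ValueName)"
    }
    else {
        # No policy value: use the per-SKU default from the Default Value section.
        # Heuristic: Enterprise/Education captions default to LAN (1); all others
        # default to Internet (3).
        $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        if ($caption -match 'Enterprise|Education') { $configured = 1 } else { $configured = 3 }
        $source = "SKU default for '$caption' (no policy value present)"
    }

    $description = if ($ModeNames.ContainsKey($configured)) { $ModeNames[$configured] } else { 'Unknown value' }

    [pscustomobject]@{
        DownloadMode = $configured
        Description  = $description
        Source       = $source
        # Any value except 3 satisfies this recommendation.
        Compliant    = ($configured -ne 3)
    }
}

function Set-DODownloadModeLocal {
    # Local equivalent of the GPO write; 1 (LAN) keeps on-LAN peering, which the
    # Impact section notes is lost with 0, 99 or 100. Run elevated.
    param([ValidateSet(0, 1, 2, 99, 100)][int]$Mode = 1)

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Mode -Type DWord
    Get-DODownloadModeAudit
}

# Usage: report the current state (add Set-DODownloadModeLocal -Mode 1 to remediate).
Get-DODownloadModeAudit | Format-List
```

The audit reports Compliant = $false only for mode 3, whether that value comes from an explicit policy or from the non-Enterprise default, which is the case the Note in the Information section warns about.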
CIS Controls:
Version 6
4.5 Use Automated Patch Management And Software Update Tools
Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.
Version 7
3.4 Deploy Automated Operating System Patch Management Tools
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy Automated Software Patch Management Tools
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

See Also

https://workbench.cisecurity.org/files/2288