18.8.21.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'

Information

This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers.

The recommended state for this setting is: Disabled.

Rationale:

This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy

Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Default Value:

Disabled. (Updates can be applied while users are working.)

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, 800-53|CM-6, CCE|CCE-35776-4, CSCv7|5.4, CSCv7|5.5

Plugin: Windows

Control ID: dbaa2ee367e1dd118a8e06c4d77caa6a807a3f7b67de471c18498fa072065a3f