83.1 (L1) Ensure 'Allow Auto Update' is set to 'Enabled'

Information

This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them.

After this policy setting is set to Enabled, select one of the following options in the Configure Automatic Updates Properties dialog box to specify how the service will work:

- 2 - Auto install and restart.
- 3 - Auto install and restart at a specified time. (Default)
- 4 - Auto install and restart without end-user control.

The recommended state for this setting is: Enabled and never 'Turn off automatic updates'

Note: The sub-setting 'Allow Auto Update:' has 6 possible values - not all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 2, 3, or 4. The only scored requirement is to not turn off automatic updates (5).

Note #2: Organizations that utilize a third-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the third-party patching process.

Warning: If option 3 or 4 is not selected, then the ScheduledInstallDay recommendation will not take effect and an exception to that recommendation will be needed.

Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to anything other than 'Turn off automatic updates'.

Windows Update For Business\Allow Auto Update

Impact:

Critical operating system updates and service packs will be installed as necessary.
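
One way to audit this recommendation on an endpoint, as an added example that is not part of the benchmark or the audit plugin. It assumes the MDM-delivered value is stored as AllowAutoUpdate under the PolicyManager registry key shown, and that a missing value counts as a failure; Test-AllowAutoUpdate and its output fields are hypothetical names.

```powershell
# Added example, not benchmark code.
# Assumption: the Policy CSP stores the Settings Catalog value under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Test-AllowAutoUpdate {
    param(
        # Supply a value to evaluate offline; omit it to read the local registry.
        [AllowNull()][Nullable[int]]$Value
    )

    if (-not $PSBoundParameters.ContainsKey('Value')) {
        $item = Get-ItemProperty -Path $PolicyKey -Name 'AllowAutoUpdate' `
                                 -ErrorAction SilentlyContinue
        $Value = if ($item) { [int]$item.AllowAutoUpdate } else { $null }
    }

    # Assumption: a value that was never delivered is treated as non-compliant,
    # because the recommended state is Enabled.
    $configured = $null -ne $Value

    [pscustomobject]@{
        Value                      = if ($configured) { $Value } else { 'not set' }
        # Only scored requirement: automatic updates are not turned off (5).
        ScoredPass                 = $configured -and ($Value -ne 5)
        # Suggested, but not scored: one of 2, 3 or 4.
        SuggestedValue             = $configured -and ($Value -in @(2, 3, 4))
        # The ScheduledInstallDay recommendation only takes effect with 3 or 4.
        ScheduledInstallDayApplies = $configured -and ($Value -in @(3, 4))
    }
}

# Constructed sample values; $null stands for "policy not delivered".
foreach ($sample in 3, 2, 5, $null) {
    Test-AllowAutoUpdate -Value $sample
}

# To evaluate the local machine instead, call the function with no arguments:
# Test-AllowAutoUpdate
```

A result with ScoredPass true but ScheduledInstallDayApplies false (for example value 2) is the case the Warning above describes: the device passes this item but needs an exception for the ScheduledInstallDay recommendation.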

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Windows

Control ID: f5d6db42c8fb0fd1e9c668f6324e50487a254b7d39766b1c1ae0bc51f2464a6e