83.3 (L1) Ensure 'Defer Quality Updates Period (Days)' is set to 'Enabled: 0 days'

Information

This policy settings controls when Quality Updates are received.

The recommended state for this setting is: Enabled: 0 days

Note: If the 'Allow Telemetry' policy is set to 0, this policy will have no effect.

Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured

or

configure the setting

Do not allow update deferral policies to cause scans against Windows Update

(added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:

-

Demystifying 'Dual Scan' - WSUS Product Team Blog

-

Improving Dual Scan on 1607 - WSUS Product Team Blog

Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled:0 days

Windows Update for Business\Defer Quality Updates Period (Days)

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Windows

Control ID: 73666084ed85efe5ab526c6f65156a82e3762e85521153505ce0b11c7b9551da