18.10.16.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'

Information

This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:

- 0 = HTTP only, no peering.
- 1 = HTTP blended with peering behind the same NAT.
- 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 = HTTP blended with Internet Peering.
- 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
- 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.

The recommended state for this setting is any value EXCEPT: Enabled: Internet (3)

Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is Enabled: Internet (3) so on other SKUs, be sure to set this to a different value.

Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received

its

updates from a trusted source and approved by the network administrator.

Solution

To establish the recommended configuration via GP, set the following UI path to any value

other than

Enabled: Internet (3) :

Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization\Download Mode

Note: This Group Policy path is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact:

Machines will not be able to download updates from peers on the Internet. If set to Enabled: HTTP only (0) Enabled: Simple (99) or Enabled: Bypass (100) machines will not be able to download updates from other machines on the same LAN.

See Also

https://workbench.cisecurity.org/benchmarks/16514

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Windows

Control ID: bd6a7a48a9b0337fbe74433909a8d434a92e0d272cedefc044c936fe3a00a97e