18.10.92.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'

Information

This settings controls when Quality Updates are received.

The recommended state for this setting is: Enabled: 0 days

Note: If the 'Allow Diagnostic Data' (formerly 'Allow Telemetry') policy is set to 0, this policy will have no effect.

Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured

or

configure the setting

Do not allow update deferral policies to cause scans against Windows Update

(added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:

-

Demystifying 'Dual Scan' - WSUS Product Team Blog

-

Improving Dual Scan on 1607 - WSUS Product Team Blog

Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:0 days :

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update\Select when Quality Updates are received

Note: This Group Policy path does not exist by default. An updated Group Policy template ( WindowsUpdate.admx/adml ) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17689

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Windows

Control ID: cdd5e6e35a4d5402ac8eb2acfb72b17b92632dca65bdee500e3521912d2d439c