18.10.16.1 Ensure 'Download Mode' is set to 'Enabled' (STIG only)

Information

This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.

The STIG recommended state for this setting is: Enabled with any option except 3 = Internet

The following list shows the supported values:

0 = HTTP only, no peering

1 = HTTP blended with peering behind the same NAT

2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if one exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group, use Group ID in combination with Mode 2

3 = HTTP blended with Internet Peering

99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services

100 = Bypass mode. Do not use Delivery Optimization and use BITS instead

Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process; however, to minimize outside exposure, obtaining updates from or sending updates to systems on the Internet must be prevented.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled with any option except 3 = Internet:

Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization\Download Mode

Note: This Group Policy path may not exist by default. This Group Policy section is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact:

Microsoft updates will not be obtained via Internet peering.
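
One way to check a host against this recommendation, as an added example that is not part of the benchmark or the audit plugin. It assumes the policy is stored as the DWORD value DODownloadMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization, which this page does not state; Test-DownloadMode is a hypothetical helper name.

```powershell
# Added example: audit the Delivery Optimization 'Download Mode' policy.
# Assumption (not stated on this page): the Group Policy setting is stored as the
# DWORD value DODownloadMode under the policy key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ValueName = 'DODownloadMode'

# Values listed on this page; 3 is the only one the STIG state rejects.
$ModeNames = @{
    0   = 'HTTP only, no peering'
    1   = 'HTTP blended with peering behind the same NAT'
    2   = 'HTTP blended with peering across a private group'
    3   = 'HTTP blended with Internet Peering'
    99  = 'Simple download mode with no peering'
    100 = 'Bypass mode (BITS)'
}

function Test-DownloadMode {
    param([AllowNull()][object]$Mode)   # $null means the policy value is absent

    if ($null -eq $Mode) {
        # The recommended state is Enabled, so an unconfigured policy fails.
        return [pscustomobject]@{ Compliant = $false; Mode = $null
            Reason = 'Policy not configured; the setting must be Enabled' }
    }
    $m = [int]$Mode
    if (-not $ModeNames.ContainsKey($m)) {
        # Design choice of this example: values outside the listed set fail.
        return [pscustomobject]@{ Compliant = $false; Mode = $m
            Reason = 'Value is not one of the supported download modes' }
    }
    [pscustomobject]@{
        Compliant = ($m -ne 3)
        Mode      = $m
        Reason    = $ModeNames[$m]
    }
}

# Read the live value; a missing key or value yields $null rather than an error.
$current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Test-DownloadMode -Mode $current

# Constructed sample inputs showing each outcome without touching the registry.
foreach ($sample in @($null, 1, 3, 42, 100)) { Test-DownloadMode -Mode $sample }
```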

See Also

https://workbench.cisecurity.org/benchmarks/15301

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Windows

Control ID: f50d371b0c47764927d8ff2c9573a0bb85d8013a4276e061e20fbc73117f5919