πΌ Management Samenvatting
automatische Edge updates essential voor patching browser vulnerabilities.
Aanbeveling
IMPLEMENT
Risico zonder
Critical
Risk Score
9/10
Implementatie
1u (tech: 0.5u)
Van toepassing op:
β Edge
Browser vulnerabilities exploited actively. Unpatched Edge is zero-day exploits, drive-by downloads. automatische updates Zorg ervoor dat patches installed immediately.
PowerShell Modules Vereist
Primary API: Intune/GPO
Connection:
Required Modules:
Connection:
N/ARequired Modules:
Implementatie
Policy: Edge automatische updates is ingeschakeld. Updates install automatisch Zonder user intervention.
- Intune β Edge policy: Update policy is altijd Sta toe updates
- UpdateStandaard is 1 (automatic)
- Restart notification: inform users maar auto-update
Vereisten
Edge browser deployed
Implementatie
- Intune β Edge policy: Update policy is altijd Sta toe updates
- UpdateStandaard is 1 (automatic)
- Restart notification: inform users maar auto-update
Compliance en Auditing
- CIS Edge
- BIO 12.06
- ISO 27001 A.12.6.1
- NIS2 Artikel 21
Monitoring
Gebruik PowerShell-script automatic-updates-enabled.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script automatic-updates-enabled.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- BIO: 12.06 - kwetsbaarheidsbeheer
- ISO 27001:2022: A.12.6.1 - Technical kwetsbaarheidsbeheer
- NIS2: Artikel - Patch management
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Edge Updates: Automatic Updates Enabled - Zorgt voor automatische Edge updates
.DESCRIPTION
CIS - Automatic updates moeten enabled zijn voor security patches.
.NOTES
Filename: automatic-updates-enabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Edge\UpdatePolicy|Expected: 1
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate"; $RegName = "UpdateDefault"; $ExpectedValue = 1
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "automatic-updates-enabled.ps1"; PolicyName = "Automatic Updates Enabled"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = $ExpectedValue; Details = @() }; if (-not(Test-Path $RegPath)) { $r.IsCompliant = $true; $r.Details += "Default updates enabled"; return $r }; try { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Stop; $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Auto updates enabled" }else { $r.Details += "Auto updates disabled - SECURITY RISK" } }catch { $r.IsCompliant = $true; $r.Details += "Default enabled" }; return $r }
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Automatic updates enabled" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Critical: Critical - Unpatched browsers exploited via zero-days.
Management Samenvatting
Schakel Edge automatische updates. Immediate vulnerability patching. Voldoet aan BIO 12.06, NIS2. Setup: 30 min.
- Implementatietijd: 1 uur
- FTE required: 0.01 FTE