Group Policy Refresh Interval Configured

💼 Management Summary

The Group Policy refresh interval determines how often client devices retrieve new policy settings from domain controllers.

Recommendation
IMPLEMENT
Risk without
Low
Risk Score
2/10
Implementation
0.5h (tech: 0.25h)
Applies to:
✓ Windows 10
✓ Windows 11
✓ Windows Server

The default refresh interval is 90 minutes (plus a random offset of 0-30 minutes). CIS verifies that this default is maintained. Too long an interval means policy changes are applied slowly (security updates delayed); too short an interval means excessive network traffic and DC load. 90 minutes is the proven balance. This is a verification control: make sure the default has NOT been overridden with a problematic value.

PowerShell Modules Required
Primary API: Group Policy / Intune
Connection: Local
Required Modules:

Implementation

Verify that GroupPolicyRefreshTime is 90 minutes (or absent, which means the default applies and is OK). Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime. Note: for Intune-only (not domain-joined) devices this policy is not relevant; Intune has its own sync intervals.

Implementation

Use the PowerShell script group-policy-refresh-interval.ps1 (function Invoke-Monitoring) to verify the GP refresh interval.

  1. Default OK (90 min): NO action needed
  2. If overridden: reset to the default via GPO
  3. Intune-only devices: not applicable

Monitoring

Use the PowerShell script group-policy-refresh-interval.ps1 (function Invoke-Monitoring) to monitor.

  1. Registry check: GroupPolicyRefreshTime is 90 or absent
  2. For hybrid environments only
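The implementation and monitoring steps above combine an applicability decision (domain-joined versus Intune-only) with a registry check. The following is an added example, not the baseline's own script: it reads both GroupPolicyRefreshTime and its companion value GroupPolicyRefreshTimeOffset, classifies the result, and, where the override comes from a GPO, removes the setting from that GPO with Remove-GPRegistryValue (RSAT GroupPolicy module) so the default applies again. The function names and the GPO name "<GPO-NAME>" are assumptions; the rest uses documented Windows behaviour.

```powershell
# Added example (not part of the baseline's script). Function names are assumptions.
$RegPath       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ExpectedValue = 90

function Test-GpRefreshApplicable {
    # Only AD domain-joined devices (including hybrid Azure AD joined) process
    # domain Group Policy; Intune-only devices use Intune's own sync intervals.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

function Get-GpRefreshSetting {
    # $null for either value means "not overridden": the built-in default applies
    # (90 minutes interval, 0-30 minutes random offset).
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    return [PSCustomObject]@{
        IntervalMinutes = $props.GroupPolicyRefreshTime
        OffsetMinutes   = $props.GroupPolicyRefreshTimeOffset
    }
}

function Test-GpRefreshCompliance {
    if (-not (Test-GpRefreshApplicable)) {
        return [PSCustomObject]@{ Status = 'NOT_APPLICABLE'; Reason = 'Not domain-joined (Intune-only)' }
    }
    $s = Get-GpRefreshSetting
    if ($null -eq $s.IntervalMinutes) {
        return [PSCustomObject]@{ Status = 'COMPLIANT'; Reason = "Default ($ExpectedValue min, not overridden)" }
    }
    $v = [int]$s.IntervalMinutes
    if ($v -eq $ExpectedValue) {
        return [PSCustomObject]@{ Status = 'COMPLIANT'; Reason = "Explicitly set to $ExpectedValue min" }
    }
    # An interval of 0 makes the client try to refresh every 7 seconds:
    # the "too short" failure mode (network traffic, DC load) the control warns about.
    $why = if ($v -eq 0) { 'Interval 0 = refresh every 7 seconds (DC load)' }
           elseif ($v -lt $ExpectedValue) { "Interval $v min shorter than default (DC load)" }
           else { "Interval $v min longer than default (policy changes delayed)" }
    return [PSCustomObject]@{ Status = 'NON_COMPLIANT'; Reason = $why; Offset = $s.OffsetMinutes }
}

function Reset-GpRefreshInGpo {
    # Step 2 of the implementation: reset via the GPO, not only the local registry.
    # Removing the value from the GPO sets the policy to Not Configured, so the default applies.
    param([Parameter(Mandatory)][string]$GpoName)   # assumption: caller supplies the GPO that carries the override
    Import-Module GroupPolicy -ErrorAction Stop       # RSAT GroupPolicy module, run from a management host
    Remove-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
        -ValueName 'GroupPolicyRefreshTime' | Out-Null
    Remove-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
        -ValueName 'GroupPolicyRefreshTimeOffset' -ErrorAction SilentlyContinue | Out-Null
}

# Usage on a client:
$result = Test-GpRefreshCompliance
$result | Format-List
# On a management host, if the override comes from a GPO (placeholder name):
# Reset-GpRefreshInGpo -GpoName '<GPO-NAME>'
```

A local Set-ItemProperty on the Policies key fixes the symptom on one device, but when the value is delivered by a GPO the next policy refresh of that GPO writes it back; the lasting fix for step 2 is to remove the setting from the GPO (or set it to Not Configured in the editor), after which a `gpupdate /target:computer` on the client confirms the key disappears.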

Compliance and Auditing

  1. CIS Windows Benchmark 18.9.36.1
  2. Configuration management best practices

Remediation

Use the PowerShell script group-policy-refresh-interval.ps1 (function Invoke-Remediation) to restore the setting.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune System Management: Group Policy Refresh Interval
.DESCRIPTION
    CIS 18.9.36.1 - The Group Policy refresh interval must be configured (90 min default).
.NOTES
    Filename: group-policy-refresh-interval.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/AdministrativeTemplates/System/GroupPolicy/GroupPolicyRefreshTime
    Expected: 90 minutes
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)

$ErrorActionPreference = 'Stop'
$RegPath       = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
$RegName       = "GroupPolicyRefreshTime"
$ExpectedValue = 90

# Returns $true when the current process runs with administrator rights.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the policy value. An absent key or value means the default (90 min) applies and is compliant.
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "group-policy-refresh-interval.ps1"
        PolicyName    = "GP Refresh Interval"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "$ExpectedValue min"
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) {
                $r.CurrentValue = "$($v.$RegName) min"
                if ($v.$RegName -eq $ExpectedValue) {
                    $r.IsCompliant = $true
                    $r.Details += "GP refresh: $($v.$RegName) min"
                } else {
                    $r.Details += "GP refresh: $($v.$RegName) min (expected $ExpectedValue)"
                }
            } else {
                $r.IsCompliant = $true
                $r.Details += "Default (90 min)"
            }
        } else {
            $r.IsCompliant = $true
            $r.Details += "Default"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Writes the expected value (DWORD, minutes) to the Policies key.
function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "GP refresh interval: $ExpectedValue min" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    Write-Host "`n$($r.PolicyName): $(if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' })" -ForegroundColor $(if ($r.IsCompliant) { 'Green' } else { 'Red' })
    return $r
}

# Removes the override so the built-in default (90 min) applies again.
function Invoke-Revert {
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Low: low risk; a misconfigured refresh interval can cause policy deployment delays.

Management Summary

Verify that GP refresh is 90 min (the default). For hybrid environments only. Intune-only: N/A. Implementation: 15-30 min of verification.