L1 BIO 12.06.01 ISO A.12.6.1 CIS Windows - Allow updates

Intune: Allow Windows Update (Automatic Updates Enabled)

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Allow Windows Update = enable automatic updates - **FUNDAMENTAL** security control (unpatched systems = #1 ransomware/exploit target).

Aanbeveling
IMPLEMENT IMMEDIATELY
Risico zonder
Critical
Risk Score
10/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Windows Update = patch security vulnerabilities: Critical vulnerabilities: EternalBlue (WannaCry), PrintNightmare, BlueKeep β†’ exploited WITHIN HOURS of disclosure, Unpatched systems: Attacker scans network β†’ finds vulnerable Windows β†’ exploit β†’ ransomware/backdoor, Patch Tuesday: Monthly security updates (second Tuesday) - MUST install immediately. Disabled updates = security disaster: Months/years unpatched β†’ trivial exploits succeed β†’ full system compromise.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Allow updates: Policy: Allow update service: Enabled, Effect: Windows Update service runs (downloads + installs updates), Automatic: Security patches install automatically (user-transparent), Combined with: Quality update deferral 0 days (immediate), Feature update deferral 180 days (testing).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Network: Internet connectivity (download updates)
  4. Active hours: Configure (non-disruptive restart times)

Implementatie

Intune: Windows Update ring β†’ Allow Windows Update: Enabled. Quality deferral: 0 days. Feature deferral: 180 days. Active hours: 9 AM - 5 PM (no forced reboots during work).

Compliance

CIS Windows Benchmark L1, Microsoft Security Baseline, BIO 12.06, ISO 27001 A.12.6.1, NIS2 Art. 21, NIST SI-2.

Monitoring

Gebruik PowerShell-script allow-update-is-set-to-enabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script allow-update-is-set-to-enabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Update Management: Allow Windows Update .DESCRIPTION CIS - Windows Update moet enabled zijn. .NOTES Filename: allow-update-enabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Service: wuauserv|Expected: Running/Automatic #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $ServiceName = "wuauserv" function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "allow-update.ps1"; PolicyName = "Windows Update Service"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Automatic"; Details = @() }; function Invoke-Revert { Set-Service -Name $ServiceName -StartupType Manual } try { $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue; if ($svc) { $startup = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" | Select-Object -ExpandProperty StartMode; $r.CurrentValue = $startup; if ($startup -eq 'Auto' -or $startup -eq 'Automatic') { $r.IsCompliant = $true; $r.Details += "Windows Update: $startup" }else { $r.Details += "Windows Update: $startup (moet Automatic)" } }else { $r.Details += "Service niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { Set-Service -Name $ServiceName -StartupType Automatic -ErrorAction SilentlyContinue; Start-Service -Name $ServiceName -ErrorAction SilentlyContinue; Write-Host "Windows Update enabled" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Set-Service -Name $ServiceName -StartupType Manual } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Critical: KRITIEK: Disabled updates = unpatched systems β†’ WannaCry, PrintNightmare, BlueKeep (game over).

Management Samenvatting

Allow Windows Update (automatic updates). FUNDAMENTAL security. Unpatched = #1 ransomware target. Configure active hours. Implementatie: 1-2 uur.