💼 Management Samenvatting
Defer quality updates 0 days = IMMEDIATE security patches - quality updates contain critical vulnerability fixes (NO delay acceptable).
Aanbeveling
IMPLEMENT IMMEDIATELY
Risico zonder
Critical
Risk Score
10/10
Implementatie
2u (tech: 1u)
Van toepassing op:
✓ Windows 10
✓ Windows 11
✓ Windows 11
Quality updates vs Feature updates: Quality updates (monthly): Security patches, bug fixes, critical vulnerability fixes (PrintNightmare, BlueKeep, etc.), Feature updates (annual): New features, UI changes. Security patches = URGENT: Critical vulnerabilities actively exploited (ransomware, RCE), Time-to-exploit: Hours/days after disclosure (attackers scan for vulnerable systems), Delay = exposure window: 30-day deferral = 30 days vulnerable (unacceptable). CIS/Microsoft: Quality updates = 0 days deferral (immediate), Feature updates = 180 days OK (stability testing).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
0-day quality deferral: Policy: Defer quality updates: 0 days, Effect: Security patches install ASAP (next update cycle - typically Tuesday 'Patch Tuesday'), Deployment: Automatic (no delay), Maintenance windows: Configure active hours (user-friendly timing - maar patches still immediate).
Vereisten
- Intune subscription
- Windows 10/11
- Active hours configured (non-disruptive update times)
Implementatie
Intune: Windows Update ring → Quality update deferral period: 0 days (immediate). Feature update deferral: 180 days (testing). Active hours: Configure (9 AM - 5 PM no forced reboots).
Compliance
CIS Windows Benchmark L1 (0 days), Microsoft Security Baseline, BIO 12.06, NIS2 Art. 21.
Monitoring
Gebruik PowerShell-script defer-quality-updates-period-days-is-set-to-enabled-0-days.ps1 (functie Invoke-Monitoring) – Controleren.
Remediatie
Gebruik PowerShell-script defer-quality-updates-period-days-is-set-to-enabled-0-days.ps1 (functie Invoke-Remediation) – Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Quality update deferral (L1) -
- BIO: 12.06.01 -
- NIS2: Artikel -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Update Management: Defer Quality Updates 0 Days
.DESCRIPTION
CIS - Quality updates (security) moeten direct geïnstalleerd (0 dagen defer).
.NOTES
Filename: defer-quality-updates.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays|Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; $ExpectedValue = 0
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "defer-quality-updates.ps1"; PolicyName = "Defer Quality Updates"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "0 days"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name "DeferQualityUpdatesPeriodInDays" -ErrorAction SilentlyContinue }
try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name "DeferQualityUpdatesPeriodInDays" -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = "$($v.DeferQualityUpdatesPeriodInDays) days"; if ($v.DeferQualityUpdatesPeriodInDays -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Quality updates immediate" }else { $r.Details += "Quality updates deferred $($v.DeferQualityUpdatesPeriodInDays) days" } }else { $r.IsCompliant = $true; $r.Details += "Default: immediate" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name "DeferQualityUpdatesPeriodInDays" -Value $ExpectedValue -Type DWord -Force; Write-Host "Quality updates immediate (0 days)" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name "DeferQualityUpdatesPeriodInDays" -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Critical: KRITIEK: Quality update delay = extended vulnerability window (PrintNightmare, BlueKeep exploited within hours).
Management Samenvatting
Quality updates: 0 days deferral (IMMEDIATE security patches). Feature updates: 180 days OK. Active hours: Non-disruptive. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE