๐ผ Management Samenvatting
Windows Update scheduled install: Every day - allows daily update installation window (fastest patch deployment).
Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
2u (tech: 1u)
Van toepassing op:
โ Windows 10
โ Windows 11
โ Windows 11
Update schedule options: Specific day (Tuesday only): Updates install ONLY on Tuesdays โ if device offline Tuesday: waits until NEXT Tuesday (7-day delay), Every day (RECOMMENDED): Updates install ANY day device is online โ fastest deployment. Security: Critical patch released โ Every day: Installs within 24 hours, Specific day: May wait 7 days (unacceptable for critical vulnerabilities). CIS: Every day schedule (fastest patch compliance).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Every day schedule: Policy: Scheduled install day: 0 (Every day), Effect: Windows checks for updates daily โ installs when available, Active hours respected: Updates install outside 9 AM - 5 PM (non-disruptive), Fastest patching: Device online ANY day โ updates install (no weekly wait).
Vereisten
- Intune subscription
- Windows 10/11
- Active hours configured (9 AM - 5 PM)
- Auto-updates enabled
Implementatie
Intune: Windows Update ring โ Scheduled install day: Every day (0). Active hours: 9 AM - 5 PM. Effect: Updates install daily (outside active hours).
Compliance
CIS Windows Benchmark L1, BIO 12.06, NIST SI-2.
Monitoring
Gebruik PowerShell-script scheduled-install-day-is-set-to-every-day.ps1 (functie Invoke-Monitoring) โ Controleren.
Remediatie
Gebruik PowerShell-script scheduled-install-day-is-set-to-every-day.ps1 (functie Invoke-Remediation) โ Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Update schedule (L1) -
- BIO: 12.06.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Update Management: Scheduled Install Every Day
.DESCRIPTION
CIS - Updates moeten elke dag geรฏnstalleerd kunnen worden.
.NOTES
Filename: scheduled-install-every-day.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay|Expected: 0 (Every Day)
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; $RegName = "ScheduledInstallDay"; $ExpectedValue = 0
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "scheduled-install-daily.ps1"; PolicyName = "Scheduled Install Day"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Every Day (0)"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Scheduled: Every Day" }else { $r.Details += "Scheduled: Day $($v.$RegName)" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Updates scheduled every day" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Medium: Medium: Weekly schedule = 7-day delay (critical patches delayed).
Management Samenvatting
Windows Update: Every day schedule (not weekly). Fastest patch deployment. Active hours respected. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE