L1 BIO 12.06.01 ISO A.8.8 CIS Windows Update - automatische Updates

Windows Automatische Updates Ingeschakeld

πŸ“… 2025-10-30
β€’
⏱️ 8 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Windows automatische Updates moet ingeschakeld zijn om security patches, bug fixes en feature updates automatisch te downloaden en installeren, waardoor systems up-to-date blijven en vulnerability exploitation wordt voorkomen door tijdige patching van known security issues.

Aanbeveling
IMPLEMENT
Risico zonder
Critical
Risk Score
9/10
Implementatie
8u (tech: 4u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11
βœ“ Windows Server

Unpatched Windows systems zijn PRIMAIRE TARGET voor attackers die known vulnerabilities exploiten: ZERO-DAY EXPLOITATION binnen UREN waarbij: Microsoft releases security patch (Patch Tuesday - 2e dinsdag van maand), Reverse engineers analyseren patch om vulnerability te identificeren, Exploit code wordt ontwikkeld binnen hours/days, Attackers scan internet voor unpatched systems, Mass exploitation binnen 24-48 hours na patch release; KNOWN VULNERABILITY EXPLOITATION van: EternalBlue (MS17-010) - WannaCry ransomware (2017) affected 200K+ systems die NIET gepatched waren, BlueKeep (CVE-2019-0708) - RDP vulnerability allowing wormable attacks, PrintNightmare (CVE-2021-34527) - Print Spooler exploits, ProxyLogon/ProxyShell - Exchange server exploits. Real-world data: Verizon DBIR toont 60%+ of breaches exploit KNOWN vulnerabilities waarvoor patches BESCHIKBAAR waren maar NIET installed. Average time attacker exploits vulnerability NA patch release: 7-30 dagen. Organizations zonder automatische updates: handmatige patching delays (weeks/months), missed critical patches (overwhelming volume), vulnerable systems (attacker playground). automatische updates provides: IMMEDIATE security patch deployment (within days of release), NO handmatige intervention vereist (scaling to 1000s devices), CONSISTENT patching over organization (no stragglers), REDUCED aanvalsoppervlak (vulnerabilities closed voordat exploitation). Trade-off: automatische updates kan leiden tot: unexpected reboots (Configureer maintenance windows), compatibility issues (rare, Test met deferral rings), bandwidth usage (WSUS/WUfB optimization). HOWEVER: Security risk van unpatched systems >>> inconvenience van automatische updates.

PowerShell Modules Vereist
Primary API: Intune / Windows Update voor Business
Connection: N/A
Required Modules:

Implementatie

Windows automatische Updates configuration via Intune Windows Update voor Business policies of Group Policy: (1) Schakel in automatische updates: NoAutoUpdate registry is 0 (ingeschakeld) of Not geconfigureerd (Standaard ingeschakeld), (2) Update behavior: Download en install automatisch (aanbevolen), of Download automatische maar waarschuwen voordat install (less veilige - user may postpone); (3) Deployment rings voor staged rollout: Pilot ring (IT team): 0 day deferral - immediate updates, Early adopters (10%): 3-7 day deferral, Broad deployment (80%): 7-14 day deferral, Critical systems (10%): 14-21 day deferral (extra caution); (4) Maintenance windows: Active hours configuration: Users specify work hours (no reboots tijdens), automatische restart buiten active hours (minimal disruption), Deadline enforcement: Max days voordat forced reboot (balance security vs. user control). Windows Update voor Business (Intune) provides: Centralized update management, Deferral policies (staged deployment), automatische approval of quality updates (security patches), Feature update control (major version upgrades - slower cadence), compliance rapportage (patching status per device), Bandwidth optimization (Delivery Optimization P2P). Best practice: automatische updates ingeschakeld voor alle devices (no exceptions), Deferral rings voor staged deployment (catch issues in pilot), Maintenance windows geconfigureerd (minimize user disruption), Forced reboot deadlines (security >> user convenience voor critical patches), monitoren compliance: Target 95%+ patched binnen 7-14 days of release.

Vereisten

  1. Windows 10 Pro/Enterprise, Windows 11, of Windows Server 2016+
  2. Intune subscription voor Windows Update voor Business policies
  3. Endpoint Administrator rol in Intune
  4. Internet connectivity: Devices moeten Windows Update servers kunnen bereiken
  5. Bandwidth planning: Update downloads (WSUS/WUfB Delivery Optimization)
  6. Deployment rings defined: Pilot, Early adopters, Broad, Critical
  7. Testing process: Pilot group validates updates voordat broad deployment
  8. User communication: Active hours configuration guidance, reboot expectations

Implementatie

Implementatie via Intune Windows Update voor Business (aanbevolen):

Gebruik PowerShell-script windows-update-automatic-updates.ps1 (functie Invoke-Remediation) – PowerShell script voor registry verification en remediation.

  1. Microsoft Intune admin center β†’ Devices β†’ Windows β†’ Update rings
  2. Maak aan update ring: 'Pilot Ring - IT Team'
  3. - Quality updates (security): 0 days deferral
  4. - Feature updates: 180 days deferral (Test voordat broad)
  5. - automatische updates: ingeschakeld
  6. - Restart behavior: Auto restart buiten active hours
  7. - Assign to: Pilot group (IT team)
  8. Maak aan update ring: 'Production Ring'
  9. - Quality updates: 7 days deferral (pilot tests first)
  10. - Feature updates: 180-365 days
  11. - automatische updates: ingeschakeld
  12. - Restart checks: Restart deadline 3 days max
  13. - Assign to: alle users
  14. Monitor deployment: Device compliance rapportage

Group Policy implementation (on-premises):

  1. GPMC β†’ Edit GPO β†’ Computer Configuration β†’ Administrative Templates
  2. Windows Components β†’ Windows Update
  3. configureer: 'Configureer automatische Updates' is ingeschakeld
  4. - Option 4: Auto download en schedule install (aanbevolen)
  5. configureer: 'Specify intranet Microsoft update service location' (if WSUS)
  6. Link GPO, gpupdate /force

Monitoring

Gebruik PowerShell-script windows-update-automatic-updates.ps1 (functie Invoke-Monitoring) – Controleert NoAutoUpdate registry setting.

  1. Intune Update compliance: Device patch status dashboard
  2. Target: 95%+ devices patched binnen 14 days of release
  3. Failed updates: Investigate devices met update failures
  4. Update deferral: Devices postponing updates excessively
  5. Missing patches: Critical vulnerabilities unpatched (high priority)
  6. Windows Update logs: C:\Windows\WindowsUpdate.log voor troubleshooting
  7. Security baselines: Microsoft Defender kwetsbaarheidsbeheer

Compliance en Auditing

automatische updates zijn mandatory voor: CIS Microsoft Windows Benchmark - automatische Updates ingeschakeld, BIO 12.06.01 (Kwetsbaarheden - Tijdige patching vereist), ISO 27001:2022 A.8.8 (Management of technical vulnerabilities), NIS2 Artikel 21 (kwetsbaarheidsbeheer en patching), PCI-DSS Requirement 6.2 (Zorg ervoor dat alle systems beschermde van known vulnerabilities), NIST SP 800-40 (Patch Management). Auto updates is baseline security requirement.

Remediatie

Gebruik PowerShell-script windows-update-automatic-updates.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Update Management: Automatic Updates Enabled .DESCRIPTION CIS - Automatic updates moeten enabled zijn. .NOTES Filename: windows-update-automatic-updates.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate|Expected: 0 (Enabled) #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; $RegName = "NoAutoUpdate"; $ExpectedValue = 0 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "windows-update-automatic.ps1"; PolicyName = "Automatic Updates"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Enabled (0)"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Automatic updates enabled" }else { $r.Details += "Automatic updates disabled" } }else { $r.IsCompliant = $true; $r.Details += "Default: enabled" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Automatic updates enabled" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Critical: KRITIEK VULNERABILITY EXPLOITATION RISICO: Unpatched systems is low-hanging fruit voor attackers. WannaCry, NotPetya, BlueKeep - alle massive exploits van KNOWN vulnerabilities waarvoor patches available waren. Attackers exploit binnen 24-48 hours na patch release. Average breach cost via unpatched vulnerability: €3.5M. handmatige patching is delays (weeks), missed patches, inconsistent deployment. automatische updates is immediate security, consistent patching, minimal management overhead. Organizations zonder auto updates: 60%+ of systems unpatched 30+ days na release.

Management Samenvatting

Schakel in Windows automatische Updates via Intune Update Rings. Security patches deployed binnen 7-14 days. Staged deployment via rings (pilot β†’ production). Configureer maintenance windows (minimal disruption). Voldoet aan CIS, BIO 12.06, ISO 27001 A.8.8, PCI-DSS 6.2. Implementatie: 4-8 uur voor ring configuration. MANDATORY voor kwetsbaarheidsbeheer - NO exceptions.