L1 BIO 12.06.02 ISO A.12.6.1 CIS Windows - Feature update deferral

Intune: Defer Windows Feature Updates (180 Days)

πŸ“… 2025-10-30
β€’
⏱️ 4 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Defer Windows feature updates 180 days - testing period voor major OS updates (stability over bleeding-edge).

Aanbeveling
IMPLEMENT
Risico zonder
Low
Risk Score
3/10
Implementatie
13u (tech: 3u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Feature updates = major changes: Feature update: Semi-annual (22H2, 23H1) - new features, UI changes, driver updates, Risks: Breaking changes (app compatibility, driver issues), Early adopter problems (bugs in new features), Business impact: Productivity loss (broken apps, user retraining). Deferral benefits: Microsoft testing: 180 days β†’ millions of early adopters find bugs β†’ Microsoft patches, Enterprise testing: Pilot group tests deferred update β†’ app compatibility verification β†’ production rollout. CIS recommendation: 180+ days deferral (balance: stability vs security).

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Defer feature updates: 180 days: Production devices receive feature updates 6 months after release, Quality updates: NOT deferred (security patches immediate), Pilot group: 0-30 days deferral (early testing), Production: 180 days (stability), Deployment rings: Pilot (IT - 0 days) β†’ Early adopters (30 days) β†’ Production (180 days).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Deployment rings: Pilot + Production groups
  4. App compatibility testing process

Implementatie

Intune: Devices β†’ Windows Updates β†’ Update rings β†’ Create ring 'Production' β†’ Feature update deferral: 180 days, Quality update deferral: 0 days (immediate security patches). Assign to: Production devices. Pilot ring: 0-30 days deferral (IT team).

Compliance

CIS Windows Benchmark (180 days), BIO 12.06 (Change management), ISO 27001 A.12.6.1.

Monitoring

Gebruik PowerShell-script windows-update-defer-feature.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script windows-update-defer-feature.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Update Management: Defer Feature Updates .DESCRIPTION CIS - Feature updates moeten gedeferred worden voor stabiliteit. .NOTES Filename: windows-update-defer-feature.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates|Expected: 1 #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; $RegName = "DeferFeatureUpdates"; $ExpectedValue = 1 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "defer-feature.ps1"; PolicyName = "Defer Feature Updates"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Enabled"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Feature updates deferred" }else { $r.Details += "Feature updates NOT deferred" } }else { $r.Details += "Niet geconfigureerd" } }else { $r.Details += "Niet geconfigureerd" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Feature updates deferral enabled" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Low: Low: No deferral = early adopter bugs (app breakage, productivity loss).

Management Samenvatting

Defer feature updates: 180 days (production). Pilot: 0-30 days (testing). Quality updates: Immediate (security). Stability over bleeding-edge. Implementatie: 3-13 uur.