L1 BIO 12.06.01 ISO A.12.6.1 CIS Windows - Pause updates

Intune: Block User Ability To Pause Windows Updates

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Block users from pausing Windows Updates - prevents users delaying critical security patches (patch compliance enforcement).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
3u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Pause updates = security risk: Windows 10/11 feature: Users can pause updates 35 days (Settings β†’ Windows Update β†’ Pause updates), User behavior: 'I'm busy' β†’ pause updates β†’ forget to resume β†’ 6 months unpatched, Security impact: Critical vulnerability (e.g., PrintNightmare) β†’ Microsoft patches β†’ user paused updates β†’ vulnerable for months. Attack: Attacker scans network β†’ finds unpatched device (user paused updates) β†’ exploit β†’ ransomware. Enterprise requirement: Patch compliance (100% devices patched within SLA - 30 days).

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Block pause ability: Policy: SetDisablePauseUXAccess: Block, Effect: Settings β†’ Windows Update β†’ 'Pause updates' option REMOVED, Users: Cannot pause (updates install per schedule), Admin control: Intune Update rings (centralized pause for maintenance windows - controlled).

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Maintenance windows: Scheduled via Intune (user-friendly update times)

Implementatie

Intune: Windows Update ring β†’ Block user from pausing updates: Block. Effect: 'Pause updates' removed from Settings. Maintenance: Configure active hours (non-disruptive update times).

Compliance

CIS Windows Benchmark L1, BIO 12.06 (Patch management), ISO 27001 A.12.6.1, NIS2 Art. 21.

Monitoring

Gebruik PowerShell-script block-pause-updates-ability-is-set-to-block.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script block-pause-updates-ability-is-set-to-block.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Update Management: Block Pause Updates .DESCRIPTION CIS - Users mogen NIET updates pauzeren. .NOTES Filename: block-pause-updates.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetDisablePauseUXAccess|Expected: 1 #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; $RegName = "SetDisablePauseUXAccess"; $ExpectedValue = 1 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "block-pause-updates.ps1"; PolicyName = "Block Pause Updates"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Blocked"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Pause updates blocked" }else { $r.Details += "Pause updates allowed" } }else { $r.Details += "Niet geconfigureerd" } }else { $r.Details += "Niet geconfigureerd" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Pause updates blocked" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Users pause updates β†’ months unpatched β†’ critical vulnerabilities exploited.

Management Samenvatting

Block user pause updates ability. Enforce patch compliance. Configure active hours (user-friendly). Implementatie: 1-3 uur.