Update Management
Intune: Allow Store Apps To Update
Allow Store apps to update = enable automatic updates for Microsoft Store apps (relevant only if the Store is enabled; delivers security patches for Store apps).
Intune: Allow Windows Update
Allow Windows Update = enable automatic updates - **FUNDAMENTAL** security control (unpatched systems = #1 ransomware/exploit target).
Intune: Block User Ability To Pause Windows Updates
Block users from pausing Windows Updates - prevents users from delaying critical security patches (patch compliance enforcement).
Intune: Defer Feature Updates 180+ Days
Defer feature updates 180+ days - enterprise testing period for major OS releases (stability over bleeding-edge).
Intune: Defer Quality Updates 0 Days
Defer quality updates 0 days = IMMEDIATE security patches - quality updates contain critical vulnerability fixes (NO delay acceptable).
Intune: Encryption Oracle Remediation - Force Updated Clients
Encryption Oracle Remediation = force patched CredSSP clients - fixes CVE-2018-0886 (RDP/WinRM credential relay attack).
Intune: Disable Windows Insider Preview Builds
Disable Windows Insider Preview builds on production devices - prevents beta software (unstable, buggy, data loss risk).
Intune: Windows Update Scheduled Install - Every Day
Windows Update scheduled install: Every day - allows daily update installation window (fastest patch deployment).
Intune: Turn Off Search Companion Content File Updates
Turn off Search Companion updates = disable legacy Windows XP search feature updates (irrelevant on Windows 10/11).
Intune: Turn Off 'Upgrade To Latest Windows' Prompts
Turn off 'Get the latest Windows' prompts - prevents Windows from nagging users to upgrade to a newer major version (the enterprise controls upgrades centrally).
Windows Automatic Updates Enabled
Windows automatic updates must be enabled so that security patches, bug fixes and feature updates are downloaded and installed automatically. This keeps systems up to date and prevents vulnerability exploitation through timely patching of known security issues.
Intune: Windows Update Branch Readiness Level
Windows Update branch readiness = servicing channel selection - General Availability Channel (recommended for production).
Intune: Defer Windows Feature Updates
Defer Windows feature updates 180 days - testing period for major OS updates (stability over bleeding-edge).
Intune: Defer Quality Updates
Defer quality updates 0 days (NO deferral) - security patches install IMMEDIATELY (deferral = extended vulnerability window).
Intune: Configure Windows Update Pause Behavior
Configure Windows Update pause behavior via Intune - ADMIN-controlled pause (maintenance windows) vs USER pause (blocked via separate policy).