πΌ Management Samenvatting
Turn off 'Get the latest Windows' prompts - prevents Windows from nagging users to upgrade to newer major version (enterprise controls upgrades centrally).
Aanbeveling
IMPLEMENT
Risico zonder
Low
Risk Score
3/10
Implementatie
2u (tech: 1u)
Van toepassing op:
β Windows 10
β Windows 11
β Windows 11
Upgrade prompts = user-initiated chaos: Windows prompts: 'Get Windows 11!' (on Windows 10 devices), 'Upgrade to 24H2!' (on Windows 11 23H2), User clicks: Immediate upgrade download β installation β NO enterprise testing/approval, Risks: App compatibility breaks (untested upgrade), Driver issues (hardware incompatibility), Helpdesk flood (users upgrade β problems β support tickets). Enterprise approach: Centralized upgrades (Intune feature update deployment rings - tested, phased rollout), User prompts: BLOCKED (no self-service upgrades).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Disable upgrade prompts: Policy: Turn off the offer to update to the latest version of Windows: Enabled, Effect: Windows does NOT show 'Get Windows 11' / 'Upgrade' prompts, Upgrades: Controlled via Intune Update rings (admin-initiated, tested), User: Cannot self-upgrade (centralized control).
Vereisten
- Intune subscription
- Windows 10/11
- Feature update deployment: Intune Update rings (controlled rollout)
Implementatie
Intune Settings Catalog: Windows Update β Turn off the offer to update to the latest version of Windows: Enabled. Effect: No upgrade prompts. Intune controls upgrades (deployment rings).
Compliance
BIO 12.06 (Change management - controlled upgrades), ISO 27001 A.12.6.1.
Monitoring
Gebruik PowerShell-script turn-off-the-offer-to-update-to-the-latest-version-of-windows-is-set-to-enabled.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script turn-off-the-offer-to-update-to-the-latest-version-of-windows-is-set-to-enabled.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- BIO: 12.06.02 -
- ISO 27001:2022: A.12.6.1 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Update Management: Turn Off Windows Version Upgrade Offers
.DESCRIPTION
CIS - Windows version upgrade aanbiedingen moeten disabled in enterprise.
.NOTES
Filename: turn-off-version-upgrade-offers.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore\DisableOSUpgrade|Expected: 1
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"; $RegName = "DisableOSUpgrade"; $ExpectedValue = 1
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "disable-upgrade-offers.ps1"; PolicyName = "Upgrade Offers"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Disabled"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Upgrade offers disabled" }else { $r.Details += "Upgrade offers enabled" } }else { $r.Details += "Niet geconfigureerd" } }else { $r.Details += "Niet geconfigureerd" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Upgrade offers disabled" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Low: Low: User-initiated upgrades = untested (app breakage, helpdesk chaos).
Management Samenvatting
Turn off Windows upgrade prompts. Centralized Intune control. No user self-upgrades. Tested rollout only. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE