Disable: 'Configure Automatic Updates' for NoAutoUpdate This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - Notify before downloading any updates and notify again before installing them. - Download the updates automatically and notify when they are ready to be installed. (Default setting) Automatically download updates and install them on the schedule specified below. If you disable this policy setting, you will need to download and manually install any available updates from Windows Update. Counter Measure: Configure the Configure Automatic Updates setting to Enabled and select 4. Automatically download updates and install them on the schedule specified below from the Configure automatic updating list box. Potential Impact: Critical operating system updates and service packs will automatically download and install at 3:00 A.M. daily.

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate,AUOptions,ScheduledInstallDay,ScheduledInstallTime