UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Prevent Automatic Updates from being run.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14250 2.119 SV-25200r1_rule DCSL-1 Medium
Description
This check verifies the system is configured to prevent Automatic Updates from being run unless directed to a DoD Windows Server Update Services (WSUS) server.
STIG Date
Windows 7 Security Technical Implementation Guide 2012-07-02

Details

Check Text ( C-39116r1_chk )
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \Software\Policies\Microsoft\Windows\WindowsUpdate\AU\

Value Name: NoAutoUpdate
Type: REG_DWORD
Value: 1

If the site is using a DoD WSUS server to distribute software updates, and the computer is configured to point at that server, then this can be set to "Enabled". In this instance, the setting will not be considered a finding.
To determine whether WSUS is being used, verify the following registry key value exists and is pointing to an organizational or DoD WSUS URL:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \Software\Policies\Microsoft\WindowsUpdate\

Value Name: WUServer

Type: REG_SZ
Value: “URL of DoD WSUS”
Fix Text (F-34265r1_fix)
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> “Configure Automatic Updates” to “Disabled”.

If the site is using a DoD WSUS server to distribute software updates, the policy setting to configure the WSUS URL is Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> “Specify intranet Microsoft update service location”.