Windows Update | Harden System Security
Windows updates are extremely important. They should always be installed as quickly as possible to stay secure, and if a reboot is required, it should be done immediately. Threat actors can weaponize publicly disclosed vulnerabilities the same day their POC (Proof-Of-Concept) is released.
In Windows by default, devices will scan daily, automatically download and install any applicable updates at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away.
The following policies, which the app configures, make sure the default behavior explained above is tightly enforced.
Enables Windows Update to download and install updates on any network, metered or not. The updates are important and should not be suppressed, since suppressing them is what bad actors would want.
CSP
Enables "Notify me when a restart is required to finish updating".
CSP
Sets the number of days before quality updates are installed on devices automatically to 1 day.
CSP
Sets the number of days before feature updates are installed on devices automatically to 1 day.
CSP
Sets the number of grace period days before feature updates are installed on devices automatically to 1 day.
CSP
Sets the number of grace period days before quality updates are installed on devices automatically to 1 day.
CSP
Configures automatic updates to happen every day, to be downloaded and installed automatically, and to notify users for restart.
CSP
Enables features introduced via servicing that are off by default so that users will be able to get new features after having Windows Update settings managed by Group Policy as the result of running this category.
CSP
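One way to check that the metered-network and deadline policies listed above are actually in effect, as an added example that is not part of the Harden System Security app. The registry path and value names are assumptions taken from Microsoft's Group Policy-backed Update policy settings (they are not listed on this page), and `Test-UpdatePolicy` and the sample values are constructed for illustration.

```powershell
# Assumption: Group Policy-backed location of the Windows Update policies.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected state from the list above: metered download enabled (1),
# deadlines and grace periods for quality and feature updates set to 1 day.
$Expected = [ordered]@{
    AllowAutoWindowsUpdateDownloadOverMeteredNetwork = 1
    ConfigureDeadlineForQualityUpdates               = 1
    ConfigureDeadlineForFeatureUpdates               = 1
    ConfigureDeadlineGracePeriod                     = 1
    ConfigureDeadlineGracePeriodForFeatureUpdates    = 1
}

function Test-UpdatePolicy {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Expected,
        # Actual values; when omitted they are read from the local registry.
        [System.Collections.IDictionary]$Actual
    )
    if (-not $PSBoundParameters.ContainsKey('Actual')) {
        $Actual = @{}
        # A missing key means no policy is set, so every check reports NotConfigured.
        $Props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($Props) {
            foreach ($Name in $Expected.Keys) {
                if ($null -ne $Props.$Name) { $Actual[$Name] = $Props.$Name }
            }
        }
    }
    foreach ($Name in $Expected.Keys) {
        # NotConfigured = Windows default applies; Drifted = set to another value.
        $State = 'NotConfigured'
        if ($Actual.Contains($Name)) {
            $State = if ([int]$Actual[$Name] -eq $Expected[$Name]) { 'Compliant' } else { 'Drifted' }
        }
        [pscustomobject]@{
            Policy = $Name; Expected = $Expected[$Name]; Actual = $Actual[$Name]; State = $State
        }
    }
}

# Constructed sample: 7-day quality deadline, feature-update grace period never set.
$Sample = @{
    AllowAutoWindowsUpdateDownloadOverMeteredNetwork = 1
    ConfigureDeadlineForQualityUpdates = 7
    ConfigureDeadlineForFeatureUpdates = 1
    ConfigureDeadlineGracePeriod       = 1
}
Test-UpdatePolicy -Expected $Expected -Actual $Sample | Format-Table -AutoSize
```

Calling `Test-UpdatePolicy -Expected $Expected` without `-Actual` on a Windows device audits the live policy state instead of the sample.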