Are all updates applied for operating systems by enabling auto updates?
Section A6: Security Update Management · Cyber Essentials Danzell
What this question is really asking
Confirm whether automatic updates are enabled for operating systems across your in-scope devices. Auto-updates are the simplest way to meet the 14-day patching requirement. For managed devices, enforce auto-updates via Group Policy, MDM, or configuration management — user-managed auto-updates are not a reliable control for a formal assessment.
What satisfies this requirement
Yes or NoAuto updates must be enabled where possible.
What to prepare before your assessor visit
Automatic updates are the simplest way to meet the 14-day requirement. If you manage your own WSUS or update rings, check your deferral settings carefully — a 30-day deferral ring will fail this question. Test the actual update deployment timeline from a recent update cycle rather than assuming your configured policy translates directly to compliant patch timing.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.