Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.9.6 Managing Windows updates

If the OSs running on the computers in your organization are Windows, Windows updates must be installed as necessary to fix errors or security problems. JP1/IT Desktop Management 2 can automatically install Windows updates released by Microsoft according to the security policy.

Important

The support services contract is required to automatically acquire the latest information about Windows updates and install the updates on your computers.

Tip

If notification is not suppressed in an agent for UNIX, OS patches can be acquired from the agent for UNIX (AIX, HP-UX, Solaris) as software information. However, you cannot automatically obtain the latest OS patch information and apply the latest OS patch to computers with the UNIX agent installed.

Tip

For Mac agents, the security policy item for automatic program update evaluates whether automatic checking for App Store updates is active. However, you cannot automatically obtain program updates and apply them to Mac agents.

Using JP1/IT Desktop Management 2, you can reduce the effort of managing Windows updates by using convenient functions as follows:

You can manage Windows updates in the Windows Update view of the Security module. The following figure shows the concept of managing Windows updates.

[Figure]

After Windows updates are released from Microsoft, information about the updates is automatically acquired from the support service site. At this time, the administrator can be automatically notified by email. After the information about the updates is acquired, the update list is automatically updated.

When All updates are installed is set in a security policy, the Windows update information added to the list is applied to the security policy, and whether the updates have been installed is judged based on the latest status. If updates have not been installed on some computers, the updates can be automatically distributed and installed on those computers.

By creating update groups, you can change how Windows updates are judged for each security policy. By creating a test group, you can first test whether updates will cause problems on the computers in your organization. Then, you can automatically install only the safe updates.

You can also register and distribute Windows updates manually.

For details on acquiring information from the support services, see the JP1/IT Desktop Management 2 Administration Guide.

Tip

You can use both the function of automatically distributing Windows updates using a security policy and the Windows automatic update function (Windows Update or Microsoft Update) at the same time. However, you cannot use JP1/IT Desktop Management 2 to control which function is used for installing Windows updates. If you want to install all the mandatory updates provided by Microsoft, we recommend that you enable Windows automatic update. If you want to install only specific updates, we recommend that you use the JP1/IT Desktop Management 2 function to distribute the updates.

Tip

Security judgment for cumulative updates and Security Monthly Quality Rollup for Windows is possible even when the latest update has been released but the update information posted on the support service site has not yet been updated. Security judgment can also be performed taking into consideration the grace period given to apply updates. However, the automatic distribution of the latest cumulative updates and Security Monthly Quality Rollup by means of a security policy is not possible. For details, see the description of judgment for cumulative updates and Security Monthly Quality Rollup for Windows in the manual JP1/IT Desktop Management 2 Administration Guide.

Tip

You can package and distribute Windows updates and a feature update to Windows 10 by using Remote Install Manager. For details, see the description of managing updates in the manual JP1/IT Desktop Management 2 Distribution Function Administration Guide.

Creating an update group

When you set Selected updates are installed in a security policy, you can use an update group to apply only the Windows updates allowed by the administrator for installation to the security policy. For details about update groups, see (9) Managing update groups.

(1) Prerequisites for acquiring and distributing Windows updates

The following shows the prerequisites for acquiring Windows updates from the Microsoft website based on the Windows update information acquired from the support service site, and for automatically distributing the updates to computers.

Prerequisites for automatically acquiring information about Windows updates from the support service site:

Tip

To acquire information about Windows updates from the support service site, the settings for connecting to the support service site are required.

Tip

Even in an environment where the management server cannot connect to the Internet, if another computer can connect to the Internet, you can manually acquire and then register Windows update information from the support service site.

Prerequisites for automatically acquiring Windows updates from the Microsoft website and distributing the updates:

Tip

To distribute Windows updates to computers, Windows update files are required. In an environment where the management server can connect to the Microsoft website via the Internet, Windows updates are automatically downloaded, and the Windows update files are registered.

Even in an environment where the management server cannot connect to the Internet, if you use another computer that can connect to the Internet to acquire Windows updates (execution files) from the Microsoft website, you can manually register the Windows update files.

(2) Notes on acquiring Windows updates

The following notes give restrictions related to acquiring Windows updates:

(3) Types of Windows updates for which information can be automatically acquired

By connecting to the support service site, you can acquire information about Windows updates released from Microsoft, and automatically apply the information to security-judgment targets. Also, by setting automated countermeasures in a security policy, you can automatically distribute and install Windows updates to computers.

Information about Windows updates for the following programs can be automatically acquired from the support service site.

Program             Type or version
Windows             Windows Server 2019, Windows Server 2016, Windows 10, Windows 8,
                    Windows 7, Windows Server 2012, Windows Server 2008, Windows Vista,
                    Windows Server 2003, Windows XP, Windows 2000
Internet Explorer   9.0 or later

Information about Windows updates can be acquired only for the updates that satisfy the following conditions:

(4) Automatically registering Windows Update files

The Windows updates and installation scripts that are necessary for distribution are automatically downloaded from the Microsoft website and the support service site, and then the Windows Update files are registered. By using this function, the administrator can reduce the effort of regularly downloading Windows updates because the latest updates can always be acquired and distributed automatically.

Important

A support services contract is required to automatically download Windows updates and installation scripts.

The following figure shows the flow of automatically registering the Windows Update files.

[Figure]

Note that registered Windows Update files are not added to the Package List view of the Distribution (ITDM-compatible) module. Windows Update files can be distributed only by automated countermeasures for a security policy. You cannot manually create a task for distributing Windows updates. You can check the executed tasks in the Distribution (ITDM-compatible) module.

(5) Manually registering Windows Update files

By downloading the Windows updates necessary for distribution from the Microsoft website, the administrator can add Windows updates to the management server at any time and register the Windows Update files. The added updates are automatically installed on users' computers. This function is convenient when you want to immediately distribute Windows updates that are important for security without waiting for automated countermeasures of JP1/IT Desktop Management 2.

When manually registering Windows Update files, the administrator must perform all tasks for downloading Windows updates and registering the Windows Update files.

The following figure shows the work flow for manually registering Windows Update files.

[Figure]

Tip

In an environment where the administrator's computer cannot connect to the Internet (when the update list is updated offline), use another computer that can connect to the Internet to register the Windows Update files.

In this case, on a computer that can connect to the Internet, display the operation window. On the Windows Update Information tab of the Windows Update view, download the Windows updates from Execution File Download URL. After that, from the Action menu, select Register Windows Update File, and then specify the downloaded updates. Thus, you can register the Windows Update files.

Note that the created Windows Update files are not added to the Package List view of the Distribution (ITDM-compatible) module. The Windows Update files can be distributed only by automated countermeasures for a security policy. You cannot manually create a task for distributing Windows updates. You can check the executed tasks in the Distribution (ITDM-compatible) module.

Tip

Security updates that were manually registered cannot be judged if the expected status of a security policy is All updates are installed. To judge the security status, manually register the security updates in an update group and then configure the following settings in Windows Update of the security policy. Judgment will then be performed for the Windows updates that were manually registered and, if violations are found, automated countermeasures will be executed.

Configuration Item: Check Install Updates.

Expected Status: Under Selected updates are installed, select a Windows update group in Mandatory Update Group.

Automated countermeasure: Select the check box and then select Distribute Windows Update.

(6) Checking the status of Windows updates

You can check whether Windows updates have been installed in the following ways.

Checking for Windows updates that have not been installed on some computers:

In the Windows Update Status report (under Security Detail Reports), you can check Windows updates. The Windows updates are listed in the order of the number of computers on which the update has not been installed.

[Figure]

Checking the violation level for each security policy:

On the Windows Update tab of the Security Policy List view (under the Security module), you can check violation levels. If there is a problem related to violation level, there might be computers on which one or more Windows updates have not been installed.

[Figure]

Checking the status of whether Windows updates have been installed for each device:

On the Windows Update tab of the Computer Security Status view (under the Security module), you can check the status of whether Windows updates have been installed on each device. If one or more Windows updates have not been installed on a computer, those updates are displayed.

[Figure]

Checking for computers on which Windows updates have not been installed:

On the Not Applied Computers tab of the Update List view (under the Security module), you can check for computers on which Windows updates have not been installed.

[Figure]

(7) Updating the update list

JP1/IT Desktop Management 2 can automatically update the registered update list by regularly accessing the support service site. This is done based on support contract information or a schedule set by the administrator. This enables the administrator to check whether the latest Windows updates have been installed on all computers, or to check for Windows updates that have not been installed, without performing any special operations.

The update list is automatically updated once a day. The time it is updated is based on the time the setup processing (which is performed immediately after JP1/IT Desktop Management 2 is installed) was completed, rounded up to the next full hour. For example, if the setup for JP1/IT Desktop Management 2 finishes at 10:30, the update list is updated at 11:00 every day.

Important

A support services contract and an environment where the management server can connect to the Internet are required.

Important

The update list is automatically updated about 10 business days after the latest Windows updates are released from Microsoft. This is because it takes about 10 days from the release of Windows updates until the update of the information on the support service site. If you want to immediately add the information about the released Windows updates, the administrator must acquire the Windows updates and the information about Windows updates from the Microsoft website, and then manually add them to the update list.

(8) Mail notification of updating the update list

When the update list is automatically updated, the updated contents can be reported to the administrator by email. In the email, information about the added Windows updates is described. The administrator can understand the details about the added Windows updates just by reading the email.

Important

The mail server settings and the support service settings are required in advance.

The following is an example email report.

[Figure]

(9) Managing update groups

When you want to judge only whether specific Windows updates have been installed, create an update group that groups the target Windows updates. When the update group is specified in a security policy, only the Windows updates registered in the group are judged.

By using an update group, you can centrally manage which Windows updates will be judged by different security policies.

The following figure shows the concept of managing Windows updates to be judged by using an update group.

[Figure]

For example, even when different security policies are used for the sales department and the development department, you can configure the settings so that the same Windows updates are installed. By specifying an update group common to the sales department and the development department for the judgment-target Windows updates, you can centrally manage the updates to be installed while using different policies for different departments.

Also, you can use an update group when you want to distribute Windows updates only after making sure that installing them causes no problems in your organization. Even if you acquire information about Windows updates from the support service, the information is not automatically applied to the update group. By additionally registering Windows updates in the update group, you can add judgment-target updates without editing the security policy. Therefore, by registering only the Windows updates that have already been tested in the update group, only the updates allowed by the administrator are installed and managed.
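The judgment described in this subsection and in (6), modelled as an added example that is not JP1/IT Desktop Management 2 code: a policy set to All updates are installed judges every acquired update, a policy set to Selected updates are installed judges only the updates in its update group (so the sales and development policies sharing one group judge the same updates), a grace period keeps recently released updates out of the violations, and the result is ranked by the number of computers on which each update is not applied. Update IDs, computer names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Illustrative model of the security-policy judgment this page describes: an added
# example, not JP1/IT Desktop Management 2 code; IDs, names and dates are constructed.

@dataclass(frozen=True)
class Update:
    kb: str         # constructed update identifier
    released: date  # release date, used for the grace-period check

@dataclass(frozen=True)
class Policy:
    name: str
    expected: str                          # "all" or "selected"
    update_group: frozenset = frozenset()  # judged only when expected == "selected"
    grace_days: int = 0                    # grace period given to apply updates

def judge(policy, update_list, computers, today):
    """Return {computer: sorted missing update IDs} for one security policy.
    computers maps a computer name to the set of update IDs installed on it."""
    if policy.expected == "all":
        targets = set(update_list)
    else:
        targets = {u for u in update_list if u.kb in policy.update_group}
    # An update still inside its grace period is not judged as a violation yet.
    due = {u.kb for u in targets
           if u.released + timedelta(days=policy.grace_days) <= today}
    return {name: sorted(due - installed) for name, installed in computers.items()}

def not_applied_ranking(violations):
    """Rank updates by how many computers lack them, most first, which is the
    order used in the Windows Update Status report."""
    counts = {}
    for missing in violations.values():
        for kb in missing:
            counts[kb] = counts.get(kb, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data: an acquired update list, installed updates per computer,
# and one update group of tested updates shared by two department policies.
UPDATE_LIST = [Update("UPD-A", date(2020, 1, 14)), Update("UPD-B", date(2020, 2, 11)),
               Update("UPD-C", date(2020, 3, 10))]
COMPUTERS = {"sales-pc1": {"UPD-A", "UPD-B"}, "dev-pc1": {"UPD-A"}, "dev-pc2": set()}
TESTED = frozenset({"UPD-A", "UPD-B"})
SALES = Policy("Sales", "selected", TESTED)
DEVELOPMENT = Policy("Development", "selected", TESTED)
ALL_NOW = Policy("All updates are installed", "all")
ALL_GRACE = Policy("All updates, 14-day grace", "all", grace_days=14)
TODAY = date(2020, 3, 15)
```

Calling judge(ALL_NOW, UPDATE_LIST, COMPUTERS, TODAY) flags UPD-C on every computer, while ALL_GRACE leaves UPD-C out because it is still within its 14-day grace period on 2020-03-15.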

(10) Judging the results of distributing Windows updates

Whether a Windows update is successfully distributed is judged by the return value when the update is installed. The following shows the values returned when a Windows update is installed.

Return value   Description
0              Installation successfully finished.
1              Installation failed.
2              The environment is invalid (such as memory shortage or invalid file).
3              An internal error occurred.
4              The installation status of Windows Script Host (WSH) is invalid.
5              An internal error occurred.

(11) Importing and exporting the updated program list

A list of updated programs registered with a management server can be exported to a CSV file. The exported CSV file containing the updated program list is called a patch information CSV file. The exported patch information CSV file can be imported to the source management server or other management servers.

The following table lists commands to import and export the updated program list:

Command                     Description
ioutils exportupdatelist    Exports a patch information CSV file containing a list of updated
                            programs that were manually registered with a management server.
ioutils importupdatelist    Imports a patch information CSV file containing the updated program
                            list that was exported from a management server.

When multiple management servers exist, you can use these commands to ensure that the same updated programs are registered with every management server.