Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


1.7.3 General procedure for automatically distributing updates

If computers in your organization run Windows, you must apply updates as necessary to correct malfunctions and security problems. JP1/IT Desktop Management 2 can automatically distribute and apply updates released by Microsoft to computers according to a security policy.

To automatically apply updates to computers:

1. Obtain the latest information about updates.

You can automatically obtain the latest information about updates released by Microsoft from the support service site. Check the information about the added updates and decide whether they need to be applied.

2. Automatically distribute updates to computers.

When you set whether updates must be applied as a security policy judgment item, updates that have not been applied to computers are automatically distributed according to the result of the security policy judgment.

3. Check the application status of updates.

Check the application status of updates. If you find a problem, identify the cause and take necessary measures.

The updates have now been applied to the computers, and the computers are maintained in their expected secure state.

(1) Obtaining the latest information about updates

To apply the latest updates to computers, you need to keep track of information about released updates.

You can automatically obtain the latest information about updates released by Microsoft from the support service site. You can check the obtained information about the updates in the Update List view of the Security module.

In addition, you can configure the system to automatically send you an email when an update has been added. From the notification email, you can check the added updates and log in directly from the URL written in the email to check the Update List view.

Important

To obtain the latest information about updates, you must have a support contract.

Important

It takes about 10 working days for the information on the management server to be updated after updates are released by Microsoft.

Tip

Information about updates released on or after January 1, 2006 is registered in the Update List view by default.

Tip

If the management server cannot access the support service site because it cannot connect to the Internet or for some other reason, you can distribute the updates as follows: on a computer that can access the support service site, manually download the updates and related information, and then upload the updates and information to the management server.

(2) Automatically distributing updates to computers

When you set whether updates must be applied as a security policy judgment item, and a particular computer violates that judgment item, you can take measures against the violation by automatically distributing the updates that have not yet been applied to the computer.

There are two methods for distributing updates. One is applying all the updates released by Microsoft and the other is applying specific updates only.

To apply all the updates

When you obtain information about updates from the support service site, the obtained information is applied to a security policy and the security state is determined based on the security policy. If some updates have not yet been applied to computers, these updates are automatically distributed to the computers. You can also exclude specific updates from application by specifying an update group in which the updates to be excluded are registered.

To apply specific updates only

After you select the update group in which the mandatory updates have been registered, the updates included in the selected update group are distributed to computers according to the determination of the security status based on a security policy.

If you want to test updates before distributing them so as to avoid interference with operation in your organization, select the method for applying specific updates only.

How to set each method is described below.

Tip

You can specify the automatic distribution of updates on a security-policy basis. For example, if you want to apply all the updates to computers in the Sales Department and apply only specific updates to computers in the Development Department, create a security policy for each department. Then, set the appropriate update application method in each security policy.

To apply all the updates

Edit a security policy in the Security Policy List view of the Security module.

In Windows Update under Security Configuration Items, select All updates are installed for Install Updates. In addition, select the Auto Enforce check box, and then select Distribute Windows Update (ITDM-compatible distribution).

Based on information about all the updates registered in the management server, the application status of each computer is determined. If any updates that have not yet been applied are found, the updates are automatically distributed.

Tip

If you want to exclude some updates from application, create an update group in advance in the Update List view of the Security module. Then, specify the created update group in Excluded Update Group:.

To apply specific updates only

1. Select the updates applicable to computers.

Create an update group in the Update List view of the Security module.

At the beginning of operation of JP1/IT Desktop Management 2, register in the update group the updates that have already been applied to computers and the updates that you judge as applicable among the updates registered by default.

Tip

There are many updates registered by default. If you want to apply most of them, it is convenient to select all the updates and then clear the check boxes for the ones you do not need.

2. Set a security policy.

Edit a security policy in the Security Policy List view of the Security module.

In Windows Update under Security Configuration Items, select Selected updates are installed for Install Updates. At this time, specify the group created in step 1 for the update group. In addition, select the Auto Enforce check box, and then select Distribute Windows Update (ITDM-compatible distribution).

With these settings, only the updates registered in the update group become security policy judgment targets. If any of those updates are judged as unapplied, they are automatically distributed.

3. Check for newly added updates.

When you obtain information about new updates from the support service site, decide whether the updates need to be applied.

If you judge the updates as applicable, register them in the update group. Registering them adds them as security policy judgment targets. If you judge updates as not applicable, enter the reason in the Notes tab of the Update List view.

Tip

To test whether an update is applicable, it is convenient to set up an update group and a security policy for testing, and then assign that security policy to a test computer. Simply by registering the update to be tested in the test update group, you can automatically distribute that update to the test computer.

The updates registered in the update group are automatically distributed to computers according to the determination of the security status based on the security policy.

(3) General procedure for checking the application status of updates

Using the Windows Update tab in the Security Policy List view of the Security module, you can check whether there is any problem with the application status of updates.

After checking the device security status, if you find that the violation level is Safe, there is no problem. However, if the violation level is Important or Critical, some updates might not have been applied. Keep track of the status and take necessary measures as follows:

1. Keep track of the application status of updates.

The Security Policy List view shows only whether a problem exists. To identify which update has a problem, display the Windows Update Installation Status report in Security Detail Reports. In this report, you can identify the update that has not been applied to computers.

2. Check for the cause of non-application.

If the report shows that an update has not been applied to computers, distribution of that update might have failed. In the Task List view of the Distribution (ITDM-compatible) module, select the task whose type is Policy Based Task(Windows Update), and then check the status of the computer to which the update was not distributed. The details of the task status show the cause of the distribution failure.

3. Take measures against the non-application of the update.

You can redistribute the update to the computers to which the update has not been applied.

In the Security Policy List view of the Security module, select the Windows Update tab, and under Action, click the Distribute Windows Update (ITDM-compatible distribution) button. The update is redistributed to the computers to which that update has not been applied.

Tip

You can also redistribute an update by using the Enforce button in the Computer Security Status view.

You have now finished checking the application status of the update and taken necessary measures. If there are multiple updates that have not been applied, repeat this procedure to take necessary measures.

Tip

You can also check the distribution status of updates by using the task execution result. If an update distribution failed, check the task status in detail and correct the cause. Check the status of update application to computers by using the Not Applied Computers tab in the Security Policy List view of the Security module.