Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


15.3.5 Judgment for cumulative updates and Security Monthly Quality Rollup for Windows

JP1/IT Desktop Management 2 - Manager determines whether cumulative updates or Security Monthly Quality Rollup (rollup updates) for Windows has been applied by using the following methods:

  • Expiration date of security judgment for cumulative updates and Security Monthly Quality Rollup for Windows

    An expiration date is set for security judgment for cumulative updates and Security Monthly Quality Rollup for Windows so that after the expiration date, the security status is not determined.

  • Security judgment for unknown updates

    When unknown updates# not present in the update information posted on the support service site are applied, it is assumed that the latest updates are applied.

    #: Unknown updates are only those whose classification is the security fix program.

  • Security judgment for updates taking into consideration the grace period

    If a grace period is set, which is a time period between the release of new updates and the successful application of the updates, even when the latest rollup updates have not been applied, the security status of managed computers is not assessed as "Not applied" during the set grace period.

Important

The security judgment for updates taking into consideration the grace period must be used together with the security judgment for unknown updates.

Important

If you use the security judgment for unknown updates, you cannot use the expiration date of security judgment for cumulative updates and Security Monthly Quality Rollup for Windows.

Important

If you use the expiration date of security judgment for cumulative updates and Security Monthly Quality Rollup for Windows, you cannot use the security judgment for unknown updates.

Important

If the version of JP1/IT Desktop Management 2 - Agent installed on a managed computer is earlier than 12-00, even when the use of the security judgment for unknown updates is enabled on this computer, this setting is disabled.

The expiration date setting for the security judgment for cumulative updates and Security Monthly Quality Rollup for Windows is also disabled.

Important

Even when Microsoft releases rollup updates, these updates cannot be automatically distributed to computers until the latest update information is posted on the support service site. To distribute rollup updates under this circumstance, you have to manually distribute them.

Tip

If you manually add rollup updates to the list, the updates are treated as normal updates instead of as rollup updates subjected to the security judgment.

(1) Expiration date of security judgment for cumulative updates and security monthly quality rollups for Windows

When a cumulative update or security monthly quality rollup (called monthly rollup) is installed on Windows, the last month's rollup is removed from Windows. Normally, JP1/IT Desktop Management 2 - Manager judges that the security level of a device is in danger if a target monthly rollup is not installed on the managed device. To prevent security judgment from being affected by removed monthly rollups, JP1/IT Desktop Management 2 - Manager no longer checks for a monthly rollup after a specified period expires.

For example, suppose that monthly rollups are released in April and May 2017. Microsoft releases a monthly rollup on the second Tuesday of every month (in US time), which in April 2017 is April 11. The support service site releases a patch information file in late April so that JP1/IT Desktop Management 2 - Manager can import the file to start security judgment. In May, Microsoft releases a monthly rollup on the 9th of the month. JP1/IT Desktop Management 2 - Manager no longer checks for the April rollup on May 9 or later.

[Figure]

To change the expiration date, you need to edit the configuration file (jdn_manager_config.conf).

To change the expiration date for monthly rollup:

  1. Add the property described below to the configuration file.

    The configuration file (jdn_manager_config.conf) exists in the following location:

    JP1/IT-Desktop-Management-2-installation-folder\mgr\conf

  2. Restart the JP1/IT Desktop Management 2 service.

The following table describes the property to be added to the configuration file:

| Property | Description | Value | Default |
|---|---|---|---|
| RollUpPatch_ExpirationDate | Expiration date for a monthly rollup judgment. The security judgment for a monthly rollup is no longer made after the specified date. The specified value is interpreted as a date in the Eastern Standard Time in US. | Specify 0 or a value in the format: nth-week,day-of-week. nth-week can be 1 to 5. day-of-week can be 1 to 7. The day-of-week value represents: 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday. When 0 is specified, no expiration date is set on the judgment. | 2,3 (The second Tuesday) |

For example, the value 3,1 (the third Sunday) means that the judgment period expires on May 21, 2017.
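The nth-week,day-of-week format resolved to a calendar date, as an added example (not code from the manual or the product). The function names are hypothetical. It assumes nth-week counts occurrences of the weekday within the month, which matches the manual's 3,1 = May 21, 2017 example, and it raises an error when the month has no such occurrence because the page does not say what the product does in that case.

```python
import calendar
import re
from datetime import date

# Documented format: 0, or nth-week (1-5) "," day-of-week (1-7, 1 = Sunday).
VALUE = re.compile(r"([1-5]),([1-7])")


def parse_expiration(value):
    """Return None for "0" (no expiration date) or (nth_week, day_of_week)."""
    if value == "0":
        return None
    match = VALUE.fullmatch(value)
    if match is None:
        raise ValueError(f"invalid RollUpPatch_ExpirationDate value: {value!r}")
    return int(match.group(1)), int(match.group(2))


def expiration_date(value, year, month):
    """Return the date in the given month on which the judgment expires.

    The manual interprets the date in US Eastern Standard Time; this function
    returns only the calendar date and does no time zone conversion.
    """
    parsed = parse_expiration(value)
    if parsed is None:
        return None
    nth_week, day_of_week = parsed
    # Manual: 1 = Sunday ... 7 = Saturday. Python: Monday = 0 ... Sunday = 6.
    py_weekday = (day_of_week + 5) % 7
    first_hit = 1 + (py_weekday - date(year, month, 1).weekday()) % 7
    day = first_hit + 7 * (nth_week - 1)
    if day > calendar.monthrange(year, month)[1]:
        # Assumption: treated as an error here; product behaviour is not documented.
        raise ValueError(f"{year}-{month:02d} has no occurrence {nth_week} of that weekday")
    return date(year, month, day)


if __name__ == "__main__":
    for value in ("2,3", "3,1", "0"):
        print(value, "->", expiration_date(value, 2017, 5))
```
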

(2) Security judgment for unknown updates

If you use security judgment for unknown updates#, JP1/IT Desktop Management 2 - Manager determines the security status even for managed computers to which unknown rollup updates (updates not present in the update information posted on the support service site) have been applied.

#: Unknown updates are only those whose classification is the security fix program.

If you are using security judgment for unknown updates, open the Settings module, and select Security and then Security Judgment Settings for Update Programs. In the displayed view, select the Include unsupported monthly rollups and cumulative updates when judging the security status of a computer check box.

When rollup updates that are of a newer version than that of the update information posted on the support service site are installed on a computer, the rollup updates are treated as unknown rollup updates. Until the latest support service update information is reflected in JP1/IT Desktop Management 2 - Manager, it is assumed that the latest rollup updates have been applied as long as either the latest rollup updates registered in the support service update information or the unknown rollup updates are applied.

If, on the other hand, the rollup updates applied to a computer are of an older version than that of the latest rollup updates registered in the update information posted on the support service site, it is assumed that the latest rollup updates have not been applied.

Rollup updates manual registration file

When there are serious flaws in rollup updates, modified rollup updates may be released. Adding the modified information to the rollup updates manual registration file described below enables the judgment of the updates with JP1/IT Desktop Management 2.

JP1/IT Desktop Management 2-installation-folder\mgr\conf\jdn_manager_security_patch.properties

The following table describes the specifications of the rollup updates manual registration file:

| Item | Description |
|---|---|
| File format | Comma-separated values (CSV) file |
| Encoding | UTF-8 (without BOM) |

Information inside the rollup updates manual registration file is processed according to the following rules:

The following table describes the information specified in the rollup updates manual registration file:

| Row | Field | Required or optional | Description | Acceptable value |
|---|---|---|---|---|
| 1 | Type | Required | Specify replace. | replace: This means that the flawed rollup updates have been replaced by the modified rollup updates. |
| 2 | The article ID of the flawed rollup updates | Required | Specify the article ID of the flawed rollup updates. | A 1- to 10-digit number |
| 3 | The article ID of the modified rollup updates | Required | Specify the article ID of the modified rollup updates. | A 1- to 10-digit number |
| 4 | The date on which the modified rollup updates are released | Required | Specify the date on which the modified rollup updates are released. Specify the release date in U.S. time that is posted on Microsoft Knowledge Base. | YYYY/MM/DD format, where YYYY denotes the year, MM the month, and DD the date. |
| 5 | Exclusion setting | Optional | Specify whether JP1/IT Desktop Management 2 is to assess the security status as "Not applied" when the flawed rollup updates have been applied. | 1: The security status is assessed as "Not applied" (rollup updates are not yet applied) when the flawed rollup updates have been applied. Values other than 1 or blank: Even when the flawed rollup updates have been applied, the security status is not assessed as "Not applied" (rollup updates are not yet applied). When a grace period is set, the security status is assessed as "Applied" (rollup updates are applied) during the set grace period. |

Important
  • If the rollup updates manual registration file has any lines that have an incorrect format or that are not correctly specified, the lines in question are ignored.

  • This is valid only when "The article ID of the flawed rollup updates" is included in the update information posted on the support service site.

  • If there are multiple lines specifying "The article ID of the flawed rollup updates", only the first line is valid.

  • If "The article ID of the modified rollup updates" is already included in the update information posted on the support service site, the following operation is performed:

    • If 1 is specified as the "Exclusion setting", the flawed rollup updates are excluded from assessment.

    • "The date on which the modified rollup updates are released" remains unchanged.

    • If the flawed rollup updates are identical to the latest rollup updates and the modified rollup updates provided to address the flawed updates are identical to the old rollup updates, it is assumed that the specified information is incorrect and the line in question is ignored.

The following is an example of how information is specified in the rollup updates manual registration file:

replace,123456,55555,2018/01/04
replace,55555,22222,2018/06/07,1
replace, 987654,1543566,2018/07/01,0
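Because lines with an incorrect format are ignored rather than reported, a pre-check of the registration file before deployment is useful. The following is an added example, not code from the manual or the product, and its function names are hypothetical. It applies the documented field rules and the first-line-wins rule, reading that rule as applying to repeats of the same flawed article ID. It also assumes that whitespace around a field is tolerated and that a line with more than five fields is malformed, neither of which the page states.

```python
import re
from datetime import datetime

BOM = b"\xef\xbb\xbf"
ARTICLE_ID = re.compile(r"[0-9]{1,10}")            # "A 1- to 10-digit number"
DATE = re.compile(r"[0-9]{4}/[0-9]{2}/[0-9]{2}")   # YYYY/MM/DD

def field_problem(f):
    """Return why a split line breaks the documented format, or None."""
    if len(f) not in (4, 5):
        return "expected 4 fields plus an optional exclusion setting"
    if f[0] != "replace":
        return "Type must be 'replace'"
    if not ARTICLE_ID.fullmatch(f[1]) or not ARTICLE_ID.fullmatch(f[2]):
        return "article ID must be a 1- to 10-digit number"
    try:
        if not DATE.fullmatch(f[3]):
            raise ValueError(f[3])
        datetime.strptime(f[3], "%Y/%m/%d")         # rejects e.g. month 13
    except ValueError:
        return "release date must be a valid YYYY/MM/DD date"
    return None

def lint_registration(raw):
    """Return (accepted entries, [(line number, finding)]) for the file bytes."""
    findings = []
    if raw.startswith(BOM):
        findings.append((0, "UTF-8 BOM present; manual requires UTF-8 without BOM"))
        raw = raw[len(BOM):]
    accepted, seen = [], set()
    for n, line in enumerate(raw.decode("utf-8").splitlines(), 1):
        if not line.strip():
            continue
        # Assumption: whitespace around a field is tolerated (the manual's own
        # sample has a space after a comma); the manual does not state this.
        f = [part.strip() for part in line.split(",")]
        problem = field_problem(f)
        if problem is None and f[1] in seen:
            problem = "flawed article ID already registered; only the first line is valid"
        if problem:
            findings.append((n, problem))
            continue
        seen.add(f[1])
        accepted.append({"flawed": f[1], "modified": f[2], "released": f[3],
                         "flawed_is_not_applied": len(f) == 5 and f[4] == "1"})
    return accepted, findings

# The manual's three sample lines, then four constructed malformed lines.
SAMPLE = (b"replace,123456,55555,2018/01/04\nreplace,55555,22222,2018/06/07,1\n"
          b"replace, 987654,1543566,2018/07/01,0\nreplace,123456,77777,2018/08/01\n"
          b"update,111,222,2018/09/01\nreplace,12345678901,333,2018/09/01\n"
          b"replace,444,555,2018/13/01\n")
```

Lines reported in the findings list are the ones to correct before the file is placed in the conf folder; line number 0 refers to the file as a whole.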

(3) Security judgment for updates taking into consideration the grace period

It takes a certain period of time to apply updates. Security judgment can be performed by treating this period of time as a grace period. A grace period refers to a time period between the release of new updates from Microsoft and the successful application of the updates.

If you set a grace period, even when the applied rollup updates are not the latest ones, the security status is not assessed as "Not applied" (the latest rollup updates are not yet applied) during the set grace period.

You can set a grace period by using the Settings module. In the Settings module, select Security, and then Security Judgment Settings for Update Programs. In the displayed view, select the Include unsupported monthly rollups and cumulative updates when judging the security status of a computer check box and also the Set the grace period for judging the security status of updates check box. For Grace Period, set a value in the range from 1 to 180. 7 is set by default.

Important

To set a grace period for applying updates, you have to use the security judgment for unknown updates.

Important

If you set a grace period, the updates that have not been applied yet are the latest ones.