How to determine which computers require what updates

book

Article ID: 179665

calendar_today

Updated On:

Products

Patch Management Solution for Windows

Issue/Introduction

 

Resolution


Question

What are the best Patch Management Reports to run in order to determine which computers require what updates?

Answer
 

Compliance reports:

These reports are the cornerstone for discovering what computers are vulnerable within the environment and which bulletins need to be distributed.  Here you will see the following list of reports:

Go to the Console and from the menu bar go to ReportsAll Reports> Software > Patch Management > Compliance

  • Windows Compliance by Bulletin: Shows a list of Bulletins and details for vulnerability. Right-click the bulletin to view vulnerable computers or other details in the drop down.
  • Windows Compliance by Computer: Shows a list of Computers and details for vulnerability. Right-click the computer to view vulnerable bulletins or other details in the drop down.
  • Windows Compliance by Update: Shows a list of multiple Updates within the bulletin and details for vulnerability. Right-click the bulletin to view vulnerable computers or other details in the drop-down.

Compliance Summary: Is used when reporting on child servers in a hierarchy. It offers a drill down to the three reports above. These reports are run on the child server in real time and the results are transferred to the parent when opening them from this report.

 Best practices for running reports:

  •  Configure the reports to render accordingly via the following parameters:
    • Specific 'Computer' to target any Organization Unit or Group and the Filtered By for any Target or Filter 
    • Release Date From: Certain years of released updates 
    • Vendor: Any, or specifically select Microsoft or other vendor listed 
    • Operating System: Any, or specifically select Windows 8 or other OS listed
    • Category: Any, or Security Update, Non-Security Update, Security Tool or Service Pack
    • Distribution Status
      • Active / Downloaded – Updates that have been staged / Downloaded
      • All – Updates listed in the Manage Software Updates Page / Patch Remediation Center

Note: Report results may appear inconsistent if the same parameters are not supplied in each, or the data being evaluated is based on different information.  Pay close attention to the parameters being used and what data the report is showing.

Reviewing Compliance Report Data:

  •  All Compliance Reports render with the following similar column headers:
    • Applicable: Displays the total count of managed clients that the update count applies to
    • Installed: Displays the total count of managed clients that the update is installed on
    • Not Installed: Displays the total count of managed clients that the update is still vulnerable to
    • Compliance: Displays the percentage of total managed clients that the update is installed on in comparison to the 'Applicable' count (e.g. Applicable=100, Installed=75, so Compliance=75%)
       
  • Individual Compliance Reports will render with other column headers pertinent to that report as follows:
    • Bulletin: Displays the name of the Bulletin as provided by the vendor
    • Update Name: Displays the name of the update as provided by the vendor
    • Severity: Displays the Severity rating of that complete Bulletin as outlined by the vendor
    • Custom Severity: Displays the Custom Severity as set by the Admin (Configured on the Console > Settings > All Settings > Software > Patch Management > Core Services > Custom Severity tab)
    • Name: Displays the managed client name 
    • Release Date: Displays the release date of the update/bulletin
    • Restart Pending: Displays if the managed client is in need of a reboot

 

Additional Information:

Seeing Specific Data: Once the results have been obtained the rows can be sorted clicking the column names, in addition to this the Search field is very helpful to showing desired results.  For example: to see only Critical bulletins the enter the word 'critical' in the search field or a custom severity, to see all bulletins from 2009 type MS09 in the search field and only those items will be loaded into the grid.

Saving options: The reports for Patch, like any reports from NS, can be saved to a Webpart, Snapshot, Spreadsheet, HTML File, Static Filter or XML File. This is done by selecting the Save As option in the top tool bar.

Custom Reports: Support does not assist with creating Custom Reports; however, support is willing to assist with the tables needed to show the desired data.