Understanding Patch Compliance in IT Management Suite (ITMS)
Article ID: 417793


Products

IT Management Suite Patch Management Solution

Issue/Introduction

The Patch Management Solution for IT Management Suite (ITMS) provides detailed reports to track patch deployment compliance. However, the terminology used in reports such as "Software Bulletin Details" (SMP Console: Home > Patch Management > Bulletins and Updates) and "Windows Compliance by Bulletin" (SMP Console: Home > Patch Management > Compliance by Bulletin) can be confusing. Understanding what the key report columns Applicable, Applies To, Installed (Count), and Not Installed (Count) mean, and how they relate to the client's internal patch status, is crucial for accurate compliance reporting.

This article clarifies the meaning of key patch status columns, such as Applicable, Applies To, Installed (Count), and Not Installed (Count), and recommends using the more straightforward "Compliance by" reports for a clear compliance overview.

Environment

IT Management Suite (ITMS)

Patch Management Solution for Windows or Linux operating systems.

Cause

The Patch Management Solution relies on a multi-step workflow where client computers determine their own patch requirement status. The compliance columns in the console reports are a direct result of the Applicability Scan and the Compliance/Installed Scan results reported back from managed computers.

The Patch Management Solution uses an Applicability Scan (Windows System Assessment Scan, WSAS) to determine which managed computers are applicable to a specific software update (patch) and, if applicable, whether it is installed, effectively installed, or missing. The report columns are a direct reflection of the data collected during this scan and the subsequent deployment status.

The column names derive from internal logic:

  • Applicable / Applies To: Determined by the applicability rules of the software update.
  • Installed / Not Installed: Determined by the installed rules of the software update.


The Patch Management Workflow

Understanding this workflow is key to interpreting the report data. This process ensures that computers are only targeted with patches they truly need.

  1. PMImport (Data Import): The Patch Data is downloaded to the Symantec Management Platform (SMP) Server. This includes all the metadata, applicability rules, and installed rules for the patches.
  2. Software Update Policy: The administrator enables the Software Update Policy, which distributes the patch metadata and rules to the targeted client computers via the Patch Management Agent.
  3. Applicability Scan (IsApplicable Check): The client computer runs the Applicability Scan (often using the IsApplicable check). The client compares the patch's applicability rules against its local system configuration and inventory. This scan determines if the patch is required. The resulting data populates the Applicable and Applies To counts in the reports.

    Core Checks: The client verifies:

      1. OS Type and Architecture: Do the OS (e.g., Windows 10, Server 2019) and architecture (e.g., x64) match the patch requirement?
      2. Prerequisites: Is the prerequisite software (e.g., a specific product version or service pack) already installed?

    Result:

      • If the patch is required, the status is set to NEEDED (or Applicable).
      • If the patch is NOT required (e.g., wrong OS or already superseded), the status is set to NOT APPLICABLE.

  4. Software Update Cycle: If the patch is applicable (status NEEDED), the client downloads and executes the package.
  5. Compliance/Installed Scan (IsInstalled Check): After the installation attempt, the client runs the Installed Scan (using the IsInstalled check). This confirms whether the patch's installed rules (e.g., checking registry keys, file versions) are now satisfied, i.e., whether the patch is present.

    Result: This scan determines if the patch is Installed or Not Installed. This data populates the respective count columns.

      1. If the patch is confirmed present, the status is set to INSTALLED.
      2. If the patch is still missing, the status remains NEEDED.

Resolution

The reports mentioned below can be accessed under Home > Patch Management.

1. Understanding Key Report Columns

The columns provide two different perspectives on the patch status:

| Column Name | Report Location | Meaning (What does it count?) | Patch Status Check |
|---|---|---|---|
| Applies To | "Software Bulletin Details" | The total number of unique computers that the patch's applicability rules determined may need this update. This count covers all discovered patches for a given bulletin. | Applicability (Is this patch necessary / could it apply?) |
| Applicable | "Compliance by Bulletin" | The number of computers that the patch's applicability rules determined need this update. (Equivalent to Applies To in the other report.) | Applicability (Is this patch necessary?) |
| Installed (Count) | "Compliance by Bulletin" | The number of computers where the patch's installed rules determined the update has been successfully applied, has had a superseding update installed, or otherwise does not need to actually install the update. | Installed Status (Is the patch or a superseding patch installed?) |
| Not Installed (Count) | "Compliance by Bulletin" | The number of computers that are Applicable but where the patch's installed rules determined the update is not yet present. This is your primary metric for non-compliance. | Installed Status (Is the patch missing?) |
| Updates | "Software Bulletin Details" | The total number of individual patches (Software Update resources) within a single Bulletin. A Bulletin may contain one or many individual patches. | Metadata (How many patches are in the bulletin?) |
| Available | "Software Bulletin Details" | The total number of patches that have been successfully downloaded and are ready for deployment. | Readiness (Is the patch ready to deploy?) |
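To make the workflow above and the column definitions concrete, here is an added model (not Symantec code, and not the product's real rule engine) of the IsApplicable and IsInstalled checks for a constructed bulletin with two updates and five computers, rolled up into the Updates, Applicable, Installed and Not Installed columns. The rule shapes (OS/architecture, prerequisite product, registry-style "installed" markers), the sample values, and the compliance percentage formula (installed / applicable) are all assumptions made for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Update:
    name: str
    applies_to: frozenset         # applicability rule: supported OS/architecture strings
    prerequisite: str             # applicability rule: product that must already be present ("" = none)
    installed_markers: frozenset  # installed rule: any one (incl. a superseding fix) proves presence

@dataclass(frozen=True)
class Computer:
    name: str
    platform: str        # OS type plus architecture, e.g. "Windows 10 x64"
    software: frozenset  # inventoried products
    markers: frozenset   # registry keys / file versions found on the client

def applicability_scan(u: Update, c: Computer) -> str:
    """IsApplicable check: OS/architecture and prerequisite rules yield NEEDED or NOT APPLICABLE."""
    if c.platform not in u.applies_to:
        return "NOT APPLICABLE"
    if u.prerequisite and u.prerequisite not in c.software:
        return "NOT APPLICABLE"
    return "NEEDED"

def client_status(u: Update, c: Computer) -> str:
    """IsInstalled check runs only for NEEDED updates: INSTALLED, otherwise still NEEDED."""
    if applicability_scan(u, c) != "NEEDED":
        return "NOT APPLICABLE"
    return "INSTALLED" if u.installed_markers & c.markers else "NEEDED"

def compliance_by_bulletin(updates: list, computers: list) -> dict:
    """Roll per-computer statuses up into the bulletin-level report columns."""
    applicable = {c.name for u in updates for c in computers if client_status(u, c) != "NOT APPLICABLE"}
    not_installed = {c.name for u in updates for c in computers if client_status(u, c) == "NEEDED"}
    installed = applicable - not_installed  # every needed update present or superseded
    # Assumed formula: installed / applicable; the article does not spell it out.
    pct = round(100 * len(installed) / len(applicable), 1) if applicable else 100.0
    return {"Updates": len(updates), "Applicable": len(applicable),
            "Installed": len(installed), "Not Installed": len(not_installed), "Compliance %": pct}
# Constructed sample bulletin (two updates) and fleet (five computers); all values are made up.
BULLETIN = [
    Update("UPD-1", frozenset({"Windows 10 x64"}), "", frozenset({"upd1-fix"})),
    Update("UPD-2", frozenset({"Server 2019 x64"}), "Product 1.0", frozenset({"upd2-fix", "upd2-newer-fix"})),
]
FLEET = [
    Computer("pc1", "Windows 10 x64", frozenset(), frozenset({"upd1-fix"})),
    Computer("pc2", "Windows 10 x64", frozenset(), frozenset()),
    Computer("pc3", "Windows 10 x86", frozenset(), frozenset()),
    Computer("srv1", "Server 2019 x64", frozenset({"Product 1.0"}), frozenset({"upd2-newer-fix"})),
    Computer("srv2", "Server 2019 x64", frozenset(), frozenset()),
]
```

Note that srv1 counts as Installed although it never received UPD-2 itself: its superseding fix satisfies the installed rule, which is exactly why the Installed column can exceed the number of computers that actually ran the package.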


2. Using "Software Bulletin Details" vs. "Compliance by Bulletin"

  • "Software Bulletin Details" is best used for Patch Release Management and troubleshooting download issues. It lists all available bulletins, how many individual updates each contains, how many are available for deployment, and the total number of computers the bulletin "Applies To" (may need). It also shows which bulletins have downloaded updates stored on the Notification Server (and on Package Servers, if they exist).

  • "Compliance by Bulletin" is best used for Patch Compliance Reporting. It clearly shows the percentage and count of computers that are Applicable and how many have the patch Installed versus Not Installed. This report provides a clearer, at-a-glance view of your current patch compliance status.

3. Recommendation for Compliance Reporting

For management and compliance tracking, it is strongly recommended to use the "Compliance by Bulletin" or "Compliance by Computer" reports.

These reports use the Compliance Percentage, which is calculated as:

This provides the most accurate and easily understandable metric for your patching success.


Additional Information

For additional troubleshooting and related information, refer to these Knowledge Base articles:

How the Symantec Patch Management Solution determines if a computer is Applicable to a Software Update

How a patch is determined to be Installed on a computer

Patch Compliance Status does not seem to match the report data

Patch Management Solution: Understanding Patch Statuses and how they are calculated in the Console

Is the Installed column in the Compliance by Bulletin report accurate?

Software Updates failing to deploy in Patch Management v8.x (Workflow and Troubleshooting)

Definitions for each main Software Update status in IT Management Suite

What are the best Patch Management Reports to run in order to determine which computers require updates?