Patch Management Reports show conflicting applicable numbers
Last Updated August 20, 2018
The following discrepancies are seen between the canned reports and other patching software:
Patch Management Compliance Reports show different applicable update counts than the Software Bulletin Details Report. Generally, the Software Bulletin Details Report's total targeting Client count is higher than the Applied To count from the Compliance Reports.
Patch Management Reports show different vulnerabilities than other tools used to check vulnerabilities.
Summary of cause:
The Software Bulletin Details report displays all targeting data and, when it renders, does not apply the same filters (implemented in the Views, Tables and Stored Procedures) that the Compliance Reports apply. This report will therefore often show superseded updates as applicable to computers; however, Patch Management will not actually install superseded updates on clients.
Note: Software Updates cannot be deployed from this report. It is only a 'Details' report and is not intended for targeting or for reviewing Compliance.
Shavlik, WSUS, Windows Update Tool and Altiris may all scan for different vulnerable files / segments within the software.
The following will help with understanding differences between the reports:
It is best practice to use the Compliance by Bulletin, Update and Computer reports when targeting vulnerable Software Updates; these reports were designed for that purpose. The Software Bulletin Details report, by contrast, was designed to give a raw overall view of the Updates in the environment without any filtering, and that includes the superseded targeting.
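To make the difference between the two report types concrete, the following is an added example (not code from the Altiris product or this article) that models the supersession filter in a few lines of Python. The update catalogue, the bulletin names and the targeting rows are constructed sample data, and the two counting functions are a simplified stand-in for the product's Views and Stored Procedures, not their actual logic:

```python
"""Why a raw 'details' count exceeds a filtered 'compliance' count when
superseded updates are not filtered out.  Simplified model; all data is
constructed for this example and the logic is not the product's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Update:
    update_id: str
    bulletin: str
    superseded_by: Optional[str] = None  # None means this is the current update


# Constructed catalogue: one bulletin whose old update is superseded by a newer one.
UPDATES: Dict[str, Update] = {
    "KB-OLD": Update("KB-OLD", "BULLETIN-EXAMPLE", superseded_by="KB-NEW"),
    "KB-NEW": Update("KB-NEW", "BULLETIN-EXAMPLE"),
    "KB-OTHER": Update("KB-OTHER", "BULLETIN-OTHER"),
}

# Constructed targeting rows (client, update_id): the scan found the update applicable.
TARGETING: List[Tuple[str, str]] = [
    ("client-a", "KB-OLD"), ("client-a", "KB-NEW"),
    ("client-b", "KB-OLD"),      # only the superseded update targets this client
    ("client-c", "KB-NEW"),
    ("client-d", "KB-OTHER"),    # different bulletin; must not be counted
]


def updates_in_bulletin(bulletin: str) -> Set[str]:
    """All update ids that belong to a bulletin, superseded or not."""
    return {u.update_id for u in UPDATES.values() if u.bulletin == bulletin}


def details_targeting_count(bulletin: str) -> int:
    """Software Bulletin Details style: every targeting row counts, no supersession filter."""
    ids = updates_in_bulletin(bulletin)
    return len({client for client, uid in TARGETING if uid in ids})


def compliance_applied_to_count(bulletin: str) -> int:
    """Compliance style: superseded updates are filtered out before clients are counted."""
    ids = {uid for uid in updates_in_bulletin(bulletin)
           if UPDATES[uid].superseded_by is None}
    return len({client for client, uid in TARGETING if uid in ids})


def explain_discrepancy(bulletin: str) -> Dict[str, str]:
    """For each client the details report counts but compliance does not, say why."""
    ids = updates_in_bulletin(bulletin)
    current = {uid for uid in ids if UPDATES[uid].superseded_by is None}
    reasons: Dict[str, str] = {}
    for client in sorted({c for c, uid in TARGETING if uid in ids}):
        targeted = {uid for c, uid in TARGETING if c == client and uid in ids}
        if not targeted & current:  # nothing current applies; only superseded rows remain
            reasons[client] = ("targeted only by superseded update(s) "
                               + ", ".join(sorted(targeted)))
    return reasons


if __name__ == "__main__":
    b = "BULLETIN-EXAMPLE"
    print("details targeting count :", details_targeting_count(b))
    print("compliance applied-to   :", compliance_applied_to_count(b))
    for client, why in explain_discrepancy(b).items():
        print(f"  {client}: {why}")
```

Running the module shows the details count at 3 and the compliance count at 2; the difference is client-b, which is targeted only by the superseded KB-OLD row. That is exactly the kind of client the Details report lists as applicable even though Patch Management would never push the superseded update to it.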
Patch Management checks for everything the vendor documents as vulnerable in order to determine that the update is applicable.
Note: Patch Management will only roll out the Security Update(s) for which the executable will run and perform as designed by the vendor.
Deployment for Software Updates is managed mainly on the Console > Actions > Software Patch Remediation Center:
View TECH198736 if there are any problems confirming the presence of a Software Update
Other reasons that 3rd party tools will find different vulnerabilities:
Windows Update checks for OS vulnerabilities, so updates for Exchange, SQL, etc. are not checked by this tool.
WSUS, Shavlik, and others also perform different checks and may find vulnerabilities that differ from Altiris.
Specifically, MBSA: part of the checks it makes use the MSI tables for confirmation. The MSI table may not be refreshed when Altiris installs the update; therefore, the update shows as compliant for Altiris but not for MBSA. Manual installation will resolve this if needed.
Advisory: One tool may report a Software Bulletin as vulnerable while another tool shows it as installed. This can happen when a different Software Update within the Bulletin is the vulnerable one and the tool is limited to displaying Bulletins rather than the individual Updates. Be sure to research the details of the vulnerable update.
An easy way to check this: manually install the Software Update on a test machine and view the results. Then contact the vendor of the tool that appears to be inaccurate so that they can review its rule targeting. If there is a question about Patch Management Solution targeting, review HOWTO95427.
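The MBSA point above (two tools consulting different evidence and disagreeing about the same update) can be shown in a small simulation. This is an added example, not code from MBSA, Altiris or this article: the endpoints, file versions, paths and patch codes are constructed, and the two scanner functions are a simplified model of a file-version check versus an MSI-table (installed-patch record) check, not either product's real detection logic.

```python
"""Two scanners, two evidence sources: a file-version check versus an MSI-table
(installed-patch record) check.  Simplified model with constructed data; this is
not the actual Altiris or MBSA detection logic."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


@dataclass
class Endpoint:
    name: str
    file_versions: Dict[str, Version]                    # path -> installed version
    msi_patches: Set[str] = field(default_factory=set)   # patch codes recorded in MSI tables


@dataclass(frozen=True)
class UpdateRule:
    update_id: str
    vulnerable_files: Dict[str, Version]   # path -> first fixed version (vendor documented)
    msi_patch_code: str                    # what an MSI-table check looks for


# Constructed rule: one vendor-documented file and one MSI patch code (placeholders).
RULE = UpdateRule("KB-EXAMPLE",
                  {"C:/Program Files/App/app.exe": (2, 0, 5)},
                  "PATCH-EXAMPLE")

# Constructed endpoints covering the three interesting states.
ENDPOINTS: List[Endpoint] = [
    Endpoint("host-1", {"C:/Program Files/App/app.exe": (2, 0, 5)}, {"PATCH-EXAMPLE"}),
    Endpoint("host-2", {"C:/Program Files/App/app.exe": (2, 0, 5)}, set()),   # stale MSI table
    Endpoint("host-3", {"C:/Program Files/App/app.exe": (2, 0, 1)}, set()),   # truly unpatched
]


def file_based_vulnerable(ep: Endpoint, rule: UpdateRule) -> bool:
    """Vulnerable if any documented file is missing or below the fixed version."""
    for path, fixed in rule.vulnerable_files.items():
        installed = ep.file_versions.get(path)
        if installed is None or installed < fixed:
            return True
    return False


def msi_table_vulnerable(ep: Endpoint, rule: UpdateRule) -> bool:
    """Vulnerable if the MSI patch record is absent, whatever the file on disk says."""
    return rule.msi_patch_code not in ep.msi_patches


def compare_scanners(endpoints: List[Endpoint], rule: UpdateRule) -> Dict[str, str]:
    """Classify each endpoint by whether the two evidence sources agree."""
    result: Dict[str, str] = {}
    for ep in endpoints:
        by_file = file_based_vulnerable(ep, rule)
        by_msi = msi_table_vulnerable(ep, rule)
        if by_file == by_msi:
            result[ep.name] = "agree: vulnerable" if by_file else "agree: compliant"
        elif by_msi and not by_file:
            result[ep.name] = "file check compliant, MSI check vulnerable (stale MSI table)"
        else:
            result[ep.name] = "file check vulnerable, MSI check compliant"
    return result


if __name__ == "__main__":
    for host, verdict in compare_scanners(ENDPOINTS, RULE).items():
        print(f"{host}: {verdict}")
```

host-2 is the case the article describes: the vendor-documented file is at the fixed version, so a file-based check reports compliant, while a scanner that trusts the MSI table still reports the update missing because that record was never refreshed. Reinstalling manually (as the article suggests) populates the MSI record and brings the two views back into agreement.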