How to interpret your Suite3 MSP Patch Report

As mentioned in previous blogs, we’ve been working on new report formatting and have been going live with these new reports on a rolling basis through Q1. One of these new reports is titled the “Suite3 MSP Patch Report” which is to serve as an executive summary of the overall patch health status of your environment. This report provides data on one page, in two parts.

The first portion of the report shows the patch percentage of systems in the environment.  In a recent report of our environment, 67.4% of all systems were 100% patched – pretty cool – and they were represented in a big green pie wedge.  However, 11.6% of our systems were missing over 30% of available patches.  This is usually for a reason, but in general, we strive for at least 70% of all systems to be 100% patched, and <10% of systems to be under 70% patched, so we have a little work to do in our example to improve those percentages. 

The 2nd part of the report is presented as a matrix and shows the percentage of the available approved patches which have been applied, based on the age of the patch.  There are two things to look for in this data – first, the natural assumption would be that the older the patch, the higher we’d expect to see the percentage, so it seemingly makes sense that in our report, patches over a year old were at 99.1% deployed, while patches released in the current month were only 86% deployed – they’re still in the process of rolling out.  Keep in mind, however, that Microsoft will regularly release a new patch with an old date. Why? The full answer would require a blog of its own, so let’s move on and just accept that even patches that are over a year old will rarely ever be at 100%.

Examining further, the overall percentage is 96.8%, meaning that nearly 97% of all available updates are applied across all systems.  In general, we strive for this overall percentage to be over 95%, and should typically land in the 97% range as an expectation from report to report.

Both of these sections are critical in examining overall patch health. For example, let’s say an environment has 10 systems being patched, and each system as 10 available patches, meaning 100 total for the installed base. The overall patch percentage is 97%, meaning there are 3 missing patches out of 100. We’d have to look at the top of the report to figure out if that’s 3 patches missing on 1 system, or if that may be 1 patch missing on 3 systems.

And there’s a lot more to it than that, so clients that have been receiving our detailed patch report will continue to receive those as well. Keep in mind this summary is a snapshot in time – it’s something to verify we are continually working to keep the patch health of every client environment moving forward – and is offered as a verification of our accountability to keeping our client’s data secure. Managing updates is a moving target, and we are committed to keep moving right along with it.