Why isn’t everything on my patch report 100% patched?

Clients who receive our automated patch management service receive regular patch health reports, and as a result, the same questions come up on a regular basis: “Why aren’t all systems in the report 100% patched?” “Shouldn’t 100% patching be the goal?” In theory, 100% patch delivery does seem like a reasonable expectation, but in practice there are a number of factors that routinely prevent a client’s patch report from hitting that target.

Examples of reasons why systems may not be reporting 100% patched include:

  1. Systems turned off or sleeping that we can’t wake up during the patch window(s); Wake-On-LAN must be properly configured in order to work, and systems with wireless-only network access cannot be woken up remotely if they’re off or sleeping.
  2. Unsupported operating systems – Those OSes (like Windows XP, Vista, or Server 2003) might technically be up-to-date to the last updates they were eligible to receive, but they’re not supported, so we flag those as grey.
  3. New software was just installed that needs patches that the system didn’t need before.
  4. Windows Updates are broken, or the Windows Update Agent is out-of-date. Microsoft constantly revises its code for the Windows Update mechanisms; this makes it more difficult to score updates reliably when the goalposts move so frequently.
  5. Computer no longer exists / has been retired. When you take a system out of service, it never hurts to tell us! This may also affect client billing.
  6. Patching is disabled deliberately either at the request of the client or for maintenance by our tech staff. New systems built as part of a project may temporarily be placed in this state.
  7. (third-party updates only) A third-party application recently released a new version that hasn’t made its way out to all targets yet.
  8. The patch report was issued directly after approval of new Windows Updates for distribution; of course, they’ll still be missing everywhere. The same thing happens when Microsoft re-issues a patch that previously broke things.

As part of our patch report generation process, we have created counters for various review codes to try to identify problems before reports are generated. However, the scale and scope of offending systems can be quite large, even for relatively simple and benign reasons. For example, a recent query from our RMM database showed that 296 systems of our over 4,000 managed devices have been off-line for over two weeks. These may be laptops used only occasionally for presentations, PCs in training rooms or unused cubicles, or systems for employees on extended leave. These will all impact a client’s patch health, as it’s not possible to patch a system that is never available to receive updates.
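To illustrate how the review codes listed above can be counted before a report is generated, here is an added Python example; it is not the service's own tooling, and the device fields, the 14-day offline threshold and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review codes mirror the reasons listed above; OS names and threshold are assumptions.
UNSUPPORTED_OS = {"Windows XP", "Windows Vista", "Windows Server 2003"}
OFFLINE_DAYS = 14  # "off-line for over two weeks"

@dataclass
class Device:
    name: str
    os: str
    last_seen: date            # last check-in with the RMM agent
    missing_patches: int       # approved updates not yet installed
    retired: bool = False      # taken out of service (tell us!)
    patching_disabled: bool = False  # deliberately paused by client or tech staff

def review_code(dev: Device, today: date) -> Optional[str]:
    """Return the review code that explains a non-100% result, or None if the device is simply due patches."""
    if dev.retired:
        return "retired"
    if dev.patching_disabled:
        return "patching-disabled"
    if dev.os in UNSUPPORTED_OS:
        return "unsupported-os"   # flagged grey on the report
    if today - dev.last_seen > timedelta(days=OFFLINE_DAYS):
        return "offline"          # cannot be woken during the patch window
    return None

def patch_health(devices, today):
    """Counts per review code, plus compliance over the devices that could actually be patched."""
    counts = {}
    eligible = fully_patched = 0
    for dev in devices:
        code = review_code(dev, today)
        if code:
            counts[code] = counts.get(code, 0) + 1
            continue
        eligible += 1
        if dev.missing_patches == 0:
            fully_patched += 1
    pct = round(100 * fully_patched / eligible, 1) if eligible else 0.0
    return counts, pct

TODAY = date(2024, 6, 1)  # constructed report date
INVENTORY = [  # constructed sample, not real client data
    Device("ws-01", "Windows 10", date(2024, 5, 31), 0),
    Device("ws-02", "Windows 10", date(2024, 5, 30), 2),
    Device("lt-03", "Windows 11", date(2024, 4, 20), 5),  # presentation laptop, off for six weeks
    Device("srv-04", "Windows Server 2003", date(2024, 5, 31), 0),
    Device("old-05", "Windows 10", date(2024, 1, 1), 0, retired=True),
    Device("srv-06", "Windows Server 2019", date(2024, 5, 31), 3, patching_disabled=True),
    Device("ws-07", "Windows 10", date(2024, 5, 31), 0),
]
```

Running `patch_health(INVENTORY, TODAY)` on this sample reports 66.7% over the three eligible devices, with the other four each attributed to a review code rather than silently dragging the figure down.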

With all these factors considered, we find that a 97% or better average across an installed base is a fair and attainable target to strive for on a rolling basis.