Systems not patched in the last 6 months

Hi Everyone

I need to find the systems that haven't been patched in the last 6 months.
Is there any method or relevance we can use to find the list of computers that haven't been patched?

Please help!

Thank You in advance.

1 Like

There are a few different ways to approach this depending on what exactly you mean by “haven’t been patched since last 6 months”. Would you like to report on systems that:

  • haven’t had any patches deployed in the last 6 months (OS, Application, etc…), including potentially older patches
  • or haven’t had patches from the last 6 months installed (i.e. has applicable/relevant patches that were released within the last 6 months)?

With that information, we can perhaps provide further guidance. That said, if you haven’t already seen it, BigFix Compliance’s Patch Reporting capabilities may be of interest as well: https://www.ibm.com/support/knowledgecenter/en/SS6MCG_9.5.0/com.ibm.bigfix.compliance.doc/Compliance/SCA_Users_Guide/c_reporting_patch.html

Hi @Aram

Thank you for the reply…
My condition here is related to the 1st option that you mentioned.
And I would like to mention here that we have only the Patch Management module…

This might be achieved by Compliance Patch Reporting if the customer had the Compliance product. Compliance Patch Reporting does not have a report for this particular use case, but you can get an idea by observing the ‘remediation required’ and ‘% remediated’ trending on the computer grid report of Compliance Patch Reporting. For any specific computer, if the former keeps going up or stays flat (if no new patch has been available during the last 6 months) and the latter keeps going down or stays flat (again if no new patch in the last 6 months), then we can safely say this computer has not been patched for 6 months (otherwise the trending curve would have shown at least some downward or upward changes).

The complexity here is that, by default, a superseded patch has its relevance changed so that it will appear to be “Not Relevant” in order to maintain faster client performance. It’s not possible for the reporting integrations to determine whether the fixlet became “Not Relevant” because the patch was installed, or because the patch was superseded and the fixlet was modified to coerce the “false” result.

You can configure your endpoint to continue evaluating these superseded fixlets with the “enable superseded evaluation” client setting described at Pre-Announcement: Superseded patch changes for Patches for Windows, but understand that this can have some impacts on client performance (as the client will spend time evaluating superseded fixlets that should no longer be deployed). But that should at least give an idea of how many older/superseded patches are still missing from the server.

Thank you so much @ikao and @JasonWalker for valuable information.

Hi @play2win,

This might help you.
q: (it <= (now - (365/2*day))) of (maximum of last write times of keys whose (name of it contains ".KB" or name of it contains "_KB" or name of it starts with "KB") of keys( "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\";"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix") of (registry; native registry))

Referred from https://www.ibm.com/developerworks/community/forums/html/topic?id=c0c35c13-dc67-4328-ba65-0f0ba7952723

1 Like
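To make the meaning of the relevance above explicit, here is the same logic written out in plain Python. This is an added example, not code from the thread or from BigFix: it keeps the three hive paths, the "KB" name filter and the 365/2-day threshold, and shows that the expression is True when the newest KB-looking key is older than the window (a stale machine) and False when a key was written recently, so a machine patched two weeks before "now" is expected to evaluate False. It also handles the case the relevance does not (no matching keys at all, where "maximum of" an empty set would fail) by returning None. The `collect_hotfix_keys_windows` helper and the sample key names and dates are my own constructions; the Windows collector reads real key last-write times through `winreg.QueryInfoKey` and only runs on Windows.

```python
"""Plain-Python model of the "not patched in 6 months" relevance.

True  -> newest KB-looking registry key is at least 365/2 days old (stale)
False -> some KB-looking key was written within the window (patched)
None  -> no KB-looking keys found (the relevance itself errors here)
"""
from datetime import datetime, timedelta, timezone

# Hive paths taken from the posted relevance (the real key is "Windows NT", with a space).
HOTFIX_KEY_PATHS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix",
)
STALE_AFTER = timedelta(days=365 / 2)          # same threshold as (365/2*day)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def looks_like_kb_key(name: str) -> bool:
    """Name filter from the relevance: contains ".KB" or "_KB", or starts with "KB"."""
    return ".KB" in name or "_KB" in name or name.startswith("KB")


def newest_kb_write_time(keys):
    """keys: iterable of (subkey_name, last_write_time as aware datetime).
    Returns the newest last-write time among KB-looking keys, or None if none match."""
    times = [written for name, written in keys if looks_like_kb_key(name)]
    return max(times) if times else None


def unpatched_for_six_months(keys, now):
    """Mirror of the relevance: newest KB write time <= now - 365/2 days."""
    newest = newest_kb_write_time(keys)
    if newest is None:
        return None                     # relevance would raise a nonexistent-object error
    return newest <= now - STALE_AFTER


def collect_hotfix_keys_windows(native_view=True):
    """Windows-only collector (hypothetical helper, not part of BigFix).
    QueryInfoKey's third field is the key's last-write time in 100 ns ticks
    since 1601-01-01 UTC; native_view selects the 64-bit vs 32-bit registry view,
    matching the relevance's (registry; native registry)."""
    import winreg  # importable only on Windows
    view = winreg.KEY_WOW64_64KEY if native_view else winreg.KEY_WOW64_32KEY
    access = winreg.KEY_READ | view
    found = []
    for path in HOTFIX_KEY_PATHS:
        try:
            parent = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access)
        except OSError:
            continue                    # hive path absent on this OS version
        with parent:
            subkey_count = winreg.QueryInfoKey(parent)[0]
            for index in range(subkey_count):
                name = winreg.EnumKey(parent, index)
                with winreg.OpenKey(parent, name, 0, access) as sub:
                    ticks = winreg.QueryInfoKey(sub)[2]
                found.append((name, WINDOWS_EPOCH + timedelta(microseconds=ticks / 10)))
    return found


# Constructed sample snapshot (made-up KB numbers and dates, not real data).
SAMPLE_NOW = datetime(2019, 9, 1, tzinfo=timezone.utc)
SAMPLE_RECENT_KEYS = [
    ("Package_for_KB1234567~31bf3856ad364e35~amd64~~10.0.1.1", datetime(2019, 8, 17, tzinfo=timezone.utc)),
    ("Package_for_RollupFix~31bf3856ad364e35~amd64~~1.0.0.1", datetime(2019, 8, 17, tzinfo=timezone.utc)),
    ("KB7654321", datetime(2019, 1, 5, tzinfo=timezone.utc)),
]
SAMPLE_STALE_KEYS = [
    ("KB7654321", datetime(2019, 1, 5, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for label, keys in (("recent", SAMPLE_RECENT_KEYS), ("stale", SAMPLE_STALE_KEYS), ("empty", [])):
        print(label, "->", unpatched_for_six_months(keys, SAMPLE_NOW))
```

Run as-is it prints the three sample verdicts; on a Windows host you can pass `collect_hotfix_keys_windows()` and `datetime.now(timezone.utc)` instead to evaluate the real machine. Note that this only reports when a KB-like key was last written, which is exactly the limitation Jason describes: it says nothing about which applicable patches are still missing.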

Hi @manojthathera.

Thank you so much. This helped me a lot.

I tried running this relevance and it is evaluating to False on a machine which was patched on 17 Aug. Is there any modification needed in this relevance?