Overview
Even with a Windows Update Policy in place, patches can be missed, devices may be offline during scheduled update windows, users may have postponed restarts, or a policy association may have been skipped for newly enrolled endpoints.
Zecurit’s Missing Patch Detection gives you real-time visibility into which devices have not received specific security or feature updates, enabling you to act before vulnerabilities are exploited.
Why Missing Patch Detection Matters
According to industry research, the majority of successful cyberattacks exploit known vulnerabilities for which patches already exist. The gap between a patch being released and it being applied to every device in your organization is your window of risk.
Missing Patch Detection closes this gap by:
- Continuously scanning enrolled endpoints for absent patches
- Categorizing missing patches by severity (Critical, Important, Moderate, Low)
- Highlighting devices that are most at risk
- Enabling targeted remediation without waiting for the next scheduled update cycle
Prerequisites
- Devices must be enrolled in Zecurit and actively checking in.
- The Zecurit agent must be installed and running on target endpoints.
- Appropriate permissions to view inventory, patch management and reports.
How Missing Patch Detection Works
When a device checks in with the Zecurit platform, the agent queries the local Windows Update service and reports:
- The current patch level of the operating system
- A list of available but not-yet-applied updates (by KB article number)
- The severity classification of each missing patch (based on Microsoft’s MSRC data)
- The date the patch was released and how long it has been pending
This data is aggregated in the Zecurit dashboard, giving you a fleet-wide view of patch compliance.
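To see what the agent-side query described above produces, here is an added PowerShell example (not Zecurit's own agent code) that asks the local Windows Update Agent for the same fields the dashboard shows; it assumes it is run on the endpoint itself, in an elevated PowerShell session.

```powershell
# Added example, not part of Zecurit: collect current patch level and pending updates
# from the local Windows Update Agent (WUA) COM API. Run on the endpoint as administrator.

# Current patch level: Windows build plus update build revision (UBR) from the registry.
$ver     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR
Write-Host "OS: $($ver.ProductName) $($ver.DisplayVersion) build $osBuild"

# Ask WUA for updates that apply to this device but are neither installed nor hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$now = Get-Date
$missing = foreach ($u in $result.Updates) {
    # One update can reference several KB articles; join them for display.
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    # MsrcSeverity is empty for non-security updates (drivers, feature updates).
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'None' }
    $released = $u.LastDeploymentChangeTime
    [pscustomobject]@{
        KB          = $kbs
        Title       = $u.Title
        Severity    = $severity
        Category    = ($u.Categories | ForEach-Object { $_.Name }) -join ';'
        ReleaseDate = $released.ToString('yyyy-MM-dd')
        DaysPending = [int]($now - $released).TotalDays
        Downloaded  = $u.IsDownloaded   # downloaded but not installed = restart likely postponed
    }
}

# A pending reboot is the "user postponed the restart" case from the page.
$rebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
Write-Host "Reboot pending: $rebootPending"

# Count by severity, then list everything with the oldest pending patches first.
$missing | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize
$missing | Sort-Object DaysPending -Descending | Format-Table -AutoSize
```

The search criteria string and the IUpdate properties used here (KBArticleIDs, MsrcSeverity, LastDeploymentChangeTime, Categories, IsDownloaded) are standard WUA API members, so the output can be compared directly against what the dashboard reports for the same device.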
Step 1 : Navigate to the Patch Status View
- In the left sidebar, click Patch.
- Select the device or device group you want to inspect.
- Open the Patch Views.
You will see a list of all enrolled devices with a summary of their current patch compliance state:
| Column | Description |
|---|---|
| Device Name | Hostname of the endpoint |
| Last Check-in | When the device last communicated with Zecurit |
| Missing Patches | Number of missing patches (by severity) |
| OS Version | Current Windows version and build |
| Compliance Status | Compliant / At Risk / Critical |
Step 2 : Drill Into a Specific Device
Click on any device name to open the device detail view. Navigate to the Missing Patches section to see a full list of patches the device has not yet applied.
For each missing patch, you will see:
- KB Number : the Microsoft Knowledge Base article identifier (e.g., KB5034439)
- Title : a short description of what the patch addresses
- Severity : Critical, Important, Moderate, or Low
- Release Date : when Microsoft released the patch
- Days Pending : how long the patch has been available but unapplied
- Category : Security Update, Cumulative Update, Feature Update, Driver, etc.
Use Case: A compliance audit requires you to prove that no device in the Finance department is missing any Critical security patch released in the last 30 days. Drill into the Finance device group, filter by Severity: Critical and Days Pending: > 0, and export the results as evidence.
Step 3 : Filter and Sort Missing Patches
Use the filter options at the top of the Missing Patches view to narrow your focus:
Filter by Severity
- Critical : Patches for vulnerabilities that can be exploited remotely without user interaction. Remediate immediately.
- Important : Patches that reduce risk significantly. Remediate within your standard SLA (e.g., 14 days).
- Moderate / Low : Lower-risk updates. Include in your next scheduled maintenance window.
Filter by Category
- Security Updates
- Cumulative Updates
- Feature Updates
- Driver Updates
Filter by Device Group
Quickly isolate missing patches for a specific department or location group.
Sort by Days Pending
Sorting by days pending surfaces the oldest unapplied patches; these represent the highest risk since the vulnerability has been publicly known the longest.
Step 4 : Take Remediation Action
Once you have identified devices with missing patches, you have several options:
Option A : Force an Immediate Update Check
Trigger an on-demand update scan and installation on the device:
- Select the device(s) from the list.
- Click Remote Actions → Run Windows Update.
- The device will immediately check for and apply pending updates, regardless of the scheduled policy window.
Option B : Update the Windows Update Policy
If multiple devices in the same group are consistently missing patches, the underlying policy may need adjustment:
- Navigate to Configurations → Profiles and open the relevant profile.
- Review the Windows Update Policy settings — check if deferrals are too long or if active hours are preventing restarts.
- Adjust settings and re-publish. Changes will take effect at the next check-in.
Option C : Reassign the Profile
If a device is missing patches because it was never associated with a patch profile:
- Go to Groups and Devices and locate the device.
- Click Assign Profile and select the appropriate patch profile.
- The policy will be applied at the next check-in.
Step 5 : Generate a Missing Patch Report
For compliance, auditing, or management reporting:
- Navigate to Reports in the left sidebar.
- Select Patch Compliance or Missing Patches from the report library.
- Configure the report parameters:
- Date Range : e.g., last 7 days or last 30 days
- Device Group : all devices or a specific group
- Severity Filter : all severities or Critical only
- Click Generate Report.
- Export as CSV or PDF for record-keeping.
Use Case: Your CISO requires a monthly patch compliance report for all 200 endpoints. Schedule the Patch Compliance report to run automatically on the first of each month and email it directly to your security team.
Understanding Patch Severity Levels
Zecurit uses Microsoft’s severity classifications directly:
| Severity | Definition | Recommended Action |
|---|---|---|
| Critical | Remote code execution with no user interaction | Remediate within 24–48 hours |
| Important | Privilege escalation, data exposure, or denial of service | Remediate within 7–14 days |
| Moderate | Requires unusual conditions or user interaction to exploit | Include in next maintenance window |
| Low | Very limited impact or extremely difficult to exploit | Patch at next scheduled opportunity |
Common Reasons Patches Are Missing
Understanding why patches are missing helps you fix the root cause rather than just the symptom.
Device was offline during the update window
Laptops used by remote workers may be powered off or disconnected during the scheduled update window. Enable Power Management for Scheduled Installs in your Windows Update Policy to wake sleeping devices.
User postponed the restart
If a patch is downloaded but requires a restart, the user may keep postponing it. Reduce the Grace Period in your policy or enable a firm Restart Deadline to enforce the restart within a set number of days.
Device is not associated with a patch profile
Newly enrolled devices may not have been assigned a profile yet. Regularly audit Groups and Devices for any device without an assigned profile.
Deferral period has not elapsed
If you have a 7-day or 30-day deferral configured, patches will show as “available but not yet applied” during this window. This is expected behavior, not a gap.
WSUS server is unreachable
If your update source is a WSUS server and it goes offline or is misconfigured, devices will fail to retrieve updates. Monitor your WSUS server health and review device-level update logs if a device consistently shows missing patches despite being active.
Use Case: Full Walkthrough – Post-Patch-Tuesday Compliance Check
Scenario: It is the Wednesday after Microsoft’s monthly Patch Tuesday. Your IT policy requires that all Critical patches be applied within 48 hours. You need to identify any device that has not yet received this month’s Critical security updates and force immediate remediation.
- Go to Patch → Select your All-Devices group.
- Open the Missing Patches tab.
- Filter by Severity: Critical and Release Date: Last 7 days.
- Review the list : any device shown is non-compliant with your 48-hour SLA.
- Select all non-compliant devices.
- Click Remote Actions → Run Windows Update to trigger immediate patching.
- Wait for devices to check in (typically within 15–30 minutes for online devices).
- Refresh the view : previously listed devices should now show as compliant.
- Export the final compliance report from Reports → Patch Compliance and archive it.
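The SLA check behind this walkthrough and the severity table above, as an added PowerShell example that is not a Zecurit feature: it reads an exported Missing Patches CSV and flags rows that have been pending longer than the severity's remediation window, while treating a configured deferral period as expected rather than as a gap. The CSV rows are constructed sample data using the Step 2 column names; the KB values other than KB5034439, the 30-day window for Moderate/Low, and the `$deferralDays` setting are assumptions.

```powershell
# Added example, not part of Zecurit: evaluate an exported Missing Patches CSV against
# the remediation windows from the severity table. Sample rows below are constructed;
# KB-SAMPLE-* are placeholders, not real KB numbers.
$csv = @'
Device,KB,Severity,Category,ReleaseDate,DaysPending
FIN-LT-01,KB5034439,Critical,Security Update,2024-01-09,3
FIN-LT-02,KB5034439,Critical,Security Update,2024-01-09,1
FIN-WS-07,KB-SAMPLE-B,Important,Security Update,2024-01-09,20
FIN-WS-09,KB-SAMPLE-C,Moderate,Cumulative Update,2023-12-12,31
FIN-LT-03,KB5034439,Critical,Security Update,2024-01-09,2
'@ | ConvertFrom-Csv

# Maximum days a patch may stay pending: Critical 48 h, Important 14 days (upper ends of the
# table's ranges); Moderate/Low "next maintenance window" is assumed to be 30 days here.
$slaDays = @{ Critical = 2; Important = 14; Moderate = 30; Low = 30 }
# If the Windows Update Policy defers patches, pending days inside that window are expected.
$deferralDays = 0   # assumed; set to your policy's deferral (e.g. 7)

function Get-SlaStatus {
    param([int]$DaysPending, [string]$Severity)
    if (-not $slaDays.ContainsKey($Severity)) { return 'Unknown severity' }
    if ($deferralDays -gt 0 -and $DaysPending -le $deferralDays) { return 'Deferred (expected)' }
    if ($DaysPending -gt ($slaDays[$Severity] + $deferralDays)) { return 'BREACH' }
    return 'Within SLA'
}

$report = $csv | ForEach-Object {
    [pscustomobject]@{
        Device      = $_.Device
        KB          = $_.KB
        Severity    = $_.Severity
        DaysPending = [int]$_.DaysPending
        Status      = Get-SlaStatus -DaysPending ([int]$_.DaysPending) -Severity $_.Severity
    }
}

# Breached rows, oldest first: these are the devices to target with Run Windows Update.
$breaches = $report | Where-Object { $_.Status -eq 'BREACH' } | Sort-Object DaysPending -Descending
$breaches | Format-Table -AutoSize

# One line per device for the audit record: a device is non-compliant if any row breaches.
$report | Group-Object Device | ForEach-Object {
    [pscustomobject]@{ Device = $_.Name; Compliant = -not ($_.Group.Status -contains 'BREACH') }
} | Format-Table -AutoSize
```

With the sample rows, FIN-LT-01 (3 days, Critical), FIN-WS-07 (20 days, Important) and FIN-WS-09 (31 days, Moderate) are reported as breaches; pipe `$report` to `Export-Csv` to keep it as evidence alongside the dashboard export.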