It depends on the patches requirement for a reboot.
If a patch does not require a reboot - it will drop off the list usually right away.
If the patch requires a reboot - then it will require the reboot to occur and for the client to send a vulscan update confirming it is no longer vulnerable.
If you want to run a report on systems that have the patch installed vs not - then use the inventory data and do a query that looks at the Detected Patch info and look at the install status, attempt, etc. I would review a few systems and get familiar with the inventory data available there then create your query. For currently installed status - usually "-1" = removed, 0 = not installed, 1 = installed. For the actual installation attempt status, 0 = hasnt tried, 1 = failed, 2 = success.
Hope this helps,
1 of 1 people found this helpful
YEP - Peter's answer has most of it.
Essentially, the common situation is as follows:
1 - Device shows up as vulnerable
2 - Device gets patched. (Yay).
3 - Device MAY (usually does) need 1+ reboot(s).
4 - Device MAY need additional patches to be installed and further reboots. This may happen a few times, depending on the patch & so on.
5 - After (4) has taken place, the device will need to re-scan against the vulnerabilities, to make sure it *IS* indeed patched. We do this automatically after a patch has been installed (but "stuff - such as IIS may go wrong and the results file may not make it to the Core).
6 - Only once the Core has got the updated results (all saying that "yep - this is patched" hopefully) will the relevant device no longer be shown as vulnerable.
Does this breakdown help you understand what happens / what needs to happen?
phoffmann, thanks for your reply. Yes I understand what happens. It must be the reboot that was keeping computers from getting off the affected list because I didn't reboot mine till today and it is no longer listed.
Is there a way to know if certain machines are waiting for a reboot or if the reboot is required for certain Patch?
Carlos, I don't know of a way to tell. Maybe someone else can answer this question.