For example:
KB4580325: Security update for Adobe Flash Player (October 2020)
According to our Tenable.IO scans, this patch is missing on a little over 200 PCs in our environment. But according to Desktop Central, it's only missing on 21 machines.
When you look at the report from Tenable and the Microsoft patch, it gives me an output of what I am supposed to see/do to remedy the vulnerability.
For example, one of the computers has this output.
Path : C:\Windows\System32\Macromed\Flash\Flash.ocx
Installed version : 32.0.0.255
Fixed version : 32.0.0.445
This has been manually checked on a dozen machines, where the file version is incorrect. But yet Desktop Central is telling me these computers do not require this patch.
Even if I make a Custom Group and attempt to deploy this patch to the machines, it tells me it's Not Applicable and doesn't do anything. So essentially, I am blocked in deploying the vulnerability fix.
So how does Desktop Central determine if the computer does or does not need a patch? It can't be looking at file versions for each patch. And is there a way to force deploy a patch to a machine, even though Desktop Central states it's Not Applicable?
This also goes for testing patches against a test group of computers. In a group of 120 test machines, usually about 1/2 say that none of the month's patches are applicable. Which I can understand if said patches are for a different version of Windows or a program they don't have installed.
So either the computer already has the patch, which in most cases isn't true, or something tells DC that it doesn't need it.
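An added example, not part of the original post: one way to turn the mismatch described above into a concrete host list is to parse each scanner finding in the `Path / Installed version / Fixed version` layout quoted in the post, compare the versions numerically, and diff the result against the hosts the patch tool reports as missing. The host names, the sample data and all function names are constructed for illustration; how either product exports its results is not covered here.

```python
import re

# Matches the three fields in the scanner output layout quoted in the post.
FIELD = re.compile(
    r"^[ \t]*(Path|Installed version|Fixed version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)

def parse_output(text):
    """Parse one finding block into a dict keyed by field name."""
    return dict(FIELD.findall(text))

def vtuple(version):
    """'32.0.0.255' -> (32, 0, 0, 255), so parts compare as numbers, not strings."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(finding):
    """True when the installed file version is below the fixed version."""
    return vtuple(finding["Installed version"]) < vtuple(finding["Fixed version"])

def reconcile(scanner_outputs, patch_tool_missing):
    """scanner_outputs: host -> finding text.
    patch_tool_missing: set of hosts the patch tool lists as missing the patch."""
    confirmed = {host for host, text in scanner_outputs.items()
                 if is_vulnerable(parse_output(text))}
    return {
        "both": sorted(confirmed & patch_tool_missing),
        # Hosts to verify by hand and raise with the patch tool vendor.
        "scanner_only": sorted(confirmed - patch_tool_missing),
        "patch_tool_only": sorted(patch_tool_missing - confirmed),
    }

def sample_block(installed):
    """Constructed finding text in the layout quoted in the post."""
    return ("Path : C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx\n"
            f"Installed version : {installed}\n"
            "Fixed version : 32.0.0.445\n")

# Constructed sample data: three scanned hosts and the patch tool's own list.
SCANNER = {
    "PC-001": sample_block("32.0.0.255"),
    "PC-002": sample_block("32.0.0.255"),
    "PC-003": sample_block("32.0.0.445"),
}
PATCH_TOOL_MISSING = {"PC-001", "PC-004"}

if __name__ == "__main__":
    for bucket, hosts in reconcile(SCANNER, PATCH_TOOL_MISSING).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `scanner_only` bucket is the set worth spot-checking on disk, since those are the machines where the file version says the fix is absent but the patch tool says nothing is needed.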