SCCM is used to patch servers at the OS level: it identifies the KBs missing on a server, installs them and reports the compliance level. However, it does not check whether the DLL replacement or registry change the KB should have made actually happened. In some cases, for several reasons (an improper reboot, a network issue), the DLL or registry files are not updated, so traces of the older version, and the vulnerability, remain on the system.
Case #2. Vulnerabilities like Meltdown and Spectre require a patch plus registry changes. When the server admin pushes the KB through SCCM, it only installs the patch and leaves the registry changes unattended, so the vulnerability remains.
How can we improve this?
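One way to close the gap described in both cases is to stop trusting the "KB installed" record alone and have the compliance check verify the end state the KB was supposed to produce: the binaries on disk and the registry values. The script below is an added example, not part of the original post and not SCCM's own code; it is written so it can be dropped into an SCCM Configuration Item as a detection script (the CI compares the single string it emits against the expected value "Compliant"). The KB number and file version are placeholders to be replaced with the values from the baseline being enforced; the Memory Management registry values are the ones Microsoft documents for enabling the Meltdown/Spectre mitigations on Windows Server (FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3, per KB4072698).

```powershell
# Added example (not from the original post): verify a KB's *effects*, not just its install record.
# PLACEHOLDERS: $RequiredKBs and the versions in $RequiredFiles must come from your own baseline.
param(
    [string[]]$RequiredKBs    = @('KB0000000'),          # PLACEHOLDER: KBs the baseline expects
    [hashtable]$RequiredFiles = @{                       # PLACEHOLDER versions: path -> minimum file version
        "$env:SystemRoot\System32\ntoskrnl.exe" = '10.0.0.0'
    }
)

$failures = [System.Collections.Generic.List[string]]::new()

# 1. Is the KB actually registered as installed on this host? (What SCCM already checks.)
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -notcontains $kb) { $failures.Add("KB missing: $kb") }
}

# 2. Were the binaries the KB ships actually replaced? An interrupted reboot or a failed
#    pending-rename can leave the old file in place while the KB still shows as installed.
#    FileVersion is a free-text string, so build the version from the numeric parts.
foreach ($path in $RequiredFiles.Keys) {
    if (-not (Test-Path -Path $path)) { $failures.Add("File missing: $path"); continue }
    $vi     = (Get-Item -Path $path).VersionInfo
    $actual = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    $wanted = [version]$RequiredFiles[$path]
    if ($actual -lt $wanted) {
        $failures.Add("Old file version: $path is $actual, expected >= $wanted")
    }
}

# 3. Meltdown/Spectre: on Windows Server the KB alone leaves the mitigations disabled until these
#    registry values are set, so the check must cover the registry as well as the patch.
$mmKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$expected = @{ FeatureSettingsOverride = 0; FeatureSettingsOverrideMask = 3 }
$props    = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $value = $props.$name
    if ($null -eq $value) { $failures.Add("Registry value missing: $name"); continue }
    if ($value -ne $expected[$name]) {
        $failures.Add("Registry value wrong: $name is $value, expected $($expected[$name])")
    }
}

# 4. Emit the result in the form an SCCM Configuration Item detection script expects:
#    one string on stdout, compared against the baseline's expected value 'Compliant'.
#    Details go to the warning stream so they land in the client log without changing stdout.
if ($failures.Count -eq 0) {
    'Compliant'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    'Non-Compliant'
}
```

Because the rule evaluates the files and registry values rather than the update history, a server that rebooted badly or lost its network mid-install shows up as Non-Compliant even though SCCM's software-update view says the KB is present, which is exactly the gap the two cases above describe. Running the baseline on a schedule rather than once also catches a later rollback of the registry values. For the speculative-execution mitigations specifically, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) can be used as an independent cross-check, since it reports whether the kernel has the mitigations enabled rather than whether the registry values are merely set.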