Patch drift refers to an endpoint’s noncompliance with security policies over time, wherein missed patches, failed deployments, and a lack of centralized control gradually corrode your security posture. However, you can mitigate the risk by tracking drift with built-in capabilities and the best RMM tools available.
This article explains how to perform a patch audit for enterprise-wide solutions and accountability reports.
How to diagnose patch drift severity
Follow the steps below to collect, analyze, and monitor patch compliance over time with PowerShell.
📌 Prerequisites:
- Administrator privileges
- Windows 10/11 or Server 2016+
- PowerShell 5.1+ or later
- WSUS, Intune, or Microsoft Update configured
- Optional: NinjaOne RMM integration
- Optional: Baseline patch level list (KB numbers, CVEs, or release dates)
- GPO-based patch policy for enforcement
📌 Recommended deployment strategies:
| Click to Choose a Step | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Step 1: Define a patch baseline | ✓ | ✓ |
| Step 2: Query installed updates with PowerShell | ✓ | ✓ |
| Step 3: Use CMD for lightweight manual verification | ✓ | |
| Step 4: Store patch drift metadata in registry for RMM visibility | ✓ | |
| Step 5: Track patch compliance trends over time | ✓ |
Step 1: Define a patch baseline (Critical updates to check)
Start by creating a custom script that represents patch compliance.
📌 Use Cases: Establish compliance standard.
- Press Win + R, type powershell, and press Ctrl + Shift + Enter.
- Build or import a list of critical Knowledge Base updates (KB) that need to be seen on a system for full compliance.
E.g., $baselineKBs = @("KB5030211", "KB5029263", "KB5034122")
- Export a .txt file listing your KBs for posterity.
E.g., $baselineKBs | Out-File "C:\Scripts\CriticalPatchBaseline.txt"
Step 2: Query installed updates with PowerShell
Retrieve and compare installed updates with your compliance criteria.
📌 Use Cases: List successful updates and compare them with your baseline.
- Press Win + R, type powershell, and press Ctrl + Shift + Enter.
- To list installed patches, run the following:
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
- To detect patch drift, run the following:
$missing = $baselineKBs | Where-Object { $installed -notcontains $_ }
if ($missing.Count -gt 0) {
$patchDriftReport = [PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
MissingKBs = $missing -join ", "
Timestamp = (Get-Date).ToString("u")
}
}
- To export a patch drift report, run the following:
$patchDriftReport | Export-Csv "C:\Reports\PatchDrift_$env:COMPUTERNAME.csv" -NoTypeInformation
💡 Tip: Query Sessions.xml in C:\Windows\Servicing\Sessions to include all update types.
While PowerShell queries can list installed patches, modern RMM platforms like NinjaOne can grant deeper insights while consolidating patch drift details in a single pane of glass.
Step 3: Use CMD for lightweight manual verification
📌 Use Cases: Quickly check endpoints running legacy systems when PowerShell access is restricted.
- Press Win + R, type cmd, and press Ctrl + Shift + Enter.
- To list installed updates on a lightweight shell, run the following:
wmic qfe get HotFixID
💡 Note: WMIC commands are being phased out to support safer PowerShell scripts.
Step 4: Store patch drift metadata in the registry for RMM visibility
Leverage endpoint management platforms like NinjaOne to extract more insights on baseline compliance.
⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.
📌 Use Cases: Create registry-based metadata for Remote Monitoring and Management (RMM) integration.
- Press Win + R, type powershell, and press Ctrl + Shift + Enter.
- To store patch metadata in an endpoint’s registry, run the following sequentially:
New-Item -Path "HKLM:\SOFTWARE\Org\PatchDrift" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\PatchDrift" -Name "LastChecked" -Value (Get-Date).ToString("u")
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\PatchDrift" -Name "MissingKBs" -Value ($missing -join "; ")
- To verify added values, run the following with CMD:
reg query HKLM\SOFTWARE\Org\PatchDrift
Step 5: Track patch compliance trends over time
Here’s how to schedule hands-free patch drift checks.
📌 Use Cases: Automate drift detection and control where reports are stored.
- Press Win + R, type powershell, and press Ctrl + Shift + Enter.
- Utilize NinjaOne or run Task Scheduler cmdlets manually to plan patch drift checks (e.g., daily, weekly):
schtasks /create /tn "PatchDriftAudit" /tr "powershell.exe -File C:\Scripts\PatchDriftAudit.ps1" /sc weekly /ru SYSTEM
- To log your results into a stored .csv file, run the following:
$patchDriftReport | Export-Csv "\\server\compliancelogs\DriftLog.csv" -Append -NoTypeInformation
Instead of scripting scheduled tasks by hand, you can integrate NinjaOne’s unified endpoint management (UEM) features into your routine to continuously monitor compliance while alerting system admins in real time.
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| Out-of-date KB list | Missed patch drift | Regularly refresh baseline KBs using trusted sources. |
| Corrupted endpoint registry | Incorrect data displayed on RMM tools | Restore the registry and export backup .reg files before applying changes. |
| Scheduled task fails | Patch drift compliance gaps | Use real-time alert features for failed executions. |
Important considerations for measuring patch drift
Here are key factors to keep in mind while tracking patch drift across your fleet.
Superseded updates
When old patches are replaced with new ones, they become superseded. When building your patch baseline, implement supersedence logic to eliminate compliance confusion.
CVSS-based prioritization
While inoculating your system is vital, certain apps take precedence if their vendors have poor track records and release slow updates. A Common Vulnerability Scoring System score—or CVSS—is used to gauge the severity of potential incidents, guiding patch prioritization.
Multi-vendor patches
Most organizations use multiple third-party apps to support their workflows. Streamlined dashboards exist for centralized control, but you should also code your tools to accept data from diverse sources.
Hybrid environments
Coexisting physical and cloud-based systems can make system patching more complex. Manage and automate your PowerShell patch audit with cost-effective solutions that do half the work.
Troubleshooting patch audit errors
Here’s how to solve the most common patch drift monitoring issues IT pros face today.
Missing KBs that are installed
Sometimes, an installed update may not be reflected in Get-Hotfix scripts. This occurs when the installation wasn’t tracked by WMI, or when certain registry entries go missing.
Fill the gap by checking CBS logs and registry data located under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages for patch data you might’ve missed.
Access denied
PowerShell scripts that run HKLM require elevated permissions. If you encounter this error, validate UAC settings and double-check if you have all the correct prerequisites.
HotFixID returns an incomplete list
Products not installed via third-party tools may not be listed when running Get-Hotfix or wmic qfe. For a bird’s-eye view, run DISM /Online /Get-Packages or query the CBS logs.
Registry write errors
Permission issues or locked keys can cause errors when storing metadata in the registry. To resolve this, use Test-Path and Try/Catch blocks in PowerShell to view and analyze registry write failure logs.
You may also try checking permissions with Get-Acl and verifying registry key inheritance.
How NinjaOne can help track patch drift
NinjaOne improves your patch compliance journey after less than an hour of setup. Built-in features like centralized dashboards and automated reporting allow you to optimize procedures and position yourself above other competitors. Here’s how:
| Aspect | Manual method (Powerhell, CMD, GPO) | With NinjaOne RMM |
| Setup time | Takes hours to write and test baseline scripts and manually schedule tasks | Only needs 15 minutes to set up automated workflows with built-in script library. |
| Baseline maintenance | Device list spreadsheets require constant manual updates. | In-platform baselines update automatically. |
| Scheduling | Technicians must configure GPO policies and Task Scheduler. | Built-in, automated patch scheduling. |
| Data visibility | CSV exports or registry edits are needed. | Centralizes all endpoint metrics into one, simplified dashboard. |
| Drift detection | Runs during script execution. | Devices are continuously monitored via lightweight agents. |
| Patch context | Manually tracking supporting details over time can be arduous. | Patch Intelligence pre-emptively flags risky patches based on global data. |
| Actionability | Manual review and follow-ups can delay workflows. | Automated alerts and QBR-ready compliance reports. |
Why NinjaOne is the smarter alternative
Patch compliance reports give clients more context into how healthy their infrastructure is. As such, RMM platforms like NinjaOne give a 360-degree view of your fleet’s security posture while condensing everything into a single dashboard.
NinjaOne’s Patch Intelligence also leverages worldwide feedback and known issues to proactively flag potential compliance risks for you, reducing resource strain and improving workflows.
Mitigate failed deployment scenarios with real-time alerts
Patch drift is the silent killer of system health, and taking preventative measures early with best-of-class platforms can make all the difference. Always make sure to prepare backups before modifying low-level settings for safe and sustainable patch drift management.
Related topics:
