Table of contents
- Introduction
- Inactive Computers
- Shelved computers
- Seasonality
- Impact on Inventory
- Conclusion
- References
Introduction
I have been working since last year with a customer that manages a lot of computers worldwide, and this involvement can be seen directly here on Connect (I implemented and tested aila2 [1] there, added some features to Zero Day Patch [2] to suit their needs, created the Patch Trending Toolkit [3] and SWD Trending [4], and built a few other tools that are not Connect ready yet [5]).
One of the recent challenges I faced was to explain why Inventory Data quality is not at the expected levels (this customer is quite demanding, so expectations generally start at 100% success). In order to explain why 100% data return is not possible, I have come up with a small graphic that I will explain here (the graphic is generic and uses some patch trending data).
Inactive Computers
I added a monitoring module to Patch Trending back in September 2013 to account for inactive computers over time. The reason for this was simple: you can't patch computers that are not on the network, and if you don't know how many are off, you can't understand how they impact your compliance.
The inactive computer module records computer counts based on the 'Computers to purge' criteria at 7 days and 17 days. The 7-day threshold takes care of anyone who is out of office for a week, whilst the 17-day threshold takes care of holidays that are longer than 2 full weeks (that is, leaving on a Friday evening and returning the 3rd Monday after that).
With 6 months of data behind us, we can estimate that the percentage of inactive computers is as follows:
Region | Inactive (17 days+) | Inactive (7 days+) |
NALA | 5% | 8% |
EMEA | 6% | 10% |
APAC | 3% | 6% |
These are the low points rounded up, so the percentage of inactive computers is often above this, with some impressive peaks. We will look at those peaks and their root causes in the Seasonality section.
Shelved computers
But before we get there we have to look at another type of inactive computer that is not necessarily present in your environment but is found in large enterprises: shelved machines. In our case we have a small but regular flow of computers that are received, imaged, added to the CMDB and put back in a box or on a shelf for a certain period of time. The impact can be fractional for Inventory Solution but rather bad for Patch Management Solution. These computers are not so difficult to detect, but they can impact your inventory results and patch compliance very quickly.
Recently we found out with a customer that 1% of the computer estate could be considered as boxed (with an active time span of less than 3 days) and accounted for over 10% of the entire estate's vulnerabilities. That is 10% of vulnerabilities that are not exploitable from a security perspective (as long as the machines are off net) but that have no chance of being fixed either (until they come on net).
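The 7 / 17 day counts from the Inactive Computers section and the boxed-machine check above can be reproduced from any export of agent check-in dates. The following is an added example, not the Patch Trending code or anything shipped with Altiris: the field names (`first_seen`, `last_seen`, `open_vulns`) and the sample fleet are constructed, and requiring a boxed machine to also be idle for 7+ days is an assumption made so that a machine imaged yesterday is not counted as shelved.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass
class Computer:
    name: str
    region: str
    first_seen: date  # first agent check-in (hypothetical field name)
    last_seen: date   # latest agent check-in (hypothetical field name)
    open_vulns: int   # applicable updates not yet installed

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def fleet_report(computers, as_of, boxed_span_days=3):
    regions = defaultdict(lambda: {"total": 0, "in7": 0, "in17": 0})
    boxed, boxed_vulns, total_vulns = [], 0, 0
    for c in computers:
        idle = (as_of - c.last_seen).days          # days since last check-in
        span = (c.last_seen - c.first_seen).days   # active time span
        r = regions[c.region]
        r["total"] += 1
        r["in7"] += idle >= 7    # the 7 days+ bucket includes the 17 days+ machines
        r["in17"] += idle >= 17
        total_vulns += c.open_vulns
        # Assumption: boxed = active span under 3 days AND idle for 7+ days.
        if span < boxed_span_days and idle >= 7:
            boxed.append(c.name)
            boxed_vulns += c.open_vulns
    by_region = {k: {"inactive_7_pct": pct(v["in7"], v["total"]),
                     "inactive_17_pct": pct(v["in17"], v["total"])}
                 for k, v in regions.items()}
    return {"by_region": by_region, "boxed": boxed,
            "boxed_pct": pct(len(boxed), len(computers)),
            "boxed_vuln_share_pct": pct(boxed_vulns, total_vulns)}

# Constructed sample fleet; snapshot taken during the year-end break.
AS_OF = date(2014, 1, 2)
FLEET = [
    Computer("na-001", "NALA", date(2013, 6, 1), date(2014, 1, 2), 2),
    Computer("na-002", "NALA", date(2013, 6, 1), date(2013, 12, 20), 5),
    Computer("na-003", "NALA", date(2013, 6, 3), date(2013, 12, 10), 8),
    Computer("na-004", "NALA", date(2013, 11, 4), date(2013, 11, 5), 40),  # shelved
    Computer("em-001", "EMEA", date(2013, 5, 1), date(2014, 1, 2), 1),
    Computer("em-002", "EMEA", date(2013, 5, 1), date(2013, 12, 23), 4),
    Computer("em-003", "EMEA", date(2013, 5, 1), date(2013, 12, 24), 3),
    Computer("em-004", "EMEA", date(2013, 5, 1), date(2013, 12, 13), 6),
    Computer("ap-001", "APAC", date(2013, 7, 1), date(2014, 1, 1), 2),
    Computer("ap-002", "APAC", date(2013, 12, 31), date(2014, 1, 1), 9),   # new build
]

if __name__ == "__main__":
    print(fleet_report(FLEET, AS_OF))
```

In the sample, one shelved machine out of ten carries half of the open vulnerabilities, while the freshly built `ap-002` is not flagged because it checked in the day before the snapshot.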
Seasonality
Computers are used by people like you and me, so there are a lot of trends that are related to human behavior. Some of those are visible through the IIS log files (start-up / login time between 0800 and 0900) and through the inactive computer reports.
Let's look at graphs from each of the aforementioned regions and discuss the events that cause the peaks seen there.
North America Latin America (NALA):
The first bump seen on this graph (pretty much centered) is related to the Thanksgiving holiday, and the massive peak seen on its right-hand side is the year-end holiday (Christmas and New Year). At peak we had ~48% of the computers out for more than 7 days and ~13% of the computers out for more than 17 days.
Europe Middle East Africa (EMEA):
In this region (largely dominated by European countries) we have a lot of small variations up to the 1st of November (All Saints bank holiday) and much less until we reach the year-end break, with a peak between Christmas and New Year at ~74% of computers inactive for 7+ days and 29% inactive for more than 17 days.
Asia Pacific (APAC):
This region is dominated by China, so the seasonal events are dominated by the main Chinese holidays: the Moon Festival in October and Chinese New Year (end of January this year), but we can also see the Christmas / New Year celebration (most likely from Australia).
The peaks for 7 days + are 56% and 57% respectively, with only a marginal increase in the count of inactive computers at 17 days +.
Consolidated view of the peaks per region:
Region | 17 days + peak | 7 days + peak |
NALA | 13% | 48% |
EMEA | 29% | 74% |
APAC | 6% | 57% |
Impact on Inventory
Inventory and Patch Management are both impacted by inactive computers and seasonality, but the impact on Inventory is generally higher because the full inventory runs at a longer interval than the Windows Assessment scan and the Software Update installation window (both happen daily or multiple times per day, versus bi-monthly for a full inventory).
With a full inventory running every 2 weeks (so we have a sliding inventory age ranging from 0 to 13 days) we can visualize the impact of inactive computers on the data quality / update rate:
We can see in green the 2-week full inventory window, where the big green circle travels to the right as days go by and t comes closer to the full inventory schedule.
Whilst this is happening we have computers that are built and should be running their full inventory (it has a schedule starting in the past, so it should run ASAP); however, some may not have the time to do so.
The computers inactive between 7 and 17 days are still showing an up-to-date inventory (i.e. Inventory last modified within the last 4 weeks); however, computers inactive for 17 days + have missed 2 or 3 inventory schedules, so they will be flagged in our inventory trending reports [6].
We are only plotting the full inventory, but delta inventories do not run any better on inactive computers, regardless of their more frequent interval ;).
Conclusion
Inventory data is greatly impacted by inactive computers and seasonality, to a greater extent than Patch Management, whilst boxed or shelved computers (new or upgraded) can have a very serious impact on your patch compliance.
So in all cases, it's very important to monitor your environment to understand how the human factor impacts inventory, patch and other Altiris related solutions.
And here is the final graph made from the above data:
References
[1] Altiris IIS log analyzer 2
[3] Patch Trending
[4] SWD Trending