The current 'Critical Patch Report' mixes vulnerabilities with old patches and with old vulnerabilities, and can't be used for this (it does some odd reverse chain linking, then forward linking of patches), i.e. it reports 3-year-old 'missing' patches that were actually patched 3 years ago because of a newer patch...
I am specifically looking to be able to do a monthly report for management, listing the top 10 vulnerabilities, based on how many vulnerable endpoints each one affects.
i.e. apply these ten patches/fix these 10 vulnerabilities and you will fix xx% of the vulnerabilities.
Today, I start with the critical patch report, sort by severity and count, and then MANUALLY VERIFY EACH AND EVERY ONE OF THEM, because of the way the patch report does its reporting. Examples of what it lists:
Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011)
Microsoft Sync Framework Service Pack 1 Not Installed
VMware ESXi 6.0 Patch Release ESXi600-201706101-SG, ESXi600-201706102-SG, ESXi600-201706103-SG Missing (KB 2149954) (KB 2149961) (KB 2149970)
VMware Horizon View Multiple Vulnerabilities.(VMSA-2017-0008)
Microsoft Office 2000 Service Pack 3 Missing
Microsoft Office Dynamic Data Exchange (DDE) Vulnerability (KB 4053440)
Microsoft Windows .NET Framework Information Disclosure Vulnerability (MS16-065)
Cisco IOS and IOS XE Autonomic Networking Infrastructure Denial of Service Vulnerability (cisco-sa-20170726-anidos)
Microsoft Windows Security Update December 2017
VMware ESXi 6.0.0 Patch Release ESXi600-20161100 Missing (KB2146984)
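One way to produce the "top 10 by vulnerable endpoints, with cumulative percentage" ranking the post asks for, as an added example that is not part of the original post and not a feature of the scanner's own Critical Patch Report. It assumes you can export the raw findings (one row per host and vulnerability) to a CSV; the column names host, vuln_title and severity and the sample rows below are constructed assumptions, not real scan data. It ranks by distinct vulnerable hosts per vulnerability title rather than by patch, collapses repeated detections of the same vulnerability on one host (one per port or instance) to a single count, and reports what share of host/vulnerability pairs the top N would remove. It does not resolve patch supersedence; whatever the export says is still vulnerable is counted as vulnerable.

```python
"""Rank vulnerabilities by number of distinct vulnerable hosts and show the
cumulative share of findings that fixing the top N would remove.
Added example; the CSV layout below is an assumption, not a scanner format."""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real scan data). One row per finding.
# Note the deliberate duplicate row for srv01 / MS16-065: scanners commonly
# report the same vulnerability on one host more than once.
SAMPLE_CSV = """host,vuln_title,severity
srv01,Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011),5
srv02,Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011),5
srv03,Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011),5
srv01,Microsoft Windows Security Update December 2017,5
srv02,Microsoft Windows Security Update December 2017,5
srv04,Microsoft Windows Security Update December 2017,5
srv05,Microsoft Windows Security Update December 2017,5
esx01,VMware ESXi 6.0.0 Patch Release ESXi600-20161100 Missing (KB2146984),4
esx01,VMware ESXi 6.0 Patch Release ESXi600-201706101-SG Missing (KB 2149954),4
esx02,VMware ESXi 6.0 Patch Release ESXi600-201706101-SG Missing (KB 2149954),4
rtr01,Cisco IOS and IOS XE Autonomic Networking Infrastructure Denial of Service Vulnerability (cisco-sa-20170726-anidos),3
srv01,Microsoft Windows .NET Framework Information Disclosure Vulnerability (MS16-065),3
srv01,Microsoft Windows .NET Framework Information Disclosure Vulnerability (MS16-065),3
"""


def parse_findings(csv_text):
    """Return a set of unique (host, title, severity) triples.

    Using a set means a host is counted at most once per vulnerability,
    however many times the scanner detected it on that host.
    """
    findings = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.add((row["host"].strip(), row["vuln_title"].strip(),
                      int(row["severity"])))
    return findings


def rank_by_hosts(findings, n=10, min_severity=1):
    """Return (rows, total) where rows are the top-n vulnerabilities.

    Each row carries the title, its highest reported severity, the number
    of distinct vulnerable hosts, and the cumulative percentage of all
    host/vulnerability pairs that fixing this and the rows above it
    would remove. Ties are broken by severity, then title.
    """
    hosts_by_vuln = defaultdict(set)
    sev_by_vuln = {}
    for host, title, sev in findings:
        if sev < min_severity:
            continue
        hosts_by_vuln[title].add(host)
        sev_by_vuln[title] = max(sev_by_vuln.get(title, 0), sev)

    total = sum(len(h) for h in hosts_by_vuln.values())
    if total == 0:
        return [], 0

    ranked = sorted(hosts_by_vuln.items(),
                    key=lambda kv: (-len(kv[1]), -sev_by_vuln[kv[0]], kv[0]))
    rows, cumulative = [], 0
    for title, hosts in ranked[:n]:
        cumulative += len(hosts)
        rows.append({
            "title": title,
            "severity": sev_by_vuln[title],
            "hosts": len(hosts),
            "cumulative_pct": round(100.0 * cumulative / total, 1),
        })
    return rows, total


def format_report(rows, total):
    """Render the ranking as a plain-text table for a management report."""
    lines = [f"{'#':>2}  {'hosts':>5}  {'cum%':>5}  sev  title"]
    for i, r in enumerate(rows, 1):
        lines.append(f"{i:>2}  {r['hosts']:>5}  {r['cumulative_pct']:>5}  "
                     f"{r['severity']:>3}  {r['title']}")
    lines.append(f"total host/vulnerability pairs: {total}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, total = rank_by_hosts(parse_findings(SAMPLE_CSV))
    print(format_report(rows, total))
```

The "cum%" column is the "fix these N and you remove xx% of the vulnerabilities" figure; it is a share of host/vulnerability pairs, not of distinct vulnerabilities, which is what matters for patch effort. Raise min_severity to restrict the ranking to the severities management cares about.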