Patch Manager Root Cause Breakdown and Patch Execution

Last updated: December 23, 2025

Overview

Patch Manager in Cyrisma is built around the concept of root cause–driven remediation. Rather than focusing on individual CVEs in isolation, Patch Manager groups vulnerabilities by their underlying cause, allowing users to remediate multiple vulnerabilities efficiently through targeted patch actions.

This article explains how the Root Cause Breakdown works, how patch execution is initiated, and how to interpret patch results.


Root Cause Breakdown Explained

The Root Cause Breakdown is the primary working view within Patch Manager. It aggregates vulnerabilities discovered during scans and organizes them by the software, configuration, or operating system issue responsible for those findings.

Each row in the table represents a single root cause that may affect one or more endpoints.


Root Cause Table Fields

Each root cause entry displays the following information:

Root Cause
The application, component, or configuration issue responsible for one or more vulnerabilities.

Number of CVEs
The count of unique CVEs associated with that root cause. Selecting this value opens a detailed CVE list.

Severity
Visual indicators representing the highest severity level associated with the root cause.

Workstations and Servers
Counts of affected endpoints, separated by asset type. Selecting either value displays the impacted targets.

Total Vulnerabilities
The total number of vulnerabilities across all affected assets for that root cause.

Action
The Patch button, when available, allows scheduling or executing remediation.


Root Cause Filters

The Root Cause Breakdown includes filters that change both which root causes are shown and whether the Patch action is offered for them.

Third Party

Displays third-party software detected on Windows endpoints.

Some third-party applications are patchable by Cyrisma, while others are informational only.

Only patchable third-party root causes display the Patch action.


Windows

This filter presents two distinct data sets:

Patchable Windows KB Updates
Displays Windows KB articles that can be patched through Patch Manager.

Windows OS-Level Root Causes
Displays operating system vulnerabilities and configuration-related findings that are not patchable through Patch Manager.

Only the KB patch table supports patch execution.


Linux

Displays Linux operating system–level root causes.

Linux root causes are not currently patchable through Patch Manager.


macOS

Displays macOS operating system–level root causes.

macOS root causes are not currently patchable through Patch Manager.


When the Patch Button Is Available

The Patch button appears only when all required conditions are met.

The Patch button will not appear if:

  • The application or root cause is not supported for patching

  • The endpoint was not scanned by its local agent

  • A patch was already applied but no follow-up scan has occurred

  • The vulnerability is configuration-based rather than software-based

Patch availability is always determined by the most recent scan results.
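The following is an added example, not Cyrisma's own code, showing how the Root Cause Breakdown fields above can be derived from per-endpoint findings and how the four Patch button conditions combine. The `Finding` fields, the `PATCHABLE_ROOT_CAUSES` support list and all sample findings are constructed for illustration; the page does not say how the product treats a row where only some targets qualify, so this example shows the Patch action when at least one target is eligible and lists which ones.

```python
"""Added example (not Cyrisma's code): build Root Cause Breakdown rows from
per-endpoint findings and decide whether the Patch action should appear."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    endpoint: str
    asset_type: str                # "workstation" or "server"
    root_cause: str                # application, component or configuration issue
    cve: str                       # placeholder IDs below, not real CVEs
    severity: str
    configuration_based: bool      # config finding rather than a software version
    scanned_by_local_agent: bool   # False means a non-agent scan found it
    patched_awaiting_rescan: bool  # a patch ran, but no scan has happened since


# Hypothetical support list; the real product maintains its own.
PATCHABLE_ROOT_CAUSES = {"Example Browser 118.0", "Example Archiver 3.1"}

# Constructed sample findings (endpoint x CVE), not scan output from any system.
SAMPLE_FINDINGS = [
    Finding("WS-01", "workstation", "Example Browser 118.0", "CVE-0000-0001", "high", False, True, False),
    Finding("WS-01", "workstation", "Example Browser 118.0", "CVE-0000-0002", "critical", False, True, False),
    Finding("WS-02", "workstation", "Example Browser 118.0", "CVE-0000-0001", "high", False, False, False),
    Finding("SRV-01", "server", "Example Browser 118.0", "CVE-0000-0002", "critical", False, True, False),
    Finding("SRV-01", "server", "SMB signing not required", "CVE-0000-0003", "medium", True, True, False),
    Finding("SRV-02", "server", "Example Archiver 3.1", "CVE-0000-0004", "high", False, True, True),
]


def _target_eligible(f: Finding) -> bool:
    """Per-target conditions: scanned by the local agent and not waiting on a follow-up scan."""
    return f.scanned_by_local_agent and not f.patched_awaiting_rescan


def build_breakdown(findings, patchable=PATCHABLE_ROOT_CAUSES):
    """Return one row per root cause with the table fields and the Patch decision."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.root_cause].append(f)

    rows = {}
    for cause, items in groups.items():
        endpoints = {(f.endpoint, f.asset_type) for f in items}
        # Row-level conditions: supported for patching and software-based, not configuration-based.
        supported = cause in patchable and not any(f.configuration_based for f in items)
        eligible = sorted({f.endpoint for f in items if _target_eligible(f)}) if supported else []
        rows[cause] = {
            "root_cause": cause,
            "cve_count": len({f.cve for f in items}),
            "severity": max(items, key=lambda f: SEVERITY_RANK[f.severity]).severity,
            "workstations": sum(1 for _, kind in endpoints if kind == "workstation"),
            "servers": sum(1 for _, kind in endpoints if kind == "server"),
            "total_vulnerabilities": len(items),
            "patch_available": bool(eligible),
            "eligible_targets": eligible,
        }
    return rows


if __name__ == "__main__":
    for row in build_breakdown(SAMPLE_FINDINGS).values():
        print(row)
```

Note that WS-02 carries the browser finding from a non-agent scan, so it is excluded from the eligible targets even though the row itself still shows the Patch action; SRV-02 is excluded because its patch already ran and no scan has confirmed the result.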


Scheduling Patch Execution

When the Patch button is selected, users can schedule remediation.

Patch scheduling behavior includes:

  • A single date can be applied across all affected targets

  • Individual scheduling can be adjusted per target

  • Patch execution respects configured Blackout Hours

  • Patches scheduled for offline systems execute when the agent checks in

Patch execution does not require a reboot unless the patched application explicitly requires one.


Patch Execution Behavior

Patch execution is performed by the local Cyrisma agent on each endpoint.

Execution characteristics:

  • Patches run locally on the host machine

  • Execution depends on agent availability and system permissions

  • Failures are recorded with detailed logs

  • Pending patches remain queued until executed or canceled

If a patch is pending, it can be canceled directly from Patch History.


Patch History and Verification

Patch History provides a full audit trail of remediation activity.

Patch History includes:

  • Target name

  • Agent responsible for execution

  • Software patched

  • Execution result

  • Initiating user

  • Timestamp of execution

Patch History entries can be searched and exported for reporting or audit purposes.


Patch Execution and Scanning Relationship

Patch Manager does not automatically refresh vulnerability data after patch execution.

To reflect remediation results:

  • A new vulnerability scan must be run

  • Root Cause Breakdown will update based on new scan data

Until a follow-up scan occurs, previously detected root causes may remain visible even if patching was successful.


Common Scenarios and Clarifications

Patches appear successful but vulnerabilities remain visible
A new scan has not yet been run.

Patch button missing for a known application
The application may be unsupported or was not scanned locally.

Windows KB appears in vulnerability scan but not Patch Manager
The KB may be superseded by a newer cumulative update.

Patch remains pending
The endpoint may be offline or within blackout hours.
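The scenarios above can be triaged mechanically by comparing each Patch History entry with the latest scan for its target. The following is an added example, not Cyrisma's own code: the record and snapshot fields, the blackout window, the offline threshold and the sample data are all constructed assumptions, and the state names are this example's own labels rather than anything the product displays.

```python
"""Added example (not Cyrisma's code): classify Patch History entries against the
most recent scan per target, following the rules the article states."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    target: str
    software: str                    # root cause the patch addressed
    result: str                      # "success", "failed" or "pending"
    executed_at: Optional[datetime]  # None while pending
    initiated_by: str


@dataclass(frozen=True)
class ScanSnapshot:
    target: str
    scanned_at: datetime
    root_causes_present: frozenset   # root causes the latest scan still reports
    agent_last_seen: datetime        # last agent check-in


BLACKOUT_HOURS = range(8, 18)           # hypothetical: no patching 08:00-17:59
OFFLINE_AFTER = timedelta(minutes=30)   # hypothetical check-in threshold


def classify(record: PatchRecord, scan: Optional[ScanSnapshot], now: datetime) -> str:
    """Map one history entry to a triage state using the article's rules."""
    if record.result == "failed":
        return "failed_see_logs"                     # failures carry detailed logs
    if record.result == "pending":
        if now.hour in BLACKOUT_HOURS:
            return "pending_blackout"                # execution respects Blackout Hours
        if scan is None or now - scan.agent_last_seen > OFFLINE_AFTER:
            return "pending_offline"                 # runs when the agent checks in
        return "pending_queued"
    if record.result == "success":
        if scan is None or scan.scanned_at <= record.executed_at:
            return "awaiting_rescan"                 # no follow-up scan yet
        if record.software in scan.root_causes_present:
            return "still_present_after_rescan"      # rescan ran and still reports it
        return "remediated_confirmed"
    raise ValueError(f"unknown result: {record.result}")


def triage(history, scans, now):
    """Return {(target, software): state} for every history entry."""
    latest = {s.target: s for s in scans}
    return {(r.target, r.software): classify(r, latest.get(r.target), now) for r in history}


# Constructed sample data; not exported from any real tenant.
D = datetime(2025, 12, 23)
SAMPLE_HISTORY = [
    PatchRecord("WS-01", "Example Browser 118.0", "success", D.replace(hour=10), "admin"),
    PatchRecord("WS-02", "Example Browser 118.0", "success", D.replace(hour=10), "admin"),
    PatchRecord("WS-03", "Example Browser 118.0", "success", D.replace(hour=10), "admin"),
    PatchRecord("SRV-01", "Example Archiver 3.1", "pending", None, "admin"),
    PatchRecord("SRV-02", "Example Archiver 3.1", "failed", D.replace(hour=10, minute=5), "admin"),
]
SAMPLE_SCANS = [
    ScanSnapshot("WS-01", D.replace(hour=12), frozenset(), D.replace(hour=19, minute=55)),
    ScanSnapshot("WS-02", D.replace(hour=9), frozenset({"Example Browser 118.0"}), D.replace(hour=19, minute=55)),
    ScanSnapshot("WS-03", D.replace(hour=12), frozenset({"Example Browser 118.0"}), D.replace(hour=19, minute=55)),
    ScanSnapshot("SRV-01", D.replace(hour=9), frozenset({"Example Archiver 3.1"}), D.replace(hour=15)),
]
EVENING = D.replace(hour=20)   # outside the hypothetical blackout window
MORNING = D.replace(hour=10)   # inside it


if __name__ == "__main__":
    for key, state in triage(SAMPLE_HISTORY, SAMPLE_SCANS, EVENING).items():
        print(key, state)
```

WS-02 illustrates the first scenario: its only scan predates the patch, so the root cause is still listed and the correct action is a new scan, not another patch. SRV-01 shows how the same pending entry reads differently depending on the clock: offline outside blackout hours, blocked by blackout inside them.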


Summary

The Root Cause Breakdown is the operational core of Patch Manager in Cyrisma. It enables efficient remediation by grouping vulnerabilities intelligently and executing patches at scale.

Key concepts to remember:

  • Root causes drive remediation, not individual CVEs

  • Patch execution depends on local agent scans

  • Patch Manager does not replace scanning

  • Follow-up scans are required to confirm remediation

Used correctly, Patch Manager allows teams to move from detection to remediation with clarity, control, and audit-ready visibility.