Slow patching leaves SMB endpoints exposed for weeks

Thu, 5th Mar 2026

Acronis reported that small and midsize businesses often install software patches within a week. However, a significant minority of devices remain unpatched for weeks, leaving systems exposed after vulnerabilities become public.

Analysis by the Acronis Threat Research Unit, based on telemetry from the second half of 2025, found a global median installation time of 185 hours (7.7 days) for Microsoft patches. The slowest 10% of deployments took 926 hours (38.6 days). Third-party application updates installed faster on average, with a median of 136 hours (5.7 days), but the long tail still reached 597 hours (24.9 days) at the 90th percentile.

The figures show a split between typical patching behaviour and what Acronis called "tail risk". This risk concentrates in endpoints that miss maintenance windows, stay offline, or do not complete reboots. Attackers often move quickly once a vulnerability is disclosed and fixes become available, increasing the impact of delayed patching in smaller environments.

Median versus tail

Acronis described the median as the experience of a typical endpoint, while the 90th percentile captures laggards that create the largest exposure window. It also pointed to operational causes of slow completion. Many updates require a restart to fully apply, and devices can sit in a "reboot required" state for long periods when users defer restarts.

The telemetry also tracked patch status. In the global snapshot, Microsoft patches most often appeared as "New / Pending" (49.6%) or "Obsolete" (44.9%). Only 3.6% were recorded as "Installed". A further 1.1% were in "Reboot required" and 0.7% were "Failed".

Third-party updates showed a similar distribution: "New / Pending" accounted for 51.9% and "Obsolete" 43.2%, while 4.0% were recorded as installed. A high obsolete share can reflect periodic catch-up waves rather than a steady patching cadence, since older updates can be superseded as catalogues advance.

SMBs and MSPs

The report focused on SMB environments and the managed service providers that administer endpoints for many smaller firms. Patch management remains one of the most effective controls for reducing known risk, but it competes with uptime requirements and user disruption. Line-of-business applications can also constrain update schedules. Devices that do not regularly check in, such as laptops outside the office, can extend deployment times.

Acronis linked slow patch cycles to reactive work for service providers, including escalations when high-profile vulnerabilities emerge and after-hours remediation. It contrasted this with more predictable approaches, including staged rollouts and planned maintenance windows.

Country variation

Median patch times differed across countries, ranging from about four days to nearly 15 days for Microsoft updates. Acronis also highlighted the size of the tail as a key point of variation. Some markets showed a tighter distribution, with even laggards completing within a few weeks. Others showed 90th-percentile values measured in months, suggesting routine processes do not reach a portion of endpoints.

Mexico, Germany, the United Kingdom and Spain were among the fastest median performers for Microsoft patch deployment in the dataset. Acronis said faster medians often align with standardised fleets and clear maintenance windows, and it emphasised preventing the slowest endpoints from drifting for long periods.

Operational friction

Third-party patching was typically faster than Microsoft patching in the telemetry. Acronis said the gap can be a useful diagnostic: organisations may find it easier to update applications quietly but struggle with operating system disruption, approval steps, or reboot coordination. It also warned that application vulnerabilities are a common entry point and should be tracked alongside operating system updates.

The recommendations focused on operational throughput rather than technical failures. Acronis reported low rates of failed installations, suggesting many endpoints can patch successfully when deployments are attempted. The bottlenecks instead come from scheduling, deferred restarts, and unreachable devices.

"Globally, the median time to install Microsoft patches is 185 hours (7.7 days), while the 90th percentile reaches 926 hours (38.6 days). Third-party patches install faster on median at 136 hours (5.7 days) but still show a long tail with a P90 of 597 hours (24.9 days)," the report said.