This supplement to Understanding your Site Security Dashboard focuses specifically on the Patch Security section and how it is calculated. There is a misconception that the Site Security Dashboard is a fully functional, out-of-the-box part of Managed Workplace. While it can be, it does require tweaking and upkeep on devices. This is most evident in the Patch Security section.
The Patch Security section does not work alongside Managed Workplace Patch Management; instead, it supplies a full snapshot of the patches that devices do not have installed. This snapshot is calculated from WSUS, which is emulated by Managed Workplace, and it is not a clear reflection of what a device may need to be up to date on patch security.
For example, the most common offender is the Update Rollups category. This category contains all the language packs offered by Microsoft. If an end device does not have the various language packs set to install, WSUS does not factor this in. It simply reports that the device does not have the languages and that this can be an issue. While you might be syncing Update Rollups in Patch Management for hotfixes, having this category on in Site Security could adversely affect your score for Patch Security. The Managed Workplace team’s best practice is to toggle off the Update Rollups category, almost exclusively for this reason.
If you wish to have an output of all your missing Windows patches, please reach out to support and we can query the database for you. This can be a very long and exhaustive list, but it will give you a broad overview of what is missing in your environment.