How can I look at the criteria which a patch is using to determine what workstations are considered "not patched" vs. "patched" vs. "not applicable"?

I'm interested in deploying e.g. the Firefox 10 ESR across my entire organization, and since there is already a "Software Installer" patch available in ZPM for that, it would seem to make sense to just deploy the program that way via mandatory baseline - at least for initial installation. However, the patch is listed with only one "not patched" workstation.

At the moment, we have ZPM disabled in the Agent configuration (we initially disabled it when the DAU bundles started crashing due to a new-patch-information incompatibility), except in certain containers; we aren't planning to turn it back on until our current major deployments are done with - probably July or August at the earliest. It would therefore seem possible that this result is simply because the DAU bundles aren't getting a chance to do their scans and report the new applicability data back to the server.

However, the sole workstation listed as "not patched" is not in one of the containers where ZPM has been re-enabled, and at least one workstation which is in one of those containers and which has Firefox 3.5.2 (and thus should be eligible for patch-based upgrade) is not listed.

I want to try to figure out the reason for this behavior, but without knowing what criteria the applicability categorization is based on, I don't see any way to get started on doing that.