Why Some Windows KBs Appear in Vulnerability Scans but Not in Patch Manager
Learn why certain Windows KBs show up in vulnerability scans but are not visible in Patch Manager and how to address this discrepancy.
Issue Summary
You may encounter a scenario where a Windows KB article appears in the Vulnerability Scan results for an endpoint (e.g., Patch - KB5055528), but that same KB does not appear under the Windows tab in Patch Manager > Root Cause Breakdown or when you search for the related CVE there.
This can understandably create confusion, especially when trying to count how many assets are affected by a specific KB or root cause across your environment.
Root Cause Explanation
CYRISMA uses two different methods to identify missing patches, depending on where you're viewing the data:
| Area | Source of KB Data | Behavior |
|---|---|---|
| Vulnerability Scan Results | A scanner that matches missing patches to CVEs | Shows the original KB associated with a known vulnerability |
| Patch Manager > Windows | Queries Windows Update directly on the endpoint | Shows the most current KB update that Windows reports as required |
Why the Discrepancy Happens
Microsoft routinely rolls the fixes from an older KB into a newer cumulative update, and Windows Update stops offering the older update once the newer one supersedes it. For example:
- Vulnerability Scan Result: Identifies KB5055528 as the fix for a CVE.
- Windows Update / Patch Manager: Only lists the newer cumulative update KB5058405, which includes all fixes from KB5055528 and more.
Therefore, you won't see the original KB in Patch Manager: it has been superseded, so Windows no longer reports it as required.
How CYRISMA Handles This
- Vulnerability scans still display the original KB tied to the CVE.
- Patch Manager relies on real-time Windows Update queries to identify the latest applicable update.
This ensures that you are applying what Microsoft currently offers for the device, rather than chasing a KB that Windows will no longer install. Patch Manager does not currently map a superseded KB to the cumulative update that replaced it, so that correlation is a manual step (see below).
✅ What You Should Do
If you see a KB in the vulnerability scan that isn't listed in Patch Manager, you should:
1. Look up the KB on Microsoft's update history page to identify the cumulative update that currently supersedes it (e.g., KB5058405 for KB5055528).
2. Search Patch Manager for that newer cumulative KB and confirm that the device is flagged as needing it.
3. Apply that update; it contains the fixes tied to the older KB noted in the scan.
4. After the device reboots, re-run the vulnerability scan. The finding should clear once the scanner sees the updated build. If it persists, verify on the endpoint that the cumulative update is actually installed and that no reboot is still pending before treating the finding as a false positive.
💡 Pro Tip: When in doubt, treat the Patch Manager as your source of truth for which updates still need to be applied.
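The following PowerShell script performs the endpoint-side check from step 4 above. It is an added example, not code from CYRISMA or Microsoft: it reads the installed hotfix list and OS build from Windows, asks the Windows Update Agent which updates it still considers missing (the same source Patch Manager queries), and reports whether the scanned KB or a known superseding KB is installed, offered, or absent. The function name `Test-KBCoverage` and the supersedence list you pass to it are assumptions; the KB numbers are the ones used in this article. Run it in an elevated PowerShell session on the affected endpoint.

```powershell
<#
  Added example (not CYRISMA's or Microsoft's code). Reconciles a KB flagged by a
  vulnerability scan against what the endpoint itself reports. The caller supplies the
  superseding KB(s) from Microsoft's update history; the script does not derive them.
#>
function Test-KBCoverage {
    param(
        # KB flagged in the vulnerability scan (the original fix for the CVE)
        [Parameter(Mandatory)] [string]$ScannedKB,
        # Newer cumulative update(s) that supersede it, taken from Microsoft's update history
        [string[]]$SupersedingKBs = @()
    )

    # Installed hotfixes as Windows records them (Win32_QuickFixEngineering).
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    # OS build plus Update Build Revision. A cumulative update raises the UBR, so comparing
    # this against the build listed in the KB's release notes is the most reliable "is it fixed" check.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    # Updates the Windows Update Agent still reports as missing, with their KB IDs.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $missing  = @(foreach ($u in $pending) { foreach ($id in $u.KBArticleIDs) { "KB$id" } })

    # A pending reboot can make an update look installed to one source and missing to another.
    $rebootRequired = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

    $candidates     = @($ScannedKB) + $SupersedingKBs
    $installedMatch = @($candidates | Where-Object { $installed -contains $_ })
    $offeredMatch   = @($candidates | Where-Object { $missing   -contains $_ })

    $verdict =
        if ($installedMatch.Count -gt 0) {
            "Fixed: $($installedMatch -join ', ') is installed"
        } elseif ($offeredMatch.Count -gt 0) {
            "Pending: Windows Update offers $($offeredMatch -join ', '); apply it via Patch Manager"
        } else {
            'Unresolved: neither the scanned KB nor a known superseding KB is installed or offered; check the OS version, Windows Update connectivity, or whether the supersedence list is current'
        }

    [pscustomobject]@{
        ScannedKB      = $ScannedKB
        SupersedingKBs = $SupersedingKBs -join ', '
        OSBuild        = $build
        InstalledMatch = $installedMatch -join ', '
        OfferedByWU    = $offeredMatch -join ', '
        RebootRequired = $rebootRequired
        Verdict        = $verdict
    }
}

# KB numbers from the article above; replace them with the pair from your own scan and Patch Manager.
Test-KBCoverage -ScannedKB 'KB5055528' -SupersedingKBs 'KB5058405' | Format-List
```

The "Pending" verdict should line up with what the Windows tab in Patch Manager shows for the device, since both read from the Windows Update Agent. A "Fixed" verdict with `RebootRequired` set to `True` means the update is staged but not yet active, which is a common reason a scan run immediately after patching still reports the old KB.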
Summary
| Observation | Why It Happens | What to Do |
|---|---|---|
| KB shows in Vuln Scan, but not in Patch Manager | Microsoft rolled it into a newer cumulative update, which Windows now reports instead | Look up the superseding KB, find it in Patch Manager, and apply it |
| CVE search in Patch Manager doesn't return the KB | Patch Manager only knows the newer KB that Windows currently reports; the vulnerability scan shows the original KB | Use Patch Manager to determine the current patch needed |
| Root cause tracking is limited | Patch Manager doesn't currently map old-to-new KB relationships | CYRISMA displays what Windows recommends now; correlate superseded KBs manually using Microsoft's update history |