Windows 10 build 1903 not showing security updates in registry

  • Question

  • Hello,

    I'm running into an issue with my vulnerability scanner Nessus showing false positives on some of my Windows 10 systems. It is flagging that the latest security updates (such as October 8, 2019—KB4517389 (OS Build 18362.418)) are not installed on the systems that are 1903 build, even though the patches are installed as shown in view installed updates as well as no new updates in Windows Update. 

    The weird thing is that some of my systems are on older builds such as 1809 and 1803, and those systems do not flag any false positives. After looking into where the Nessus scanner checks to see if updates are installed, it checks the registry 

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

    On the older build systems 1809 and 1803, I can find the latest KB security updates installed, but on the 1903 systems, I can't find similar entries that the latest security updates are installed.

    I've tried rolling back security updates multiple times and re-installing them, but that has had no effect. I'm wondering if there is a fix or something to resolve the registry installing those security updates on 1903 build Windows 10 systems.

    Wednesday, October 23, 2019 8:32 AM

All replies

  • Cumulative updates for 1903/1909 (and probably future versions) are direct updates to the system inbox packages (similar to service pack behavior).
    They don't have any external sub-packages (e.g. Package_1_for_KB4517389*).

    The CU KB number will not be anywhere in the registry.
    The only way to check whether a certain CU is installed is to check the Package_for_RollupFix mum file(s) in C:\Windows\servicing\Packages

    e.g.
    findstr /i /m KB4517389 C:\Windows\servicing\Packages\Package_for_RollupFix*.mum

    So, Nessus should be updated with that fix.
    Wednesday, October 23, 2019 11:41 AM
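
The comparison discussed in this thread, as an added PowerShell example that is not part of any post: it looks for a KB in the CBS registry key the scanner reads, in the Package_for_RollupFix*.mum files, and in the QFE list, and reports the OS build next to the results. The parameter and variable names are illustrative, and reading the revision from the UBR registry value is an assumption added here; the KB number, registry key and servicing path are the ones quoted in the thread.

```powershell
# Added example (not from the thread): where does a cumulative update (CU) show up?
param(
    [string]$KB = 'KB4517389',                                # KB number quoted in the thread
    [string]$ServicingDir = "$env:windir\servicing\Packages"  # path from the reply above
)

# 1) CBS registry key named in the question. Per the reply, 1903 CUs have no
#    KB-named sub-packages here, so no hit is expected on those builds.
$cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$regHits = @(Get-ChildItem -Path $cbsKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$KB*" })

# 2) Rollup manifests: same test as "findstr /i /m <KB> Package_for_RollupFix*.mum".
#    Select-String is case-insensitive by default; -List stops at the first hit per file.
$mumHits = @(Get-ChildItem -Path $ServicingDir -Filter 'Package_for_RollupFix*.mum' -ErrorAction SilentlyContinue |
    Select-String -Pattern $KB -SimpleMatch -List)

# 3) QFE list, the same data "wmic qfe list" prints.
$qfeHits = @(Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

# 4) OS build as winver shows it, e.g. 18362.418 (UBR holds the revision; assumption).
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

# One row per host: a CU that is missing from the registry but present in the
# rollup manifest and QFE list is the false-positive pattern described here.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    KB             = $KB
    OSBuild        = $osBuild
    InCbsRegistry  = $regHits.Count -gt 0
    InRollupFixMum = $mumHits.Count -gt 0
    RollupFixFiles = ($mumHits | ForEach-Object { $_.Filename }) -join ', '
    InQfeList      = $qfeHits.Count -gt 0
}
```

Saved as a script and run on each flagged host, the output row can be collected centrally and compared against the scanner's finding for the same KB.
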
  • Hi KonWin, 

    Please run "winver" on the Windows 10 1903 device to check the exact system build. Then report the number back to us.

    The corresponding system build for KB4517389 should be 18362.418.

    We could also run the command line "wmic qfe list" as administrator to check the installed update package list.

    Bests,


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 24, 2019 2:11 AM
    Moderator
  • Hello,

    I ran winver on all of the systems that were flagging and it came back with Version 1903 (OS Build 18362.418)

    For "wmic qfe list" it shows KB4517389 installed.

    Saturday, October 26, 2019 7:08 AM
  • Hi, 

    Thank you for your feedback.

    As the wmic command line shows it as installed, I think the update package does not need to be installed again. So please ignore Nessus's notification.

    Bests, 



    Tuesday, October 29, 2019 6:58 AM
    Moderator