Hey everyone,
I'm managing around **20,000 systems across various regions**, and we're using **SCCM** to push out Windows updates. Recently, during our **Nessus vulnerability scans**, we've noticed a number of hosts being flagged for **missing patches and KBs**, some dating back to 2020 or earlier.
The SCCM admin team is convinced that the latest patches have been deployed correctly, but Nessus continues to flag them as missing. We've double-checked credentials, scan configurations, and even conducted rescans but to no avail.
So I'm wondering: **Is it possible that Nessus is giving us false positives, or could SCCM be failing quietly on some hosts?** Have any of you run into this kind of mismatch between SCCM and Nessus? I'd love to hear your experiences and how you handled it.
Thanks!
5 Answers
If there's a discrepancy between Nessus and SCCM regarding missing patches, start by checking the last scan date in Nessus to ensure it’s recent. Then, take a representative device and manually check if the reported patches are indeed missing.
Sometimes when a KB gets flagged, it might be due to more than just the patch being installed. There could be registry keys or other settings that also need adjustment. Make sure to thoroughly check the Nessus report for these details.
Exactly! Reading the detailed results from Tenable is crucial. They often explain what specifically is missing or required to resolve the vulnerability.
Nessus usually provides clear detection logic for why it identifies a vulnerability. It's essential to verify the system file versions it detects against what's actually installed. In my experience, when Nessus flags something, it’s often accurate.
Totally! The scan details are key here. While I've seen Nessus miss vulnerabilities occasionally, when it does report something, it’s typically correct. Remember, after deploying a patch, sometimes a reboot is needed for the changes to take effect!
Also, make sure that old versions of software are correctly uninstalled if you’re pushing out updates. For instance, if you update .NET Core but leave the old version, that can cause issues.
I don’t usually work with Nessus, but I know that sometimes older user profiles can carry old DLLs that aren’t updated until the user logs in, causing a clutter of false flags.
Make sure you're deploying all required updates through SCCM correctly. I’ve seen issues where SCCM doesn’t pull down all necessary updates from the master list, leading to discrepancies. Also, check if any registry keys are needed for the patches to fully apply.
That’s what I did! I set up a system that catches about 90% of the patches while also deploying a wider range to ensure nothing gets missed.
Right! For example, some issues related to Spectre/Meltdown patches require both the patch and specific registry changes to be fully addressed.
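To put the checks from these answers into one place (installed-hotfix list, on-disk file version, pending reboot, and what the SCCM client itself reports), here is an added PowerShell example; it is not from the thread or from Tenable/Microsoft, and the KB number, file path and fixed version are placeholders you would take from the Nessus plugin output for the host.

```powershell
# Added example: reconcile one Nessus "missing patch" finding against a single host.
# Run on the flagged host as an administrator. Placeholders come from the Nessus plugin output.
param(
    [string]$Kb          = "KB0000000",                        # placeholder KB from the finding
    [string]$FilePath    = "C:\Windows\System32\example.dll",  # placeholder file the plugin checks
    [version]$MinVersion = "10.0.0.0"                          # placeholder "fixed" version
)

$result = [ordered]@{ Host = $env:COMPUTERNAME; KB = $Kb }

# 1. What the SCCM team usually looks at: is the KB in the installed-hotfix list?
$result.HotfixInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

# 2. What Nessus actually tests: is the binary on disk at or above the fixed version?
if (Test-Path $FilePath) {
    $vi  = (Get-Item $FilePath).VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $result.FileVersion  = $ver.ToString()
    $result.FileUpToDate = ($ver -ge $MinVersion)
} else {
    $result.FileVersion  = 'file not present'
    $result.FileUpToDate = $null
}

# 3. Reboot pending? An installed-but-not-rebooted update still scans as missing.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pfro = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$result.RebootPending = (($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0) -or [bool]$pfro

# 4. The SCCM client's own view: is this update even targeted at the host, and in what state?
try {
    $ccm = Get-CimInstance -Namespace root\ccm\ClientSDK -ClassName CCM_SoftwareUpdate -ErrorAction Stop |
           Where-Object { $_.ArticleID -eq ($Kb -replace '^KB', '') }
    $result.CcmEvaluationState = if ($ccm) { $ccm.EvaluationState } else { 'not targeted by any deployment' }
} catch {
    $result.CcmEvaluationState = 'SCCM client WMI namespace not reachable'
}

# 5. Verdict: which side of the mismatch this host falls on.
$result.Verdict = if (-not $result.HotfixInstalled)      { 'patch genuinely missing' }
                  elseif ($result.FileUpToDate -eq $false) { 'hotfix listed but file still old (stale file, superseded KB, or old profile copy)' }
                  elseif ($result.RebootPending)           { 'installed, reboot pending' }
                  else { 'looks patched on disk; check the plugin output for registry requirements' }
[pscustomobject]$result
```

Run it on a few hosts Nessus flags and compare the verdicts: a pattern of "reboot pending" or "not targeted by any deployment" points at the deployment side, while "patch genuinely missing" with a recent scan date is a real gap.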