Some learnings from a recent patching exercise
.NET - If your WSUS and SCCM do not show any patches that your vulnerability scanner says are missing, it's probably because the .NET version is EOL.
Java - Make sure you remove old versions of Java before deploying the latest version. The vulnerability scanner will keep reporting on the older versions.
Also check whether SCCM or any other patch deployment tool has both the 32-bit and the 64-bit versions, in case you have a mix of these in your environment.
It is faster to use PowerShell to check the file versions that your vulnerability scanner checks to classify a machine as vulnerable. Running scans can be time-consuming.
....need to upload sample powershell check for file versions...
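One way to do the file version check described above, as an added example (not the author's script). The function name Test-FileVersion, the file paths and the minimum versions are assumptions; take the real file and fixed version from your scanner's finding for the machine.

```powershell
# Added example. Paths and MinVersion values are constructed placeholders:
# replace them with the file and fixed version your scanner reports.
$Checks = @(
    @{ Name = '.NET CLR (32-bit)'; Path = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll';   MinVersion = '0.0.0.0' },
    @{ Name = '.NET CLR (64-bit)'; Path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll'; MinVersion = '0.0.0.0' },
    # Wildcards pick up every Java folder, including old versions left behind.
    @{ Name = 'Java (64-bit)';     Path = 'C:\Program Files\Java\*\bin\java.exe';       MinVersion = '0.0.0.0' },
    @{ Name = 'Java (32-bit)';     Path = 'C:\Program Files (x86)\Java\*\bin\java.exe'; MinVersion = '0.0.0.0' }
)

function Test-FileVersion {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Checks
    )
    foreach ($check in $Checks) {
        $min   = [version]$check.MinVersion
        $files = @(Get-Item -Path $check.Path -ErrorAction SilentlyContinue)

        if ($files.Count -eq 0) {
            # Nothing at this path: report it so a missing file is not read as "patched".
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Name = $check.Name; File = $check.Path
                Found = $null; Minimum = $min; Status = 'NotFound'
            }
            continue
        }

        foreach ($file in $files) {
            # Build the version from the numeric parts; the FileVersion string
            # can carry extra text that does not parse as a version.
            $vi    = $file.VersionInfo
            $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
            $status = if ($found -lt $min) { 'BelowMinimum' } else { 'OK' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Name = $check.Name; File = $file.FullName
                Found = $found; Minimum = $min; Status = $status
            }
        }
    }
}

Test-FileVersion -Checks $Checks | Format-Table -AutoSize
```

Each installed copy gets its own row, so a leftover old Java folder or a 32-bit copy that was missed shows up separately from the patched one.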