02-03-2026 02:06 PM
Hello,
In viewing this report I've noticed it's still flagging servers that have been patched already, and wondering how often that checks against all endpoints? I can go on a server and it's not showing any updates needed, and then look in the report and it's in there showing it needs 68 updates, which all come from a cumulative update (Windows), but that's been installed already.
Can someone help me understand this?
02-04-2026 06:46 AM
Hello @JasonFerris ,
Greetings for the day.
The discrepancy between your endpoint's actual patch status and the Cortex XDR report is typically caused by data synchronization cycles and the schedule of vulnerability content updates.
Cortex XDR relies on a multi-step synchronization process to reflect endpoint changes:
- Host Inventory Scan: The Cortex XDR Agent performs a full inventory scan of the endpoint every 24 hours. This scan collects the list of installed applications and Knowledge Base (KB) patches.
- Data Transmission and Processing: Once the scan is complete, the agent transmits this data to the XDR server. The entire process of reporting and updating the console status can take up to 24 hours to fully synchronize.
- Server-Side Recalculation: The XDR server runs a background task to recalculate vulnerability scores approximately every four hours based on the latest data received from agents.
The Vulnerability Assessment (VA) engine uses definitions from partners (such as Ivanti) and the NIST National Vulnerability Database (NVD). There are inherent delays in this pipeline:
- Weekly Content Updates: Patch and vulnerability definitions are released via Content Updates (CU) on a weekly cycle, typically every Tuesday.
- Design Delay: There is often a standard delay of approximately one week before new Microsoft patch definitions are incorporated into a Content Update. If you have recently installed a new patch, XDR may not yet have the definitions required to recognize it as a resolution for the associated CVEs.
- Enhanced VA Engine Sync: If the Enhanced Vulnerability Assessment Engine is enabled, endpoints must download large data files. This synchronization can take up to seven days to complete across a large environment.
In Cortex XDR, the report counts CVEs (Common Vulnerabilities and Exposures) rather than individual KB installers. A single Microsoft Cumulative Update often fixes dozens of different security vulnerabilities. If the agent or server has not yet completed a recalculation cycle, the console will continue to list all individual vulnerabilities addressed by that KB as open or detected.
To manually accelerate the update for a specific server, follow these steps:
1. Force Agent Check-in: On the affected server, run the following command from an administrative command prompt to force the agent to sync with the server immediately:
   "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" checkin
2. Rerun Insight Collection: In the Cortex XDR console, navigate to Assets > Vulnerability Assessment, select the endpoint, right-click, and select Rerun insight collection.
3. Trigger Recalculation: In the same Vulnerability Assessment dashboard, click the Recalculate button at the top of the table to force the server to re-evaluate the status of the assets.
Allow approximately 30 minutes after these steps for the data to process and refresh in the UI.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
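The first step of the procedure in the reply above can be scripted so that the check-in is only forced once the update is confirmed on the server itself. This is an added example, not part of the reply and not Palo Alto Networks code; the KB id is a placeholder to replace, and the cytool path is the one quoted in the reply.

```powershell
# Added example: confirm the cumulative update locally, then force the agent check-in.
param(
    # Placeholder: replace with the KB id of the cumulative update you installed.
    [string]$KbId = 'KB0000000',
    # cytool path as quoted in the reply above.
    [string]$CyTool = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
)

# The reply says to run the check-in from an administrative prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an elevated PowerShell session.'
    exit 1
}

# Get-HotFix only lists updates recorded in Win32_QuickFixEngineering,
# so a miss here means "not listed", which is worth checking before blaming the report.
try {
    $hotfix = Get-HotFix -Id $KbId -ErrorAction Stop | Select-Object -First 1
} catch {
    $hotfix = $null
}
if (-not $hotfix) {
    Write-Warning "Get-HotFix does not list $KbId on $env:COMPUTERNAME; verify the install first."
    exit 2
}
Write-Output ("{0} is installed on {1} (InstalledOn: {2})" -f `
    $hotfix.HotFixID, $env:COMPUTERNAME, $hotfix.InstalledOn)

if (-not (Test-Path -LiteralPath $CyTool)) {
    Write-Error "cytool.exe not found at $CyTool"
    exit 3
}

# Same command as in the reply. The page does not document cytool's exit codes,
# so the script only reports a non-zero code rather than interpreting it.
& $CyTool checkin
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cytool checkin exited with code $LASTEXITCODE"
    exit $LASTEXITCODE
}
Write-Output 'Check-in requested. Continue in the console: Rerun insight collection, then Recalculate.'
```

The two console steps (Rerun insight collection and Recalculate) still have to be done in the Cortex XDR UI as described in the reply.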

