Deprecating EPA scan for missing Windows security patches scan based on the severity level


Article ID: CTX338464


Description

The Citrix EPA plug-in uses the Microsoft-provided security severity ratings (Critical, Important, Moderate and Low) to determine the security criticality of missing security patches.
Microsoft has stopped assigning a severity to some of its security patches, so some patches now have an unspecified severity. See https://support.microsoft.com/en-us/topic/changes-to-the-classification-of-security-content-in-advisories-and-bulletins-da0f54b4-465a-7a00-1a9e-77a9aa3617c4
Because of this change on Microsoft's side, the EPA scan cannot filter security patches by severity level. As a result, the EPA scan for missing Windows security patch updates returns a PASS result even though some security patches are missing.
As an immediate step, Citrix is removing the non-working "Windows critical patch EPA check" scan from the Admin UI in active releases.

Resolution

What did this scan use to do?

This feature scanned the Windows client for missing security patches at the severity levels Critical, Important, Moderate and Low. Admins could configure a missing security patch EPA scan for these severity levels in the ADC Admin GUI, and the scan was evaluated against the configured severity level. The EPA scan FAILED if the client had any missing security patches.
 

Why has the scan stopped working?

Microsoft has stopped assigning a severity to some of its security patches.
 

What is the current behavior for customers who are still using it?

The EPA scan may PASS even if the Windows client is missing a security patch that has no severity level assigned.
 

What should customers do?

Customers can remove the EPA scan for missing Windows security patches from the ADC, as this EPA scan may give false positive results. However, customers can still use the following scan options to check for Windows updates:
     a. Update installation type: AUTOMATIC, MANUAL
     b. Last update check: <user machine should have run windows update check before these many days>

 

What is the plan for removing the scan from the ADC admin UI?

This scan is deprecated and will be removed from the ADC admin GUI starting from EPA library version 1.1.2.21. Customers can install this new EPA library on the ADC to see the admin GUI changes.
 

What is the alternative plan for the future?

Because EPA cannot scan for missing security patches based on severity level, Citrix is working on an alternative solution that scans for missing Windows updates based on the Windows patch category ID.
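To see the underlying data this scan depended on, here is an added example (not Citrix EPA code, and not part of the original article) that uses the Windows Update Agent COM API on a client to list the updates it reports as not installed, with each update's MsrcSeverity and its 'Security Updates' classification category. Updates whose severity is an empty string are the ones a severity-only filter passes over, while the category name and its CategoryID are the attributes a category-based check can key on instead. It assumes an elevated PowerShell session on a Windows client where the Windows Update Agent is available.

```powershell
# Added example (not Citrix EPA code): enumerate updates the Windows Update Agent
# reports as not installed and show why a severity-based filter is unreliable.
# Assumes an elevated PowerShell session on a Windows client with Windows Update Agent.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Only software updates that are not yet installed and not hidden by the user.
$missing = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

$rows = foreach ($u in $missing) {
    # MsrcSeverity is 'Critical', 'Important', 'Moderate', 'Low', or an empty
    # string when Microsoft assigned no severity to the update.
    $severity = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { '<unspecified>' } else { $u.MsrcSeverity }

    # Each update carries one or more classification categories (for example
    # 'Security Updates'), each with a stable CategoryID GUID. That GUID is the
    # kind of attribute a category-based check can key on.
    $secCat = $u.Categories | Where-Object { $_.Name -eq 'Security Updates' } | Select-Object -First 1

    [pscustomobject]@{
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = $severity
        IsSecurity = [bool]$secCat
        CategoryID = if ($secCat) { $secCat.CategoryID } else { '' }
        Title      = $u.Title
    }
}

$rows | Format-Table -AutoSize

# A check that filters on severity alone (what the deprecated EPA scan did) would
# PASS a client that is missing these updates; a category-based check would not.
$unratedSecurity = @($rows | Where-Object { $_.IsSecurity -and $_.Severity -eq '<unspecified>' })
"Missing security updates with no severity rating: $($unratedSecurity.Count)"
```

The table output is informational; the final count is the number of missing security updates that a severity-only filter would silently ignore on that client.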


Problem Cause

Because Microsoft no longer assigns a severity to some of its security patches, the EPA scan cannot filter security patches by severity level. As a result, the EPA scan for missing Windows security patch updates returns a PASS result even though some security patches are missing.