Identify missing patches direct from Microsoft Update
Unless you select all products and classifications in your configuration of Software Updates, it's possible you have computers on your network which require updates to Microsoft products but you'll never know about them.
Can ConfigMgr add a feature to alert you if you have clients that require updates which are not enabled in your software update configuration?
Otherwise you could be potentially leaving a big hole in your endpoint security.
Maybe this could be added as a management insight, or a report?
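One way to get at the data the request asks for today, as an added example that is not part of the original request or of any ConfigMgr feature: scan a client directly against Microsoft Update with the Windows Update Agent COM API and flag missing updates whose product is not among the products enabled on the software update point. The WUA objects, the `ssOthers` server selection and the Microsoft Update service ID used here are real; `$EnabledProducts` is a constructed sample list and the `CoveredBySUP` comparison assumes your enabled product names match the product category names Microsoft Update reports.

```powershell
# Added example (not ConfigMgr code): list updates a client needs from
# Microsoft Update and mark those whose product is not enabled on the SUP.
# $EnabledProducts is a constructed sample; replace it with the products
# actually selected under Software Update Point > Products.
param(
    [string[]]$EnabledProducts = @('Windows 10', 'Windows 11', 'Microsoft Defender Antivirus')
)

# Well-known service ID of Microsoft Update (Windows Update alone would miss Office etc.)
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

# Register the Microsoft Update service with WUA if this client has never used it.
# Flags 3 = allow pending + online registration, without making it the default
# Automatic Updates service (flag 4 would), so the ConfigMgr/WSUS setting stays put.
$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
if (-not ($serviceManager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId })) {
    $null = $serviceManager.AddService2($MicrosoftUpdateServiceId, 3, '')
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3                       # ssOthers: use ServiceID below, not the WSUS/ConfigMgr server
$searcher.ServiceID       = $MicrosoftUpdateServiceId
$searcher.Online          = $true                   # query Microsoft Update, not the local cache

# Applicable updates that are not installed and not hidden by an administrator
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

$report = foreach ($update in $result.Updates) {
    # Category type 'Product' names the product; 'UpdateClassification' is
    # Security Updates, Critical Updates, etc.
    $products        = @($update.Categories | Where-Object { $_.Type -eq 'Product' } | ForEach-Object { $_.Name })
    $classifications = @($update.Categories | Where-Object { $_.Type -eq 'UpdateClassification' } | ForEach-Object { $_.Name })
    $covered         = @($products | Where-Object { $EnabledProducts -contains $_ })

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        KB             = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title          = $update.Title
        Product        = $products -join ';'
        Classification = $classifications -join ';'
        Severity       = $update.MsrcSeverity
        CoveredBySUP   = ($covered.Count -gt 0)     # $false = the SUP never syncs this product
    }
}

# The blind spot: needed updates ConfigMgr cannot report on with the current product selection
$report | Where-Object { -not $_.CoveredBySUP } | Sort-Object Product, KB | Format-Table -AutoSize
```

Run it as an administrator on a handful of representative clients (it needs outbound access to Microsoft Update, which many ConfigMgr-managed networks block). Anything in the `CoveredBySUP = False` rows is a product that is present and unpatched but invisible to ConfigMgr compliance data until it is added to the product selection; pipe `$report` to `Export-Csv` if you want to collect results centrally.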
Nash Pherson commented
Had to go find 3 votes to reclaim from other ideas to throw towards this one...
The number of organizations that claim to be doing great at patching versus the number that are great at patching... let's just say there is a very big delta there. Between "deleting unhealthy and missing clients so they don't break my reports," to "we only sync Windows and Office patches", and even "we deploy the updates to this 1 collection... which doesn't have all the clients in it". We have to make it easier to get the data which shows the total enterprise view so we can change these awful behaviors.
Mads Lomholt commented
Maybe. So select all products until then. Just to see what's in the bushes :)
I did this on my own many years ago although I was told not to. I was told that "our organisation does not use This&That". Well, I selected all products in WSUS and guess what, we _had_ lots of This&That. And they were not patched. Maybe This&That should not be out there, but feed them updates! At least until some report or flag points out what you have in mind.