Hi, @sover steve
Thank you for posting in the Microsoft Q&A forum.
We can use CMPivot to query for missing patches, as shown below:
SoftwareUpdate | where (Categories == 'Security Updates,Windows 10, version 1903 and later') | where (KBArticleIDs == 'KB4565627' ) | order by Device asc
After running the query, we get the details of the Windows 10 devices that are missing security updates, and we can create a device collection directly from the result.
For your reference:
https://www.anoopcnair.com/find-devices-missing-patches-using-configmgr-cmpivot-query/
(Please note: this website is not hosted by Microsoft; the link is just for your reference.)