Dalai wrote: Let's go through the updates that are shown as missing in the last install run (the previous install runs don't really matter).
I wasn't able to actually prove out that previous install runs showing missing updates don't really matter. Based on a spreadsheet I did comparing what is downloaded vs what gets installed, I show the below updates (that were not downloaded and consequently threw the "Warning: Not found" during the auto install runs). You can see from the log that most of them showed missing during the middle of the install runs.
Most are .NET related. I went through them one by one to see what was and was not replaced.
kb3021674-   missing/ not found on Earlier & last run. Not installed at all / Vulnerability in User Profile Svc. / Replaced by 2020-02 and later SOQU
kb4014985-   Update Catalog shows not replaced  / SOU- .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2
kb4019108-   Update Catalog shows not replaced  / SOU- .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2
kb4041083-   missing/ not found on Earlier & last run. Not installed at all / EDIT: Replaced by not downloaded SQR kb4055532 for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1
kb4041090-   Update Catalog shows not replaced / SQR for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
kb4054518-   missing/ not found on Earlier & last run. EDIT: Not installed at all because it is a Security Update Rollup
kb4099637-   Update Catalog shows not replaced / SOU for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1
kb4340004-   Update Catalog shows not replaced / SOU for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
kb4345679-   Update Catalog shows not replaced / SOU for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
kb4471981-   Update Catalog shows not replaced / SOU for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
kb4487121-   Update Catalog shows not replaced / SOU for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 
kb4498961-   Update Catalog shows not replaced / SOU for 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
kb4507411-   Update Catalog shows not replaced / SOU for 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
kb4534251-   missing/ not found on earlier & last run. Not installed at all / CSU IE11
kb4534310-   missing/ not found on Earlier & last run. Not installed at all. EDIT: Not installed at all because it is a Security Update Rollup
kb4534976-   Update Catalog shows not replaced / SOU .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
kb4535102-   Update Catalog shows not replaced / SQR .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
kb4536952-   EDIT: Replaced by 2020-04 SSU kb4550738 (odd that what did install was the 2020-02 SSU despite not having the ESU License)
Dalai wrote: The install run does check if the system has a valid ESU license, and skips, or prunes out as Microsoft calls it, all updates that aren't applicable to the system (i.e. everything released in 2020-02 and later). So, this could prune out an update that superseded an older one, but the older one wasn't downloaded. You can see where this is going.
Update kb3021674:
If that really is replaced by the 2020-02 Security-Only update (didn't verify that), it's OK that it's marked as missing. Keep in mind that the download run doesn't check if the system is part of the ESU program (and rightfully so!), but the install run does via the Windows Update Agent (WUA). I'll explain it in a little more detail. The download run works like this: It downloads only the newest updates, skipping everything that's been superseded or replaced by newer updates. There are some exceptions to this, but this would only complicate my explanation.
In the concrete example, if KB3021674 was superseded/replaced by 2020-02 SecOnly, only the latter would be downloaded, but the installation would prune that out and instead want to try to install KB3021674.
Update kb4054518:
See explanation about KB3021674 above. EDIT: This one is the 2017-09 SMQRollup noted above. Should the instance be looking for a SMQR that old to install?
 
So basically, if I don't have an ESU license, I'd have to figure out what's missing and make a custom list?
Dalai wrote: Update kb4534251:
See explanation about KB3021674 above. AFAIK, the Cumulative updates for IE11 definitely supersede each other.  
EDIT: Problem is this is the 2020-01 IE cumulative update. Does that mean the tool cannot be tailored to recognize if the ESU update is there or not?
Dalai wrote: Update kb4041083:
Not sure on that one. Maybe it's also been replaced/superseded by a newer update.
Update kb4534310:
IIRC, the Monthly Rollups don't supersede the Security-Only Quality Updates. That's why it's marked as missing by the WUA.
What's confusing is the download instance was supposed to be for the security only monthly updates. Not sure why the Monthly Rollups are even being downloaded. No worries that the install log shows the 2017-12 & 2020-01 SMQR as Warning: Not found (or blacklisted). But the instance did download the oversize 2020-04 SMQR. A more pressing question is should the instance have downloaded the below 6 (EDIT: 4) SOQU but not install them? They show up on the download log but not on the install log. I only found them (along with about another 145 that were downloaded but not installed) by comparing on a spreadsheet.
2016-10 kb3192391 EDIT: Just found in the install log, my mistake
2016-11 kb3197867 EDIT: Just found in the install log, my mistake
2017-01 kb3212642
2018-01 kb4056897
2018-02 kb4074587
2018-03 kb4088878
I'm still working through what was downloaded update by update but much of what is not installed appears to have not been replaced. Maybe there is another reason they were not installed?
Dalai wrote: Perhaps a more knowledgeable person could add to that, or correct me if I'm wrong on something.
Regards
Dalai
Please feel free to do the same for me. I'm still very new to how this tool works, what it is able to do inside the WU confines, and what it can't.
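
The gap described in the quoted explanation (the download run keeps only the newest update in each supersedence chain, while the install run first prunes everything that needs ESU) can be modelled in a few lines. This is an added illustration, not code from the tool or from either poster; the release dates and the two `KB-2020-02-*` names are constructed placeholders, and the supersedence links are the ones the thread states or supposes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ESU_CUTOFF = "2020-02"  # per the thread: 2020-02 and later needs an ESU license


@dataclass(frozen=True)
class Update:
    kb: str
    released: str                       # "YYYY-MM", compares correctly as a string
    superseded_by: Optional[str] = None


# Constructed sample catalog; dates and KB-2020-02-* entries are placeholders.
CATALOG: Dict[str, Update] = {u.kb: u for u in [
    Update("KB3021674", "2015-01", "KB-2020-02-SECONLY"),
    Update("KB-2020-02-SECONLY", "2020-02"),
    Update("KB4534251", "2020-01", "KB-2020-02-IE11-CU"),
    Update("KB-2020-02-IE11-CU", "2020-02"),
    Update("KB4536952", "2020-01", "KB4550738"),
    Update("KB4550738", "2020-04"),
]}


def allowed(u: Update, has_esu: bool) -> bool:
    return has_esu or u.released < ESU_CUTOFF


def download_set(catalog: Dict[str, Update]) -> Set[str]:
    """Download run: newest update of each chain, no ESU check."""
    return {u.kb for u in catalog.values() if u.superseded_by is None}


def applicable_set(catalog: Dict[str, Update], has_esu: bool) -> Set[str]:
    """Install run: prune ESU-only updates, then apply supersedence."""
    result = set()
    for u in catalog.values():
        if not allowed(u, has_esu):
            continue
        nxt = u.superseded_by
        # Skip successors that were pruned; they no longer replace anything.
        while nxt is not None and not allowed(catalog[nxt], has_esu):
            nxt = catalog[nxt].superseded_by
        if nxt is None:
            result.add(u.kb)
    return result


def missing_on_install(catalog: Dict[str, Update], has_esu: bool) -> List[str]:
    """Updates the install run wants but the download run never fetched."""
    return sorted(applicable_set(catalog, has_esu) - download_set(catalog))
```

Running `missing_on_install` over a real supersedence export gives the candidate list for a custom download list on a system without ESU.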