The KB endpoint checks are performed on the client machine by using a Windows API to obtain the OS patch info, transformed into a list, signed, transmitted to APM, then verified with whatever expression you have set up. So all BIG-IP does here is obtain a simple text string.
In your example you have:
expr { [mcget {session.windows_info_os.last.updates}] contains "123456" || [mcget {session.windows_info_os.last.updates}] contains "7891011" || [mcget {session.windows_info_os.last.updates}] contains "3247922"
Leaving aside the missing end square and curly-braces, this is essentially 3 IF statements joined by an OR (||) operator, so there is no precedence here, it's just "X contains A or X contains B or X contains C" If X has A, B, or C it'll match.
It may be that X (session.windows_info_os.last.updates) wasn't being transmitted to BIG-IP correctly. In that case, you'll have to check the session variable viewer or logs to obtain the raw value of that session variable.
There are also some rare cases where strings become malformatted due to the our TCL script interpreter, but this usually happens with non-ASCII characters.