Scanning machines against specific patches

Is there a way to get Microsoft Baseline Security Analyzer to scan a list of machines against specific patches? If so, what are the steps I'd take to perform this type of scan?

Sure, and you have a couple of different options for these types of scans. The -sus option for mbsacli.exe supports scanning for only a specific list of patches. If you have an existing SUS (Software Update Services) server, you supply the URL to your SUS server or the path to the Approveditems.txt file as the argument to the -sus option. For example, mbsacli.exe -sus http://mysusserver. This option will cause MBSA to check only for updates approved at the specified SUS server or within the specified text file.

You can also use combinations of the -n option, which specifies the checks NOT to perform (for example, OS, SQL, Password, etc.). Using this option trims down the security and update checks that are performed and helps you tailor the tool to your specific needs.

To control the machines that MBSA is run against, use one of the following options:

  • -c -- scan a specific named computer

  • -i -- scan a specific IP address

  • -r -- scan a range of IP addresses

  • -d -- scan a specific domain

This was first published in March 2005
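
The options above combined into one scan per entry of a machine list, as an added example that is not part of the original answer. The install path, the sample targets, the DOMAIN\COMPUTER name form and the "+"-joined -n value are assumptions; check them against your MBSA version's help output.

```powershell
# Added example: run mbsacli.exe once per target, checking only SUS-approved updates.
# Assumptions: install path, target list, DOMAIN\COMPUTER naming, '+' joining for -n.
$Mbsacli = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'  # assumed path
$SusUrl  = 'http://mysusserver'   # SUS server URL from the answer's example
$Skip    = 'OS+SQL+Password'      # checks NOT to perform (-n)

# Constructed sample list; in practice read it with Get-Content from a text file.
$Targets = @('CORP\WEB01', '10.0.0.15', '10.0.0.20-10.0.0.40', 'web01; del *')

function Get-MbsaTargetArgs {
    # Map one list entry to the matching target option (-r, -i or -c).
    # Entries that fit none of the strict patterns return $null, so text from
    # the list file can never reach the command line as extra arguments.
    param([string]$Target)
    $ip = '(?:\d{1,3}\.){3}\d{1,3}'
    if ($Target -match ('^{0}-{0}$' -f $ip))    { return @('-r', $Target) }  # IP range
    if ($Target -match ('^{0}$' -f $ip))        { return @('-i', $Target) }  # single IP
    if ($Target -match '^[\w-]+\\[\w.-]+$')     { return @('-c', $Target) }  # DOMAIN\COMPUTER
    return $null
}

foreach ($t in $Targets) {
    $targetArgs = Get-MbsaTargetArgs $t
    if (-not $targetArgs) {
        Write-Warning "Skipping unrecognized target: $t"
        continue
    }
    # Same patch baseline and same skipped checks for every machine.
    $argList = $targetArgs + @('-n', $Skip, '-sus', $SusUrl)
    Write-Host "mbsacli.exe $($argList -join ' ')"
    if (Test-Path $Mbsacli) {
        & $Mbsacli @argList      # only runs where MBSA is actually installed
    }
}
```

The last sample entry is deliberately malformed and is skipped with a warning rather than passed to mbsacli.exe.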
