Ask the Expert

Scanning machines against specific patches

Is there a way to get Microsoft Baseline Security Analyzer to scan a list of machines against specific patches? If so, what are the steps I'd take to perform this type of scan?
Sure, and you have a couple of different options for these types of scans. The -sus option for mbsacli.exe supports scanning for only a specific list of patches. If you have an existing SUS (Software Update Services) server, you supply the URL of your SUS server or the path to the Approveditems.txt file as the argument to the -sus option. For example: mbsacli.exe -sus http://mysusserver. This option causes MBSA to check only for updates approved at the specified SUS server or within the specified text file.

You can also use combinations of the -n option, which specifies the checks NOT to perform (for example, OS, SQL, Password, etc.). Using this option trims down the security and update checks that are performed and helps you tailor the tool to your specific needs.

To control the machines that MBSA is run against, use one of the following options:

  • -c -- scan a specific named computer

  • -i -- scan a specific IP address

  • -r -- scan a range of IP addresses

  • -d -- scan a specific domain

This was first published in March 2005
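
The following PowerShell script is an added example, not part of the original answer. It runs mbsacli.exe once per machine in a list, combining the -c, -n and -sus options described above. Assumptions: mbsacli.exe is on the PATH, hosts.txt and the output file names are hypothetical, http://mysusserver is the placeholder URL from the answer, and the skipped checks are joined with "+".

```powershell
# Added example: scan each machine in a list against the SUS-approved patch set.
# hosts.txt (hypothetical): one computer name or DOMAIN\name per line, '#' for comments.
$HostList   = 'hosts.txt'
$SusSource  = 'http://mysusserver'   # placeholder SUS URL, or a path to Approveditems.txt
$SkipChecks = 'OS+SQL+Password'      # checks NOT to perform; "+"-joined form is an assumption
$Summary    = 'mbsa-scan-summary.csv'

# Accept only plain host names (optionally DOMAIN\name). A line that starts with
# '-' or contains spaces is rejected so it cannot be parsed as an extra option.
$NamePattern = '^([A-Za-z0-9][A-Za-z0-9-]{0,14}\\)?[A-Za-z0-9]([A-Za-z0-9.-]{0,61}[A-Za-z0-9])?$'

$results = foreach ($line in Get-Content -Path $HostList) {
    $name = $line.Trim()
    if ($name -eq '' -or $name.StartsWith('#')) { continue }

    if ($name -notmatch $NamePattern) {
        [pscustomobject]@{ Computer = $name; Status = 'skipped: invalid name'; ExitCode = $null }
        continue
    }

    # Keep the console output of each scan in its own file for later review.
    $outFile = 'mbsa-' + ($name -replace '\\', '_') + '.txt'
    & mbsacli.exe -c $name -n $SkipChecks -sus $SusSource | Out-File -FilePath $outFile

    # The exit code is recorded as-is; its meaning is not interpreted here.
    [pscustomobject]@{ Computer = $name; Status = 'scanned'; ExitCode = $LASTEXITCODE }
}

$results | Export-Csv -Path $Summary -NoTypeInformation

# Surface rejected entries so a typo in the list does not silently leave a machine unscanned.
$results | Where-Object { $_.Status -ne 'scanned' } | Format-Table -AutoSize
```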
