Scanning machines against specific patches
Is there a way to get Microsoft Baseline Security Analyzer to scan a list of machines against specific patches? If so, what are the steps I'd take to perform this type of scan?
Sure, and you have a couple of different options for these types of scans. The -sus option for mbsacli.exe supports scanning for only a specific list of patches. If you have an existing SUS (Software Update Services) server, you supply the URL of your SUS server or the path to the Approveditems.txt file as the argument to the -sus option. For example, mbsacli.exe -sus http://mysusserver. This option will cause MBSA to check only for updates approved at the specified SUS server or within the specified text file.
You can also use combinations of the -n option, which specifies the checks NOT to perform (for example, OS, SQL, Password, etc.). Using this option trims down the security and update checks that are performed and helps you tailor the tool to your specific needs.
To control the machines that MBSA is run against, use one of the following options:
- -c -- scan a specific named computer
- -i -- scan a specific IP address
- -r -- scan a range of IP addresses
- -d -- scan a specific domain
This was first published in March 2005
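The options above can be combined to work through a list of machines. The following PowerShell sketch is an added example, not part of the original answer: it reads a mixed target list and picks -c, -i or -r for each entry, then runs mbsacli.exe with -sus and -n. The install path, targets.txt, the log folder, the DOMAIN\computer form for -c and the '+'-joined value for -n are assumptions.

```powershell
# Added example: run mbsacli.exe once per entry in a target list.
# Assumed, not from the original answer: install path, targets.txt, log folder.
$Mbsa   = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$SusUrl = 'http://mysusserver'   # URL form used in the answer's example
$Skip   = 'OS+SQL+Password'      # checks NOT to perform (-n), assumed '+'-joined
$LogDir = '.\mbsa-logs'

# Map one line of the target list to the matching mbsacli target option.
function Get-MbsaTargetArgs {
    param([string]$Target)
    $ip = '(\d{1,3}\.){3}\d{1,3}'
    switch -Regex ($Target.Trim()) {
        "^${ip}-${ip}`$"       { return @('-r', $_) }  # range of IP addresses
        "^${ip}`$"             { return @('-i', $_) }  # single IP address
        '^[\w.-]+\\[\w.-]+$'   { return @('-c', $_) }  # DOMAIN\computer (assumed form)
        default                { return $null }        # anything else is rejected
    }
}

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

# targets.txt (constructed sample):
#   CORP\WKSTN01
#   192.168.10.25
#   192.168.20.1-192.168.20.50
foreach ($line in Get-Content '.\targets.txt') {
    if ($line -match '^\s*(#|$)') { continue }          # skip blanks and comments

    $targetArgs = Get-MbsaTargetArgs $line
    if (-not $targetArgs) {
        # Never pass unvalidated text to the command line; report it instead.
        Write-Warning "Skipping unrecognized target: $line"
        continue
    }

    # One log per target so missing-patch findings can be reviewed per machine.
    $name = $line.Trim() -replace '[\\/:]', '_'
    $log  = Join-Path $LogDir "$name.txt"

    & $Mbsa @targetArgs -sus $SusUrl -n $Skip 2>&1 | Set-Content -Path $log
    '{0}  exit={1}  log={2}' -f $line.Trim(), $LASTEXITCODE, $log
}
```

To scan a whole domain instead of a list, replace the per-line mapping with a single run using -d.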