
Scanning machines against specific patches

Is there a way to get Microsoft Baseline Security Analyzer to scan a list of machines against specific patches? If so, what are the steps I'd take to perform this type of scan?

Sure, and you have a couple of different options for these types of scans. The -sus option for mbsacli.exe supports scanning for only a specific list of patches. If you have an existing SUS (Software Update Services) server, you supply the URL of your SUS server or the path to the Approveditems.txt file as the argument to the -sus option. For example, mbsacli.exe -sus http://mysusserver. This option will cause MBSA to check only for updates approved at the specified SUS server or within the specified text file.

You can also use combinations of the -n option, which specifies the checks NOT to perform (for example, OS, SQL, Password, etc.). Using this option trims down the security and update checks that are performed and helps you tailor the tool to your specific needs.

To control the machines that MBSA is run against, use one of the following options:

  • -c -- scan a specific named computer

  • -i -- scan a specific IP address

  • -r -- scan a range of IP addresses

  • -d -- scan a specific domain
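One way to apply these options to a list of machines, as an added example that is not part of the original answer: each entry in the list is classified as a computer name, a single IP address or an IP range, and the matching -c, -i or -r option is combined with -sus and -n. The install path, the DOMAIN\computer and start-end argument forms, the "+" separator for -n values and the sample targets are assumptions.

```powershell
# Added example, not from the original answer. Assumptions: install path,
# DOMAIN\host form for -c, start-end form for -r, "+" separator for -n.
$Mbsa       = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$SusSource  = 'http://mysusserver'   # SUS URL from the answer's example
$SkipChecks = 'OS+SQL+Password'      # checks NOT to perform (-n)

# Constructed sample list; in practice use: $Targets = Get-Content .\targets.txt
$Targets = @('CORP\WS-0142', '192.0.2.15', '192.0.2.20-192.0.2.40', '', 'bad target!')

$ip      = '(\d{1,3}\.){3}\d{1,3}'
$rxRange = '^{0}-{0}$' -f $ip          # start-end range  -> -r
$rxIp    = '^{0}$' -f $ip              # single address   -> -i
$rxHost  = '^[\w-]+\\[\w.-]+$'         # DOMAIN\computer  -> -c

# Return the mbsacli argument list for one target, or $null if unrecognized.
function Get-MbsaArgs([string]$Target) {
    $t = $Target.Trim()
    $selector = switch -Regex ($t) {
        $rxRange { '-r'; break }
        $rxIp    { '-i'; break }
        $rxHost  { '-c'; break }
    }
    if (-not $selector) { return $null }
    return @($selector, $t, '-sus', $SusSource, '-n', $SkipChecks)
}

foreach ($entry in $Targets) {
    if ([string]::IsNullOrWhiteSpace($entry)) { continue }
    $mbsaArgs = Get-MbsaArgs $entry
    if (-not $mbsaArgs) {
        # Rejecting malformed lines keeps stray text out of the command line.
        Write-Warning "Skipping unrecognized target: '$entry'"
        continue
    }
    if (Test-Path -LiteralPath $Mbsa) {
        # One report file per target so results can be reviewed or diffed later.
        $report = 'mbsa-{0}.txt' -f ($entry.Trim() -replace '[\\/:]', '_')
        & $Mbsa @mbsaArgs | Out-File -FilePath $report -Encoding ascii
    } else {
        # mbsacli.exe is not installed here: show the command that would run.
        Write-Output ('DRY RUN: mbsacli.exe ' + ($mbsaArgs -join ' '))
    }
}
```

Passing the arguments as an array rather than a concatenated string keeps each list entry a single argument, so a malformed line cannot add extra options to the command.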
