New MS Baseline Security Analyzer 2.0

[Torgeir Bakken \(MVP\)]

This new version dropped the /hf and /v switches so I can no
longer do quick checks for patches for SQL, OS, XML, MDAC, etc.
For stand alone computers not using update services like SUS, MU,
etc, those switches were nice features for putting into a batch
file to just check for needed Microsoft updates then output to a
text file.

Does Microsoft have any alternatives to easily scan for above
patches for standalone computers? I know that
http://www.shavlik.com has full version of hfnetchk but I don't
believe I should have to pay for checking for Microsoft updates.

Hi,

For MBSA 2.0, Mbsacli.exe /xmlout is what you need to use.

For a couple of MBSACLI 2.0 /xmlout parsing scripts (one by me), take
a look at this thread:
http://groups.google.co.uk/group/mi...c8e8706cadc/5f39f26861db0c03#5f39f26861db0c03

If you want to copy/paste my script, you should do it from this link
to avoid Google encoding issues:
http://groups.google.co.uk/group/mi...lyzer/msg/0136a0ce0a233c61?dmode=source&hl=en


Note that Microsoft Update Agent 2.0 is required for MBSACLI 2.0,
so if your computers haven't got it yet (from the latest Windows
Update version or a WSUS server or a MBSA installation that have
installed it), you can download and install it from here:

For x86-based computers (WindowsUpdateAgent20-x86.exe)
http://go.microsoft.com/fwlink/?LinkId=43264

(will work for Win2k SP3 and SP4, WinXP RTM/SP1/SP2, and
Win2k3 RTM/SP1)

For x64-based computers (WindowsUpdateAgent20-x64.exe):
http://go.microsoft.com/fwlink/?LinkId=43265


Unattended installation command line switches:

WindowsUpdateAgent20-x86.exe /quiet /norestart

 

[Guest]

Thank you for your reply. Your script seemed to work for my Windows 2003 SP1
server but not for my Windows XP SP2 workstation.
Even though my workstation has latest WUA 5.8.0.2469 installed, I got this
error:

MBSA failed, error was:
The computer is assigned to a SUS 1.0 server. Scanning requires the assigned
server to be an Update Services server.

Nonetheless, the report still does not cover updates for SQL Server and show
versions of currently installed components.
I think I will go back to MBSA 1.2.1 which gives me a nice output such as:

----------------------------
SERVERNAME (55.55.1.100)
----------------------------

* WINDOWS SERVER 2003, STANDARD EDITION SP1

Patch NOT Found MS05-036 901214

* INTERNET INFORMATION SERVICES 6.0 SP1

Patch NOT Found MS05-037 903235

* INTERNET EXPLORER 6.0 FOR WINDOWS SERVER 2003 SP1

Information
All necessary hotfixes have been applied.

* MDAC 2.8 SP2

Information
There are no security updates available for this product.

* MICROSOFT VIRTUAL MACHINE (VM) GOLD
Information
All necessary hotfixes have been applied.

* MSXML 2.6 SP3

Information
There are no security updates available for this product.

* MSXML 3.0 SP7

Information
There are no security updates available for this product.

Warning
The latest service pack for this product is not installed.
Currently SP7 is installed. The latest service pack is SP5.

* MSXML 4.0 SP2

Information
There are no security updates available for this product.

* SQL SERVER 2000 SP4

Information
All necessary hotfixes have been applied.

This above format is better because it shows both the needed updates AND the
versions of currently installed components including SQL, JVM, XML, etc.
Also, the execution of the MBSA with /hf and output to a text file is
extremely fast.
I put the following in a batch file which executes quickly:
C:
CD "\Program Files\Microsoft Baseline Security Analyzer"
mbsacli.exe /hf /v /f results.txt
notepad results.txt