Microsoft Baseline Security Analyzer (MBSA) 2.1 is used to scan for and detect security vulnerabilities in Microsoft software installed on Windows computers. This article describes how to obtain and deploy the most recent Microsoft Baseline Security Analyzer 2.1 package for use with ManageSoft Security Manager 7.7 and later releases.
Please note that MBSA release 2.1 supersedes MBSA release 2.0.1. Therefore this KB article supersedes articles 100788 and 100819.
These instructions will help you download and deploy the packages needed to successfully run MBSA 2.1. You only need to perform these steps if the MBSA package you currently have saved in your software library is earlier than release 2.1.0000.2. The process outlined here updates your library to this release of the package.
The prerequisites for using MBSA 2.1 with ManageSoft Security Manager are as follows:
- ManageSoft Security Manager 7.7 or later must be installed on your administration server
- ManageSoft for managed devices 7.2 or later must be installed on all managed devices
- Windows Update Agent (WUA) 3.0 must be installed on managed devices for current Microsoft security bulletins to operate successfully (please see the Related articles section below for a link to an article about obtaining and deploying a package for WUA 3.0).
Downloading the MBSA
The MBSA download instructions depend upon which version of ManageSoft Security Manager you are using. For full details, please see the Related articles section for article 100900: "How to get the latest prerequisite packages for Security Manager".
Deploying the MBSA
- Ensure that the following packages are now available in the software library in the paths shown:
- Microsoft Baseline Security Analyzer #:
Microsoft\Baseline Security Analyzer\<Language>\2.1.0000.7\Rev1.0\Baseline Security Analyzer
- Microsoft KB835732:
- Microsoft Windows Installer:
Microsoft\Windows Installer\220.127.116.11\Rev1.0\Windows Installer
- Microsoft Windows Update Agent:
Microsoft\Windows Update Agent\7.2.6001.784\Rev1.0\Windows Update Agent
- Microsoft XML Parser #:
Microsoft\XML Parser\<Language>\8.50.2162.7\Rev1.0\XML Parser
- Microsoft Baseline Security Analyzer #:
- Distribute the above packages to all appropriate distribution locations.
- Remove any previous MBSA 2.x package releases from existing policies, and add the newly received MBSA package to relevant policies.
- Using the ManageSoft Configuration Tool, check (and change if necessary) that the Security Management > URL to Windows Update Agent setting is configured to be "http://go.microsoft.com/fwlink/?LinkId=74689" (without the quotes). Alternatively, this setting may be checked and configured in the registry entry HKLM\SOFTWARE\ManageSoft Corp\ManageSoft\SecurityPatch\CurrentVersion\WsusscanUpdateURL.
- Refresh bulletins in the Security Manager node of the ManageSoft administration console to ensure the latestwsusscan.cab file from Microsoft has been downloaded and deployed.
Frequently asked questions
I have Microsoft Baseline Security Analyzer 2.0 deployed. Do I need to deploy release 2.1?
It is strongly recommended that MBSA 2.1 now be deployed. Microsoft has ceased to support earlier releases of MBSA, and only the 2.1 release supports environments such as Vista and 64-bit platforms.
The wsusscan.cab file that is used by MBSA 2.0 to scan for compliance with security bulletins has not been updated by Microsoft since March 2007. In order to continue to use MBSA 2.x technology with ManageSoft Security Manager for scanning newly released and updated bulletins, you must deploy at least MBSA 2.0.1. See the Microsoft Baseline Security Analyzer 2.0 homepage for more details.
Do I need to use MBSA 1.2.1 for scanning after deploying release 2.1?
See ManageSoft Knowledge Base Article 100733 in the Related articles section.
Is the Windows Installer hotfix that is available from Microsoft to address high CPU usage during scanning by Windows Update still relevant if the latest MBSA and Windows Update packages are deployed?
The Microsoft hotfix discussed at http://support.microsoft.com/default.aspx/kb/927891 is still relevant, even if the latest packages available from this article are deployed. This is because the hotfix is for a Windows Installer component that is used by Windows Update, but Windows Update itself does not contain the hotfix. See ManageSoft Knowledge Base article 100798 in the Related articles section below for some additional information about this hotfix.