Microsoft Baseline Security Analyzer 2.2

Published: October 8, 2007 | Updated: August 20, 2010

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server (SBS).

Used by many leading third-party security vendors and security auditors, MBSA on average scans over 3 million computers each week. Join the thousands of users who depend on MBSA for analyzing their security state.

MBSA 2.2 is now available

In order to provide support for Windows 7, Windows Server 2008 R2, 64-bit scan tool and vulnerability assessment check support, Windows Embedded support, and compatibility with the latest versions of the Windows Update Agent (WUA), Microsoft Baseline Security Analyzer (MBSA) 2.2 is now available.

What is MBSA 2.2?

MBSA 2.2 is an update to MBSA 2.1.1 that builds on the previous MBSA 2.1.1 version that supports Windows 7 and Windows Server 2008 R2 and corrects minor issues reported by customers.

Will I notice a difference when I run MBSA 2.2?

Customers using the offline catalog (WSUSSCN2.CAB file) will no longer need to place the catalog file in a version-specific path since the “2.1” cache directory has been removed. The file should now be placed into C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache.

Also, automatic distribution of the latest Windows Update Agent (WUA) client to client computers scanned by MBSA has been disabled by default in MBSA. This may prevent MBSA from successfully scanning computers that do not have the latest WUA client installed. Administrators and security auditors will want to select the option to "Configure computers for Microsoft Update and scanning prerequisites" in order to improve security scan success which will allow MBSA to automatically distribute an updated Windows Update Agent if needed.

Note: Unless specifically noted, all references to MBSA 2.0 in the MBSA TechNet pages also apply to MBSA 2.2.

New features and improvements in MBSA 2.2

  • Added the option to choose offline mode from graphical and command-line interfaces
  • Added support for additional security catalogs (for future use)
  • Added /cabpath command-line option to obtain catalogs from a user-selected directory or network share
  • Corrected automatic fallback to offline mode if Microsoft Update or WSUS servers are unavailable
  • Removed download link in completed scan reports since it is no longer possible to accurately identify the correct package in a multi-package download
  • Removed product version from cache directory path when using offline catalog (CAB) file
  • Updated and revised help files to describe new and corrected features
  • Support for Windows 7 and Windows Server 2008 R2
  • Updated graphical user interface
  • Full support for 64-bit platforms and vulnerability assessment (VA) checks against 64-bit platforms and components
  • Improved support for Windows XP Embedded platform
  • Improved support for SQL Server 2005 vulnerability assessment (VA) checks
  • Automatic Microsoft Update registration and agent update (if selected) using the graphical interface or from the command-line tool using the /ia feature
  • New feature to output completed scan reports to a user-selected directory path or network share (command-line /rd feature)
  • Windows Server Update Services 2.0 and 3.0 compatibility

Additional Resources

  • TechNet WebCast: Microsoft Baseline Security Analyzer (MBSA) 2.0: Architecture and Scenarios (Level 300)
    MBSA provides many new and powerful features, including integration with the new Windows Server Update Services (WSUS) infrastructure. Learn about these new features and architectural changes to help make your IT infrastructure more organized and unified.
  • Microsoft Office Visio 2007 Connector for MBSA
    This utility allows you to view the results of a Microsoft Baseline Security Analyzer scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram.
  • How to script MBSA
    Features of the rollup sample scripts:
    • Ability to open the main report for a computer from within the rollup view
    • Roll up all security update results without listing each bulletin explicitly on the command line
    • Rollup view includes scanning errors, warnings, and restart required details
    • Summarize results for updates not yet approved on the WSUS server
    • Run up to 64 scans concurrently for increased throughput
    Download the MBSA Scripting Samples from the Microsoft Download Center.
  • For a complete list of products supported by MBSA based on Microsoft Update (MU) and Windows Server Update Services (WSUS) technologies, visit the Products Supported by WSUS page.

Frequently Asked Questions

Please refer to the MBSA Q&A for answers to commonly asked questions about MBSA and other Microsoft security tools.