deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into UCazure

Browse Source
This commit is contained in:
jaimeo
2018-10-04 11:46:43 -07:00
parent 09636f70c8 a7df98f041
commit 17f85a07f4
2 changed files with 11 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/TOC.md
View File

@ -967,7 +967,7 @@
#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
#### [Get support](get-support-for-security-baselines.md)
### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

19
windows/security/threat-protection/mbsa-removal-and-guidance.md
View File

@ -12,27 +12,28 @@ ms.date: 10/04/2018
### What is Microsoft Baseline Security Analyzer and its uses?
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since the Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available or as a compliance tool to ensure that all security updates were deployed to a managed environment. With MBSA version 2.3 support for Windows Server 2012 R2 and Windows 8.1 was added, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 support for Windows Server 2012 R2 and Windows 8.1 was added, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
### The Solution
A script can help you with an alternative to MBSAs patch-compliance checking:
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script.
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script.
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
For example:
[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/aa387290(v=vs.85))
[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85))
[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
The above scripts leverage the [WSUS offline scan file](https://support.microsoft.com/en-us/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update, it does not contain any information on non-security updates, tools or drivers.
The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
### More Information
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
- [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines)
- [Windows security baselines](windows-security-baselines.md)
- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance blog
](https://blogs.technet.microsoft.com/secguide/)
- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/)