From 379c139679aa277f04dbc9f10a2e78f5d584a3bb Mon Sep 17 00:00:00 2001 From: andreiztm Date: Thu, 4 Oct 2018 16:59:11 +0300 Subject: [PATCH 1/3] Create mbsa-removal-and-guidance.md --- .../mbsa-removal-and-guidance.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 windows/security/threat-protection/mbsa-removal-and-guidance.md diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md new file mode 100644 index 0000000000..2aa57f6ab3 --- /dev/null +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -0,0 +1,38 @@ +--- +title: Microsoft Baseline Security Analyzer (MBSA) removal and guidance on alternative solutions +description: This article documents the removal of MBSA and alternative solutions +keywords: MBSA, security, removal +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: astoica +author: andreiztm +ms.date: 10/04/2018 +--- + +### What is Microsoft Baseline Security Analyzer and its uses? + +Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since the Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. + +MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available or as a compliance tool to ensure that all security updates were deployed to a managed environment. With MBSA version 2.3 support for Windows Server 2012 R2 and Windows 8.1 was added, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +### The Solution +A script can help you with an alternative to MBSA’s patch-compliance checking: + +- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script. +For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be). + +For example: + +[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/aa387290(v=vs.85)) +[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) + +The above scripts leverage the [WSUS offline scan file](https://support.microsoft.com/en-us/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. +The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update, it does not contain any information on non-security updates, tools or drivers. + +### More Information +For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit. +- [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) +- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319) +- [Microsoft Security Guidance blog +](https://blogs.technet.microsoft.com/secguide/) From ec82754d278c49175aa66d048212b480e93aad21 Mon Sep 17 00:00:00 2001 From: Marc Shepard <37675325+marcshep-msft@users.noreply.github.com> Date: Thu, 4 Oct 2018 08:22:58 -0700 Subject: [PATCH 2/3] Update windows-analytics-azure-portal.md Fixed typo: workspaces's => workspace's --- windows/deployment/update/windows-analytics-azure-portal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 0d7862c02a..e06fcfd35f 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -33,7 +33,7 @@ To check the Log Analytics workspaces you can access, select **Log Analytics**. [![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) -If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspaces's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). +If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. From 287f078ee4e5a439598d7e07569880b7d6f17d4b Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 4 Oct 2018 17:43:33 +0000 Subject: [PATCH 3/3] Merged PR 11867: readded update toc section wiped out by merge conflict fix readded update toc section wiped out by merge conflict fix. Several weeks ago I added a new section to the TOC re: Update. A fix for a merge conflict wiped that section out, so I'm restoring it. --- windows/deployment/TOC.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 6577188cbc..c136d082ac 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -218,6 +218,13 @@ ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) +### [Get started with Windows Update](update/windows-update-overview.md) +#### [How Windows Update works](update/how-windows-update-works.md) +#### [Windows Update log files](update/windows-update-logs.md) +#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md) +#### [Common Windows Update errors](update/windows-update-errors.md) +#### [Windows Update error code reference](update/windows-update-error-reference.md) +#### [Other Windows Update resources](update/windows-update-resources.md) ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)