How to Check for Missing Updates in Windows Server 2012 R2 and Windows 8.1

How can I find missing updates in Windows Server 2012 R2 and Windows 8.1?

Microsoft has updated the Baseline Security Analyzer (MBSA) to version 2.3, allowing IT administrators to scan networks for missing patches on Windows Server 2012 R2 and Windows 8.1.

While you can check for missing security updates on individual servers and PCs using Windows Update, the Microsoft Baseline Security Analyzer allows IT administrators to scan PCs and servers on a network for missing security updates, and vulnerabilities that might leave Windows exposed.

Downloading and Installing Microsoft Baseline Security Analyzer 2.3 (MBSA 2.3)

You can download Microsoft Baseline Security Analyzer 2.3 for free. The latest version adds support for Windows Server 2012 R2 and Windows 8.1, but drops support for Windows 2000. I recommend installing MBSA on a Windows 8 management PC, not on a server. Follow through the simple install procedure and then double-click the Microsoft Baseline Security Analyzer shortcut on the desktop.

Scanning Single Devices

Let’s start by scanning the computer on which MBSA is installed.

  • Under Tasks on the left of the main MBSA window, click Scan a computer.
  • On the Which computer do you want to scan? screen, the Computer name field should show the name of the current computer. Alternatively, you can chose another device or enter an IP address. In this example, I’m going to leave the current computer selected.
  • Leave all the default checks selected, and click Start Scan in the bottom right corner.

You may have noticed two options that are deselected. The Configure computers for Microsoft Update and scanning prerequisites option will update target devices with the latest Windows Update Agent (WUA) components to ensure scans are successful if required.

The Advanced Update Services options allow administrators to ensure that checks performed against computers managed by Windows Server Update Services (WSUS) return the correct results. If Scan using assigned Windows Update Services servers only is selected, devices not managed by WSUS are shown with an error message, so that unapproved security updates are not included in MBSA reports.

Viewing Reports

Once the scan has completed, you will be shown a summary of the collected information, with the option to review more details as required.

Microsoft Baseline Security Analyzer 2.3 (MBSA) report

To view existing reports from previous scans, you need to go back to the MBSA start page and click View security reports under Tasks in the left pane.

Scanning Multiple Computers

Before you can scan a remote computer, you must have access to the following services on the remote device:

  • Server service
  • Remote registry service
  • File and print sharing
  • Distributed COM (DCOM)

You must also run MBSA with an account that has local administrator permission on any remote devices being scanned.

  • Click Scan multiple computers under Tasks in the left pane of MBSA.
  • On the Which computers do you want to scan? screen, you can choose to scan all computers in a chosen domain or a defined IP address range.
  • When you have chosen the desired range, click Start Scan in the bottom right corner of MBSA.

All other scanning options are the same as for scanning a single device.