Microsoft has updated the Baseline Security Analyzer (MBSA) to version 2.3, allowing IT administrators to scan networks for missing patches on Windows Server 2012 R2 and Windows 8.1.
While you can check for missing security updates on individual servers and PCs using Windows Update, the Microsoft Baseline Security Analyzer allows IT administrators to scan PCs and servers on a network for missing security updates, and vulnerabilities that might leave Windows exposed.
You can download Microsoft Baseline Security Analyzer 2.3 for free. The latest version adds support for Windows Server 2012 R2 and Windows 8.1, but drops support for Windows 2000. I recommend installing MBSA on a Windows 8 management PC, not on a server. Follow through the simple install procedure and then double-click the Microsoft Baseline Security Analyzer shortcut on the desktop.
Let’s start by scanning the computer on which MBSA is installed.
You may have noticed two options that are deselected. The Configure computers for Microsoft Update and scanning prerequisites option will update target devices with the latest Windows Update Agent (WUA) components to ensure scans are successful if required.
The Advanced Update Services options allow administrators to ensure that checks performed against computers managed by Windows Server Update Services (WSUS) return the correct results. If Scan using assigned Windows Update Services servers only is selected, devices not managed by WSUS are shown with an error message, so that unapproved security updates are not included in MBSA reports.
Once the scan has completed, you will be shown a summary of the collected information, with the option to review more details as required.
To view existing reports from previous scans, you need to go back to the MBSA start page and click View security reports under Tasks in the left pane.
Before you can scan a remote computer, you must have access to the following services on the remote device:
You must also run MBSA with an account that has local administrator permission on any remote devices being scanned.
All other scanning options are the same as for scanning a single device.