Friday, May 9, 2014

How to deploy MBSA on offline computers

(1) Follow the instructions on Microsoft website on how to download offline copies of, WUA (see below), and (click to download). You need all 4 to fix the stupid error "cannot load security CAB file".

(2) run the MBSA, then press abort. This will create the offline folder under C:\documents and settings\(local username)\Local settings\application data\microsoft\mbsa [for windows 2003] or %SystemDrive%\Users\UserName\AppData\Local\Microsoft\MBSA\Cache [for windows 2008 and up]. Do not create the folder yourself.

(3) Put in the 4 cab files into the folder.

(4) Make sure that the following options are not selected, and then click Start scan.
  • Check for Windows administrative vulnerabilities
  • Check for weak passwords
  • Check for IIS administrative vulnerabilities
  • Check for SQL administrative vulnerabilities
Error # 1: "Computer has an older version of the client and security database demands a newer version. Current version is and minimum required version is ..."
This was a solution I read: the checkbox in the MBSA interface titled, "Configure computers for Microsoft Update and scanning prerequisites" needs to be checked for MBSA to automatically update the Windows Update Agent on the target machine (even if it's the local machine).
How I resolved? I used wsuoffline and updated everything. Then run the MBSA again. 

Personally I feel that WSUS Offline and MBSA are a solid pairing. WSUS Offline will help to expedite patch deployment on offline machines (as a Germanophile, I am delighted to say that this is a german-made freeware. I think the only German-made software I hate is SAP). MBSA will help to check for missing patches. The WSUS Offline is not fool-proof. You can keep running the software from the DVD after you burn the ISO but it doesn't patch completely sometimes. The best remedy is to copy the entire disc contents to the local drive, and run it for a more complete job.

Note: you only have to download MBSA once (unless there is a new version) but you should download and replace the wsusscn2 every month for the scan.

To download the 4:

No comments:

Post a Comment


Related Posts with Thumbnails