Conducting Checks On The Patch Status Of Microsoft Servers

It is a recommended practice to generate a patch status report for the respective servers to ensure that all required security updates/ rollups are applied to the servers.

1. First, download MBSA from http://technet.microsoft.com/en-us/security/cc184923.

2. Install it on the servers to be scanned (the default installation location is C:\Program Files\Microsoft Baseline Security Analyzer 2\).

3. Download the Microsoft latest wsusscn2.cab file from http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab. It contains details on all the latest updates from Microsoft.

4. Copy the wsusscn2.cab file to a directory (i.e. mbsa).

5. Open a command window, cd into the directory C:\Program Files\Microsoft Baseline Security Analyzer 2 and issue the following command:

mbsacli /catalog c:\mbsa\wsusscn2.cab /n os+iis+sql+password > c:\scanresults.txt

/n os+iis+sql+password -- to scan for updates only.
/catalog c:\mbsa\wsusscn2.cab –specifies the location of the CAB file that contains the available security update information.

The resulting scanresults.txt file should contain all Microsoft patches that are targeted towards that particular server, both installed and uninstalled.