Discussion:
Why is there a discrepancy between Windows Update and MBSA?
(too old to reply)
Mark
2009-04-25 03:24:01 UTC
Permalink
I'm reviewing the patch status of a Windows 2003 R2 server.

Windows Update lists KB967715 as a High Priority update and schedules it for
immediate installation.

MBSA 2.1 does not list KB967715 at all.

Why do these two tools report different results?

Thank you,

Mark
Doug Neal [MSFT]
2009-04-28 08:25:02 UTC
Permalink
Mark - thank you for posting this to the MBSA newsgroup!

MBSA only reports missing Security Updates, Update Rollups (UR) or Service
Packs (SP) - nothing else. There are many high priority updates,
non-security updates, tools, drivers and other updates that are offered by
Windows Update that - because they aren't one of the 3 critical security
classifications reported by MBSA - will not show up an an MBSA scan report.

967715 is a non-security update. And although released as a high priority
update, isn't an SP, UR or security update taht MBSA scans and reports
against. This is covered on the MBSA home page (www.microsoft.com/mbsa) and
the MBSA FAQ.

I hope that helps...
--
--
Doug Neal [MSFT]
***@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by Mark
I'm reviewing the patch status of a Windows 2003 R2 server.
Windows Update lists KB967715 as a High Priority update and schedules it for
immediate installation.
MBSA 2.1 does not list KB967715 at all.
Why do these two tools report different results?
Thank you,
Mark
Mark
2009-04-28 20:40:10 UTC
Permalink
Thank you Doug. I do see that information now in the FAQ, though not on the
MBSA home page.

Does Microsoft offer a product that will let me do a full analysis of _all_
installed and missing updates on a group of computers? I am thinking of the
scenario when I, as an outsourced IT provider, go to a new client and want to
run a comprehensive scan on all of their computers.

If MS does not offer this, are you aware of third-party tools that do?

Thank you,

Mark
Post by Doug Neal [MSFT]
Mark - thank you for posting this to the MBSA newsgroup!
MBSA only reports missing Security Updates, Update Rollups (UR) or Service
Packs (SP) - nothing else. There are many high priority updates,
non-security updates, tools, drivers and other updates that are offered by
Windows Update that - because they aren't one of the 3 critical security
classifications reported by MBSA - will not show up an an MBSA scan report.
967715 is a non-security update. And although released as a high priority
update, isn't an SP, UR or security update taht MBSA scans and reports
against. This is covered on the MBSA home page (www.microsoft.com/mbsa) and
the MBSA FAQ.
I hope that helps...
--
--
Doug Neal [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
http://support.microsoft.com/default.aspx
This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by Mark
I'm reviewing the patch status of a Windows 2003 R2 server.
Windows Update lists KB967715 as a High Priority update and schedules it for
immediate installation.
MBSA 2.1 does not list KB967715 at all.
Why do these two tools report different results?
Thank you,
Mark
Doug Neal [MSFT]
2009-05-15 16:18:55 UTC
Permalink
Mark - sorry for the delayed reply.



Since MBSA filters out updates that aren't of the three classes it supports
(service packs, rollups and security updates), MBSA wouldn't be helpful to
scan for all missing updates. For online scanning, Microsoft Update is the
best offering. WSUS Servers and SMS/SCCM will do the job well - but these
are likely dependencies you can't count on as an IT administrator unless
these are already part of your security and/or patch management strategy.



There are a number of 3rd party tools you could use. The Patch Management
Mailing List would be an excellent forum to get the best recommendations for
your specific needs. Consider subscribing to the mailing list at
http://www.patchmanagement.org/ for recommendations. I hope that helps...
--
Doug Neal [MSFT]
***@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by Mark
Thank you Doug. I do see that information now in the FAQ, though not on the
MBSA home page.
Does Microsoft offer a product that will let me do a full analysis of _all_
installed and missing updates on a group of computers? I am thinking of the
scenario when I, as an outsourced IT provider, go to a new client and want to
run a comprehensive scan on all of their computers.
If MS does not offer this, are you aware of third-party tools that do?
Thank you,
Mark
Post by Doug Neal [MSFT]
Mark - thank you for posting this to the MBSA newsgroup!
MBSA only reports missing Security Updates, Update Rollups (UR) or Service
Packs (SP) - nothing else. There are many high priority updates,
non-security updates, tools, drivers and other updates that are offered by
Windows Update that - because they aren't one of the 3 critical security
classifications reported by MBSA - will not show up an an MBSA scan report.
967715 is a non-security update. And although released as a high priority
update, isn't an SP, UR or security update taht MBSA scans and reports
against. This is covered on the MBSA home page (www.microsoft.com/mbsa) and
the MBSA FAQ.
I hope that helps...
--
--
Doug Neal [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
http://support.microsoft.com/default.aspx
This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by Mark
I'm reviewing the patch status of a Windows 2003 R2 server.
Windows Update lists KB967715 as a High Priority update and schedules
it
for
immediate installation.
MBSA 2.1 does not list KB967715 at all.
Why do these two tools report different results?
Thank you,
Mark
1Rosomak
2010-02-02 13:18:01 UTC
Permalink
Hi Doug,

How can I know what update is:
- security update
- update rollup
- service pack

... if it is not mentioned straight in the headline. I mean the easy way,
not to go to Knowledge base for each update to search for the type.
If I look at the Windows Update result, I simply don't see any determination
what update is for a type?

Thanks
Jan
Post by Doug Neal [MSFT]
Mark - thank you for posting this to the MBSA newsgroup!
MBSA only reports missing Security Updates, Update Rollups (UR) or Service
Packs (SP) - nothing else. There are many high priority updates,
non-security updates, tools, drivers and other updates that are offered by
Windows Update that - because they aren't one of the 3 critical security
classifications reported by MBSA - will not show up an an MBSA scan report.
967715 is a non-security update. And although released as a high priority
update, isn't an SP, UR or security update taht MBSA scans and reports
against. This is covered on the MBSA home page (www.microsoft.com/mbsa) and
the MBSA FAQ.
I hope that helps...
--
--
Doug Neal [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
http://support.microsoft.com/default.aspx
This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by Mark
I'm reviewing the patch status of a Windows 2003 R2 server.
Windows Update lists KB967715 as a High Priority update and schedules it for
immediate installation.
MBSA 2.1 does not list KB967715 at all.
Why do these two tools report different results?
Thank you,
Mark
Doug Neal [MSFT]
2010-02-09 02:01:52 UTC
Permalink
Thank you for your continued inquiries, Jan.

For those three classifications, the title will always tell you which of the
three types of updates they are:

Security Updates will always have 'security update' or the word
'vulnerability/vulnerabilities' in the title and can be found using the MSRC
Security Bulletin Search
(http://www.microsoft.com/technet/security/current.aspx)

Service Packs will always have 'service pack' in the title.

Update Rollups will always have the word 'rollup' in the title.

Anything else is one of the other classificaitions. I hope that helps...
--
--
Doug Neal [MSFT]
***@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by 1Rosomak
Hi Doug,
- security update
- update rollup
- service pack
... if it is not mentioned straight in the headline. I mean the easy way,
not to go to Knowledge base for each update to search for the type.
If I look at the Windows Update result, I simply don't see any
determination
what update is for a type?
Thanks
Jan
Post by Doug Neal [MSFT]
Mark - thank you for posting this to the MBSA newsgroup!
MBSA only reports missing Security Updates, Update Rollups (UR) or Service
Packs (SP) - nothing else. There are many high priority updates,
non-security updates, tools, drivers and other updates that are offered by
Windows Update that - because they aren't one of the 3 critical security
classifications reported by MBSA - will not show up an an MBSA scan report.
967715 is a non-security update. And although released as a high priority
update, isn't an SP, UR or security update taht MBSA scans and reports
against. This is covered on the MBSA home page (www.microsoft.com/mbsa) and
the MBSA FAQ.
I hope that helps...
--
--
Doug Neal [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
http://support.microsoft.com/default.aspx
This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
Post by Mark
I'm reviewing the patch status of a Windows 2003 R2 server.
Windows Update lists KB967715 as a High Priority update and schedules
it
for
immediate installation.
MBSA 2.1 does not list KB967715 at all.
Why do these two tools report different results?
Thank you,
Mark
Loading...