DokuWiki

Site Tools

Trace: mbsa_troubleshooting
guides:mbsa_troubleshooting

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
guides:mbsa_troubleshooting [2020/05/13 21:32] brett.zamoraguides:mbsa_troubleshooting [2020/05/13 22:42] (current) brett.zamora
Line 6: Line 6:
 Although the MBSA tool is not fundamentally supported under Windows 10, it does work, however, some tweaks may be required in order to obtain a clean (Strong Security) MBSA report. These tweaks are outlined below. Although the MBSA tool is not fundamentally supported under Windows 10, it does work, however, some tweaks may be required in order to obtain a clean (Strong Security) MBSA report. These tweaks are outlined below.
  
-Tip 1:+=== MBSA Tip 1: ===
  
 The MBSA tools must be able to communicate with a master Windows Update catalog. In some environments this catalog is served up from a Windows Server Update Services (WSUS) server. If the MBSA tools has difficulty communicating with the WSUS server, you will see an indication of this in your report. The MBSA tools must be able to communicate with a master Windows Update catalog. In some environments this catalog is served up from a Windows Server Update Services (WSUS) server. If the MBSA tools has difficulty communicating with the WSUS server, you will see an indication of this in your report.
Line 18: Line 18:
 If your are still not able to communicate with your WSUS server, you can select the option to Scan using 'Microsoft Update only' and this will cause the MBSA to get the update from the [[https://www.catalog.update.microsoft.com/Home.aspx]] website. If your are still not able to communicate with your WSUS server, you can select the option to Scan using 'Microsoft Update only' and this will cause the MBSA to get the update from the [[https://www.catalog.update.microsoft.com/Home.aspx]] website.
  
 +Once you have updated the setting, you will need to re-run the MBSA tool and generate a new report.
  
  
 +=== MBSA Tip 2: ===
  
 +
 +On Windows 10 workstations, you make get flagged that your Windows Updates are not set to automatic. By default Windows Updates in Windows 10 are automatic, so this error flag is a false/positive.
 +
 +If you get a false/positive about the Windows Update not being automatic, you can use Local Group Policy editor (gpedit) to set a registry property of the item that the MBSA tool uses to assess the Automatic Update setting:
 +
 +You must have the proper authority to run/use the Local Group Policy Editor.
 +
 +To start the Local Group Policy Editor, type gpedit and press enter from a Windows command prompt.
 +
 +The setting you want to update is in the following registry path: Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Windows Update
 +
 +The setting is Configure Automatic Updates and it should be set to Enabled as shown below:
 +
 +{{ :guides:images:mbsa_tips002.png |}}
 +
 +Once you have updated the setting, you will need to re-run the MBSA tool and generate a new report.
 +
 +
 +=== MBSA Tip 3: ===
 +
 +
 +The MBSA tool will flag all accounts that are configured with non-expiring passwords. It is not uncommon for IT groups manage the passwords of some user accounts outside of the normal Windows process. If you get flagged for 'Non-Expiring Passwords' there is a file that you can be used to indicate that certain user accounts should not be flagged.
 +
 +You can edit the following file:
 +
 +C:\Program Files\Microsoft Baseline Security Analyzer 2\NoExpireOk.txt
 +
 +Add the user accounts that are approved to have non-expiring passwords to the preceding file and then run the MBSA report again.
  
guides/mbsa_troubleshooting.1589405530.txt.gz · Last modified: by brett.zamora