Microsoft Baseline Security Analyzer (MBSA) Troubleshooting Tips

Microsoft no longer supports the Microsoft Baseline Security Analyzer (MBSA) tool; however, the tool still serves a meaningful purpose for CeRTNA's fundamental baseline security review.

Although the MBSA tool is not fundamentally supported under Windows 10, it does work. However, some tweaks may be required in order to obtain a clean (Strong Security) MBSA report. These tweaks are outlined below.

MBSA Tip 1:

The MBSA tool must be able to communicate with a master Windows Update catalog. In some environments this catalog is served up from a Windows Server Update Services (WSUS) server. If the MBSA tool has difficulty communicating with the WSUS server, you will see an indication of this in your report.

To overcome this condition, you can use the Advanced Update Services options checkbox:

If you are still not able to communicate with your WSUS server, you can select the option to Scan using 'Microsoft Update only', and this will cause the MBSA to get the update from the https://www.catalog.update.microsoft.com/Home.aspx website.

Once you have updated the setting, you will need to re-run the MBSA tool and generate a new report.

MBSA Tip 2:

On Windows 10 workstations, you may get flagged that your Windows Updates are not set to automatic. By default, Windows Updates in Windows 10 are automatic, so this error flag is a false positive.

If you get a false positive about Windows Update not being automatic, you can use the Local Group Policy Editor (gpedit) to set the registry property that the MBSA tool uses to assess the Automatic Update setting:

You must have the proper authority to run/use the Local Group Policy Editor.

To start the Local Group Policy Editor, type gpedit and press Enter from a Windows command prompt.

The setting you want to update is in the following registry path: Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Windows Update

The setting is Configure Automatic Updates and it should be set to Enabled as shown below:

Once you have updated the setting, you will need to re-run the MBSA tool and generate a new report.

MBSA Tip 3:

The MBSA tool will flag all accounts that are configured with non-expiring passwords. It is not uncommon for IT groups to manage the passwords of some user accounts outside of the normal Windows process. If you get flagged for 'Non-Expiring Passwords', there is a file that can be used to indicate that certain user accounts should not be flagged.

You can edit the following file:

C:\Program Files\Microsoft Baseline Security Analyzer 2\NoExpireOk.txt

Add the user accounts that are approved to have non-expiring passwords to the preceding file and then run the MBSA report again.
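Before editing the exemption file, it helps to see which local accounts actually have non-expiring passwords and whether the file already lists accounts that no longer need an exemption. The following read-only PowerShell check is an added example, not part of the original guide; it assumes NoExpireOk.txt holds one account name per line, and the function names are hypothetical.

```powershell
# Added example (not from the original guide). Read-only: it changes nothing.
# Assumption: NoExpireOk.txt lists one account name per line.
$ExemptFile = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\NoExpireOk.txt'

function ConvertTo-BareName {
    # Trim, drop blank lines, strip an optional COMPUTER\ prefix (assumed), lower-case.
    param([string[]]$Names)
    $Names | Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { ($_.Trim() -replace '^.*\\', '').ToLowerInvariant() } |
        Sort-Object -Unique
}

function Compare-NoExpireList {
    param([string[]]$NonExpiring, [string[]]$Exempt)
    # @() keeps empty and single-item results as arrays so the filters below behave.
    $have = @(ConvertTo-BareName $NonExpiring)
    $ok   = @(ConvertTo-BareName $Exempt)
    [pscustomobject]@{
        NotExempted  = @($have | Where-Object { $_ -notin $ok })    # non-expiring, not in the file
        Exempted     = @($have | Where-Object { $_ -in $ok })       # non-expiring and listed
        StaleEntries = @($ok   | Where-Object { $_ -notin $have })  # listed, but no longer non-expiring
    }
}

# Local accounts whose password is set to never expire.
$nonExpiring = Get-CimInstance -ClassName Win32_UserAccount `
        -Filter "LocalAccount=True AND PasswordExpires=False" |
    Select-Object -ExpandProperty Name

# Current contents of the exemption file (empty list if the file is missing).
$exempt = @()
if (Test-Path -LiteralPath $ExemptFile) {
    $exempt = @(Get-Content -LiteralPath $ExemptFile)
}

Compare-NoExpireList -NonExpiring $nonExpiring -Exempt $exempt | Format-List
```

Review the NotExempted list against your approved accounts before adding anything to the file, and remove StaleEntries so the exemption list does not outlive its approvals.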

guides/mbsa_troubleshooting.txt · Last modified: by brett.zamora