This is an old revision of the document!
Microsoft Baseline Security Analyzer (MBSA) Troubleshooting Tips
Microsoft no longer supports the Microsoft Baseline Security Analyzer (MBSA) tool, however the tool still serves a meaningful purpose for CeRTNA's fundamental baseline security review.
Although the MBSA tool is not fundamentally supported under Windows 10, it does work, however, some tweaks may be required in order to obtain a clean (Strong Security) MBSA report. These tweaks are outlined below.
MBSA Tip 1:
The MBSA tools must be able to communicate with a master Windows Update catalog. In some environments this catalog is served up from a Windows Server Update Services (WSUS) server. If the MBSA tools has difficulty communicating with the WSUS server, you will see an indication of this in your report.
To overcome this condition you can use the Advanced update Services options checkbox:
If your are still not able to communicate with your WSUS server, you can select the option to Scan using 'Microsoft Update only' and this will cause the MBSA to get the update from the https://www.catalog.update.microsoft.com/Home.aspx website.
Once you have updated the setting, you will need to re-run the MBSA tool and generate a new report.
MBSA Tip 2:
On Windows 10 workstations, you make get flagged that your Windows Updates are not set to automatic. By default Windows Updates in Windows 10 are automatic, so this error flag is a false/positive.
If you get a false/positive about the Windows Update not being automatic, you can use Local Group Policy editor (gpedit) to set a registry property of the item that the MBSA tool uses to assess the Automatic Update setting:
You must have the proper authority to run/use the Local Group Policy Editor.
To start the Local Group Policy Editor, type gpedit and press enter from a Windows command prompt.
The setting you want to update is in the following registry path: Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Windows Update
The setting is Configure Automatic Updates and it should be set to Enabled as shown below:
Once you have updated the setting, you will need to re-run the MBSA tool and generate a new report.