Using the Microsoft Baseline Security Analyzer

Using the Microsoft Baseline Security Analyzer (MBSA) to search for missing updates

WSUS Offline Update is meant to download and install security updates. It uses two different sources:

  1. Some updates are defined with their complete URLs in the static download files in the wsusoffline/static directory. These are called statically defined updates.
  2. Most updates are extracted from the Microsoft update catalog file. These updates are called dynamic updates.

The file contains security updates only. It does not include any optional updates, except maybe as part of full quality update rollups. But these update rollups also count as security updates. So WSUS Offline Update is expected to download and install security updates only: viewtopic.php?f=7&t=172

After using WSUS Offline Update to install security updates, many users head directly to the Microsoft Update web site to search for more updates, and they are sure to find some. But these are all optional updates.

So searching the Microsoft Update web site is not the best way to check the results of WSUS Offline Update. It may list some more optional updates, but this is expected.

A better comparison for WSUS Offline Update is the Microsoft Baseline Security Analyzer (MBSA): It can work completely offline, and it uses the same update catalog file as WSUS Offline Update.


The Microsoft Baseline Security Analyzer 2.3 can be found at: ... 84924.aspx


After installing the MBSA, you can find a help file in the application directory:

C:\Program Files\Microsoft Baseline Security Analyzer 2\Help\mbsahelp.html

Note the description of the offline mode:

Do not download any files from the Microsoft Web site when scanning. Use this parameter to prevent the download of,, WindowsUpdateAgent30-x86.exe and WindowsUpdateAgent30-x64.exe during the scanning process. When this parameter is selected, MBSA will use any previously downloaded copies of the files. If you want, you can download the files yourself and place them in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\Cache. This parameter applies only to downloads from the Microsoft Web site to the scanning computer. Downloads from the scanning computer to the target computer are automatic and cannot be disabled if the corresponding features are used.

The option /nd is for the command-line tool, but the cache directory is used by the MBSA graphical user interface tool as well.

You should create the cache directory first:

C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\Cache

or, on a German Windows XP:

C:\Dokumente und Einstellungen\username\Lokale Einstellungen\Anwendungsdaten\Microsoft\MBSA\Cache

and copy the file from your wsusoffline installation to this directory.
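
A scripted version of the cache preparation above, added here as an example and not part of the original post: it checks the catalog file's Authenticode signature before copying it into the MBSA cache, then runs the command-line scanner with /nd. The parameter names, the default install directory and the mbsacli.exe location are assumptions; pass the path of the catalog file from your own wsusoffline installation.

```powershell
# Added example (not from the original post): prepare the MBSA cache
# from a wsusoffline installation and run an offline scan.
param(
    # Full path to the update catalog file inside your wsusoffline installation.
    # Assumption: supplied by the caller; no file name or location is hard-coded here.
    [Parameter(Mandatory = $true)]
    [string]$CatalogPath,

    # Assumption: default MBSA 2.x install directory (the one that holds the help file).
    [string]$MbsaDir = 'C:\Program Files\Microsoft Baseline Security Analyzer 2'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $CatalogPath -PathType Leaf)) {
    throw "Catalog file not found: $CatalogPath"
}

# An offline scan is only as trustworthy as the catalog it compares against,
# so refuse a catalog that is not validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Catalog signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# Resolves to ...\Local Settings\Application Data on Windows XP (in any UI
# language, so the localized directory names need not be typed by hand)
# and to ...\AppData\Local on later Windows versions.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$cacheDir = Join-Path $localAppData 'Microsoft\MBSA\Cache'
if (-not (Test-Path -LiteralPath $cacheDir)) {
    New-Item -ItemType Directory -Path $cacheDir -Force | Out-Null
}

Copy-Item -LiteralPath $CatalogPath -Destination $cacheDir -Force

# /nd: do not download any files from the Microsoft Web site when scanning;
# MBSA then uses the copies already present in the cache directory.
$mbsacli = Join-Path $MbsaDir 'mbsacli.exe'
if (-not (Test-Path -LiteralPath $mbsacli -PathType Leaf)) {
    throw "mbsacli.exe not found in $MbsaDir"
}
& $mbsacli /nd
exit $LASTEXITCODE
```

On a machine that has been offline for a long time, the signature check can fail because the local root certificates are outdated; in that case verify the catalog on an up-to-date machine before transferring it.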


Start the MBSA and select "Scan a computer".


On the next screen, check the option "Advanced Update Services options - Scan using offline catalog only".


The MBSA still tries to download some files, but this fails if the computer is offline. It just goes on scanning the computer:


After some time, it presents the results. Here, one update for Silverlight on Windows XP is missing, and it also flags that Automatic Updates are disabled.


It also provides some details about the missing updates:


Once the last missing update is installed, and Automatic Updates are enabled, everything is "green":

