The Microsoft Baseline Security Analyzer is a fantastic tool for scanning machines for missing hotfixes, security updates, and security configurations. I have used the MBSA since it’s original release to scan my home LAN that has 7-12 machines at any given time. It is an invaluable tool, especially for smaller networks that reduces the amount of time it takes to figure out what machines need to be updated. When used in conjunction with Windows Server Update Services (WSUS) it is a perfect solution for patch management for smaller networks.
It only recently occurred to me that the 3-4 Vista machines I run at home have never been scanned with MBSA because there hasn’t been a Vista version of the MBSA available. I have also been very pleased with the Automatic Updates on Vista and have not had to perform many manual updates to my machines. Of course there haven’t been a lot of updates released for Vista either to date. The latest beta release of MBSA enables the scanning of Vista machines.
I just installed the new MBSA 2.1 to my corporate laptop. I knew I was missing an update to SQL Express (MBSA 2.1 identified it), and due to the nature of testing I do, I suspected I might have a few other anomalies. Sure enough MBSA identified a weak password for a local account I used for some testing a few weeks ago (account is now gone) and also reminded that I had IIS installed on my Vista machine from back when I was testing Virtual Server (IIS removed now along with the IUSR account).
If you are looking for some extra information and support on MBSA and other patch management technologies, check out the MBSA Newsgroups. Also check out Captain’s Blog from Mark Shavlik. His company originally developed MBSA.