Microsoft Baseline Security Analyzer.

While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.

      MBSAcli [/c|/i|/r|/d domainname|ipaddress|ipaddressrange]
                 [/n option] [/sus SUS server|SUS filename]
                    [/s level] [/nosum] [/nvc] [/o filename] [/e] [/l] [/ls]
                       [/lr report name] [/ld report name] [/v] [/?]
                          [/qp] [/qe] [/qr] [/q] [/f] [/unicode]

The Computer to Scan:
  no option           - Scan the local computer.
  /c domainname\computername - Scan the named computer.
  /i xxx.xxx.xxx.xxx         - Scan the specified IP address.
  /r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scan the specified range of IP addresses.
  /d domainname              - Scan the named domain.

Items NOT to update

  /n IIS       - Skip IIS checks.
  /n OS        - Skip Windows operating system, IE, Office and Outlook checks.
  /n Password  - Skip password checks.
  /n SQL       - Skip SQL checks.
  /n Updates   - Skip security update checks.
   The above can be combined, for example:
   /n OS + IIS + Updates   -  skip IIS, Windows, and security update checks.

Security Update Scan Options
  /sus SUS server | SUS filename - Check only for security updates that are approved
          at the specified SUS server, or at the file path of the Approveditems.txt file.
          e.g. https://server or https://server/Approveditems.txt.
          If neither is specified, the value will default from the registry (set via Group Policy)
  /s 1    - Suppress security update check note messages.
  /s 2    - Suppress security update check note and warning messages.
  /s 3    - Suppress warnings except for service packs.
  /nosum  - Security update checks will not test file checksums.

Output File Name 
  /o filename    By default, the output filename uses the format "domain - computername (date)"

Display the Results
  /e              - List the errors from the latest scan.
  /l              - List all the reports that are available.
  /ls             - List the reports from the latest scan.
  /lr report name - Display an overview report.
  /ld report name - Display a detailed report.
  /v              - Display security update reason codes.

Miscellaneous Options
  /?       - Usage help.
  /qp      - Do not display progress.
  /qe      - Do not display error list.
  /qr      - Do not display report list.
  /q       - Do not display progress, error list, or report list.
  /f       - Redirect the output to a file.
  /unicode - Generate unicode output, useful for Japanese versions of Windows.

Early versions of this command were known as HFNETCHK.

“It's completely intuitive; it just takes a few days to learn, but then it's completely intuitive” ~ Terry Pratchett.

Related commands

Q296861 - Use QCHAIN to install multiple hotfixes with only one reboot.
Q310747 - System File Checker (Sfc.exe).
Equivalent bash command (Linux): rpm - Remote Package Manager.

Copyright © 1999-2024 SS64.com
Some rights reserved