How to scan a server without internet access for missing security updates?
Is there a way to scan a Windows 2003 server that doesn't have internet access for Microsoft Updates? If I could have something generate a list of the updates it needs, I can manually download them all and put them on a flash drive, then install them one by one.
October 21st, 2009 4:36pm

Hi, Alternatively you can check the list of installed updates and then exclude them from the list of available updates. In the Add and Remove Programs snap-in, tick "Show Updates" and you will see all installed updates. If you want to get a list of all installed updates you can use a small app called Belarc; it's free.
October 21st, 2009 4:44pm

Try downloading and running Microsoft Baseline Security Analyzer: http://technet.microsoft.com/en-us/security/cc184924.aspx
http://technetfaqs.wordpress.com
October 21st, 2009 5:03pm

I thought MBSA needs an internet connection to download the latest update catalog? Or does the installer always come with the latest catalog?
October 21st, 2009 5:33pm

Hi there, I think you can install MBSA on one PC (with internet connection), load it, and it will download the catalog. Then you can copy the catalog file to the server that doesn't have an internet connection. I used this "workaround" sometimes a long time ago; I don't know if the new versions 2.x still work this way. Cya
October 21st, 2009 7:54pm

You can either perform the scan using the mbsacli command-line utility with the /nd (do not download) parameter, or you can perform the scan using the GUI. Before scanning you must copy the necessary files to the computer performing the scan. Four types of files are required:

- Security update catalog (wsusscn2.cab), available from the Microsoft Web site
- Windows Update Redistribution Catalog (wuredist.cab), located at http://update.microsoft.com/redist/wuredist.cab
- Authorization catalog (muauth.cab) for Windows Update site access, available from the Microsoft Web site or by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab
- Windows Update Agent standalone installers (if not already installed): for x86-based computers (WindowsUpdateAgent30-x86.exe), for x64-based computers (WindowsUpdateAgent30-x64.exe), or for ia64-based computers (WindowsUpdateAgent30-ia64.exe). The latest versions are available by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab

After downloading the files from the Microsoft Web site, copy all files listed above to the following folder on the computer performing the security update scan:

C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache

Important: To ensure that MBSA has access to the most current versions of these files, you should download them on a weekly basis or after any release of security bulletins from Microsoft. This is especially important in the case of the security update catalog (Wsusscn2.cab) because Microsoft releases an updated version of this file whenever new security bulletins are released or updated.

When you run MBSA to perform security update checks on remote computers, MBSA deploys the Windows Update Agent to the remote computer. Although an ia64 version of the Windows Update Agent (WindowsUpdateAgent30-ia64.exe) is available for Itanium-based computers, MBSA does not automatically deploy this version. It must be installed and configured on Itanium-based computers before performing a security scan on those computers.

I hope this is helpful for you.
Certifications: MCSA 2003 MCSE 2003
October 22nd, 2009 1:55am

Hi, At least, we need one server which has Internet access. As a workaround suggested by others, try to query installed updates on these servers and save the report to a Shared folder. After that, compare the results. You could run the command below to query installed updates and save to a shared folder:

wmic /node:'server-name' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect >>\\server\folder\update.txt

The following contains other methods:
Scripts to query installed Service Packs, Patches/updates and Hotfixes
http://msmvps.com/blogs/athif/archive/2005/11/20/76035.aspx

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
October 22nd, 2009 5:31am
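
The "compare the results" step from the post above, as an added example that is not part of the original thread: it reads the fixed-width text that the wmic qfe command appends to update.txt and reports which required hotfix IDs are absent. The function names, the KB numbers and the sample report are constructed for illustration, and the UTF-16 file encoding is an assumption about how wmic writes redirected output.

```python
import re

def parse_qfe_report(text):
    """Return installed hotfix IDs from fixed-width `wmic qfe GET ...` output."""
    installed, span = set(), None
    for line in text.replace("\ufeff", "").splitlines():
        header = re.search(r"HotFixID\s*", line, re.IGNORECASE)
        if header and line.lower().startswith("description"):
            # Each run appended with >> repeats the header; re-read offsets.
            span = (header.start(), header.end())
            continue
        if span is None or not line.strip():
            continue
        # Slice by column offset: FixComments is often empty, so splitting
        # on whitespace would shift the fields.
        cell = line[span[0]:span[1]].strip()
        kb = re.match(r"(KB|Q)\d+", cell, re.IGNORECASE)
        if kb:
            installed.add(kb.group(0).upper())  # "KB900002-v2" -> "KB900002"
    return installed

def missing_updates(report_text, required):
    """Required IDs (a baseline list you supply) that the report does not list."""
    installed = parse_qfe_report(report_text)
    return sorted({r.upper() for r in required} - installed)

def read_report(path):
    # Assumption: wmic output redirected to a file is UTF-16 with a BOM.
    with open(path, encoding="utf-16") as fh:
        return fh.read()

# --- constructed sample (placeholder KB numbers, not real bulletins) ---
def _row(*cols, widths=(18, 13, 13, 21, 13, 21)):
    return "".join(c.ljust(w) for c, w in zip(cols, widths))

_HEADER = _row("Description", "FixComments", "HotFixID",
               "InstalledBy", "InstalledOn", "ServicePackInEffect")
SAMPLE_REPORT = "\ufeff" + "\r\n".join([
    _HEADER,
    _row("Security Update", "", "KB900001", "CORP\\admin", "10/20/2009", "SP3"),
    _row("Update", "Update", "KB900002-v2", "SYSTEM", "", "SP3"),
    _HEADER,  # second server appended to the same file
    _row("Hotfix", "", "Q900004", "", "", ""),
])

if __name__ == "__main__":
    print(missing_updates(SAMPLE_REPORT, ["KB900001", "kb900002", "KB900003"]))
```

Because the command appends with >>, one update.txt can hold several servers' rows with no server name column; writing one file per server keeps the missing list attributable to a host.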

Hi, I agree with mervyn, we need at least one server for downloading all the updates: server (with internet access and downloaded updates) + clients (without internet access and points to server for updates). The above design holds good for SMS server, or WSUS server as well.
sainath !analyze
October 22nd, 2009 6:33am

Thanks Shadowman, that was exactly how I did it.
October 22nd, 2009 1:25pm

This topic is archived. No further replies will be accepted.
