Chapter Summary

The graphical MBSA console is the most efficient way to scan a single computer or multiple computers for the presence of updates. It can be configured to scan a single computer, a range of IP addresses, or all computers contained within a domain.

MBSA stores reports in XML format in the C:\Documents and Settings\username\SecurityScans folder by default. At any time, you can view these reports by using MBSA.

MBSACLI provides a scriptable, schedulable, command-line interface to MBSA’s scanning functionality. MBSACLI functions in two modes: standard MBSA mode and the backward compatible HFNetChk mode.

Computers should not be connected to the Internet or even to a private network with other hosts, until after the operating system and all updates have been installed. Computers can be built while connected to the network if you create an isolated network segment with a minimal number of trusted computers that have been scanned for worms, viruses, and other malicious software.

You can reduce the time required to install new updates by slipstreaming a service pack into operating system installation files and configuring other updates to be automatically applied.

Microsoft updates support a standard set of command-line parameters to simplify the deployment of updates by using scripts. Use the /quiet (formerly /q) parameter to install an update silently. When chaining updates, use the /norestart (formerly /z) parameter to prevent the computer from automatically restarting.

The Automatic Updates client can be configured by using GPOs linked to Active Directory, to the local GPO, or to the registry.

SUS requires that IIS be installed on the local computer, and that the Web site be configured to use the default port 80.

Service packs include a Windows Installer package that can be used to deploy the service pack by using a GPO. This provides a simple way to install the service pack on a limited number of computers during a pilot deployment.