Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates

The Microsoft Baseline Security Analyzer (MBSA) determines the installation status of a software update by evaluating specific registry keys, file versions, and file checksums that are associated with a specific security update. There are some instances where MBSA cannot determine the installation status of the update because the detailed file and registry key information is not available for the specified security bulletin or for the update. A note message that is similar to the following note message is generated in situations where the Mssecure.xml file does not contain this information: Important The Microsoft Baseline Security Analyzer (MBSA) 1.2.1 tool will reach its end of life six months after the release of a new MBSA 2.0 add-in tool to support gaps in MBSA 2.0, Microsoft Update and WSUS detection. See the MBSA home page for more information. After these six months have elapsed, MBSA 1.2.1 will no longer be supported. Additionally, the Mssecure.xml file that MBSA 1.2 automatically downloads will no longer be updated to include new security bulletins. We encourage you to migrate to MBSA 2.0 as soon as possible, well in advance of the six-month migration time provided after the release of the MBSA 2.0 add-in tool.

Special note to users of the Software Update Services (SUS) Feature Pack for Systems Management Server (SMS) 2.0: Microsoft is committed to providing accurate security update detection and deployment for all Microsoft Security Resource Center (MSRC) security updates. Catalog data for SMS 2.0 with the SUS Feature Pack will continue to be updated to ensure continued security update detection for customers who are using SMS 2.0.

In addition to continued catalog updates for SMS, the Extended Security Update Inventory Tool will also be updated to ensure comprehensive detection and deployment for all Microsoft security issues that are listed on the following Microsoft Web site: Microsoft is committed to providing detection for and enabling deployment of security updates for all SMS clients.

The Microsoft Network Security Hotfix Checker (Hfnetchk) is included as part of the MBSA V1.1 tool. Users can perform scans with the Hfnetchk tool by using the following command in the MBSA command-line interface: Note for Microsoft Systems Management Server (SMS) users: Microsoft Systems Management Server 2003 and Microsoft Systems Management Server 2.0 (with the Software Update Services Feature Pack) use scan results that are obtained from MBSA to inventory and deploy patches. SMS can inventory only those patches that are detected by MBSA. SMS does not detect an update if either of the following conditions is true:

• MBSA does not support the product (so no detection result is returned).
• MBSA supports the product but returns a note message for the update.

Note messages do not indicate that the computer that you are scanning is not secure. Note messages indicate that for technical reasons, MBSA cannot determine whether the appropriate update or workaround was applied. Remediation of these issues typically involves a configuration change or a workaround instead of an update. You can ignore note messages after you apply the update or after you evaluate your computer and make configuration changes.

Programs that are supported in MBSA v1.1.1 and in MBSA v1.2

To determine whether MBSA detects an update, locate the appropriate item in the following table, based on the product that the security bulletin applies to. The table does not contain a complete listing of all Microsoft products.

Note for Microsoft Systems Management Server (SMS) users: SMS does not use MBSA to detect Microsoft Office updates.
Note The detection of Microsoft Office programs is not supported if you use the mbsacli.exe command-line command with the /hf option. The detection of Microsoft Office programs is supported in MBSA v1.2 if you use the Office Update Inventory Tool. For more information about how to obtain and use the Office Update Inventory Tool, visit the following Microsoft Web site: * Items with an asterisk in the MBSA version number column are detected by using a local computer scan only.

MBSA detection exceptions (notes and warnings)

To determine whether MBSA will generate a note message or a warning message when it detects an update, locate the appropriate item in the following table. Only programs that are supported by MBSA v1.1.1 or by MBSA v1.2 are included in this table. A note message is generated in situations where, for technical reasons, MBSA cannot determine whether the appropriate update or workaround was applied. A warning message is generated in situations where the version number of the file that is detected is a version number that is later than the versions of the file that are listed in the Mssecure.xml file.

Note SMS does not detect the security update if MBSA returns a note message for that particular update. In this situation, you can use SMS software inventory to audit the environment for file names and versions, and you can manually build Collections by using the file information from the Microsoft Knowledge Base article that documents the security update. For a comparison of MBSA 1.2.1, EST and MBSA 2.0 support, see the following Microsoft Knowledge Base article:

Suppress note messages

After you review each of the security bulletins that are associated with note messages and after you have tried to resolve the issues, you can suppress note messages in the Hfnetchk output, if you want to. To suppress note messages, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type the following command, and then click OK:
   mbsacli.exe /hf -v -s 1