"Andrew Aronoff" <NOSPAM_WRONG.ADDR...@yahoo.com> wrote in message

>I have written a VBS script that runs MBSACLI 2.0 with the /xmlout
> option and parses the XML output file to produce a readable text file.

> The script can be downloaded here:
> http://www.silentrunners.org/MBSACLI%20XML%20Parser.vbs

> The MD5 hash is: E2EE397BC540EC23D901018EC033890E
> This hash applies to the initial release, R00. The release number will
> always be found on line 15 of the script.

> The script is free, but is provided with no warranty, expressed or
> implied. It changes settings in the registry (and is designed to reset
> the registry to the initial settings before it's done) and requires
> Internet connectivity (so that it can retrieve hotfix datafiles from
> Microsoft). You use this script at your own risk!

> Please note:

> 1. The script must be located in the same directory as MBSACLI.EXE and
> WUSSCAN.DLL. (It will display an error message if it isn't.)

> 2. The output text file will be placed in the same directory as the
> script. The title root is "Hotfix Check Results.txt".

> 3. The script can be run with a single command line parameter that
> will be appended to the output file name. If "Workstation 999" is the
> command line parameter, the output text file title would be "Hotfix
> Check Results Workstation 999.txt".

> 4. The script can only be run under Windows 2000 and Windows XP, since
> earlier OS's are incompatible with MBSACLI 2.0. Running under an
> earlier OS will display an error message.

> 5. The script must be run under an Administrator account. Running
> under a non-admin account will display an error message.

> 6. The script will only report uninstalled hotfixes. The report format
> is:

> Sequence number. Hotfix title
> Security bulletin number, Knowledge Base article number, update type,
> update severity.
> (Optional) restart-pending notice.
> Security Bulletin URL
> Download URL

> A typical entry might be:

> #. Some alarmiing hotfix title here
> MS00-000 KB123456, Security Update, Maximum Severity: Critical
> Security Bulletin URL: http://www.microsoft.com/.../MS00-000.mspx
> Download URL: http://ridiculously_long_filename_here.exe

> 7. Microsoft Update Agent 2.0 is required for MBSACLI 2.0. Once it's
> installed, the script does not require the Automatic Updates service
> to be started. The script will enable the service if it's disabled and
> start it up. It will restore the original service status before it
> exits.

> 8. The script is written for use on workgroup PC's. Revisions are
> welcome so that it can be used in a domain.

> 9. The script will hang if MBSACLI.EXE cannot download its .CAB file.
> If someone has a suggestion to avoid this, please let me know.

> 10. If the script throws an error, please let me know and I'll fix the
> bug.

> 11. If you have an XML parsing suggestion, please let me know and I'll
> improve the script.

> 12. If you need customization assistance to get the script to work
> your way in your shop, make me an offer. ;-)

> 13. MS will, of course, provide their own scripts. I have no idea what
> their scripts will do.

> regards, Andy
> --
>                                  **********

>       Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

>         To identify everything that starts up with Windows, download
>                 "Silent Runners.vbs" at www.silentrunners.org

>                                  **********

"Andrew Aronoff" wrote:
> I have written a VBS script that runs MBSACLI 2.0 with the /xmlout
> option and parses the XML output file to produce a readable text file.

> The script can be downloaded here:
> http://www.silentrunners.org/MBSACLI%20XML%20Parser.vbs

> The MD5 hash is: E2EE397BC540EC23D901018EC033890E
> This hash applies to the initial release, R00. The release number will
> always be found on line 15 of the script.

> The script is free, but is provided with no warranty, expressed or
> implied. It changes settings in the registry (and is designed to reset
> the registry to the initial settings before it's done) and requires
> Internet connectivity (so that it can retrieve hotfix datafiles from
> Microsoft). You use this script at your own risk!

> Please note:

> 1. The script must be located in the same directory as MBSACLI.EXE and
> WUSSCAN.DLL. (It will display an error message if it isn't.)

> 2. The output text file will be placed in the same directory as the
> script. The title root is "Hotfix Check Results.txt".

> 3. The script can be run with a single command line parameter that
> will be appended to the output file name. If "Workstation 999" is the
> command line parameter, the output text file title would be "Hotfix
> Check Results Workstation 999.txt".

> 4. The script can only be run under Windows 2000 and Windows XP, since
> earlier OS's are incompatible with MBSACLI 2.0. Running under an
> earlier OS will display an error message.

> 5. The script must be run under an Administrator account. Running
> under a non-admin account will display an error message.

> 6. The script will only report uninstalled hotfixes. The report format
> is:

> Sequence number. Hotfix title
> Security bulletin number, Knowledge Base article number, update type,
> update severity.
> (Optional) restart-pending notice.
> Security Bulletin URL
> Download URL

> A typical entry might be:

> #. Some alarmiing hotfix title here
> MS00-000 KB123456, Security Update, Maximum Severity: Critical
> Security Bulletin URL: http://www.microsoft.com/.../MS00-000.mspx
> Download URL: http://ridiculously_long_filename_here.exe

> 7. Microsoft Update Agent 2.0 is required for MBSACLI 2.0. Once it's
> installed, the script does not require the Automatic Updates service
> to be started. The script will enable the service if it's disabled and
> start it up. It will restore the original service status before it
> exits.

> 8. The script is written for use on workgroup PC's. Revisions are
> welcome so that it can be used in a domain.

> 9. The script will hang if MBSACLI.EXE cannot download its .CAB file.
> If someone has a suggestion to avoid this, please let me know.

> 10. If the script throws an error, please let me know and I'll fix the
> bug.

> 11. If you have an XML parsing suggestion, please let me know and I'll
> improve the script.

> 12. If you need customization assistance to get the script to work
> your way in your shop, make me an offer. ;-)

> 13. MS will, of course, provide their own scripts. I have no idea what
> their scripts will do.

> regards, Andy
> --
>                                   **********

>        Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

>          To identify everything that starts up with Windows, download
>                  "Silent Runners.vbs" at www.silentrunners.org

>                                   **********

"SixDoubleO" <SixDoub...@discussions.microsoft.com> wrote in message

> Andy,

> Thanks for the script.  I am in the middle of writing something similar,
> although I use kix.  But I will take a look at your script.

> One question, though.  How do I deploy Window Update Agent to all my
> workstations?  I'm certain that not all of them have it.

> PS - Is it just me, or is this newest MBSA a complete step in the wrong
> direction?

> "Andrew Aronoff" wrote:

>> I have written a VBS script that runs MBSACLI 2.0 with the /xmlout
>> option and parses the XML output file to produce a readable text file.

>> The script can be downloaded here:
>> http://www.silentrunners.org/MBSACLI%20XML%20Parser.vbs

>> The MD5 hash is: E2EE397BC540EC23D901018EC033890E
>> This hash applies to the initial release, R00. The release number will
>> always be found on line 15 of the script.

>> The script is free, but is provided with no warranty, expressed or
>> implied. It changes settings in the registry (and is designed to reset
>> the registry to the initial settings before it's done) and requires
>> Internet connectivity (so that it can retrieve hotfix datafiles from
>> Microsoft). You use this script at your own risk!

>> Please note:

>> 1. The script must be located in the same directory as MBSACLI.EXE and
>> WUSSCAN.DLL. (It will display an error message if it isn't.)

>> 2. The output text file will be placed in the same directory as the
>> script. The title root is "Hotfix Check Results.txt".

>> 3. The script can be run with a single command line parameter that
>> will be appended to the output file name. If "Workstation 999" is the
>> command line parameter, the output text file title would be "Hotfix
>> Check Results Workstation 999.txt".

>> 4. The script can only be run under Windows 2000 and Windows XP, since
>> earlier OS's are incompatible with MBSACLI 2.0. Running under an
>> earlier OS will display an error message.

>> 5. The script must be run under an Administrator account. Running
>> under a non-admin account will display an error message.

>> 6. The script will only report uninstalled hotfixes. The report format
>> is:

>> Sequence number. Hotfix title
>> Security bulletin number, Knowledge Base article number, update type,
>> update severity.
>> (Optional) restart-pending notice.
>> Security Bulletin URL
>> Download URL

>> A typical entry might be:

>> #. Some alarmiing hotfix title here
>> MS00-000 KB123456, Security Update, Maximum Severity: Critical
>> Security Bulletin URL: http://www.microsoft.com/.../MS00-000.mspx
>> Download URL: http://ridiculously_long_filename_here.exe

>> 7. Microsoft Update Agent 2.0 is required for MBSACLI 2.0. Once it's
>> installed, the script does not require the Automatic Updates service
>> to be started. The script will enable the service if it's disabled and
>> start it up. It will restore the original service status before it
>> exits.

>> 8. The script is written for use on workgroup PC's. Revisions are
>> welcome so that it can be used in a domain.

>> 9. The script will hang if MBSACLI.EXE cannot download its .CAB file.
>> If someone has a suggestion to avoid this, please let me know.

>> 10. If the script throws an error, please let me know and I'll fix the
>> bug.

>> 11. If you have an XML parsing suggestion, please let me know and I'll
>> improve the script.

>> 12. If you need customization assistance to get the script to work
>> your way in your shop, make me an offer. ;-)

>> 13. MS will, of course, provide their own scripts. I have no idea what
>> their scripts will do.

>> regards, Andy
>> --
>>                                   **********

>>        Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

>>          To identify everything that starts up with Windows, download
>>                  "Silent Runners.vbs" at www.silentrunners.org

>>                                   **********

>How do I deploy Window Update Agent to all my workstations?

>Is it just me, or is this newest MBSA a complete step in the wrong
>direction?  

"Andrew Aronoff" <NOSPAM_WRONG.ADDR...@yahoo.com> wrote in message

> >How do I deploy Window Update Agent to all my workstations?

> When you run my script on a workstation that doesn't have Windows
> Update Agent 2.0, MBSACLI.EXE will fail to download the .CAB file, the
> script will detect a tiny .XML file and it will offer to send the
> default browser to the Update Agent 2.0 download location. That's one
> way to get it.

> The other way is to download it here:
> http://go.microsoft.com/fwlink/?LinkId=43264
> and use your preferred method of rolling out a hotfix.

>>Is it just me, or is this newest MBSA a complete step in the wrong
>>direction?

> That makes two of us.

> regards, Andy
> --
>                                  **********

>       Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

>         To identify everything that starts up with Windows, download
>                 "Silent Runners.vbs" at www.silentrunners.org

>                                  **********

"Rob Wickham [msft]" wrote:
> Regarding a "step in the wrong direction", can you be specific about your
> concerns?  Is it the fact that there is now a client-side component required
> for update scanning, or something else?

> --
> Rob Wickham [msft]
> This posting is provided "as is" with no warranties, and confers no rights.
> "Andrew Aronoff" <NOSPAM_WRONG.ADDR...@yahoo.com> wrote in message
> news:85hrc195l2r177uav28mqn95vvucqhnehe@4ax.com...
> > >How do I deploy Window Update Agent to all my workstations?

> > When you run my script on a workstation that doesn't have Windows
> > Update Agent 2.0, MBSACLI.EXE will fail to download the .CAB file, the
> > script will detect a tiny .XML file and it will offer to send the
> > default browser to the Update Agent 2.0 download location. That's one
> > way to get it.

> > The other way is to download it here:
> > http://go.microsoft.com/fwlink/?LinkId=43264
> > and use your preferred method of rolling out a hotfix.

> >>Is it just me, or is this newest MBSA a complete step in the wrong
> >>direction?

> > That makes two of us.

> > regards, Andy
> > --
> >                                  **********

> >       Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

> >         To identify everything that starts up with Windows, download
> >                 "Silent Runners.vbs" at www.silentrunners.org

> >                                  **********

"SixDoubleO" <SixDoub...@discussions.microsoft.com> wrote in message

> Sure!

> To get full functionality from the mbsacli.exe utility, it must be
> physically installed on the workstation.

> The new tool seems to focus around an administrator running it
> manually/interactively, directed at a large number of workstations.  This
> is
> not how I do things.  Everything I do is lights-out and occurs at the
> workstation.  In my particular environment, I have about 1400 workstations
> that I cannot necessarily guarantee will be turned on or even AT the
> office
> at a specified time.  So my strategy is to scan (and update) these
> machines
> right at logon....it's the one time I get a "captive audience" so to
> speak.
> So the Gui/reporting/console type functions are of no use to me.

> The new tools relies on the WUA component and MSI 3.1.  So I have to
> deploy
> these components to the workstation before I can even scan it.  I don't
> like
> this.

> It just seemed that HFNetChk/MBSA 1.2 was better suited to scripted
> environments as it had no dependencies on other components.  All I had to
> do
> was make the hfnetchk.exe and mssecure.xml files available in my netlogon
> share, and away we went.  I could parse the output of hfnetchk and fire
> off
> all needed updates automatically.

> On the bright side, I think the XML output will open up many more
> capabilities for me (although I agree with others that the use of the
> "Update
> Required=true/false" attribute is a very silly implementation).

> Like I said above, the tools seems geared toward interactive/manual
> scanning
> and not scheduled/scripted implementations.  Granted, many of us scripters
> have completely circumvented the need for costly SMS systems, and maybe
> therein lies the problem?

> Nonetheless, those are some of my concerns.  I appreciate you taking the
> time to hear them.

> "Rob Wickham [msft]" wrote:

>> Regarding a "step in the wrong direction", can you be specific about your
>> concerns?  Is it the fact that there is now a client-side component
>> required
>> for update scanning, or something else?

>> --
>> Rob Wickham [msft]
>> This posting is provided "as is" with no warranties, and confers no
>> rights.
>> "Andrew Aronoff" <NOSPAM_WRONG.ADDR...@yahoo.com> wrote in message
>> news:85hrc195l2r177uav28mqn95vvucqhnehe@4ax.com...
>> > >How do I deploy Window Update Agent to all my workstations?

>> > When you run my script on a workstation that doesn't have Windows
>> > Update Agent 2.0, MBSACLI.EXE will fail to download the .CAB file, the
>> > script will detect a tiny .XML file and it will offer to send the
>> > default browser to the Update Agent 2.0 download location. That's one
>> > way to get it.

>> > The other way is to download it here:
>> > http://go.microsoft.com/fwlink/?LinkId=43264
>> > and use your preferred method of rolling out a hotfix.

>> >>Is it just me, or is this newest MBSA a complete step in the wrong
>> >>direction?

>> > That makes two of us.

>> > regards, Andy
>> > --
>> >                                  **********

>> >       Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

>> >         To identify everything that starts up with Windows, download
>> >                 "Silent Runners.vbs" at www.silentrunners.org

>> >                                  **********

> Thanks for expressing these issues.  MBSA 2.0 is a next-generation tool
> using the next-generation scanning of WSUS.  The bonus is that a WSUS
> server or connection to Microsoft Update is not required, and we've kept
> in the /HF scenario of not needing to fully install the MBSA setup package
> just to scan for updates.  The ability to extend detection for new
> products without the need to change the detection engine on the client was
> also a significant point of interest for our users.  Next we needed to
> deliver a new scanning engine that can go all the way back to Windows 2000
> SP3, and still use a common, public client API and backend catalog of
> detection logic was a challenge.

> We think it was the best tradeoff we could make however, and we made MBSA
> 2.0 very flexible about how to deploy key components like WUA.
> Historically, it takes about 8 months to ship new detection engines in
> MBSA and we no longer have to wait that long based on the capabilities of
> WUA.  A newly shipped Microsoft product can have a security update hosted
> by Microsoft Update with no changes to the scanning engine on the client,
> or in MBSA 2.0.  Being able to respond quickly like this is good.

> Finally, even older versions of MBSA required components like remote
> registry and file sharing, so although there are new components of Windows
> required short-term, long term these will simply be a part of the OS
> without the need for out of band deployment and ongoing management.

> The RestartRequired='true' | 'false' attribute is interesting because it
> tells you that the update only needs the computer to be rebooted in order
> to provide the intended security protection.  Without this, the
> installation package would probably be run over and over until the reboot
> happened and you can integrate this added level of detail into your
> scripts and same some cycles on the client computers.

> If you have more questions about the xml attributes, please don't hesitate
> to ask.

> --
> Rob Wickham [msft]
> This posting is provided "as is" with no warranties, and confers no
> rights.
> "SixDoubleO" <SixDoub...@discussions.microsoft.com> wrote in message
> news:7433B208-B821-453E-9D10-A1B8A5647A74@microsoft.com...
>> Sure!

>> To get full functionality from the mbsacli.exe utility, it must be
>> physically installed on the workstation.

>> The new tool seems to focus around an administrator running it
>> manually/interactively, directed at a large number of workstations.  This
>> is
>> not how I do things.  Everything I do is lights-out and occurs at the
>> workstation.  In my particular environment, I have about 1400
>> workstations
>> that I cannot necessarily guarantee will be turned on or even AT the
>> office
>> at a specified time.  So my strategy is to scan (and update) these
>> machines
>> right at logon....it's the one time I get a "captive audience" so to
>> speak.
>> So the Gui/reporting/console type functions are of no use to me.

>> The new tools relies on the WUA component and MSI 3.1.  So I have to
>> deploy
>> these components to the workstation before I can even scan it.  I don't
>> like
>> this.

>> It just seemed that HFNetChk/MBSA 1.2 was better suited to scripted
>> environments as it had no dependencies on other components.  All I had to
>> do
>> was make the hfnetchk.exe and mssecure.xml files available in my netlogon
>> share, and away we went.  I could parse the output of hfnetchk and fire
>> off
>> all needed updates automatically.

>> On the bright side, I think the XML output will open up many more
>> capabilities for me (although I agree with others that the use of the
>> "Update
>> Required=true/false" attribute is a very silly implementation).

>> Like I said above, the tools seems geared toward interactive/manual
>> scanning
>> and not scheduled/scripted implementations.  Granted, many of us
>> scripters
>> have completely circumvented the need for costly SMS systems, and maybe
>> therein lies the problem?

>> Nonetheless, those are some of my concerns.  I appreciate you taking the
>> time to hear them.

>> "Rob Wickham [msft]" wrote:

>>> Regarding a "step in the wrong direction", can you be specific about
>>> your
>>> concerns?  Is it the fact that there is now a client-side component
>>> required
>>> for update scanning, or something else?

>>> --
>>> Rob Wickham [msft]
>>> This posting is provided "as is" with no warranties, and confers no
>>> rights.
>>> "Andrew Aronoff" <NOSPAM_WRONG.ADDR...@yahoo.com> wrote in message
>>> news:85hrc195l2r177uav28mqn95vvucqhnehe@4ax.com...
>>> > >How do I deploy Window Update Agent to all my workstations?

>>> > When you run my script on a workstation that doesn't have Windows
>>> > Update Agent 2.0, MBSACLI.EXE will fail to download the .CAB file, the
>>> > script will detect a tiny .XML file and it will offer to send the
>>> > default browser to the Update Agent 2.0 download location. That's one
>>> > way to get it.

>>> > The other way is to download it here:
>>> > http://go.microsoft.com/fwlink/?LinkId=43264
>>> > and use your preferred method of rolling out a hotfix.

>>> >>Is it just me, or is this newest MBSA a complete step in the wrong
>>> >>direction?

>>> > That makes two of us.

>>> > regards, Andy
>>> > --
>>> >                                  **********

>>> >       Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

>>> >         To identify everything that starts up with Windows, download
>>> >                 "Silent Runners.vbs" at www.silentrunners.org

>>> >                                  **********

Rob Wickham [msft] wrote:
> (snip)
> If you have more questions about the xml attributes, please
> don't hesitate to ask.