Unable to fetch mbsa reports of remote servers from the wsus server
Infra Details:- Computer has an older version of the client and security database demands a newer version. The current version is and the minimum required version is 220.127.116.1178.
Mbsa version 2.2.2170.0, wua version :- 7.6.7600.256, 445,135,139 ports opendcom enabled, all necessary service are started
Problem Statement:- I can fetch report from local but unable to fetch from wsus server remotely, below command using for fetch report.
mbsacli /catalog c:\tmp\wsusscn2.cab /listfile C:\servers.txt /nvc /wi /nd /n Password+OS+IIS+SQL /q
There are a number of things we can try to either update the WUA client on the remote machine with the latest WUA client or troubleshoot DCOM settings that will cause MBSA to believe the WUA client is too low of a version.
To update the WUA client on the target machine, you can either let MBSA automatically update the target machine by selecting the option ‘Configure computers for Microsoft Update and scanning prerequisites’ and performing a scan or you can follow the steps below to ensure the client is explicitly updated:
1) Download the latest WUREDIST.CAB file to find the download location of the latest MU client (http://update.microsoft.com/redist/wuredist.cab)
2) Open the CAB (use Notepad or any XML editor) and find the download URL for the latest WUA agent for the correct platform (x86, x64, ia64). For example, the latest WUA agent for x86 is version 7.0.6000.381 downloadable from http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-x86.exe
3) Run this Standalone WUA Installer on the target client and perform a new MBSA scan against the target machine with following switch:
If after this, MBSA still believes the WUA client is too low of a version, this is a DCOM issue that you can resolve with the steps below:
DCOM service not running or DCOM disabled. To resolve this, be sure to confirm that the “DCOM Server Process Launcher” service is running on both the target and scanning machines. If it is, confirm that the DCOM itself is not disabled by going to Component Services (usually under Control Panel | Administrative Tools – or from the MMC snap-in). Once in Component Services, expand the node for Computers, then right-click the My Computer node and select Properties. Then click the “Default Properties” tab and ensure ‘Enable Distributed COM on this computer’ is selected.
DCOM Has Insufficient Access To Perform a Remote MBSA Scan. In this case, it may be necessary to ensure Distributed COM is enabled and that the Windows Update Agent has sufficient remote access rights on the remote (target) machines.
To check and update these settings on the target computer, direct access to the remote computer in necessary. On the remote (target) computer, use the following steps:
- From a command prompt, type DCOMCNFG (or alternatively, open Component Services from an MMC console)
- Expand Component Services | Computers | My Computer
- From the My Computer node, right-click the ‘My Computer’ node and choose Properties
- From the ‘Properties’ dialog, confirm the option to ‘Enable Distributed COM on this computer’ is selected – then click OK
- From the My Computer node, expand the DCOM Config node
- Right-click the ‘Windows Update Agent – Remote Access’ object and select Properties
- From the ‘Windows Update Agent – Remote Access’ Properties dialog, select the ‘Security’ tab
- In the Security tab, choose EDIT to select each node to ensure the appropriate workgroup or domain credentials that will be used by the scanning MBSA 2.x machine are included in each of the 3 sections.