Mbsacli remote issues

UncleCidUncleCid Member Posts: 66 ■■□□□□□□□□
I will try to give a decent amount of info in the first post, so that we can cut out some of the 'poke and jab' technique to try and resolve this issue. (as i call it)

What I am attempting to do is remotely scan a Vista machine.(ultimate) I have a windows 2003 server machine with up-to-date patchs and everything. I have installed MBSA version 2.1 on this machine for the remote scan. The machine that is that is being scanned is on the same network and subnet. I added a registry key to the vista machine (machine that is being scanned) so to allow remote administration to that machine from a workgroup and a password to the administrator account for the logon.

I seem to running into an issue that mbsacli.exe supposedly tries to scan for a time and returns this. I removed the IP address from the output.
"Security assessment: Incomplete Scan
Computer name: WORKGROUP\HOME
IP address: ***.***.*.***
Security report name: WORKGROUP - HOME (5-9-2009 8-39 PM) (1)
Scan date: 5/9/2009 8:39 PM
Scanned with MBSA version: 2.1.2104.0
Catalog synchronization date:

Security Updates Scan Results

Issue: Security Updates
Score: Unable to scan
Result: Windows Update Agent is not supported on this operating system."

Any help with this issue would be helpful. thank you.

This site below is the site referenced for the registry add.
Error message when you try to access an administrative share on a Windows Vista-based computer from another Windows Vista-based computer that is a member of a workgroup: "Logon unsuccessful: Windows is unable to log you on"


  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Q: How can I scan a computer that is protected by a firewall? Step 1: Review system requirements
    MBSA cannot scan a remote computer protected by a firewall unless the firewall is configured to open the ports that MBSA uses to communicate with the computer. The Windows Update Agent implements a remote scanning interface based on DCOM. The account being used to scan must possess local administrator rights. The computer must also be configured to meet the following conditions:
    • The Server service, Remote Registry service, and File and Print Sharing service must be running on the remote computer.
    • The required ports must be open on the firewall.
    • The Windows Update Agent must be installed and the Automatic Updates service must not be disabled.
    Remote computer scans are performed using TCP port 135, a dynamic or static DCOM port, and ports 139 and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. You must allow these ports to be open on the remote firewall if a personal firewall is being used.
    Note: The use of DCOM for remote scanning through Windows Firewall on all versions of Windows XP may require a post-SP2 hotfix as described in Microsoft Knowledge Base article 895200. Customers may now obtain this fix by installing the COM+ update (Microsoft Knowledge Base article 902400) using these procedures:
    1. Download the update from http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-42D7-8E57-58656A3FB2F7 on the Microsoft Download Center.
    2. Copy the update to the computer you are updating and open a command prompt on that computer.
    3. Run the update using the command-line options described in Microsoft Knowledge Base article 824994 (specifically, the /B:SP2QFE command-line option). Doing this will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes, in addition to the fixes released in the security bulletin MS05-051.
    Step 2: Configure Unmanaged Computers
    DCOM allocates a dynamic port by default, but a firewall blocks access to these ports unless explicitly opened by using the following procedure:
    1. Open port 135 and a custom port in your firewall (some firewalls may allow port 135 by default). The port you select should be checked to ensure it is appropriate, or not associated with other applications.
    2. Configure Windows Update Agent to use this static custom port by setting a registry key as follows: HKEY_LOCAL_MACHINE\Software\Classes \AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ “ncacn_ip_tcp,0,n” (where n is the port number you have decided to use.) You may also configure the endpoint using the Component Services application in Control Panel. The Windows Update Agent - Remote Access endpoint is located under the path Component Services\Computers\My Computer\DCOM Config. Right-click and select Properties, then use the Endpoints tab on the Properties page to configure the static port.
    Step 3: Configure Managed Computers
    Use Group Policy to deploy specific administrative firewall and COM+ settings to target computers. You may use the Group Policy editor to create the needed configuration settings as documented in “Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2”, in the section entitled “Deploying Windows Firewall Settings With Group Policy”.
    Windows Firewall Settings: The following Windows Firewall settings should be used:
    • Windows Firewall: Allow remote administration exception. Used to enable remote configuration using tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).
    • Windows Firewall: Allow file and print sharing exception. Used to specify whether file and printer sharing traffic is allowed.
    • Windows Firewall: Define port exceptions. Used to specify excepted traffic in terms of TCP and UDP ports. In this step, define the same ports as you selected for unmanaged computers and from the system requirements step.
    Additional details on the settings available within the administrative template for Windows Firewall have been documented in “Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2” the sections labeled "Enabling Remote Administration" and “Adding Static Ports to Windows Firewall’s Default Exceptions List.”
    COM+ Settings: The COM+ endpoint registry settings for the Windows Update Agent can be configured through Group Policy as part of a startup script. Guidance on how to assign startup scripts can be found on the Microsoft Web site: http://technet2.microsoft.com/WindowsServer/en/library/65aa4e48-8b1f-42bc-b20f-64f67367dadc1033.mspx?mfr=true. The script must include the following command: reg add HKLM\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492} /v Endpoints /t REG_MULTI_SZ /d ncacn_ip_tcp,0,n /f (where n is the port number you have decided to use).
    Note: When using this method, be aware that additional administrative template settings may be needed in order to remove this registry setting when the functionality is no longer desired.

  • UncleCidUncleCid Member Posts: 66 ■■□□□□□□□□
    I am going to install Windows Update Agent on the Vista client. I guess I messed that up. I'm still learning the ropes on WSUS. I'll report back to see if it resovles the issue.
Sign In or Register to comment.