One disadvantage of using MBSA 2.0 with Microsoft Update is that the tool reports the status of scanned systems against the latest WSUSSCAN.CAB catalog file. Large enterprises might have sophisticated update or compliance management processes that permit controls other than software updates to mitigate the risk arising from a vulnerability. When these enterprises use MBSA 2.0 and Microsoft Update to scan for security risks, MBSA might erroneously flag devices that don't comply with Microsoft's security recommendations, even though these devices aren't "at risk" because they comply with the enterprise's secure configuration baselines. In this scenario, you can configure MBSA 2.0 to scan network devices against the updates approved for installation through WSUS instead of against Microsoft Update.

To use WSUS during a scan, in the Baseline Security Analyzer window select Advanced Update Services options, then Scan using assigned Update Services servers only. (If you select Scan using Microsoft Update only, MBSA ignores the updates that have been approved for installation and checks the client for all updates that Microsoft Update deems applicable.) When you use MBSA 2.0 in conjunction with WSUS, MBSA 2.0 doesn't overwrite Update Server settings, even if it installs an up-to-date version of the Automatic Updates agent.
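
The same WSUS-only scan can be run from the command line and checked against the statement that MBSA leaves the Update Server settings alone. The script below is an added example, not part of the original article: it records the client's WSUS policy values, runs a local scan with the mbsacli /wa switch (report only updates approved on the Update Services server), and compares the values afterward. The mbsacli.exe path is an assumed default install location, and the function name is hypothetical.

```powershell
# Added example; not from the original article.
# Assumption: MBSA 2.x is installed at its default location.
$mbsacli = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$names   = 'WUServer', 'WUStatusServer', 'UseWUServer'

function Get-UpdateServerSettings {
    # Policy values that point the Automatic Updates agent at a WSUS server.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

$before = Get-UpdateServerSettings

# A WSUS-only scan needs an assigned Update Services server on the client.
if ($before.UseWUServer -ne 1 -or -not $before.WUServer) {
    throw 'This computer has no assigned Update Services server.'
}

# /wa: show only updates approved on the Update Services server.
# With no /target or /r argument, mbsacli scans the local computer.
& $mbsacli /wa

$after = Get-UpdateServerSettings

# Report any policy value that differs after the scan.
$changed = foreach ($name in $names) {
    if ($before.$name -ne $after.$name) { $name }
}

if ($changed) {
    Write-Warning "Update Server settings changed: $($changed -join ', ')"
} else {
    Write-Output "Update Server settings unchanged (WUServer = $($after.WUServer))"
}
```

Replacing /wa with /wi lists all applicable updates even if they are not approved on the Update Services server, which makes the difference between the two scan modes visible on the same client.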