Access Denied: Making MBSA Ignore Patches to Disabled Services

Because we disable unneeded services and features, we don't install patches that address vulnerabilities in those features and services. We run Microsoft Baseline Security Analyzer (MBSA) against our network to identify systems that fall through the cracks and are missing updates. However, on the vulnerability report for each computer, MBSA reports as false positives all the patches that we've determined are unnecessary. How can we configure MBSA to ignore patches we choose not to install?

If you deploy your patches through Microsoft Software Update Services (SUS), you can configure MBSA 1.1 and later to prevent those false positives. On the MBSA Pick multiple computers to scan page, select the Use SUS Server check box and specify the address of your SUS server, as Figure 1 shows. When MBSA scans for missing updates, it will look only for updates that are approved on your SUS server and will report only the missing patches that you need.