This issue is covered in the MBSA 2.1 FAQ located at
Q: Why doesn't MBSA provide reboot pending status for the latest updates?
MBSA can only provide reboot pending status when the option to Check for
Windows administrative vulnerabilities is selected in the GUI or by default
if "/n Updates" is not added to the command-line utility (CLI) to suppress
this feature. Reboot pending status is obtained directly from the Windows
Update Agent (WUA) client on each target machine. As long as the security
update was installed using a WUA-supported process (Windows Update,
Microsoft Update, SMS w/ITMU, or WSUS Server), MBSA can report any required
pending reboot. If an update has been installed manually or through a
third-party installation process, MBSA is unable to report reboot pending
For customers using the /xmlout option from the command-line utility, the
pending reboot status is not available due to the limitation of using the
/xmlout option. Workarounds may include running mbsacli.exe without any
switches. This requires the full installation of MBSA (not the "MBSA Lite"
installation option to simply install a few necessary files for patch
scanning only). This will check the Administrative Vulnerabilities. If there
is a pending reboot, it will be reported as listed below:
Issue: Incomplete Updates
Score: Check failed (non-critical)
Result: A previous software update installation was not completed. You must
restart your computer to finish the installation. If the incomplete
installation was a security update, then the computer may be at risk until
the computer is restarted.
Another workaround is to query the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile. More
details on the use of this registry key and the values that may be
represented can be found at Microsoft Knowledge Base article 832475.
Doug Neal [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
This e-mail address does not receive e-mail, but is used for newsgroup
"MowGreen [MVP]" <firstname.lastname@example.org> wrote in message
> You'd be better off asking this in the MBSA newsgroup:
> Forwarded for the poster's convenience.
> Jerrold wrote:
>> Has anybody had MBSA say a reboot isn't needed after a patch install even
>> though a reboot is needed?
>> I'm using MBSA command line to detect what patches our machines need then
>> after running patches with /quiet and /norestart switches I run MBSA
>> again to make sure they installed and if any reboots are needed. The
>> problem I've run into is testing some Office patches with the Office
>> applications open I see the oHotFix logs say a reboot is needed but MBSA
>> never reports back that a reboot is needed. This is with MBSA 2.1 on XP
>> and Win2k.
> MowGreen [MVP 2003-2008]
> *-343-* FDNY
> Never Forgotten
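
Added example, not part of the original posts and not Microsoft's code: one way to turn the first workaround (running mbsacli.exe without switches and looking for the "Incomplete Updates" check) into an automated test over captured report text. It assumes the text has the Issue/Score/Result layout quoted in the reply above; the function names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample: the "Incomplete Updates" record is the fragment quoted in
# the post; the second record is made up to show a check that does not flag.
SAMPLE_REPORT = """\
Issue: Incomplete Updates
Score: Check failed (non-critical)
Result: A previous software update installation was not completed. You must
restart your computer to finish the installation. If the incomplete
installation was a security update, then the computer may be at risk until
the computer is restarted.

Issue: Example Check (constructed)
Score: Check passed
Result: No problem found.
"""

FIELD = re.compile(r"^\s*(Issue|Score|Result):\s*(.*)$")

def parse_checks(text):
    """Split report text into dicts with Issue/Score/Result keys.

    A line without a field label continues the previous field, so a Result
    wrapped over several lines is joined back into one string.
    """
    checks, current, last = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Issue":
                current = {"Issue": value.strip(), "Score": "", "Result": ""}
                checks.append(current)
            elif current is not None:
                current[key] = value.strip()
            last = key if current is not None else None
        elif line.strip() and current is not None and last:
            current[last] = (current[last] + " " + line.strip()).strip()
    return checks

def reboot_pending(text):
    """True when the Incomplete Updates check is present and failed."""
    for check in parse_checks(text):
        if check["Issue"].lower() == "incomplete updates":
            return check["Score"].lower().startswith("check failed")
    return False

if __name__ == "__main__":
    print("reboot pending:", reboot_pending(SAMPLE_REPORT))
```

A False result only means the check did not flag: as the reply states, updates installed manually or through a third-party process are not reported, so the registry workaround remains a separate check.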