Thanks for posting the issue.
1. Although there is no specific way to exclude IP addresses within an IP
address range, there are two features that can be used from the command-line
a. You can perform multiple scans using smaller IP address ranges that
work around the IP addresses you do not want to scan. In fact, you could
even script this using the /r parameter to scan each range you want to scan.
b. If IP address ranges are too tedious you could use the /listfile
option from the command-line to list the NetBIOS machine names of the
machines you want to scan.
2. When an "Incomplete Scan" error is displayed please check for the
This is often the case when the C$ share and the remote registry of a target
machine are unavailable to the MBSA machine performing the scan. This
prevents MBSA 2.0 from pushing down the necessary catalog file (usually
WSUSSCN2.CAB) and potentially an updated version of the WUA client bits to
the target machine.
a. Verify firewall ports and COM+ are configured correctly on both
target and host machines.
b. The Server service, Remote Registry service, and File and Print
Sharing service must be running on the remote computer.
c. The Windows Update Agent must be installed and the Automatic
Updates service must not be disabled.
Here is some more information on firewall ports and COM+ configuration:
a. See the MBSA 2.0 FAQ under the section titled, “How can I scan a
computer that is protected by a firewall?”
b. Check and update DCOM settings on the target computer. On the
remote (target) computer, use the following steps:
• From a command prompt, type DCOMCNFG (or alternatively, open Component
Services from an MMC console)
• Expand Component Services | Computers | My Computer
• From the My Computer node, right click the ‘My Computer’ node and choose
• From the ‘Properties’ dialog, confirm the option to ‘Enable Distributed
COM on this computer’ is selected – then click OK
• From the My Computer node, expand the DCOM Config node
• Right-click the 'Windows Update Agent - Remote Access' object and select
• From the ‘Windows Update Agent – Remote Access’ Properties dialog, select
the ‘Security’ tab
• In the Security tab, choose EDIT to select each node to ensure the
appropriate workgroup or domain credentials that will be used by the scanning
MBSA 2.x machine are included in each of the 3 sections.
Hope this answers your questions.
Mercy Dworzak [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Gis Bun
1) Is there a way to scan a range of systems but exclude certain IP addresses?
2) We have the Windows XP turned on for our network. The MBSA 2.1 always
gives an incomplete message for the systems. Without turning off the
firewall, any way of ignoring this message or bypassing?