The SMS 2003 R2 Scan Tool for Vulnerability Assessment wizard installs components on the site server and creates SMS objects to install the scan tool on the SMS Advanced Clients. The Setup wizard creates the following objects by default:

During Setup, you must specify a base name for the objects that SMS creates. The suggested base name is Vulnerability Assessment Tool, but any unique base name can be used. If you choose another name, it must be different from any existing SMS objects. The documentation assumes you are using the default base name.


If you accept the default name, Setup creates the Vulnerability Assessment Tool package. The Vulnerability Assessment Tool package always obtains its source files from the <installation directory>\PkgSource directory.

Do not rename the package or move the package source folder after installation. Doing so will cause the inventory scans to fail.

Setup can automatically configure the package to be copied to all distribution points in the site and to all child sites. If you prefer to limit the distribution points that contain the inventory tool package, you can manually configure the distribution points for the Vulnerability Assessment Tool package after Setup is complete.


Setup creates the following programs to run the assessment tool on the SMS client computers:

  • Vulnerability Assessment (regular). This program runs the following command line: VulnerabilityAssessment.exe.

  • Vulnerability Assessment (expedited). This program runs the following command line: VulnerabilityAssessment.exe /kick.

    The /kick switch causes hardware inventory to be collected immediately after running the scan tool. This allows for timelier reporting of which software updates are and are not applied. Use care when running /kick in a production environment. The first time the expedited program runs, it may cause significant network traffic, even if clients are generating only delta hardware inventory. If the expedited program runs regularly, the network impact should decrease.

Both programs share the following property settings:

  • Run hidden.

  • Do not reboot the computer after running.

  • Can run only on Windows 2000, Windows XP, and Windows Server 2003.

  • Can run whether or not a user is logged on.

  • Run with administrative rights.

  • Suppress program notifications.

If the Create SMS objects to distribute MBSA is selected, Setup adds the MBSA 2.0 package and MBSA Install Silently (without shortcuts) program to the Run another program first setting on the Advanced tab of each Vulnerability Assessment program. This ensures that MBSA 2.0 is installed on the client before installing the tool and scanning for vulnerability assessments.


During Setup, you have the option to advertise the scan tool. This action creates the Vulnerability Assessment Tool advertisement, which distributes the Vulnerability Assessment Tool package and Vulnerability Assessment Tool (regular) program to the Vulnerability Assessment Tool (default) collection. By default, the advertisement is scheduled to recur every seven days, effective as soon as the object is created. Advanced Clients download the program from a local distribution point (if available) or remote distribution point (if no local distribution point is available) and then run the program from the cache. Changing the program to run directly from a distribution point is not recommended. For more information about the cache, see Microsoft Knowledge Base article 839513 at the Microsoft Help and Support site (


If the option to advertise the scan tool is selected during Setup, the following collections are created to assist you in testing and deploying the Vulnerability Assessment Tool package to your SMS clients:

  • Vulnerability Assessment Tool (pre-production)

  • Vulnerability Assessment Tool (default)

If Setup creates the advertisement and the collections, you must designate an SMS 2003 SP2 Advanced Client to use as a test computer. The computer must have the SMS Advanced Client installed and the client must belong to an existing collection that the account you are logged on with when running Setup has read access. Setup adds the test computer to the Vulnerability Assessment Tool (pre-production) collection.

The Vulnerability Assessment Tool (default) collection has one querybased membership rule to include all operating systems in which the version is greater than or equal to 5.0.2195, which evaluates to all computers that are running Windows 2000, Windows XP, or Windows Server 2003. However, because the default query rule properties limit the Vulnerability Assessment Tool (default) collection to the Vulnerability Assessment Tool (pre-production) collection, the effective membership after Setup includes only the single test computer. This ensures that initially the SMS 2003 R2 Scan Tool for Vulnerability Assessment runs only on the known test computer. After you have completed your tests, you can remove the collection limiting option and the Vulnerability Assessment Tool automatically distributes to all computers that are capable of running it.

For more information about managing the collections created by Setup, see Managing Collections for the Scan Tool for Vulnerability Assessment.

See Also