They suggest using Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning but of course there are many options from free to expensive.

FORBES: Vulnerability Intelligence Versus Vulnerability Management

Despite the fact that every security framework from Cobit to ITIL to ISO calls for vulnerability scanning, and PCI DSS requires it, most organizations are still doing it on an ad-hoc basis, if at all.

FORBES: Vulnerability Intelligence Versus Vulnerability Management