
Deploying Patch Jobs on Assets

You can deploy jobs to install patches that are missing or remediate any identified vulnerabilities. Based on your preference, you can deploy a patch job from any of the following tabs:

 - Jobs

 - Assets

 - Patches

The difference between the Jobs and Assets options is that when you create a job from the Jobs tab, you select the assets while creating the job, whereas when you create a job from the Assets tab, you select the assets first and then create a deployment job to deploy patches on those assets. The assets are pre-populated for the job when you create a deployment job from the Assets tab.

Simply go to Jobs > Create Job, and click Deployment Job.  

Deployment Job option.

Optionally, you can go to the Assets tab, select the assets on which you want to apply the patches and then go to Actions > Add to New Job.

 Deployment Job option from assets.

Provide a job title, and then select assets or asset tags to apply the patches to.

Want to add assets later? Go to the Assets tab, and select one or more assets, then from the Quick Actions Menu of a single asset or from the Actions menu (bulk actions) click Add to Existing Job or click Add to New Job. You cannot add assets later to On-Demand or run-once (non recurring) jobs once they are enabled.

Note: Patches are deployed on the selected tags only for assets contained in the user's scope. When you select an asset tag, corresponding child tags get automatically selected. Select "Any" to include assets that have any of the selected tags. Select "All" to include only those assets in the patch deployment job that have ALL the selected tags.

Select "Add Exclusion Asset Tags" to exclude from the deployment job the assets that have ALL or ANY of the selected asset tags.

Assets for the deployment job.
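The interaction between user scope, the Any/All choice, and exclusion tags is easier to check against a small model before enabling a job. The following Python sketch is an added example, not Qualys code: the inventory, tag names, and the `resolve_job_assets` helper are constructed for illustration, and the tag sets passed in are assumed to be the final selection after child tags have been auto-selected.

```python
# Constructed inventory: asset name -> asset tags (not real Qualys data).
ASSETS = {
    "web01": {"Web", "Prod"},
    "web02": {"Web", "Test"},
    "db01": {"DB", "Prod"},
    "db02": {"DB", "Prod", "Legacy"},
    "lap01": {"Workstations", "Test"},
}
# Assets the job author is allowed to act on; lap01 is out of scope.
USER_SCOPE = {"web01", "web02", "db01", "db02"}


def _tags_match(asset_tags, selected, mode):
    """Apply the Any/All rule to one asset's tags."""
    if mode not in ("ANY", "ALL"):
        raise ValueError(f"mode must be ANY or ALL, got {mode!r}")
    if not selected:
        return False  # an empty selection matches nothing
    if mode == "ALL":
        return selected <= asset_tags  # asset carries every selected tag
    return bool(selected & asset_tags)  # asset carries at least one


def resolve_job_assets(assets, user_scope, include, include_mode,
                       exclude=frozenset(), exclude_mode="ANY"):
    """Return the sorted asset names a job with these tag settings targets.

    `include` and `exclude` are the final tag sets, i.e. after child tags
    have been auto-selected (an assumption of this model).
    """
    include, exclude = set(include), set(exclude)
    targets = []
    for name, tags in assets.items():
        if name not in user_scope:
            continue  # tags never pull in assets outside the user's scope
        if not _tags_match(tags, include, include_mode):
            continue
        if _tags_match(tags, exclude, exclude_mode):
            continue  # exclusion tags remove an otherwise matching asset
        targets.append(name)
    return sorted(targets)


if __name__ == "__main__":
    print(resolve_job_assets(ASSETS, USER_SCOPE, {"Web", "Prod"}, "ANY"))
    print(resolve_job_assets(ASSETS, USER_SCOPE, {"Web", "Prod"}, "ALL"))
    print(resolve_job_assets(ASSETS, USER_SCOPE, {"Prod"}, "ANY", {"Legacy"}))
```

With the same two tags selected, "Any" targets four assets while "All" targets one, which is the difference to confirm before using Save & Enable.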

Select patches to apply to the assets. Use the patch selector link to select patches. On the Patch Selector page you can use the Within Scope option to view patches within the scope of the selected assets or view all available patches. Select the desired patches and click Add to Job and then click Close. On the Select Patches pane of the deployment job wizard, click Available Patches if you want to add more patches to the job.

You can use the Qualys Query Language (QQL) to create criteria that automate which patches are installed for a job. The query can be used for run-once and recurring jobs. You cannot combine a QQL query and the Patch List to select the patches that are added to a job. You must either create a job that is executed based on the query or select the patches from the Patch List.

Want to add patches later? Go to the Patches tab, and select one or more patches, then from the Quick Actions Menu of a single patch or from the Actions menu (bulk actions) click Add to Existing Job or click Add to New Job. You cannot add patches later to On-Demand or run-once (non recurring) jobs once they are enabled.

Note that when you modify a patch job using the Add to Existing Job option from the Patches tab, you can add patches, but cannot add target assets or asset tags. To apply patches to an asset that is not added to the job, you can 1) edit an existing job from the Jobs tab, 2) select the asset from the Assets tab and use the Add to Existing Job option, or 3) create a new patch job for that asset.

Note: You can add a maximum of 2000 patches to a single job. Create another job to add patches above 2000.


Choose when to install the patches, whether On-Demand or Schedule. The On-Demand option allows you to install the patches immediately once the job is created and enabled. The Schedule option allows you to install the patches at a set time. You can choose to run the scheduled job daily, weekly, or monthly.

See Schedule Job Settings

For scheduled jobs, you can enable opportunistic patch download from Options > Additional Job Settings to allow the Cloud Agent to download the required patches before a scheduled job run begins. This helps the Cloud Agent deploy patches in less time, instead of waiting to download the patches only after a job run starts. Enabling "Enable opportunistic patch download" is recommended only for jobs scheduled more than 3 hours from the current time. Jobs scheduled less than 3 hours ahead are better suited to being On-Demand jobs instead.

Note: Monthly jobs that are scheduled to run on the 31st of the month will be scheduled every two months (where the 31st is available). Recurring jobs (Daily, Weekly, Monthly) should be enabled three hours prior to the scheduled time; otherwise, the next eligible schedule will be considered.

Schedule patch deployment

You can configure how users are notified about the patch deployment. You can configure pre-deployment messages and deferral of the patch deployment a certain number of times. You can also provide progress and completion messages. Finally, you can prompt the user or suppress the reboot when an asset reboot is required after patch installation.

User prompts for the deployment job.

These options are for reboot messages:

Suppress Reboot - This option allows you to patch systems in advance and defer reboot till the maintenance window.

Reboot Request - Many patches require reboot in order to take effect. When enabled, it will show a message to users indicating that a reboot is required. If no user is logged in, the reboot will start immediately after patch deployment.

You can configure this option to let the user either reboot the machine immediately after the patch is deployed or defer the reboot "x" number of times so that the user can save their work and complete other tasks. The reboot is deferred until 1) the user clicks OK when the reboot message is shown or 2) the maximum number of deferments is reached.

Reboot Countdown - If a deferment limit is set in the Reboot Request, configure this option to show a countdown message to users after the deferment limit is reached. When the reboot countdown is enabled, it gives the end user an indication of how long it will take before the system is rebooted.

See Reboot Settings

We highly recommend that when you create the job, you fill out both the message and description fields for these options, as this gives better performance when the agent/platform acknowledges the requests. Keep the messages very brief and the descriptions as detailed as possible.

Reboot messages options.

Finally, choose Co-Authors for this job. Besides the owner, the selected Co-Authors can edit this job.

Job access screen shows co authors for the job.

Next, review the configuration.

A job can be created either in the ENABLED state by using the Save & Enable option or in the DISABLED state by using the Save button.

Save drop-down button showing options to save a deployment job.

You must enable a disabled job in order to run it. To enable a disabled job, go to the Jobs tab, then from the Quick Actions Menu of the job, click Enable. Choose the Save & Enable option only when you are confident that the job is correctly configured, because the job will begin executing as soon as you "Save" it. This option is available only when creating a job for the first time, not when editing the job.

Tip: You can use the Disable option to temporarily disable a scheduled job. You can then re-enable the job later at your convenience. On-Demand or run-once (non recurring) jobs cannot be edited or disabled once they are enabled.

See Enable/Disable Jobs

Note that the SuperUser or Administrator can change the job status (enable/disable), delete and edit the job.

Want to uninstall patches? See Uninstall patches from assets

 
