Managing Patch Jobs for Windows Assets

You can deploy jobs to install patches that are missing or remediate any identified vulnerabilities. Based on your preference, you can deploy a patch job from any of the following tabs:

 - Jobs

 - Assets

 - Patches

The Jobs and Assets tabs differ in when you pick the assets: when you create a job from the Jobs tab, you select the assets while creating the job, whereas when you create a job from the Assets tab, you select the assets first and then create the deployment job that deploys patches to them. The assets are pre-populated in the job when you create a deployment job from the Assets tab.

Note: The job title of each job must be unique, and it cannot match the title of a Linux job. For example, if a Linux job titled Security Patches exists, you cannot create a Windows job titled Security Patches.

About Zero-Touch Patch Jobs

All QQL-based recurring jobs are known as Zero-Touch Patch jobs. All zero-touch patch jobs are denoted with the zero-touch icon in the job list.

The Zero-Touch Patch Job option allows you to create an automated job to proactively patch current and future Windows vulnerabilities.

Zero-Touch Patch Job List

Creating Patch Job for Windows Assets

1. Go to Jobs > Create Job, and click Deployment Job.

Deployment Job option.

Alternatively, you can go to the Assets tab, select the assets on which you want to apply the patches, and then go to Actions > Add to New Job.

 Deployment Job option from assets.

2. Provide a job title, and then select assets or asset tags to apply the patches to.

Want to add assets later? Go to the Assets tab and select one or more assets; then, from the Quick Actions Menu of a single asset or from the Actions menu (bulk actions), click Add to Existing Job or Add to New Job. You cannot add assets later to On-Demand or run-once (non-recurring) jobs once they are enabled.

Note: Patches are deployed on the selected tags only for assets contained in the user's scope. When you select an asset tag, corresponding child tags get automatically selected. Select "Any" to include assets that have any of the selected tags. Select "All" to include only those assets in the patch deployment job that have ALL the selected tags.

3. (Optional) Select the Add Exclusion Assets check box to exclude specific assets from the deployment job.

Note: You can include and exclude a maximum of 50 assets in a job.

Exclude Assets

Note: Based on the selected options, the final list of assets is calculated taking into consideration included and excluded assets tags and included and excluded assets.

4. (Optional) Select the Add Exclusion Asset Tags check box to exclude from the deployment job the assets that have All/Any of the selected asset tags.

Note: You can include and exclude a maximum of 50 asset tags in a job. To understand how the final assets are determined for a job, see Which Assets are Included for a Job.

Assets for the deployment job.
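The Any/All tag matching and the asset and tag exclusions in steps 2 to 4 work together to produce the final target list. The following Python is an added example, not Qualys code; it models that resolution against a constructed inventory and assumes that an exclusion always takes precedence over an inclusion, a rule the page defers to a separate topic.

```python
from dataclasses import dataclass

MAX_SELECTED = 50  # the wizard accepts at most 50 assets and 50 tags per include/exclude list

@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset

def tags_match(asset, tags, mode):
    """Any: the asset carries at least one selected tag. All: it carries every selected tag."""
    if not tags:
        return False
    if mode == "Any":
        return bool(asset.tags & tags)
    if mode == "All":
        return tags <= asset.tags
    raise ValueError(f"unknown tag mode {mode!r}")

def resolve_targets(scope, include_tags=(), include_mode="Any", include_assets=(),
                    exclude_tags=(), exclude_mode="Any", exclude_assets=()):
    """Sorted names of the assets the job patches. `scope` is the inventory visible to the
    user; nothing outside it is targeted. Assumption (the page defers the exact rule to another
    topic): an exclusion, whether by tag or by name, always wins over an inclusion."""
    include_tags, exclude_tags = frozenset(include_tags), frozenset(exclude_tags)
    include_assets, exclude_assets = set(include_assets), set(exclude_assets)
    for label, items in (("included assets", include_assets), ("excluded assets", exclude_assets),
                         ("included tags", include_tags), ("excluded tags", exclude_tags)):
        if len(items) > MAX_SELECTED:
            raise ValueError(f"more than {MAX_SELECTED} {label} selected")
    targets = []
    for asset in scope:
        included = asset.name in include_assets or tags_match(asset, include_tags, include_mode)
        excluded = asset.name in exclude_assets or tags_match(asset, exclude_tags, exclude_mode)
        if included and not excluded:
            targets.append(asset.name)
    return sorted(targets)

# Constructed sample inventory (not real hosts); tags are assumed already expanded to their child tags.
SCOPE = [
    Asset("web-01", frozenset({"windows", "web", "prod"})),
    Asset("web-02", frozenset({"windows", "web", "staging"})),
    Asset("db-01", frozenset({"windows", "db", "prod"})),
    Asset("jump-01", frozenset({"windows", "prod", "pci"})),
]

if __name__ == "__main__":
    # All prod Windows hosts except PCI-tagged ones, plus web-02 added by name -> db-01, web-01, web-02
    print(resolve_targets(SCOPE, include_tags={"windows", "prod"}, include_mode="All",
                          include_assets={"web-02"}, exclude_tags={"pci"}))
```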

5. Select the pre-action that you want to execute on the assets before the job starts. For more information, see About Pre-Actions and Post-Actions.

Select Pre-Action

6. Select patches to apply to the assets. You can select one of the following patch selection options:
-  Manual Patch Selection
-  Automated Patch Selection
-  Patch Selection from Another Job

After you select the Manual Patch Selection option, click the Take me to patch selector link to select patches. On the Patch Selector page, you can use the Within Scope option to view the missing patches within the scope of the selected assets, or view all available patches. Select the desired patches, click Add to Job, and then click Close.

On the Select Patches pane of the deployment job wizard, click Available Patches if you want to add more patches to the job.

Manual Patch Selection

You can use the Qualys Query Language (QQL) to define criteria that automatically select the patches a job installs, based on vulnerabilities or patches. The query can be used for run-once and recurring jobs. You cannot combine a QQL query and a patch list to select the patches added to a job: either the job executes based on the query, or you select the patches from the Patch List.

Note: You can use vulnerability tokens to create a QQL-based job only if you have a subscription for the VMDR app. You can use the RTI tokens only if you have an active subscription for the Threat Protection app.

Want to add patches later? Go to the Patches tab and select one or more patches; then, from the Quick Actions Menu of a single patch or from the Actions menu (bulk actions), click Add to Existing Job or Add to New Job. You cannot add patches later to On-Demand or run-once (non-recurring) jobs once they are enabled.

Note that when you modify a patch job using the Add to Existing Job option from the Patches tab, you can add patches, but cannot add target assets or asset tags. To apply patches to an asset that is not added to the job, you can 1) edit an existing job from the Jobs tab, 2) select the asset from the Assets tab and use the Add to Existing Job option, or 3) create a new patch job for that asset.

Note: You can add a maximum of 2000 patches to a single job. Create another job to add more than 2000 patches.

QQL

After you select the Patch Selection from Another Job option, click the Take me to job selector link. In the Select Job window, select the job whose latest run you want to fetch the patches from, and click Apply.

Patch Selection from Another Job

After selecting the required patches using one of the options described above, click Next.

7. Select the post-action that you want to execute on the assets after the job completes. For more information, see About Pre-Actions and Post-Actions.

Post Action

8. Choose when to install the patches: On-Demand or Schedule. The On-Demand option installs the patches immediately once the job is created and enabled. The Schedule option installs the patches at a set time. You can choose to run the scheduled job daily, weekly, or monthly.

See Schedule Job Settings

For scheduled jobs, you can enable opportunistic patch download from Options > Additional Job Settings so that the Cloud Agent downloads the required patches before the scheduled run begins. The agent can then deploy the patches in less time, instead of downloading them only after the run starts. Enabling opportunistic patch download is recommended only for jobs scheduled more than 3 hours from the current time; a job scheduled less than 3 hours ahead is better created as an On-Demand job.

Monthly jobs that are scheduled to run on the 31st of the month will be scheduled every two months (only in months that have a 31st). To run every month instead, schedule the job to run on the last day of the month; this ensures the job runs on the last day regardless of whether the month has 28, 29, 30, or 31 days. For monthly jobs, you can also select the Patch Tuesday option to install patches released on a Patch Tuesday. For more information, see Scheduling Patch Tuesday Jobs.

Note: Recurring jobs (Daily, Weekly, Monthly) must be enabled at least three hours before the scheduled time; otherwise, the next eligible schedule is used.

Schedule patch deployment
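The 31st-versus-last-day behaviour and the three-hour enablement rule above are easy to misjudge when planning a maintenance window. The following Python is an added example, not part of the Qualys product; it models both rules on a constructed 2024 schedule and assumes the three-hour rule is checked against each scheduled run start.

```python
import calendar
from datetime import date, datetime, time, timedelta

LAST_DAY = "last"                 # schedule on the last day of the month, whatever its length
ENABLE_LEAD = timedelta(hours=3)  # a recurring job must be enabled 3 hours before a run

def run_date_in_month(year: int, month: int, day):
    """Date the job runs in this month, or None when the month has no such day
    (a job pinned to the 31st never runs in a 30-day month or in February)."""
    last = calendar.monthrange(year, month)[1]
    if day == LAST_DAY:
        return date(year, month, last)
    return date(year, month, day) if day <= last else None

def monthly_runs(year: int, month: int, day, count: int) -> list:
    """The next `count` run dates from year/month onward, skipping months that lack the day."""
    runs = []
    while len(runs) < count:
        d = run_date_in_month(year, month, day)
        if d is not None:
            runs.append(d)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs

def first_eligible_run(enabled_at: datetime, run_dates: list, run_time: time):
    """First occurrence at least ENABLE_LEAD after the job was enabled; an occurrence
    closer than that is skipped and the next eligible schedule is used (assumed rule)."""
    for d in run_dates:
        occurrence = datetime.combine(d, run_time)
        if occurrence - enabled_at >= ENABLE_LEAD:
            return occurrence
    return None

# Constructed sample: job enabled at 08:00 on 31 Jan 2024 with a 10:00 run time.
ENABLED_AT = datetime(2024, 1, 31, 8, 0)
RUN_TIME = time(10, 0)

if __name__ == "__main__":
    # Pinned to the 31st: only every other month has one, so the job runs every two months.
    print(monthly_runs(2024, 1, 31, 4))        # Jan, Mar, May, Jul 2024
    # Last day of month: runs every month, including 29 Feb 2024.
    print(monthly_runs(2024, 1, LAST_DAY, 3))
    # Enabled only 2 hours before the 10:00 slot, so the January run is skipped.
    print(first_eligible_run(ENABLED_AT, monthly_runs(2024, 1, 31, 4), RUN_TIME))
```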

9. You can configure how to notify the users about the patch deployment.

Deployment Messages:

You can configure pre-deployment messages and allow the user to defer the patch deployment a certain number of times. You can also provide progress and completion messages. Finally, you can prompt the user or suppress the reboot when an asset reboot is required after patch installation.

Reboot Messages:

These options are for reboot messages:

Suppress Reboot - This option allows you to patch systems in advance and defer the reboot until the maintenance window.

Note: If you enable this option, the agent stops subsequent patch scans and job deployments and resumes them only after the reboot is done.

Reboot Request - Many patches require a reboot to take effect. When this option is enabled, a message is shown to logged-in users indicating that a reboot is required. If no user is logged in, the reboot starts immediately after patch deployment.

You can configure this option to give the user the choice of either rebooting the machine immediately after the patch is deployed or deferring the reboot "x" number of times so that they can save their work and complete other tasks. The reboot is deferred until 1) the user clicks OK when the reboot message is shown or 2) the maximum number of deferments is reached.

Reboot Countdown - If a deferment limit is set in the Reboot Request, configure this option to show a countdown message to users after the deferment limit is reached. When the reboot countdown is enabled, the end user can see how long it will be before the system reboots.

See Reboot Settings

We highly recommend that when you create the job, you fill out both the message and description fields for these options, as this gives better performance in the agent/platform acknowledging the requests. Keep the messages very brief and the descriptions as detailed as possible.

Notification Settings:

You can choose to send email notifications for events, such as a job starting or completing, to the intended recipients.

Note: For a recurring job, if the email notification is configured, you will receive the email notification once per day for the job run. If the same recurring job is edited and scheduled again for the same day, you will not receive the email notification again on that day.

10. Finally, choose Co-Authors for this job. Besides the owner, the selected Co-Authors can edit this job.

Job access screen shows co authors for the job.

11. Next, review the configuration.

A job can be created either in the ENABLED state by using the Save & Enable option or in the DISABLED state by using the Save button.

Save drop-down button showing options to save a deployment job.

You must enable a disabled job in order to run it. To enable a disabled job, go to the Jobs tab and, from the Quick Actions Menu of the job, click Enable. Choose the Save & Enable option only when you are confident that the job is correctly configured, because the job begins executing as soon as you save it. This option is available only when creating a job for the first time, not when editing it.

Tip: You can use the Disable option to temporarily disable a scheduled job and re-enable it later at your convenience. On-Demand or run-once (non-recurring) jobs cannot be edited or disabled once they are enabled.

See Enabling or Disabling Jobs

Note that a SuperUser or Administrator can change the job status (enable/disable), and can delete and edit the job.

Want to roll back patches? See Roll back patches from assets.
