Qualys Patch Management User Manual

Patch Management

User Guide
Version 1.4
April 6, 2021
Copyright 2018-2021 by Qualys, Inc. All Rights Reserved.
Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.
Qualys, Inc. 919 E Hillsdale Blvd 4th Floor Foster City, CA 94404 1 (650) 801 6100

Table of Contents

About this Guide
  About Qualys
  Qualys Support
Patch Management Overview
  Get Started
  Manage PM Licenses
  Fallback to free version
  View Your Assets
  View Your Jobs
  View Your Assessment Profiles and Licenses Information
Install Cloud Agents for PM
  What are the steps?
  Download Installer
  Activate your agents for PM
  Enable PM in a CA configuration profile
User Roles and Permissions
  How to find PM Roles and view their permissions
  How are tags used to grant access to assets?
  User Roles Comparison
Create Assessment Profiles
Review Missing and Installed Patches
  Download Patch from the Vendor Site
Jobs to Deploy Patches on Assets
  Schedule Job Settings
  Reboot Settings
  Enable/Disable Jobs
Use QQL to Automate Patch Selection for Jobs
  Example 1 Installing patches released on Patch Tuesday automatically
  Example 2 Installing critical patches for Chrome and Internet Explorer
  Example 3 QQL for security patches
Clone a Job
  Cloning a Job
Change Job Ownership
Uninstall Patches from Assets
Review Job Results
Asset, Deployment, and Patch Statuses
  Asset Statuses List
  Deployment Job Statuses List
  Patch Specific Failure Reason Codes List
Exporting Patch Data
  How to Export Patch Data?
URLs to be Whitelisted For Patch Download

About this Guide

Welcome to Qualys Patch Management! We’ll help you get acquainted with the Qualys solutions for patching your systems using the Qualys Cloud Security Platform.
About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.
Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit www.qualys.com.

Qualys Support

Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/.

Patch Management Overview

Qualys Patch Management saves you time and effort by automating patch management on Windows assets, for both Microsoft and Non-Microsoft patches, using a single patch management application. It provides instant visibility on patches available for your assets and tells you whether these patches are already installed. You can automatically deploy new patches as and when they are available.
The Cloud Agent downloads the required patches from external sources. However, patches that require authentication cannot be downloaded by the agent. You can manually download and install such patches on the assets. Qualys Patch Management will then identify these patches as installed.
We do not support scanning assets running Windows evaluation versions. These assets are scanned for missing/installed patches once they are upgraded to the full version of Windows.
Note: Qualys Patch Management 1.4 has several search and token changes due to which your existing dashboard widgets might stop working or show errors. To fix the widgets, see the “Rebuild Widgets” topic in the online help.
Get Started
Follow the steps to get started with Patch Management.

Qualys Subscription and Modules required

You need the “Patch Management” (PM) module enabled for your account.

System support

Patch Management only supports installing patches on Windows at present.

Agent installation and configuration

Install Cloud Agents (using the CA app)
Enable PM in a CA configuration Profile (using the CA app)
Manage PM Licenses

Deploy patches

Create a custom assessment profile (Optional)
Review missing and installed patches
Jobs to Deploy Patches on Assets
Review patch deployment results (success / failure)

Uninstall patches

Create a custom assessment profile (Optional)
Review missing and installed patches
Uninstall Patches from Assets
Review patch uninstall results (success / failure)
Manage PM Licenses
The Licenses tab, enabled only for paid subscribers, shows the number of licenses consumed by Patch Management (PM). You can include asset tags to allow installing/uninstalling patches on the assets contained in those asset tags. The Total Consumption counter may exceed 100% if the number of assets activated for PM is more than the number of PM licenses you have. Assets in the excluded asset tags are not considered for patch management and you cannot deploy patches on those assets.
Note: In case the Total Consumption counter exceeds 100%, licenses will be consumed based on the asset activation time stamp in ascending order.
Only admin / super users can manage licenses. Sub-users can only view the license information.
Fallback to free version
Patch Management will revert to the Free version once your Trial or Full subscription expires. Existing scan intervals of less than 24 hours will get converted to intervals of 24 hours. Your existing jobs will be disabled and you can re-enable them once you renew your subscription.
The free version allows you to create assessment profiles with a minimum scan interval of 24 hours and see a list of missing and installed patches on the assets in your environment. It doesn’t allow creating deployment/uninstall jobs.

View Your Assets

The Assets tab displays all the assets in your account for which you activated Patch Management from the Cloud Agent module. We display missing and installed patches for all the successfully scanned assets, but you can patch only assets that have a Patch Management license. You can use the asset search token "licensed:true" to list licensed assets.
Note that you will see only those assets in the Assets tab that are in your asset tag scope. Go to the Administration utility and view what asset tags are added to your user. Only the assets that have these asset tags are shown to you in the Assets tab. See the "How are tags used to grant access to assets?" section in User Roles and Permissions.
For each asset, we show the date and time when the asset was scanned, the asset name and its operating system, the total number of missing and installed patches, who logged into the asset, and the asset tags applied to the asset.
From the Assets tab, you can:
1) filter assets by patch status: Missing, Installed and Only Latest Missing Patches. Missing, when selected, displays the assets that have missing patches. Installed, when selected, displays the assets that have installed patches. The third option, "Only Latest Missing Patches", when selected, counts only the most recent iterations of the patches for OS and applications in the missing patches count for assets.
2) enter QQL (Qualys Query Language) queries in the search box to search for assets. Use asset and patch tokens in the queries individually or in combination to search for assets. To use the queries in combination, click the plus icon in the search box. The patch tokens let you search for assets by patch information such as patch title, ID and so on. For example, you can search what assets have patches missing with a certain patch ID. If you have selected a filter (Missing/Installed), then the search will include those assets that match the selected filter. If the filter "Missing" is selected, then only the assets with missing patches will be searched.
3) use the filters to search assets by OS Families and scanning status. When you click a filter from the list, the search box shows the filter query and the Assets page shows only those assets that meet the filter conditions.
4) select an asset and use the Quick Action menu to view details of assets including system information, network information, data and findings reported by other Qualys modules and applications, and add the assets to a new job or an existing job.
5) select one or more assets and use the Bulk Actions menu to add them to an existing job or a new job.
6) use the Search Actions menu to view the recent searches, save search queries added in the search box and manage saved searches.
View Your Jobs
The Jobs tab lists the patch jobs. On the Jobs page, we show you the job's status (Enabled, Disabled and Completed), name, owner, and schedule. In addition to these details, we also show the total number of patches, assets and asset tags added to the job. When you click the total number of patches and assets links, we will show you the list of patches and assets. Tagged assets shows how many of the assets that have the selected asset tags are included in the job. While adding tags, you can use AND and OR operators. Only the assets that satisfy the condition will be added to the job.
Currently, we show all the jobs that are created in your subscription, but you can view or edit only those jobs that you have created or of which you are the Co-Author. The Co-Author of a job has permission to edit the job if the Co-Author has edit permission.
From the Jobs tab, you can:
1) enter QQL (Qualys Query Language) queries in the search box to search for jobs.
2) use the filters to search jobs by status (Enabled, Disabled, and Completed), schedule (On-demand, Daily, Once) and job type (Install, Uninstall).
3) select filters to view the jobs that you have created or of which you are the Co-Author.
4) create deployment or uninstall jobs.
5) select a job and use the Quick Actions menu to view the job details and progress, edit the job, change the owner of the job, delete a job, clone a job, and enable or disable a job.
6) select multiple jobs and use the Bulk Actions menu to change the ownership of jobs, delete and enable jobs. Note that you must be either Owner or Co-Author of the job to perform the actions available from the Quick Actions and Actions menus.
7) use the Search Actions menu to view the recent searches, save search queries added in the search box and manage saved searches.
View Your Assessment Profiles and Licenses Information
The Configuration tab has two tabs: Profiles and Licenses. The Profiles tab lists the default assessment and custom assessment profiles and the Licenses tab shows license information. The Profiles tab displays a default assessment profile. Cloud Agents scan for patches (missing and installed) at a specific interval using the configuration defined in the default assessment profile. When no custom assessment profile is defined, the default assessment profile is applied to all agents, which scans the assets at an interval of 24 hours for a free subscription and 4 hours for a trial/paid subscription. The Profiles tab shows the assessment profile's status (enabled/disabled), name, date and time of creation, and schedule (the scan interval). Asset tags show what asset tags are added to the assessment profiles.
From the Profiles tab, you can:
1) create custom assessment profiles.
2) select an assessment profile and use the Quick Actions menu to view, edit, delete, enable and disable profiles. Delete, Enable and Disable actions are not available for Default assessment profiles.
3) select more than one assessment profile and use the Actions menu to delete, enable and disable assessment profiles.
4) click the Licenses tab to manage PM licenses for your assets. The Licenses tab, enabled only for paid subscribers, shows the number of licenses consumed by Patch Management (PM).

Install Cloud Agents for PM

Agent installations are managed in Cloud Agent (CA).

Let's get started!

Choose CA (Cloud Agent) from the app picker.
As a first time user, you’ll land directly into the Getting Started page.
What are the steps?
Create an activation key. Go to Activation Keys, click the New Key button. Give it a title, provision for the PM application and click Generate.
As you can see, you can provision the same key for any of the other applications in your account.
Download Installer
Click Install instructions next to Windows (.exe). Patch Management only supports installing patches on Windows at present.
Review the installation requirements and click Download.
You'll run the installer on each system from an elevated command prompt, or use a systems management tool or Windows group policy. Your agents should start connecting to our cloud platform.
Your host must be able to reach your Qualys Cloud Platform (or the Qualys Private Cloud Platform) over HTTPS port 443. On the Qualys Cloud Platform, go to Help > About to see the URL your host needs to access. For more information about connectivity requirements/proxy settings refer to the platform specific Cloud Agent Installation Guides available on https://www.qualys.com/documentation/.
See URLs to be Whitelisted For Patch Download for the list of URLs that you must whitelist for the Cloud Agent to successfully download patches on your host.

Activate your agents for PM

Go to the Agents tab, and from the Quick Actions menu of an agent, click "Activate for FIM or EDR or PM or SA". (Bulk activation is supported using the Actions menu).

Enable PM in a CA configuration profile

You can create a new profile or edit an existing one. The PM module is enabled by default.
The Cache size setting determines how much space the agent should allocate to store downloaded patches on the asset. By default, 2048 MB are allocated. If you are planning on using the opportunistic download, where an agent downloads patches before deployment, it is recommended to increase the cache size, or to allow for Unlimited Cache size. Note that the agent will clear the cached files after deployment.

You're ready!

Select PM from the application picker and then create a deployment job to start installing patches on your assets.

User Roles and Permissions

Role Based Access Control gives you flexibility to control access to Patch Management features based on the roles of the individual users.
Each user is assigned a pre-defined user role which determines what actions the user can take.
We have 5 OOTB (Out-of-the-box) roles for PM users. Each role, except Patch Security, is an incremental role to the previous one.
1) Patch Reader: This is the default role designed for most (sub-)users present in the system today, with the minimum permissions possible. This role is granted to give users view/read-only capabilities in the dashboards developed to provide an insight into the patching operations. This role has only view permissions on assigned jobs, assessment profiles, and dashboards.
2) Patch Dashboard Author: This is a special role that would be needed only for larger organizations that delegate development of dashboards to a dedicated team, especially one that does NOT operate/manage the patching jobs. This role includes all the Patch Reader permissions.
3) Patch User: This role is designed for the operators of the Patching job, who interact and manage patching activities on a regular basis. In most cases, these users will also build dashboards for reporting information to their respective department/ team. This role includes all the Patch Dashboard Author permissions.
4) Patch Security: This role is mutually exclusive to all the earlier set of roles. It is meant for the Security Expert in organizations where IT operations and Security operations (SecOps) are owned by distinct teams. These users have very limited capabilities that allow them to pass on a list of selective patches to the IT operations team to operationalize their patching on the endpoints across the organization. All the job advisories created by a Patch Security user are “Partially Configured Jobs”, and only after these jobs are assigned to a Patch User/Patch Manager can the owners choose the right tags/assets, schedule and other options. Only the Patch Manager role has the “Change Owner” permission, enabling it to take/assign ownership of a “Partially Configured Job” to other users with Patch Manager or Patch User roles. These users can neither own nor edit/co-edit any job.
5) Patch Manager: A Patch Manager has all the permissions except create job advisory permission.
Note: For Patch Management, we refer to the Global Dashboard Permissions to determine what operations the user can perform on Unified Dashboard. The Global Dashboard Permissions will only allow the Patch Manager, Patch User, and Patch Dashboard Author to create, edit and delete their own dashboards. For permissions to edit, delete other users' dashboard and print/download dashboard, contact SuperUser or Administrator.
Our earlier RBAC model was more restrictive, enforcing a clear compartmentalization of users from each other and basic roles only. With the new RBAC model, we have added more roles, depicting the real-life hierarchies and responsibilities. With the upgrade of the RBAC model, all existing sub-users will take the Patch User role and all the existing superusers will have all the permissions defined in RBAC. All other roles will need to be explicitly managed by the superuser.
Also note that these roles are exclusive to the Patch Management module only. The roles defined in other modules have NO correlation with those defined in Patch Management.
Note: We recommend users to NOT create custom roles for the Patch Management users by assigning or unassigning permissions available through the default roles. Such customization of roles or change of permissions may lead to user roles not working as per the design.

Job Sharing with other users

A job can be shared with other users by making them co-authors of the job, allowing them to edit/operate the job equivalent to the creator, provided they have the same (or higher) role and same (or larger) asset scope assigned to them for administration.
See Jobs to Deploy Patches on Assets and Uninstall Patches from Assets to assign co-authors to a job.
Note that co-authors of a job do not have permission to add/remove assets to/from the job but they can add/remove asset tags to/from the job. Though co-authors of a job can add an asset tag to the job, only the assets that are in the owner's asset scope will be picked up when the job is run. Remember that execution of a job is restricted by the tag scope of the job owner.

Partially Configured Job

A patching job has 3 critical components:
a) Patch(es): One or more patches to be applied as a part of the job.
b) Asset(s)/ Tags: One or more assets on which the patches are to be applied. A logical collection of assets is referred to as Tags.
c) Schedule: The Patching job needs to be executed at a scheduled date and time. In case of a recurring Patching job, each job run is scheduled for a selected time, at a frequency across selected dates/ days of a month.
All these 3 components are important for the completeness of a job. If any of them is pending in a job definition, we have a Partially Configured Job.
The “Patch Security” role is restricted to defining only the first component i.e. patch list of a job. This ensures that the security advisors leave the operational aspects at the discretion of the Patch Users. Other users who are permitted to create/edit a job can also create Partially Configured Jobs. A job can be executed only when it is Fully Configured.
Apart from the above 3 mandatory components, a Fully Configured Job could also have some other options.
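The job sharing and Partially Configured Job rules above can be modelled as a pre-flight check. This is an added example, not Qualys code: it assumes a user's scope is a plain set of asset tags, that job tags are combined with OR, and all user, host, tag and patch names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Incremental roles, lowest to highest, as listed in the guide. Patch Security
# is outside this chain and can neither own nor co-edit a job.
ROLE_RANK = {"Patch Reader": 0, "Patch Dashboard Author": 1,
             "Patch User": 2, "Patch Manager": 3}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    scope_tags: frozenset  # asset tags in the user's scope (simplified model)


@dataclass
class Job:
    owner: User
    patches: set = field(default_factory=set)
    asset_tags: set = field(default_factory=set)
    assets: set = field(default_factory=set)  # individually added assets
    schedule: Optional[str] = None
    co_authors: list = field(default_factory=list)


def missing_components(job):
    """Return the mandatory components a job still lacks (empty = fully configured)."""
    missing = []
    if not job.patches:
        missing.append("patches")
    if not (job.asset_tags or job.assets):
        missing.append("assets/tags")
    if not job.schedule:
        missing.append("schedule")
    return missing


def can_co_author(job, user):
    """Same-or-higher role and same-or-larger scope than the job's creator."""
    if user.role not in ROLE_RANK or job.owner.role not in ROLE_RANK:
        return False
    return (ROLE_RANK[user.role] >= ROLE_RANK[job.owner.role]
            and user.scope_tags >= job.owner.scope_tags)


def add_tag(job, actor, tag):
    """Owner and co-authors may add asset tags to the job."""
    if actor != job.owner and actor not in job.co_authors:
        raise PermissionError(f"{actor.name} is neither owner nor co-author")
    job.asset_tags.add(tag)


def add_asset(job, actor, asset):
    """Only the owner may add individual assets; co-authors may not."""
    if actor != job.owner:
        raise PermissionError(f"{actor.name} cannot add assets to this job")
    job.assets.add(asset)


def effective_targets(job, inventory):
    """Assets a run would touch: selected by the job, limited to the owner's scope."""
    missing = missing_components(job)
    if missing:
        raise ValueError(f"partially configured job, missing: {missing}")
    selected = {a for a, tags in inventory.items()
                if a in job.assets or tags & job.asset_tags}
    return sorted(a for a in selected if inventory[a] & job.owner.scope_tags)


# Constructed sample data (hypothetical hosts, tags and users).
INVENTORY = {"ws-01": {"Workstations"}, "ws-02": {"Workstations", "Finance"},
             "srv-01": {"Servers"}, "srv-02": {"Servers", "Finance"}}
alice = User("alice", "Patch User", frozenset({"Workstations"}))
bob = User("bob", "Patch Manager", frozenset({"Workstations", "Servers"}))
carol = User("carol", "Patch Security", frozenset({"Workstations", "Servers"}))

if __name__ == "__main__":
    job = Job(owner=alice, patches={"PATCH-PLACEHOLDER"}, asset_tags={"Workstations"})
    print(missing_components(job))          # schedule still pending
    job.schedule = "daily 02:00"
    job.co_authors.append(bob)
    add_tag(job, bob, "Servers")            # allowed, but outside alice's scope
    print(effective_targets(job, INVENTORY))
```

The co-author's "Servers" tag is accepted, yet the run still resolves only to assets inside the owner's scope, which is the containment property to verify before changing a job's owner.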
How to find PM Roles and view their permissions
You can assign roles from our Administration utility module. Within the Administration utility, you'll find roles and their related permissions in the Role Management section. See Qualys Administration utility Online Help.
1) From the application module picker, click Administration.
2) Go to the Role Management tab and enter "patch" in the search box to view all the patch management roles.
3) Select a role from the list and from the Quick Actions menu, click View.
4) On the Roles View screen, go to the Permissions tab to view the permission for the selected role.
How are tags used to grant access to assets?
An asset tag is a tag assigned to one or more assets. Tag scopes define what assets the user can view when creating a job or when the user goes to the Assets tab in Patch Management.
Assigning a tag to an asset enables you to grant users access to that asset by assigning the same tag to the user's scope. Want to define tags? It's easy - just go to the Asset Management (AM) application.
To assign asset tags to the user:
1) Go to the Administration module and then, from the User Management tab, search for or select the user.
2) From the Quick Actions menu, click Edit.
3) On the User Edit screen, go to the Roles and Scopes tab.
4) In the Edit Scope section, select one or more asset tags that you want to assign to the user. Then click Save.
User Roles Comparison
The following table provides a comparison of privileges granted to user roles for Patch Management. Note that Assigned Jobs of a user are the jobs that the user has created or has permission to edit as a co-author.
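| Privileges | Patch Manager | Patch User | Patch Dashboard Author | Patch Reader | Patch Security |
| --- | --- | --- | --- | --- | --- |
| Manage License Permissions | | | | | |
| Manage License | Y | | | | |
| Assessment Profile Permissions | | | | | |
| Create Profile | Y | | | | |
| Edit Profile | Y | | | | |
| Delete Profile | Y | | | | |
| View Profile | Y | Y | Y | Y | Y |
| Deployment Job Permissions | | | | | |
| Change Job Owner(ship) | Y | | | | |
| View Any Job | Y | | | | |
| Edit Any Job | Y | | | | |
| Enable/disable any Job | Y | | | | |
| Delete Any Job | Y | | | | |
| Create job | Y | Y | | | |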