Qualys Response (Patch Deployment)

Qualys Patch Management (PM):

The Qualys app can be run on its own, but when combined with VMDR, patch management becomes much easier: patches can be prioritized and automated on a cadence based on scan results.

Patch downloads come from CDNs and can quickly be pushed from anywhere. All patches are validated twice (at download, then again by Qualys Malware Insights). Each patch is downloaded only once, saved to the Qualys Gateway Service host, and made available to all assets that need it.

Limit of 2000 patches per job. Patches can only be pushed to licensed assets.

Patches with the key icon cannot be downloaded by Qualys and must be applied with other methods.

Some patches cannot be rolled back by Qualys if something goes wrong. These can be seen with a similar search.

Deployment Jobs:

First, ensure the licenses are current for the assets: Configuration->License->select tags. This shows which assets will be available in PM.

From the Jobs tab in PM,

  1. Create Jobs->Deployment Job

  2. Fill in the Job name and description

  3. Select assets by name or using tags

  4. Go to Patch Selector and select the needed patches. Filter out old patches with (isSuperseded: false). Only patches in scope of the assets will be displayed by the Patch Selector. You can also filter down if you do not want to push all patches.

  5. Schedule the Deployment Job (on demand, weekly, monthly)

  6. Select the Communication Option. This sets the various endpoint countdown clocks and the prompts that nag the user into accepting the patch.

  7. Job access Permissions: Which users can edit this job.

  8. Confirmation/Review

Patch Jobs have 3 states: Enabled, Disabled, and Completed. Further details and actions are available from the quick actions drop-down for the job.
