Cloud Agent — Frequently Asked Questions

The following section highlights the commonly observed issues and their solutions:

Why does Qualys Windows Cloud Agent 6.0 require access to the Instance Metadata Service (IMDS) to provision?Why does Qualys Windows Cloud Agent 6.0 require access to the Instance Metadata Service (IMDS) to provision?

Qualys Windows Cloud Agent version 6.0 and later requires access to the cloud instance metadata service (IMDSv1 or IMDSv2) to retrieve the Instance ID during provisioning.

If the agent cannot fetch the Instance ID, provisioning fails and a warning similar to the following may appear in the agent logs: CAPI aborted due to failure or empty InstanceId while retrieving cloud metadata

This issue typically occurs when access to the metadata service is blocked by firewall rules, network policies, or missing IP/port whitelisting. Ensure the following endpoints are reachable from the host:

  • AWS / Azure VMs: 169.254.169.254:80
  • Azure Arc (Hybrid IMDS): localhost:40342

You can validate access by manually calling the metadata API from the affected system. If the API call fails, engage your cloud provider and internal network/security teams to allow metadata service access so the agent can successfully provision and communicate.

Why does the remote log request for a Windows Cloud Agent in Qualys stay in Processing, and how can it be fixed?Why does the remote log request for a Windows Cloud Agent in Qualys stay in Processing, and how can it be fixed?

If you encounter this issue while requesting logs, follow the steps outlined in the article below:

https://success.qualys.com/support/s/article/000007240

Once you complete these steps, you will be able to request logs remotely directly from your Qualys UI.

Why does Windows Cloud Agent deployment via scanner show a QualysAgentHealthCheck.exe error even though the status is PASSED?Why does Windows Cloud Agent deployment via scanner show a QualysAgentHealthCheck.exe error even though the status is PASSED?

This error occurs because the asset already has an existing Agent installed with an unsupported version (below 5.5). Older Agent versions do not support the latest QualysAgentHealthCheck.exe PowerShell script.

How to resolve:

  • Option 1: Uninstall the existing Agent and redeploy through the scanner scan job.
  • Option 2: Enable auto Agent update within the assigned Agent configuration profile.

Why does a Cloud Agent auto-update to the expected version even when an Agent Version Control (AVC) profile is in place?Why does a Cloud Agent auto-update to the expected version even when an Agent Version Control (AVC) profile is in place?

This usually happens when the AVC profile settings are not properly applied or prioritized. To resolve the issue:

  1. Ensure the Agent can communicate and check in with Qualys.
  2. Verify the AVC profile is assigned to the correct tag (matching the Agent assets).
  3. Check for multiple AVC profiles under the Cloud Agent module. If multiple profiles exist:
    • Go to Cloud Agent > Configuration > Agent Version Control profile tab.
    • Locate your AVC profile in the list and ensure it is in the desired order (higher priority is better).
    • If the affected AVC profile is not in the proper order, select Reorder and adjust the profile priority accordingly.

 

© 2026 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: April, 2026