Qualys Cloud Agent for Windows Release 6.4
January 29, 2026
With this release of Cloud Agent for Windows, we are introducing the following new features and enhancements.
ETM Identity Support for Windows
We have updated the Windows Cloud Agent to support a new Qualys module — ETM Identity. The ETM Identity is optimized for secure and efficient posture data collection from Active Directory (AD) Domain Controllers.
The ETM Identity collects identity-related data from AD objects via LDAP directory searches, packages the results, and securely uploads the data to the Qualys Platform for analysis.
This feature helps with visibility and assessment of identity-related cyber risks, including the generation of attack paths, risk insights, and remediation recommendations for Active Directory environments. It also supports domain trust map visualization across multiple forests and domains. The ETM Identity also helps with attack path generation and remediation insights.
| Required Application Version | ETM Identity 0.5 |
Database Assessment with Client Authentication
We have updated the Windows Cloud Agent to support client authentication for database assessments.
This enhancement verifies the user identity using a client certificate before retrieving database credentials from a vault (e.g, CyberArk). Only trusted users are allowed to fetch credentials and initiate DB assessments.
The Client Authentication is supported only for the CCP vaults. You must enable the Database Authentication for CCP to use this feature.
Key Capabilities
- Client certificate–based authentication
- Secure credential retrieval from vault servers
- Support for User Principle Name (UPN) and non-UPN username formats
- Improved access control
| Required Application Version | Cloud Agent Application 2.5.0 |
Proxy Randomization Enhancements
We have enhanced the proxy randomization feature to improve reliability and load distribution when multiple proxies are configured.
For each new outbound request, the agent randomly selects a proxy. If the selected proxy fails, the Cloud Agent attempts the remaining proxies before falling back to a direct connection. Chunk downloads continue to use the same proxy to ensure download consistency.
By default, proxy randomization is disabled. To enable this feature, use the QualysProxy.exe /r {on|off} parameter while configuring the proxy.
- /r on: Enables proxy randomization
- /r off: Disables proxy randomization
Example:
QualysProxy.exe /r on
Patch Management Enhancements
Feature Update Support for Windows OS and Applications
Cloud Agent for Windows now supports feature updates, allowing in-place upgrades within the same Windows OS or application family.
This enhancement enables administrators to deploy upgrades such as Windows 11 21H2 to 22H2 or SQL Server 2016 SP2 to SP3 using patch deployment jobs, without requiring a full OS reinstallation.
This feature is supported when:
- Upgrading in-place Windows OS feature
- Upgrading application service pack and feature
This feature is not supported when:
- Upgrading Windows 10 to Windows 11
- OS edition changes
- Reinstalling Clean OS
| Required Application Version | Patch Management 3.10.0 |
Override Reboot Support for Patch Deployment Jobs
We have added an Override Reboot option for patch deployment jobs. When enabled, this option allows patch jobs to execute even if a manual system reboot is pending from a previous patch deployment.
This enhancement helps ensure continuity of patch operations in environments where reboots are suppressed.
| Required Application Version | Patch Management 3.11.0 |
Disk Space Validation Before Patch Download
Before initiating patch downloads, Cloud Agent now validates available disk space on the target system.
The required disk space is calculated as:
Total Disk Space Required for Patch Download: (Total patch download size × 2) + 100 MB (SDK buffer) + 2 GB (threshold)
If sufficient disk space is not available, the patch job fails with an appropriate status code.
Enhanced Patch Failure Status Reporting
The agent now reports a completed with failure status for assets in patch jobs where patch installation or actions fail during execution.
In such cases, Cloud Agent reports:
- Patch state: 1
- Status code: 2036
This provides improved visibility into the patch execution process in the Patch Management user interface.
CPU Throttling Support for Patch Scan
We have introduced configurable CPU throttling for patch scans to prevent excessive CPU usage during scanning.
When enabled, patch scans are executed under the Cloud Agent’s CPU throttling limits, ensuring better resource control on the host system.
Important Notes
Enabling Cloud Agent CPU Throttling for Patch scans may result in:
- Patch scan duration may increase when CPU throttling is enabled
- Smaller patch windows may cause job timeouts due to an increase in scan duration.
| Required Application Version | Cloud Agent Application 2.5.0 |
Behavior Changes
There are no behavior changes in this release.
Platform Coverage Support
There is no new platform coverage added in this release.
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| On-demand scan | Cloud Agent could not launch the on-demand scan because of a pending delta from previous scans. Now, Cloud Agent logs clearly highlight the scan failure information in Cloud Agent logs. |
| CPU Throttling | Cloud Agent was causing high CPU usage during the patch management scans. We fixed this issue by implementing the CPU throttle limits for Patch Management. |
| Cloud Agent Upgrade | We fixed an issue where Cloud Agent could not be upgraded to new versions due to a discrepancy in the Cloud Agent permissions. |
| Cloud Agent Installation | We fixed an issue where the Cloud Agent upgrade failed due to a missing MSI cache file, leading to an inconsistent agent installation state. |
| Cloud Agent Scans | We fixed an issue where the scan status was not reported correctly on Cloud Agent user interface. |
| Cloud Agent Service | We fixed a known issue where the Cloud Agent service was crashing and creating minidump files on host assets. |
| Manifest Download | We fixed an issue where the updated manifests were not downloaded because the Cloud Agent was stuck in decompressing the uncompressed self-patch binary. |
| Patch Management-False Negative | We fixed an issue where patch management reported missing patches for the unsupported Windows platforms. Now, Cloud Agent no longer reports missing patches for unsupported platforms. |
| Patch Installation | Patch installation was incorrectly reported as failed due to the system reboot during patch installation. Now we scan the failed patches after reboot to ensure the correct patch status. |
| Patch Installation | We fixed an issue where Cloud Agent could not install patches when a single QGS proxy was configured and direct connection was disabled. |
| EDR Activation | We fixed an issue where the Endpoint Detection and Response (EDR) application could not be activated by updating the EDR buffer memory allocation. |
| SwCA Scan | We fixed an issue where SwCA scans failed when scanning a non-standard package file with an unsupported format. |
| SwCA Scan | The SwCA Scans were failing as Cloud Agent could not retry the scan delta upload. We fixed this issue by implementing the scan delta upload retry mechanism. |
Known Issues, Limitations, and Workarounds
Patches installed with Windows Cloud Agent 6.3 or earlier versions, and have Pending Reboot status, display the status as Failed when Cloud Agent is upgraded to the latest version 6.4. The patch status is not updated even after a system reboot.
Workaround: If there are patch jobs with Pending Reboot status, restart your system before upgrading Cloud Agent to version 6.4.