Before you go ahead with patch job creation for Windows assets, go through Managing Patch Jobs for Windows Assets, wherein the details about patch jobs for Windows assets are mentioned.
Navigate to Jobs > Windows tab and then go to Create Job > Deployment Job.
Note:
Optionally, you can go to the Assets tab > Windows and select the assets to which you want the patches to be applied. From the Quick Actions menu, click Add to New Job.
Optionally, you can go to the Patches tab > Windows. Select the patch to add to the new job and click Add to New Job from the Quick Actions menu.
Complete the following steps to create a Windows deployment job:
6. Schedule
7. Options
8. Job Access
9. Confirmation
Enter a job title and description, and click Next.
Refer to the following details, select the assets you want to apply patches to, and click Next.
The following two asset selection options are available:
- Manual Asset Selection: This option allows you to select assets manually.
- Import Assets: This option allows you to import the asset from the CSV file you upload.
Refer to the following manual asset selection steps:
i. Select assets or asset tags to which you want to apply the patches.
Want to add assets later? Go to the Assets tab, select one or more assets from the Quick Actions menu of a single asset, or from the Actions menu (bulk actions), click Add to Existing Job or Add to New Job. Once enabled, you cannot add assets later to On-Demand or run-once (non-recurring) jobs.
Note: Patches are deployed on the tags you select only for assets in the user's scope. The corresponding child tags are automatically selected when you select the asset tag.
- Select Any to include assets that have any of the selected tags.
- Select All to include only those assets in the patch deployment job with ALL the selected tags.
ii. (Optional) Select the Add Exclusion Assets check box to exclude specific assets from the deployment job.
Note: You can include and exclude a maximum of 50 assets from the job.
Note: Based on the selected options, the final list of assets is calculated considering included and excluded asset tags and included and excluded assets.
iii. (Optional) Select the Add Exclusion Asset Tags checkbox to exclude the assets from the deployment job with All/ANY of the selected asset tags.
Note: You can include and exclude a maximum of 50 asset tags from a job. To understand how final assets are determined for a job, see Which Assets are Included in a Job.
Refer to the import assets steps:
1. Click Import Assets.
2. Upload the CSV that includes the Assets you want to upload.
Important to Know!
- You can import a maximum of 5000 assets from the CSV file.
- The asset names are case-sensitive. Hence, you must include the correct asset name in the CSV file. Incorrectly spelled assets or assets not available in your subscription are not considered for import.
- The CSV file is validated during the import process, and the reasoning or error for skipped assets is also recorded. You can download the validated file and get these details. Note that the CSV file validation and import process might take longer based on the number of assets included, which increases the file size.
Select the Pre-action you want to execute on assets before the job starts and click Next. For more information, see About Pre-Actions and Post-Actions.
Important to Know!
If any of your assets were waiting for a system reboot, you needed to reboot such assets manually. Also, if the suppress reboot option is enabled, the asset reboot is suppressed unless you manually reboot it.
However, you are no longer required to do it. You can now automate a system reboot by creating a job that includes such assets and only a "System Reboot" pre-action.
Important: When you create a job, make sure that you select only a "System Reboot" pre-action and don't select any other pre-action, post-action, or patch options. Such a job will be prioritized, and the system reboot is automatically initiated when the job reaches the agent at the scheduled job time, even if it's waiting for another reboot.
i. Refer to the following details, select patches to apply to the assets, and click Next.
You can select one of the following patch selection options:
- Manual Patch Selection
- Automated Patch Selection
- Patch Selection from Another Job
Manual Patch Selection:
After you select the Manual Patch Selection option, click the Select patches link to select patches. On the Patch Selector page, you can use the Within Scope option to view missing patches within the scope of the selected assets or all available patches. Select the desired patches, click Add to Job, and click Close.
On the Select Patches pane of the deployment job wizard, click Available Patches if you want to add more patches to the job.
Automated Patch Selection: You can use the Qualys Query Language (QQL) to create criteria to automate the patches that need to be installed for a job based on vulnerabilities or patches. The query can be used for run-once and recurring jobs. You cannot use a combination of a QQL and Patch list to select patches added to a job. You must either create a job that is executed based on the query or choose the patches from the Patch List.
Click Preview to view available patches associated with assets and/or tags that can be added to the job.
Note:
- You can use vulnerability tokens to create a QQL-based job only if you have a subscription to the VMDR app. You can use the RTI tokens only if you have an active subscription to the Threat Protection app.
- During the automated patch selection, you can use the patches or vulnerabilities tokens individually or in combination.
Want to add patches later? Go to the Patches tab and select one or more patches. Then, click Add to Existing Job or Add to New Job from the Quick Actions menu of a single patch or the Actions menu (bulk actions). Once you enable On-Demand or run-once (non-recurring) jobs, you cannot add patches later.
You can add patches but not target assets or asset tags when you modify a patch job using the Add to Existing Job option from the Patches tab. To apply patches to an asset that is not added to the job, you can choose one of the following approaches:
1) Edit an existing job from the Jobs tab
2) Select the asset from the Assets tab and use the Add to Existing Job option
3) Create a new patch job for that asset.
Note: You can add a maximum of 2000 patches to a single job. Create another job to add patches above 2000. You can run the scheduled job daily, weekly, or monthly.
Patch Selection from Another Job: After you select the Patch Selection from Another Job option, click the Select the job to fetch patches link. From the Select Job window, select the job you want to fetch the patches from its latest run and click Apply.
Note:
- When you select and apply the job from which you want to fetch the patches from its latest run, its run cycle details, such as the previous and the next run are shown. The run cycle details are not shown for Run Once and On-demand jobs and jobs with the Disabled status.
- If the selected job has unresolved patches, no patches will be fetched for the job that you create. Also, when you view the job progress of the job that you created, the status will be shown as 'No patch available'.
ii. After selecting the required patches by using the options that are explained, click Next.
Select the post-action that you want to execute on the assets after the job is completed and click Next. For more information, see About Pre-Actions and Post-Actions.
Refer to the following details, complete the job schedule settings, and click Next.
i. Choose when to install the patches, whether On-Demand or Schedule.
- The On-Demand option lets you install the patches immediately once the job is created and enabled.
- The Schedule option allows you to install the patches at a set time. You can run the scheduled job daily, weekly, or monthly.
For more information, see Schedule Job Settings.
Good to Know!
- In case of scheduled jobs, you can enable opportunistic patch download from Options > Additional Job Settings to allow the Cloud Agent to download the required patches before a scheduled job run begins. This will help the Cloud Agent to deploy patches in less amount of time instead of waiting to download the patches only after a job run starts. The “Enable opportunistic patch download” is recommended to be enabled only for Jobs Scheduled beyond 3 hours of current time. Jobs scheduled less than 3 hours ahead are ideal for being an On-Demand job instead.
- Monthly jobs scheduled to run on the 31st of the month will be scheduled every two months (where the 31st date is available). You can schedule the job to run on the last day of the month which ensures that the job runs on the last day irrespective of whether the month has 28, 29, 30, or 31 days. For monthly jobs, you can also select the Patch Tuesday option to install patches released on a Patch Tuesday. For more information, see Scheduling Patch Tuesday Jobs.
Recurring jobs (Daily, Weekly, Monthly) should be enabled three hours before the scheduled time; otherwise, the next eligible schedule will be considered.
ii. (Optional) To configure a Patch Window, click Set Duration.
A Patching Window is used to enforce time-bound execution. The Patch Window can be set between 30 minutes to 168 hours or 10080 minutes.
iii. (Optional) To randomize download time, click Set Duration.
You can configure the Randomize Patch Download time period for Windows deployment jobs to download patches at random times after the job starts on the asset. This optimizes the network bandwidth utilization for a defined job across multiple assets that are part of the same job.
Tips:
The configured Randomize Download Time works only if the Windows Cloud Agent version 5.5.x or later is installed.
The Randomize Download Time cannot be more than the Patch Window.
The maximum Randomize Download Time limit is 2 hours or 120 minutes.
In the case of Scheduled jobs, if the Randomize Download Time is set, you can not enable the Opportunistic Patch Download.
Configure the communication options by referring to the following details on how to notify users about the patch deployment, and click Next.
You can configure pre-deployment messages, deferring the patch deployment certain number of times. You can also provide progress and completion messages. Finally, you can prompt the user or suppress reboot when asset reboot is required post patch installation.
These options are for reboot messages:
a) Suppress Reboot - This option allows you to patch systems in advance and defer reboot till the maintenance window.
Note: If you enable this option, the agent stops the subsequent patch scans or job deployments and starts again only after the reboot is done.
b) Reboot Request - Many patches require reboot in order to take effect. When enabled, it will show a message to users indicating that a reboot is required. If no user is logged in, the reboot will start immediately after patch deployment.
You can configure this option to give the user the option to either reboot the machine immediately after the patch is deployed or defer the reboot "x" number of times so that the user can save the work and complete other tasks. Reboot will defer until 1) the user clicks OK when reboot message is shown or 2) maximum number of deferments are reached.
c) Reboot Countdown - If deferment limit is set in the Reboot Request, then configure this option to show countdown message to users after deferment limit is reached. When reboot countdown is enabled, this gives the end user an indication of how long it will take before the system is rebooted.
See Reboot Settings
We highly recommend that when you create the job, fill out both the message and description fields for these options as this will have better performance in the agent/platform acknowledging the requests. Keep the messages very brief and the descriptions as detailed as possible.
d) Reboot Countdown Upon Login: While creating or editing the Windows deployment job, when the toggle next to this option is turned on, the reboot countdown time is counted for the end user only when the end user is logged in. If this toggle is turned off, the reboot countdown time is counted irrespective of whether the end user is logged in or logged out.
By default, the toggle next to the Reboot Countdown Upon Login option is in the turned off state.
Important to Know!
- Windows Cloud Agent version 5.7.0 is the prerequisite for this option.
- If the toggle next to the Suppress Reboot option is turned off, the Reboot Request, Reboot Countdown, and Reboot Countdown Upon Login options are not shown on the UI.
- If the toggles next to the Reboot Request and Reboot Countdown options are turned off, the Reboot Countdown Upon Login toggle is not available to use. When you turn on either of them, the Reboot Countdown Upon Login toggle is available to use.
You can choose to send email notifications for events, such as a job has started or a job has been completed on assets, to the intended recipients. You can enter a maximum of 50 email addresses. Also, the distribution list is not supported.
Important to Know!
- If the email notification is configured for a recurring job, you will receive it once per day for the job run. If the same recurring job is edited and scheduled again for the same day, you will not receive the email notification again on that day.
- The job completion email is sent after the job is sent to all agents, considering all agent timezones, and after the job completion criterion is met. When this is implemented, the email notifications might be impacted for that day.
- The email notifications are tracked for up to six months. Agent getting updates after six months might trigger false email notifications.
See the examples of the 'Patch Job Started' and 'Patch Job Completed' email notifications, respectively.
Enable the following additional job settings as per your requirement and click Next.
- Download Patches from the Internal Repository
- Enable opportunistic patch download
- Minimize job progress window
i. Turn the Download Patches from the Internal Repository toggle to On to allow cloud agents to download the patches from the internal repository server.
ii. Select the name of the internal repository server from the Select Name list. The URL associated with the server is auto-populated. Note that you can add only one internal repository server.
Note: You can enable this setting only if the Download Patches from the Internal Repository Subscription-level setting is enabled and the internal repository server and URL are entered. For more information, see the "Enabling Download Patches from the Internal Repository" section from the Subscription Level Settings topic.
When the job is created, you can see the internal repository details from the Options tab on the Job Details page.
Turn the Enable opportunistic patch downloads toggle On to allow downloading patches before execution for scheduled jobs to save time.
Turn the Minimize job progress window toggle On to minimize the job progress window shown on the machine when the patch job is in progress.
Choose Co-Authors for this job and click Next. The co-authors can perform job actions based on their permissions, such as editing the job.
Review your selections, and choose to Save or Save & Enable the job.
Note that the SuperUser or Administrator can change the job status (enable/disable), delete and edit the job.
- When you click Save, the job is saved, and its status is DISABLED. You can enable it later.
To run a job in the DISABLED state, you must enable it. To enable it, go to the Jobs tab and click Enable from the Quick Actions menu of a job.
- When you click Save & Enable, the job is saved and ENABLED. This option is available only when creating a Job the first time, not during editing the job.
The Save & Enable option should be chosen only when you are confident that the job is correctly configured because it's enabled and in a good-to-execute state.
Note:
You can use the Disable option to temporarily disable a scheduled job. Later, at your convenience, you can re-enable the job.
On-demand or run-once (nonrecurring) jobs cannot be edited or disabled once enabled.
See Enabling or Disabling Jobs
Want to roll back patches? See Roll back patches from assets.