Creating Default Patch Job
A default patch deployment job deploys patches to assets that have been inactive for a certain duration and to newly activated assets. Default jobs are tag based; you cannot add individual assets to them. A default deployment job can be created for Windows, Linux, and Mac assets.
You can configure the number of days an asset must have been inactive before patches are deployed to it. You can also choose to run the job on newly activated assets that belong to an asset tag included in the default job, and you can exclude asset tags on which the job must not run.
- Default job supports only adding asset tags and not individual assets explicitly to the job.
- Each user can create a maximum of 20 default jobs for each of the Windows, Linux, and Mac platforms.
Navigate to Jobs > Windows tab and then go to Default Jobs > Create Job.
Complete the following steps to create a Windows deployment job:
- Basic Information
- Conditions
- Select Pre-actions
- Select Patches
- Select Post-actions
- Options
- Job Access
- Review and Confirm
1. Basic Information
Enter a job title and description, and click Next.
2. Conditions
Refer to the following steps to configure the conditions:
- Select the asset tags to which you want to apply patches.
- (Optional) Select the Add Exclusion Asset Tags checkbox to exclude from the deployment job the assets that carry ALL or ANY of the selected exclusion asset tags.
- Select the Condition for inactive asset checkbox if you want the job to run on inactive assets. In the Asset Inactive Days field, enter the number of days an asset must have been inactive for the job to run on it.
The number of inactive days must be between 3 and 180.
- Select the Include new asset checkbox if you want to run the job on the assets that are newly activated and part of the asset tag that you included in the job.
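As an added illustration, not code from the Qualys product, the following Python model shows how the Conditions step narrows the target set: tag scope, ALL/ANY exclusion tags, the 3 to 180 inactive-day range, and the new-asset option. The asset inventory, tag names, and the one-day window used for "newly activated" are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

NEW_ASSET_WINDOW_DAYS = 1  # assumption: "newly activated" = activated within the last day

@dataclass
class Asset:
    name: str
    tags: set
    last_seen: date    # last agent check-in; drives the inactive-days condition
    activated: date    # agent activation date; drives the new-asset condition

@dataclass
class DefaultJob:
    include_tags: set
    exclude_tags: set = field(default_factory=set)
    exclude_mode: str = "ANY"      # exclude when ANY or ALL of the exclusion tags match
    inactive_days: int = 0         # 0 = inactive-asset condition not enabled
    include_new_assets: bool = False

    def __post_init__(self):
        # The wizard only accepts 3..180 inactive days when the condition is enabled.
        if self.inactive_days and not 3 <= self.inactive_days <= 180:
            raise ValueError("Asset Inactive Days must be between 3 and 180")

def is_targeted(job, asset, today):
    if not job.include_tags & asset.tags:            # outside the job's tag scope
        return False
    hits = job.exclude_tags & asset.tags
    if job.exclude_mode == "ANY" and hits:            # any exclusion tag is enough
        return False
    if job.exclude_mode == "ALL" and hits and hits == job.exclude_tags:
        return False
    inactive = job.inactive_days and (today - asset.last_seen).days >= job.inactive_days
    new = job.include_new_assets and (today - asset.activated).days <= NEW_ASSET_WINDOW_DAYS
    return bool(inactive or new)   # neither condition enabled -> the job targets nothing

def select_assets(job, assets, today):
    return [a.name for a in assets if is_targeted(job, a, today)]

# Constructed sample inventory; tag and host names are illustrative only.
TODAY = date(2024, 6, 1)
OLD = TODAY - timedelta(days=400)
ASSETS = [
    Asset("lab-01", {"Windows", "Lab"}, TODAY - timedelta(days=10), OLD),
    Asset("lab-02", {"Windows", "Lab", "Critical"}, TODAY - timedelta(days=10), OLD),
    Asset("new-01", {"Windows"}, TODAY, TODAY),
    Asset("busy-01", {"Windows"}, TODAY, OLD),
    Asset("mac-01", {"Mac"}, TODAY - timedelta(days=30), OLD),
]
JOB = DefaultJob({"Windows"}, {"Critical"}, "ANY", inactive_days=7, include_new_assets=True)
```

Running `select_assets(JOB, ASSETS, TODAY)` returns only the inactive lab host and the newly activated host; the tagged-Critical host is excluded and the active, long-standing host is untouched.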
3. Select Pre-actions
Select the Pre-action you want to execute on assets before the job starts and click Next. For more information, see About Pre-Actions and Post-Actions.
Important to Know
Previously, if any of your assets were waiting for a system reboot, you had to reboot them manually. Also, if the Suppress Reboot option is enabled, the reboot is suppressed until you reboot the asset manually.
This is no longer required. You can now automate the system reboot by creating a job that includes such assets and only a "System Reboot" pre-action.
When you create a job, make sure that you select only a "System Reboot" pre-action and don't select any other pre-action, post-action, or patch options. Such a job will be prioritized, and the system reboot is automatically initiated when the job reaches the agent at the scheduled job time, even if it's waiting for another reboot.
If you find the pre-action option disabled, contact your administrator to get the required permissions. You must have the Patch Action Manager role assigned to configure the pre-actions. For more information, see User Roles and Permissions.
4. Select Patches
Refer to the following details, select the patches to apply to the assets, and click Next.
You can select one of the following patch selection options: Manual Patch Selection, or automated selection based on a QQL query.
After you select the Manual Patch Selection option, click the Select patches link to select patches. On the Patch Selector page, you can use the Within Scope option to view missing patches within the scope of the selected assets or all available patches. Select the desired patches, click Add to Job, and click Close.
On the Select Patches pane of the deployment job wizard, click Available Patches if you want to add more patches to the job.
You can use the Qualys Query Language (QQL) to create criteria to automate the patches that need to be installed for a job based on vulnerabilities or patches. The query can be used for run-once and recurring jobs. You cannot use a combination of a QQL and Patch list to select patches added to a job. You must either create a job that is executed based on the query or choose the patches from the Patch List.
Click Preview to view available patches associated with assets and/or tags that can be added to the job.
- You can use vulnerability tokens to create a QQL-based job only if you have a subscription to the VMDR app. You can use the RTI tokens only if you have an active subscription to the Threat Protection app.
- During the automated patch selection, you can use the patches or vulnerabilities tokens individually or in combination.
You can add a maximum of 2000 patches to a single job. Create another job to add patches above 2000. You can run the scheduled job daily, weekly, or monthly.
5. Select Post-actions
Select the post-action that you want to execute on the assets after the job is completed and click Next. For more information, see About Pre-Actions and Post-Actions.
If you find the post-action option disabled, contact your administrator to get the required permissions. You must have the Patch Action Manager role assigned to configure the post-actions. For more information, see User Roles and Permissions.
6. Options
Configure the communication options by referring to the following details on how to notify users about the patch deployment, and click Next.
Deployment Messages
You can configure pre-deployment messages that let the user defer the patch deployment a certain number of times. You can also provide progress and completion messages. Finally, you can prompt the user or suppress the reboot when an asset reboot is required after patch installation.
Reboot Messages
These options are for reboot messages:
a) Suppress Reboot: This option allows you to patch systems in advance and defer the reboot until the maintenance window.
If you enable this option, the agent stops subsequent patch scans and job deployments and resumes them only after the reboot is done.
b) Reboot Request: Many patches require a reboot to take effect. When enabled, a message is shown to users indicating that a reboot is required. If no user is logged in, the reboot starts immediately after patch deployment.
You can configure this option to give the user the choice of rebooting the machine immediately after the patch is deployed or deferring the reboot "x" number of times so that the user can save work and complete other tasks. The reboot is deferred until either 1) the user clicks OK when the reboot message is shown or 2) the maximum number of deferments is reached.
c) Reboot Countdown: If a deferment limit is set in the Reboot Request, configure this option to show a countdown message to users after the deferment limit is reached. When the reboot countdown is enabled, the end user sees how long it will be before the system is rebooted.
See Reboot Settings. We highly recommend that you fill out both the message and description fields for these options when you create the job, because the agent and platform acknowledge the requests more reliably when both are present. Keep the messages very brief and the descriptions as detailed as possible.
d) Reboot Countdown Upon Login: While creating or editing the Windows deployment job, when the toggle next to this option is turned on, the reboot countdown time is counted for the end user only when the end user is logged in. If this toggle is turned off, the reboot countdown time is counted irrespective of whether the end user is logged in or logged out.
By default, the toggle next to the Reboot Countdown Upon Login option is in the turned off state.
Important to Know
- Windows Cloud Agent version 5.7.0 is the prerequisite for this option.
- If the toggle next to the Suppress Reboot option is turned off, the Reboot Request, Reboot Countdown, and Reboot Countdown Upon Login options are not shown on the UI.
- If the toggles next to the Reboot Request and Reboot Countdown options are turned off, the Reboot Countdown Upon Login toggle is not available to use. When you turn on either of them, the Reboot Countdown Upon Login toggle is available to use.
e) Always Show Patch Job Deployment Completion Pop-Up Window: Turn on this toggle while creating or editing the Windows job. The patch job deployment completion pop-up message is then shown on patched machines for Windows deployment jobs regardless of whether the patches failed, were skipped, or were deployed successfully.
Windows Cloud Agent version 6.1.x or later is the prerequisite to show the patch job deployment completion pop-up message.
Additional Job Settings
Enable the following additional job settings as per your requirement and click Next.
- Download Patches from the Internal Repository
- Enable opportunistic patch download
- Minimize job progress window
- Reattempt failed patches
Download Patches from the Internal Repository
i. Turn the Download Patches from the Internal Repository toggle to On to allow cloud agents to download the patches from the internal repository server.
ii. Select the name of the internal repository server from the Select Name list. The URL associated with the server is auto-populated. Note that you can add only one internal repository server.
You can enable this setting only if the Download Patches from the Internal Repository Subscription-level setting is enabled and the internal repository server and URL are entered. For more information, see the "Enabling Download Patches from the Internal Repository" section from the Subscription Level Settings topic.
When the job is created, you can see the internal repository details from the Options tab on the Job Details page.
Enable opportunistic patch download
This option is not supported for the default deployment job.
Minimize job progress window
Turn the Minimize job progress window toggle On to minimize the job progress window shown on the machine when the patch job is in progress.
Reattempt failed patches
Turn On the Reattempt failed patches toggle to reinstall the failed patches within the same deployment job. You can configure the number of reattempts and the time interval between consecutive attempts to install the failed patches.
The default number to reattempt the failed patches is 1, and the default time interval is 5 seconds.
7. Job Access
Choose Co-Authors for this job and click Next. The co-authors can perform job actions based on their permissions, such as editing the job.
8. Review and Confirm
Review your selections, and choose to Save or Save & Enable the job.
Note that the SuperUser or Administrator can change the job status (enable/disable), delete and edit the job.
- When you click Save, the job is saved, and its status is DISABLED. You can enable it later.
To run a job in the DISABLED state, you must enable it. To enable it, go to the Jobs tab and click Enable from the Quick Actions menu of a job.
- When you click Save & Enable, the job is saved and ENABLED. This option is available only when creating a Job the first time, not during editing the job.
The Save & Enable option should be chosen only when you are confident that the job is correctly configured because it's enabled and in a good-to-execute state.
You can use the Disable option to temporarily disable a scheduled job. Later, at your convenience, you can re-enable the job.
On-demand or run-once (nonrecurring) jobs cannot be edited or disabled once enabled.
See Enabling or Disabling Jobs.