Enable Vendor Acquired Windows Patch

Users with the Patch Manager, Patch User, and Patch Security roles can enable and edit vendor-acquired patches and add them to Windows deployment jobs.

Identify the “AcquireFromVendor” type patches available for adding to Windows deployment patch jobs by navigating to the Patches > Windows tab.

By running the “downloadMethod:AcquireFromVendor” QQL query, you can see patches available for enablement.

Patches with the Lock icon are available for enablement.

Patches with the Unlock icon are enabled for adding to patch jobs.

Refer to the following sections:

Enabling Vendor-Acquired Patch

You can enable the “AcquireFromVendor” type of Windows patches, and then you can add them to existing or new Windows deployment jobs.

For on-demand jobs, vendor-acquired patch enablement requires Cloud Agent version 5.2 or later.

Complete the following steps:

  1. Go to the Patches > Windows tab, and run the “downloadMethod:AcquireFromVendor” QQL query. Patches with the Lock icon are available for enablement.
  2. Select the check box next to the patch you want to enable and click Enable Patch.

  3. From the "Enter Repository URL or Upload File" page, select either of the following:
    1. Use Existing URL: This option is pre-selected by default. Complete the following steps:

      1. Select the required language, for example, All Languages, from the Language Support list.
      2. Enter the respective local repository URL in the URL field, and click Add. You can enter both the HTTP and HTTPS types of links.
      3. After the URL is added, click Add URLs.
        Note: You can also find the vendor URL on this page. Click the VENDOR URLS tab, and then click the Copy icon next to the vendor URL. The page also shows an Add Patch Process representation, which you can hide by clicking Remove.
        A message is shown. Click OK to close it.

    2. Upload File to Qualys Cloud: You can upload your installer files to the Qualys Cloud storage. Each subscription is allocated 15 GB of storage on the Qualys Cloud, shared across all users within the subscription, and a single upload can be at most 500 MB. The supported file types for upload are .exe and .msi.

      This feature is supported starting with Windows Cloud Agent version 6.3.


      1. Select the required language, for example, All Languages, from the Language Support list.
      2. Click Browse to upload the installer file and then click Add. 
      3. (Optional) Click the edit icon to edit the uploaded file, or X to remove it.
      4. Click Add URLs. 

        To ensure Cloud Agents can access the Qualys CDN URLs, add the following URLs to the allowlists in your network configuration.

        URLs to be added in Allowlists

        The patch you selected is now enabled. You can now add the patch to the Windows deployment job.

        When you view the details of that patch from the Basic Information tab, you can see the custom repository you entered.
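A pre-upload check for the Upload File to Qualys Cloud option, as an added example that is not part of the Qualys documentation: it applies the page's stated limits (.exe or .msi, 500 MB per upload) and goes further by confirming that the file header matches its extension and returning a SHA-256 to compare with the hash the vendor publishes. The function names, the decimal reading of 500 MB, and the header check are assumptions of this example.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# Limits taken from the page: .exe/.msi only, at most 500 MB per upload.
# Assumption: "MB" is read conservatively as 10**6 bytes.
ALLOWED = (".exe", ".msi")
MAX_UPLOAD_BYTES = 500 * 10**6
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header used by MSI

def sniff(head):
    """Guess the real type from the first bytes, ignoring the file name."""
    if head.startswith(OLE_MAGIC):
        return ".msi"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        pe_off = struct.unpack_from("<I", head, 0x3C)[0]  # e_lfanew field
        if head[pe_off:pe_off + 4] == b"PE\0\0":
            return ".exe"
    return None

def preflight(path, max_bytes=MAX_UPLOAD_BYTES):
    """Return (problems, sha256_hex); an empty problems list means OK."""
    p = Path(path)
    problems = []
    ext = p.suffix.lower()
    if ext not in ALLOWED:
        problems.append(f"unsupported extension {ext!r}")
    size = p.stat().st_size
    if size > max_bytes:
        problems.append(f"{size} bytes exceeds the {max_bytes}-byte upload limit")
    digest = hashlib.sha256()
    with p.open("rb") as fh:
        head = fh.read(4096)  # enough for typical PE header offsets
        digest.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    if ext in ALLOWED and sniff(head) != ext:
        problems.append(f"content does not look like a {ext} file")
    return problems, digest.hexdigest()

if __name__ == "__main__":  # constructed MZ/PE stub below, not a real installer
    stub = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    with tempfile.TemporaryDirectory() as d:
        for name in ("sample.exe", "sample.msi"):
            f = Path(d, name)
            f.write_bytes(stub)
            problems, sha = preflight(f)
            print(name, "OK" if not problems else problems, sha[:16])
```

The second sample is flagged because a PE stub saved with an .msi name does not carry the compound-file header.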

           

Adding Patch to Windows Deployment Job

After enabling the patch, you can add it to an existing or a new Windows deployment job.

Complete the following steps:

1.  Go to the Patches > Windows tab, and run the "enabledVendorAcquiredPatches:true" QQL query. Patches with the Unlock icon are enabled for adding to patch jobs.

2.  Select the check box next to the patch you want to add to the deployment job, and click Add to Existing Job or Add to New Job as required.

You can also add multiple patches to an existing job or a new job. 

-  If you click Add to Existing Job, you are navigated to the "Add Patches: Existing Deployment Jobs" page. Select the check box next to the job and click Add. The Adding Patches window is shown, confirming that the patch has been successfully added. Click Continue.

Note: Make sure that you turn the Enable opportunistic patch download toggle to ON from the job you selected.

-  If you click Add to New Job, you are navigated to the "Create: Windows Deployment Job" page. Complete the Windows Job creation steps, and the patch is added to the new Windows deployment job. 

Note: While completing step 4 - Select Patches, you can see that the patch you enabled is automatically added to the new job that you are creating.

While completing step 7, make sure you turn the Enable opportunistic patch download toggle to ON.

Important to Know

If you modify a patch after enabling it and adding it to a job, the edits are reflected if and when the job manifests are triggered for active or ongoing jobs. Active or ongoing jobs are the ones for which we are still waiting to receive results from the agent.