Patch Management Release 3.10

November 09, 2025

Upload Software Installer Files to Qualys Cloud Storage   

You can now upload your software application installer files directly to Qualys Cloud Storage. This feature provides access to a secure, cloud-based repository within Qualys, with allocated storage space to save and manage your files. 

Prerequisite

To ensure Cloud Agents can access the Qualys CDN URLs, you must add these URLs in the allowlists for your network configurations to access them. To view the list of these URLs, see Qualys Patch Management Embraces CDN for Binary Distribution.

You can use this feature through the following two workflows:

  • From the Jobs tab: While creating a deployment job, on the Select Pre-actions tab, when you select the pre-action as the Install Software from the drop-down list, a new option, Upload File to Qualys Cloud, is now available. This allows you to store your installer files on the cloud storage to use during job execution.

  • From the Patches tab: When enabling the patches that are downloaded and acquired from the vendor, a new Upload File to Qualys Cloud option is now displayed. 

This feature provides access to a secure, cloud-based repository within Qualys, with allocated storage space to save and manage your files. For more details, see About Pre-Actions and Post-Actions and Enable Vendor Acquired Windows Patch.


- This feature is supported starting with Windows Cloud Agent version 6.3.
- Each user is allocated 15 GB of storage on the Qualys Cloud and can only upload a file up to 500MB at once.
-Supported file types for upload include .msi, .zip, .exe, 7z.

Add Assets to Jobs from the Assets Tab   

You can now create a new Patch Rollback Deployment, Isolation, or Isolation Rollback job from the Assets tab, or add assets to existing jobs. 
Previously, you could create these jobs through the Eliminations or Jobs tab. 
If an asset is not activated for the Patch Management or Isolation application, the Create Job and the Add  to Existing Job options will be disabled.

When selecting multiple assets for  a job, any assets  not activated for Patch Management or Isolation are excluded and listed in the Excluded Assets window.

Support for IPv6 in Isolation Exceptions 

You can now add IPv6 addresses to the Isolation Exceptions list when creating the Isolation Linux job for Linux assets. This enhancement allows isolated Linux assets to communicate with IPv6 machines. You can add the IPv6 addresses directly while creating the job.

 This feature works with Linux Agent 7.3.0 and later and will be available with Patch Management 3.11 release.


You can also add the IPv6 address through Configurations > Asset Isolation Exceptions > Allowed IPs.

Enhanced Report Download Options 

While downloading the report, you can now select the columns that you want to include in the report. This enhancement applies to reports from Patches, Assets, Job Progress, and Aggregated Job Progress tabs.

When you click Download, the Generate Report window opens. In this window:

  • All columns are pre-selected, you can further modify your selection of columns.

  • You must provide a report  name and select at least one column.

For Job Progress reports, if you select the Include Actions checkbox, all the columns under it are pre-selected. You can further modify your selection of action columns. To generate the report, you must enter the report name, select the required default columns, and include action columns when applicable.
With this release, the Job Progress report also generates the details of patches with the Skipped status.

Support Patching for Mac Platform 

We now support patching for Mac Tahoe 26.x operating system (OS). For more information on the supported operating systems, see Supported Mac Products.

Display Details for Skipped Mitigation Jobs

With this release, the detailed reasons for the Skipped mitigations in the job are now displayed on the View Job Progress page. 

Enhanced Script Output Visibility for Mitigation Jobs

With this release, we have extended the script output visibility to include Succeeded and Skipped mitigation jobs. Previously, script output was available only for Failed jobs.
To view the script output, navigate to the Job Progress page, and click on the number under the Mitigation Actions > Skipped column. Expand the Skipped status and click Show More for the individual skipped CVEs.

Support for Auth ID Client Management from UI    

With this release, we have extended our support for OpenID Connect Authentication Client Management capabilities from UI. This update allows for secure authentication and authorization of API access directly from the user interface. Our API interactions are now authenticated with enhanced security measures.

ID tokens are generated and validated with utmost security. This seamless integration requires minimal changes to the existing infrastructure, allowing to maintain the highest level of security for APIs.

Access Control

Manager users can create two types of clients based on access requirements:

  • User Level Clients: These clients are associated directly to individual user accounts, making them ideal for scenarios where user-specific access control is required. Users can access APIs and PM functionalities that are provided in this client.
    The token generated through the User Level client becomes invalid if the user is deactivated.
  • Subscription Level Clients: These are independent of user identities and offer broader access within the subscription. It means that the token generated through this client is tied to the subscription rather than an individual user.
    The token generated for a subscription-level client continues to function even if the user is deactivated.

 Currently, the Subscription Level clients are not supported by the Patch Management APIs.

Non-manager users are restricted to creating only User Level Clients, ensuring limited access control.

With the Auth ID Client Management from UI, you can:

  • Manage authentication and authorization processes more intuitively, providing a smoother user experience.
  • Easily handle API access permissions directly from the UI, simplifying the process of granting and revoking access when needed.
  • Maintain your existing workflows with minimal changes, enabling you to continue your tasks without the need to learn new processes extensively.

To access the client management tab, navigate to your profile icon, located at the top-right corner, and click View Profile  > Auth Id Client Management tab.

For client creation, select either User Level, and then click New Client.

Only users with manager privileges can view and access the Subscription Level tab.

While creating a client, you can select all modules at once or individual modules as required. You can also set various permissions including global permissions, dashboard permissions, tagging permissions, as well as API access. Depending upon these permissions a user can access the modules and their features that are assigned to the client.

Based on the permissions you select:

  • If the API Access permission is not enabled under Global Permissions >  Access, the API returns a response with this message:

    User does not have permission to access API module

  • If the  PM Access permission under Patch Management >    PM Permissions is not enabled, the API returns a response with this message: 

    User does not have permission to access PM module.

Once you click Create, a Client ID and Client Secret Key are automatically generated. The Client Secret Key is displayed only once. Make sure to copy and store it securely. This key is essential for generating JWT access tokens and cannot be retrieved later. For more information, refer to Patch Management Release 3.10 API.

New QQL Tokens

Refer to the following table to learn more about the new and updated tokens in this release.

Tab Token (New) Usage
  • Patches > Linux
  • Assets > Linux
  • Reports > Linux
  • Jobs > Linux >
    Create Deployment/Rollback Job
    > Select Patches > Manual Selection
  • Jobs > Linux >
    Create Deployment/Rollback Job
    > Select Patches > Automatic Selection
  • Jobs > Linux > Quick Actions > View Progress (For single jobs and aggregated jobs)
  • Jobs > Linux > Quick Actions > View Details > Patches
 patch.isRollback  To find the Linux patches that can be rolled back. 

Issues Addressed

The following reported and notable customer issues are fixed in this release.

Component/Category Description
PM - Job Windows An issue was observed where, for run-once patch jobs, duplicate entries for the assets were displayed on the Job Progress page and the generated report. 
The issue is now fixed and only single entries of the assets are displayed.
PM - UI The Reboot Deferred count on the patch Job Progress page, encountered the following issues:
  • If the number of deferrals available were 0, the count displayed a blank value, instead of 0. For example, it displayed "(3 of)" rather than the correct count "(3 of 0)".
  • The deferral count displayed the total available deferral counts rather than displaying the configured count in the job settings.
The issue is fixed and the deferral count now displays the correct count.
PM - Job Windows An issue was observed in which a job was stuck in the queue, pending execution. The issue is fixed and the job now executes successfully. 
PM - Job Windows An issue occurred in which the job status icons were greyed out after clicking on the status. The issue is fixed and the icons remain active after clicking the status.
PM - UI The following issues were observed for the PM Dashboard widgets:
  • In the Query Settings, after selecting the Assets option, if the Compare with another reference query checkbox was selected, the API failed to send the results.
  • In the Query Settings, if you selected the Assets option and specified multiple patch QQL tokens in the Patch Query field, inaccurate results were displayed.
  • In the Query Settings, with the Jobs option selected, if the Numerical widget type was selected, the result displayed zero count.
All issues have now been resolved, and the correct data is now displayed.
PM - UI An issue was observed with existing Bar type widgets, where if you selected any value in the Group By field, although the data appeared correctly, the bars displayed the term "Undefined" rather than the actual names.  
The issue is now fixed and the bars display the correct names.
PM - Reports An issue was observed where, when generating the patch report, the report was downloaded but displayed incomplete details with an error message: "The list of records is truncated, as it reached the maximum time limit to generate" at the end of the report. This issue occurred when unwanted records were printed in the report if the installed, missing, and superseded filter was selected
This issue is now fixed, and the report generates all the data without any error. 
PM - UI An issue was observed in which, although the patch job completes and displays the Completed status, the number of installed, skipped, and failed patches displayed zero count. 
The issue is now fixed, displaying the correct count.
PM - UI An issue was observed where the QQL token asset.lastRebootDate query returned inconsistent results with the assets displaying old last reboot date. 
The issue is now fixed, and the QQL token query displays the actual reboot date of the assets.
MTG - UI An issue was observed in which the QIDs on the VMDR application displayed inconsistent Mitigation icons. 
The issue is now fixed, and the VMDR application displays consistent Mitigation icons for the QIDs that are mitigable.
PM - Job Windows An issue was observed in which users were unable to delete a linked job. The issue occurred while removing the job linking, if no patches were selected and the job was tried to be saved, an error was displayed and after selecting the patches, the linked job details were removed from the UI, but remain linked from backend. 

This issue is now fixed, and the linked jobs have been completely removed, allowing users to delete them.
MTG - Jobs Scheduling An issue was fixed where assets displayed an incorrect message stating that Mitigation was not enabled, even though the Mitigation application was activated from the Cloud Agent side.
PM - Licensing An issue occurred where users were unable to enable ESU patching in Patch Management. This issue is now fixed with the required support enabled, and users can now perform ESU patching. 

API Release Updates

For more details on the API updates for this release, see Patch Management API Release 3.10.

 

 

© 2025 Qualys, Inc. All rights reserved. Privacy Policy.