Qualys Patch Management
To keep our computers safe and up to date, UVA and Engineering IT have started to employ Qualys Patch Management. This tool helps us automatically find and fix software vulnerabilities on Windows, Linux, and Mac systems, making sure we meet University and Engineering IT policies and standards.
Why are we doing this / Benefits for the School
- Meet Compliance: Automatically satisfy UVA security requirements and reduce the risk of disruption to network access.
- Enhanced Security: Vulnerabilities are addressed quickly, reducing cyber threat exposure.
- Minimal Disruption: Automated scheduling is designed to reduce work interruptions, with generous deferment options.
- Transparency: Clear visibility into needed patches and when they will be applied.
What You Can Expect
- Minimal disruption: We are designing the scheduled jobs to reduce the number of reboots and avoid interfering with your work. Additionally, deferment options will be provided for larger security patches requiring reboot.
- Improved security: Vulnerabilities are addressed quickly, reducing exposure to cyber threats.
- Allowed exceptions for research: If you are running a computational process that cannot be interrupted by a reboot, you may petition your Information Technology professional to reschedule a reboot cycle.
How It Works
- The system continuously scans your device to detect missing patches.
- It provides visibility into which patches are available, which have already been installed, which have ransomware or high severity implications, and which devices are high-risk due to lack of patches.
- Patches are deployed through scheduled jobs. Please see the Engineering patching schedule below.
Timeline and Transition
Through October and November, Engineering IT will be implementing Qualys patching initially for Windows systems, with macOS systems to be implemented later. For more details on its implementation, please talk to your IT Professionals.
Windows Patch systems and schedules
The Windows security patching process involves multiple systems that will apply patches on the following schedule:
- Weekly:
  - Browser updates: to ensure you are running the most current browser. These do not typically require rebooting.
  - Others: Future security updates that do not require rebooting.
- Monthly (Security Updates – typically require rebooting):
  - 2nd Tuesday: Microsoft releases patches. You may apply them through the Microsoft Update process at your convenience.
  - 3rd Monday: Any unapplied patches will be installed by SCCM. You will be prompted to reboot.
  - 3rd Friday: If the system has not been rebooted, a forced reboot will be enabled.
  - 1st Monday (of the following month): Qualys patching will be run to ensure any missed patches are applied. If necessary, a reboot will be enabled.
- Bi-monthly: More complex patching efforts that require additional programming and testing.
- Ad hoc: Occasionally, system vulnerabilities will be discovered that need to be rectified immediately. In those circumstances, patches will be pushed out quickly.
- Scheduled: Patches that pertain to research applications will be scheduled with PIs to ensure there is little disruption to their work.