I find it to be a common occurrence that after applying a patch to a system, a subsequent Qualys scan will still flag the system as vulnerable. This is a frequent scenario. After looking at the QID information, the usual reason is that there is a manual registry change that must be applied for the system to be considered fully protected. So there are "additional steps" required.
I have a few questions about this.
1. Why doesn't Microsoft apply the registry changes with the patch?
2. I would like to see patches that require additional steps be flagged as such, for easy identification.
3. The upcoming Patch Management module that Qualys has been working on, will it only deploy the patch or will it also deploy the "additional steps"?
4. I'd like to get a consensus of companies out there that bother with the additional steps, or do you simply instruct Qualys to ignore that QID during scans?