Advanced Patching Strategies Settings
A Patching Strategy template contains specific fields that you can configure to make a unique Patching Strategy for your environment. Tenable recommends opening an existing strategy that contains most of the configuration items you want, and then saving it with a new name and description. The configuration options are the same whether you create a new strategy or modify an existing strategy.
Each Advanced Patching Strategy has many customizable settings, and many of them are assembled from building blocks: reusable objects that you can share across multiple strategies. Each building block can be created separately, outside of the New Strategy setup.
The following table shows each setting and a link for more information regarding its related building block.
| Setting | Building Block |
|---|---|
| General Settings | None |
| Products | None |
| Trigger Metadata Properties | None |
| Deployment Settings | Deployment Waves, Deployment Bots, Patching Processes, Deployment Channels, Business Units |
| Approval Chains | Approval Chains |
| Notifications | Notification Chains, Notification Bots |
| Customer Extension Data | None |
| Content Prestaging Settings | None |
| Business Unit Addition Settings | |
General Settings
General settings let you give the strategy a unique name that reflects what it does, an optional description that explains the Patching Strategy in more detail, and a toggle that enables the Strategy for use.
Products
In TPM, the configuration options give you several places to select or exclude software products for a patching strategy. Options include making product selections when creating a strategy, exempting products from Business Units, and more.
For more information about the products available with TPM, refer to Software Products.
Note: When you add Business Units to a Strategy, the Patching Exceptions set for the Business Unit take precedence over the Product settings in the Patching Strategy.
- Include All Products: When toggled ON, every product is included in your patching strategy, and the Included Products field changes to Excluded Products. This is an efficient way to take all products and then exclude only the ones you do not want.
- Included Products: Lets you choose a small subset of products for your strategy. Available when Include All Products is toggled OFF.
- Include All Platforms: Only available when Include All Products is toggled ON. Lets you specify which platforms to add to your strategy; only products applicable to the selected platforms are added.
Trigger Metadata Properties
Tenable provides several Trigger Metadata Properties, including properties specific to Tenable and Windows Defender Antivirus.
If a trigger metadata property changes in a given patch, and the patch meets each of the requirements below, the Patching process re-presents the patch to the Patching Strategy.
For example, a patch that was originally marked not applicable would normally never download. However, if you have Falcon.KnownExploitExists selected as a Trigger Property, Tenable will re-check that value. If the Falcon.KnownExploitExists status changes, that patch may move from not applicable to applicable, causing it to be reconsidered by the Patching Strategy.
The changed patch must:
- Belong to a product included in the strategy.
- Be applicable on at least one device in the chosen Business Unit(s).
- Have been presented previously.
Deployment Settings
Deployment settings in a Patching Strategy include choosing a Deployment Wave, creating a Deployment Bot Runtime configuration, and choosing whether to present each patch to the first matching Deployment Bot only (disabled by default). When you customize an existing Patching Strategy (recommended), these settings may already contain tables of configuration selections other than the defaults.
- Deployment Wave: You can choose a Deployment Wave that targets selected Business Units in order to load-balance the rollout of deployments.
  Tenable provides a Single Wave-All Clients Deployment Wave, which includes a Business Unit called All Clients Business Unit. For more information on the available templates for Deployment Waves, see Deployment Waves.
- Deployment Bot Runtimes: In Patching Strategy templates, the Create Deployment Bot Runtime dialog provides a single location to add processes to your Patching Strategy. Use these settings for more advanced operations.
  For example, when you have multiple Business Units that require the same Patch Deployment Bot but use a different Patching Process and schedule, you can create multiple Deployment Bot Runtime combinations to patch according to the different requirements.
  When creating the Deployment Bot Runtime, you can include the following:
  - Patch Deployment Bot (see Deployment Bots)
  - Patching Process (see Patching Processes)
  - (Optional) Deployment Channel (see Deployment Channels and Deployment Channel Processes)
  - Business Units (see Business Units)
  Note: The Business Units you add here must be the same Business Units included in the Patching Strategy Deployment Wave. If you select other Business Units here, or select All Business Units, the Patching Strategy takes no action on the ones that do not match the Deployment Wave settings.
- Patching Process Settings: These Patching Processes execute to handle the approval and optional deployment of patches. Patching Processes defined here must match the Patching Processes defined in any Patch Deployment Bots within this strategy.
- Present each Patch only to first matching Deployment Bot: This toggle controls whether the Patching Strategy stops presenting a patch to Deployment Bots as soon as it finds the first matching Deployment Bot. If you enable this behavior, be sure to order the Bots in your Deployment Bot Runtime from most important to least important, because only the first match is used.
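The two rules above that are easy to get wrong in practice are the re-presentation test for Trigger Metadata Properties (a changed patch must belong to an included product, apply to at least one device in the wave's Business Units, and have been presented before) and the way a Deployment Bot Runtime's Business Units are reconciled with the Deployment Wave before the first-matching-bot toggle is applied. The following is an added illustration, not Tenable's code: it models both rules on constructed inventory data. The inventory, the `Patch`/`BotRuntime`/`Strategy` classes, the bot names and the idea that a bot "matches" a patch when the patch applies to a device in that bot's in-wave Business Units are all assumptions made for the example.

```python
"""Constructed model of two Patching Strategy rules described on this page.
Illustrative only; not Tenable's implementation. All names and data are made up."""
from dataclasses import dataclass, field


@dataclass
class Patch:
    patch_id: str
    product: str
    applicable_devices: frozenset          # devices the patch applies to
    presented_before: bool                 # has the strategy already seen it?
    metadata: dict = field(default_factory=dict)  # trigger property -> value


@dataclass
class BotRuntime:
    bot: str
    business_units: frozenset              # Business Units chosen in the runtime


@dataclass
class Strategy:
    products: frozenset
    trigger_properties: frozenset          # selected Trigger Metadata Properties
    wave_business_units: frozenset         # Business Units targeted by the Deployment Wave
    runtimes: list                         # ordered most important first
    first_match_only: bool = False


# Constructed inventory (assumption): Business Unit -> devices it contains.
DEVICES_BY_BU = {
    "HQ": frozenset({"srv01", "srv02"}),
    "Lab": frozenset({"lab01"}),
    "Branch": frozenset({"br01"}),
}


def devices_in(business_units):
    """Union of the devices that belong to the given Business Units."""
    found = set()
    for bu in business_units:
        found |= DEVICES_BY_BU.get(bu, frozenset())
    return found


def changed_trigger_properties(strategy, before, after):
    """Selected trigger properties whose value differs between two snapshots."""
    return {p for p in strategy.trigger_properties
            if before.metadata.get(p) != after.metadata.get(p)}


def is_re_presented(strategy, before, after):
    """True only if a selected trigger property changed AND the patch belongs to
    an included product AND applies to a device inside the wave's Business Units
    AND was presented previously (the three requirements on this page)."""
    if not changed_trigger_properties(strategy, before, after):
        return False
    if after.product not in strategy.products:
        return False
    if not (after.applicable_devices & devices_in(strategy.wave_business_units)):
        return False
    return after.presented_before


def effective_business_units(strategy, runtime):
    """Runtime Business Units that also appear in the Deployment Wave; the
    strategy takes no action on any others."""
    return runtime.business_units & strategy.wave_business_units


def route_patch(strategy, patch, first_match_only=None):
    """Return [(bot, sorted in-wave Business Units), ...] the patch goes to.
    Assumption: a bot matches when the patch applies to a device in its
    effective Business Units. With first-match-only, stop after the first hit."""
    stop_early = strategy.first_match_only if first_match_only is None else first_match_only
    presented = []
    for runtime in strategy.runtimes:
        bus = effective_business_units(strategy, runtime)
        if patch.applicable_devices & devices_in(bus):
            presented.append((runtime.bot, sorted(bus)))
            if stop_early:
                break
    return presented


STRATEGY = Strategy(
    products=frozenset({"Chrome"}),
    trigger_properties=frozenset({"Falcon.KnownExploitExists"}),
    wave_business_units=frozenset({"HQ", "Lab"}),
    runtimes=[
        BotRuntime("pilot-bot", frozenset({"Lab"})),
        BotRuntime("prod-bot", frozenset({"HQ", "Branch"})),  # Branch is outside the wave
        BotRuntime("catchall-bot", frozenset({"HQ", "Lab", "Branch"})),
    ],
    first_match_only=True,
)

# Constructed patches: the same patch before/after its exploit flag flipped.
CHROME_BEFORE = Patch("P-1", "Chrome", frozenset({"srv01", "lab01"}), True, {"Falcon.KnownExploitExists": False})
CHROME_AFTER = Patch("P-1", "Chrome", frozenset({"srv01", "lab01"}), True, {"Falcon.KnownExploitExists": True})
JAVA_BEFORE = Patch("P-2", "Java", frozenset({"srv01"}), True, {"Falcon.KnownExploitExists": False})      # product not included
JAVA_AFTER = Patch("P-2", "Java", frozenset({"srv01"}), True, {"Falcon.KnownExploitExists": True})
BRANCH_BEFORE = Patch("P-3", "Chrome", frozenset({"br01"}), True, {"Falcon.KnownExploitExists": False})   # device outside the wave
BRANCH_AFTER = Patch("P-3", "Chrome", frozenset({"br01"}), True, {"Falcon.KnownExploitExists": True})

if __name__ == "__main__":
    for before, after in [(CHROME_BEFORE, CHROME_AFTER), (JAVA_BEFORE, JAVA_AFTER), (BRANCH_BEFORE, BRANCH_AFTER)]:
        print(after.patch_id, "re-presented:", is_re_presented(STRATEGY, before, after))
    print("first match only:", route_patch(STRATEGY, CHROME_AFTER))
    print("all matches:", route_patch(STRATEGY, CHROME_AFTER, first_match_only=False))
```

Running it shows that P-1 is re-presented while P-2 (wrong product) and P-3 (only applicable in a Business Unit the wave does not target) are not, that `prod-bot` silently loses its Branch target because Branch is not in the wave, and that with the first-match toggle on, only `pilot-bot` ever sees P-1, which is why bot ordering matters when that toggle is enabled.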
Approval Chains
This setting allows you to add various approval chains to your patching strategy.
See Approval Chains for more information.
- Product Owner: Approval Chain for Product Owners. The Patching Process Workflow can use this chain for obtaining product owner approvals if desired.
- Patch Management: The Patching Process Workflow can use this chain for obtaining patch manager approvals if desired.
- Security: The Patching Process Workflow can use this chain for obtaining security team approvals if desired.
- Test Lab: The Patching Process Workflow can use this chain for obtaining test lab owner approvals if desired.
- Change Management: The Patching Process Workflow can use this chain for obtaining change manager approvals if desired.
- Custom Approval Chains: Custom Approval Chains serve specific business needs. The Patching Process Workflow can retrieve and use these chains to extend and customize the product.
- Approval Merging Behavior: This field determines how approvals are merged in Patching Cycles when multiple approvals target the same patch.
Notifications
Patching Strategy, Deployment Channel, and Business Unit objects include a Notifications dialog where you can configure notification details. The configuration choices differ slightly for each object.
- Notification Chain: Notification Chains send notifications to the administrator roles you specify, informing them about pending deployments. They exist in the object templates for Patching Strategies, Deployment Channels, and Business Units. See Notification Chains for more information.
- Patch Notification Bots: This setting lets you choose an existing Notification Bot or create a new one.
- Notification Settings: The Notification Settings specify the notification urgencies supported by your Patching Strategy, its schedule(s), and a Notification Cycle Workflow.
Customer Extension Data
Customer Extension Data is an advanced feature of Tenable. The Customer Extension Data fields allow advanced users to specify key/value pairs for use in customized Patching Strategies, Deployment Channels, or Business Units when necessary to achieve different results.
Customer Extension Data fields relate directly to fields in a customized template. If you do not have customized templates with key/value pairs you can modify, you do not need to configure or use this feature.
If you want to create customized templates that use key/value pairs for some settings, contact Tenable Customer Support.
Content Prestaging Settings
The Content Prestaging feature deploys content to devices ahead of the scheduled deployment, either pushing content to a location or allowing a client to pull content. Prestaging content makes the content available on the device locally when the deployment time arrives. This reduces the deployment time and minimizes the chances of missing service windows or having devices going offline before a content download finishes.
You can create Content Prestaging Settings within the Patching Strategy, Business Unit, or Deployment Channel templates.
- Server Content Push: The Tenable server pushes the content to the best-suited sources in all locations that require it. Tenable recommends this type of prestaging when the Deployment Strategy targets only a subset of devices. High-availability machines receive the content and serve as local sources during discovery and deployment.
  - Not Enabled: Disables any prestaging as part of the Patching Process workflow or Patching Strategy.
  - Handled by System: The Tenable system handles the prestaging automatically and pushes the content to three automatically chosen devices in each office that requires it. The push happens as soon as a metadata update includes new content that meets the patching requirements.
  - Handled by Workflow: When enabled as part of a Patching Process, Deployment Channel, or Business Unit template, the content is pushed when the Patching Process deploys.
- Server Content Pull: This option lets any client that requires the content download and cache it before deployment. Suitable when a Deployment Strategy targets all clients that need the updated content.
  - Not Enabled: Disables any prestaging as part of the Patching Process workflow or Patching Strategy.
  - Handled by System: The Tenable system handles the prestaging automatically: every Client that requires the content pulls it from the Server and caches it ahead of any deployment.
  - Handled by Workflow: When enabled as part of a Patching Process, Deployment Channel, or Business Unit template, the Client pulls the content at deployment time.
Business Unit Addition Settings
When you add a new Business Unit to an enabled Patching Strategy that has already completed the current patching cycle, use the Business Unit Addition Settings to specify a parent Business Unit whose details (such as Patches and Patch Approval Settings) any Business Unit added to the Strategy will inherit.
The Business Unit you specify here supplies the patch approvals the Patching Strategy uses for any Business Units you add to the Strategy after it has run.
The Patching Process you select here must be the same process you identified in the Deployment Bot Runtime configuration of the Patching Strategy.