Tenable Patch Client Installation
The Tenable Patch Client must be installed on every device that is managed. The Tenable Client supports manual installation or a silent unattended installation. For complete coverage, the client agent setup can be added to a GPO-enforced startup script, the OS deployment process, and deployed using the peer-to-peer MSI. See Peer-to-Peer (P2P) MSI.
Client Installation Files
You can find the Tenable Patch Client installation media in the Installers folder of the compressed build files. For more information on the supported operating systems, refer to Supported Operating Systems, Software, Drivers, and BIOS.
Windows client full installer
windows\tenable-patch-client-p2p-<version>-windows.msi
Windows Installer-based application.
windows\tenable-patch-client-p2p-<version>-windows.msi
The Installer first attempts to find the Windows client installer on the local subnet, then downloads it from the specified location.
Debian and Ubuntu installation packages:
cross-platform/tenable-patch-client-<version>-amd64.deb
CentOS Stream and Red Hat Enterprise installation packages:
cross-platform/tenable-patch-client-<version>-1.el9.x86_64.rpm
MacOS installation package client installer:
cross-platform/tenable-patch-client-<version>-macOS.pkg
Note: The <version> represents the version number, which changes with each build release.
Client Installation Logs
In the case where an administrator needs to troubleshoot an Tenable Client installation, the table below contains the installation log locations. Other logs exist in the installation folder.
Standard client installation
%windir%\AdaptivaSetupLogs\Client\AdaptivaClientSetup.log
P2P MSI client installation
%windir%\AdaptivaSetupLogs\Client\AdaptivaP2PClientSetup.log
Cross Platform Client installation
Mac
/opt/tenable/patchclient/logs/adaptiva.log
Linux
sudo journalctl -u adaptivaclientd.service > .\AdaptivaClientdService.log
Full Installation for Windows
Manual Attended Installation
Use this method on a one-off basis during testing, initial rollout or to supplement automatic deployment.
-
Execute the tenable-patch-client-<version>-windows.exe as Administrator, found in the installation source folder.
-
At the Tenable Patch Management Client Installer dialog, verify or change the following installation options, and then select Install.
Client Install Path
Directory where you install the Tenable Client.
Server Bindings
Specify one of the following:
-
Server Host Name or IP Address - The fully qualified domain name or IP address of the TPM server.
-
Optional – Client Authorization Password - Check the Use Password For Installation checkbox and enter the password provided by your TPM Administrator.
Note: You can find the password in the Admin Portal under Settings > Client Authorization.
Server’s GUID
Enter the Server GUID provided by your TPM Administrator. This option is required for Tenable Patch Management.
Note: You can find the password in the Admin Portal under Settings > Server Activation.
Enable Wake On LAN
Allows the client to be woken up using peer-to-peer WOL.
Add/Remove Programs Entry
Adds an entry allowing for uninstallation of the client agent from the Control Panel.
Add Windows Firewall Exception
Adds exceptions to the local Windows Firewall for the default client ports, refer to Communication and Network Requirements for a list of these ports.
-
-
Click Install.
The client is installed and then the installer runs the Adaptiva Client Validator.
Adaptiva Client Validator
The Adaptiva Client Validator verifies the connectivity requirements for the client.
If all checks pass (or are not applicable), then the client is fully online and ready to be managed. If any of the checks fail, you can make the appropriate firewall or network configurations and then rerun the Client Validator tool from the Tenable client installation location (C:\Program Files\Tenable\PatchClient\bin\AdaptivaClientValidator.exe).
Validation check detail
The following describes the validation checks being performed:
-
HTTP Connection: Verifies the client can connect with cloud services.
-
Cloud Relay Connection: Verifies the client can connect to the cloud relay system. The TPM Server must be activated for this check to pass.
-
Client-Server Messaging: Verifies the client can send and receive messages to the TPM Server.
-
Client-Server Handshake: Verifies the client can successfully perform a handshake with the TPM Server and has obtained a client id.
-
Client to Client: Checks if the client has peers in the office and verifies connectivity with those clients.
-
Content Download: Verifies that the client can download a sample package of 8 bytes.
Unattended Installation EXE Command Line Parameters
In some cases, an administrator may want to use an unattended method to install the Tenable Patch Management Client. The table below describes the command line parameters available for the Windows client installer.
| Required Parameters | Usage |
|---|---|
| -cleaninstall |
Uninstalls the existing client installation and cleanly installs a new copy of the client. |
| -installorupgrade | Installs the Tenable Client or upgrades the existing client. |
| -uninstall | Uninstalls the Tenable Client. |
| -servername <servername> | FQDN of the Tenable Server. |
| -serverIP <server IP> | IP address of the Tenable Server. |
| -serverguid <GUID> | The GUID of the TPM Server can be provided by the TPM administrator. This property is required when specifying the -cloudrelay. |
| -cloudrelay> | This property is required for Tenable Patch Management server installations. It enables the client to use the Cloud Relay Service to connect when off-premises. |
| Optional Parameters | Usage |
|---|---|
| -custompacurl <URL of PAC file> | The installer will access the PAC file to gather the proxy information. |
| -customproxy <server>:<port>:<scheme> | The installer will use the information to access the proxy when trying to contact Cloud Services. (e.g., -customproxy 10.10.10.1:9000:http) |
| -customproxybypass <server1>;<server2>;<server3> | When -customproxy is used the servers included in the custom proxy bypass list is excluded from using the proxy. |
| -delay <seconds> | Delays the starting of the installation executable. |
| -folder <folder path> | The desired installation path. By default, the Tenable Client is installed under: %ProgramFiles%\Tenable\PatchClient |
| -mem <memorysize> | Maximum Java heap size, in MB (defaults to 256). |
| -noarp | The installer will NOT create an entry in Add/Remove Programs. |
| -nocachedel | This parameter can be used with the options: -uninstall or -cleaninstall. If this parameter is used the cache will not be deleted. |
| -nofirewall | The installer will NOT create Windows Firewall rules for the Tenable Client. |
| -nomif | The installer will not send ConfigMgr MIF status in the case of any errors found during installation. |
| -nowol | Specify this option to disable Wake on LAN. By default, the Tenable Client enables Windows Wake on LAN settings on all the network cards installed in the machine. |
| -password <provided password> | Provides additional security. Enter the password that was created on the Tenable Server. |
| -preferuserproxy true | false | When preferuserproxy is true the proxy settings are obtained from the Internet Explorer settings. Defaults to false. |
| -serverurl <server-url:port> | Tells the client to communicate to the Tenable Server with HTTP instead of using UDP. |
| -tenantguid | Use this to access the Managed Services Provider (MSP) functionality and create and maintain multi-tenant environments. |
Peer-to-Peer (P2P) MSI
Peer-to-Peer (P2P) MSI The Tenable Client P2P MSI installer reduces the bandwidth required for the distribution of the Tenable agent. Using the Tenable Client P2P MSI installer, the Tenable Client can be pushed using a group policy, a startup script, SysInternals psexec, or any other remote execution method available.
Once executed, the Tenable P2P Client MSI installs the full Tenable Client. The MSI does not contain the full client installation. Instead, the MSI – which is specific to a particular version of the Tenable Client agent – first looks for the Tenable Client on a peer system in the same subnet with the correct version. If it finds a device with the correct version, it retrieves the setup executable tenable-patch-client-<version>-windows.exe from that local client and installs the Tenable Client from that executable. If it cannot find a peer with the correct version, the MSI retrieves the executable tenable-patch-client-<version>-windows.exe from a UNC or URL path specified on the command line. If multiple systems run the MSI simultaneously and none of them find the correct version of the client locally, an election takes place among those clients. Only the winner of the election downloads the executable from UNC or URL path, and it then makes the executable available to the other client systems.
Note: Ensure that the installation account executing the MSI has read and execute access at the destination UNC path.
The Tenable P2P Client MSI can be used interactively or as a completely silent installer with no user interaction.
The P2P installer is named tenable-patch-client-p2p-<version>-windows.msi and is in the compressed .zip product download source.
Manual Attended Installation
-
Locate the tenable-patch-client-p2p-<version>-windows.msi executable file on your machine and double-click it to execute.
The Tenable Peer To Peer Client Installer Setup dialog appears:
-
Select Next to initiate the setup.
The Install, update, clean, or remove installation dialog appears:
-
Select Install or Upgrade.
The Ready to Install or Upgrade dialog appears:
-
Select Install or Upgrade, and then select Finish to exit the installer setup wizard.
The other options perform the following tasks:
-
Update - Upgrades the existing client to the version of the p2p client installer.
-
Clean - Uninstalls the existing client, and then installs the Windows client.
-
Uninstall - Uninstalls the Windows client.
Unattended Installation MSI Command Line Parameters
The following table contains the MSI properties valid for the P2P client installer.
Note: Be sure to enter these properties on the command line as <PROPERTY>=<Value>.
| Required Properties | Value | Description |
|---|---|---|
| SERVERIP | SERVERNAME |
IP address of server or server name. |
The Tenable Server that this client will report to. SERVERIP takes precedence over SERVERNAME if both are specified. |
| SOURCEUNCPATH | SOURCEURLS | <UNC path of source>\tenable-patch-client-<version>-windows.exe -or- URL address of tenable-patch-client-<version>-windowsTenableClientSetup.exe | SOURCEUNCPATH: The location to download the client installer from if it cannot be found in the local office. The account executing the installation must have at least read access to the UNC path. SOURCEURLS: The list of Source CDN URLs (where each SOURCE URL is separated by '<' character) from where the P2P installer downloads the tenable-patch-client-<version>-windows.exe by HTTP protocol in case it is not available in the local office. |
| CLOUDRELAY |
1: Use the cloud relay feature 0: Do not use the cloud relay feature (default) |
When enabled, allows the client to communicate with the Cloud Relay server. Include the SERVERGUID property. |
| SERVERGUID |
GUID of the Tenable Server |
The GUID of the Tenable can be provided by the Tenable Admin. Required when the client is on the internet. This property can only be used if CLOUDRELAY=1. |
| Optional Properties | Value | Description |
|---|---|---|
| ARPSYSTEMCOMPONENT |
1: suppresses creation 0: does not suppress creation (default) |
Suppresses the creation of an Add/Remove Program entry for the actual Tenable Client. The P2P MSI creates a hidden Add/Remove Program entry for itself named Tenable Peer to Peer Client Installer. |
| CLEANINSTALL |
1: performs a clean installation 0: perform an InstallOrUpgrade installation (default) |
Uninstalls the existing client installation and cleanly installs a new copy of the client. If not specified, the InstallorUpgrade option is used by default. |
| MEM |
<memory in MB> |
The amount of memory in MB to be used by the Tenable Client. Defaults to 256 MB. |
| CUSTOMPACURL |
<URL of PAC file> |
The installer will access the PAC file to gather the proxy information. |
| CUSTOMPROXY |
<server>:<port>:<scheme> |
The installer will use the information to access the proxy when trying to contact Cloud Services. (e.g., -customproxy 10.10.10.1:9000:http) |
| CUSTOMPROXYBYPASS |
<server1>;<server2>;<server3> |
When -customproxy is used, the servers included in the custom proxy bypass list is excluded from using the proxy. |
| NOCACHEDEL |
1: cache is preserved 0: cache is deleted during uninstallation (default) |
Preserves the Client cache after uninstallation. This property is only valid when used in conjunction with the UNINSTALL property. |
| NOFIREWALL |
1: does not create any firewall exceptions 0: creates firewall exception (default) |
Disables creating exceptions in the Windows Firewall for the Tenable Client Installer. |
| NOLOGGING |
1: only FATAL errors are logged, but no other logging is done 0: normal INFO logging (default) |
Controls the logging level during the client install. Only logging fatal errors is helpful if the client system uses shared storage and to minimize logging. |
| NOWOL |
1: disables WoL 0: enables WoL (default) |
Disabled Wake-on-LAN |
| PASSWORD |
Password provided by Tenable Admin |
The password is entered by Tenable Admin in the workbench to ensure only authorized connections. This property can only be used if CLOUDRELAY=1. |
| PREFERUSERPROXY |
true | false |
When preferuserproxy is true the proxy settings are obtained from the internet explorer settings. Defaults to false. |
| SERVERURL |
Server FQDN URL:port |
Tells the client to communicate to the Tenable Server with HTTP, instead of using UDP. |
| TARGETDIR |
<path of desired install folder> |
The installation folder of the Tenable Client. Defaults to %SystemDrive\Program Files\Tenable or %SystemDrive%\Program Files (x86)\Tenable. |
| TENANTGUID |
Tenant GUID provided by the Tenable administrator. |
Use this to access the Managed Services Provider (MSP) functionality and create and maintain multi-tenant environments. |
| UNINSTALL |
1: performs an uninstallation 0: performs an installation (default) |
Ignores all other properties and performs an uninstallation of the Tenable Client. |
| WAITFORCOMPLETION |
1: the MSI installer waits for the client installation to finish 0: the MSI will not wait for the Tenable Client installation to be completed (default) |
Specifies whether the Tenable P2P Client Installer MSI will wait until the installation completes. |
| WANBYTESPERSECOND |
X: bytes per second 0: Unlimited (default) |
The maximum download speed that is used while downloading the Tenable Client Installer exe over the WAN from the SOURCEUNCPATH. |
Installation command line examples
To deploy the Tenable P2P Client Installer, the only file needed for the package source is tenable-patch-client-p2p-<version>-windows.msi which can be found in the Tenable installation source. The tenable-patch-client-<version>-windows.exe must be accessible from a Share or a URL.
Install with Server Share Source and secondary Internet Source:
Msiexec.exe /I tenable-patch-client-p2p-<version>-windows.msi /qn SERVERNAME=Server.domain.com SOURCEUNCPATH=\\ServerFQDN\TenableClient\tenable-patch-client-<version>-windows.exe WAITFORCOMPLETION=1
Uninstall and leave the files in the AdaptivaCache folder:
Msiexec.exe /I tenable-patch-client-p2p-<version>-windows.msi /q UNINSTALL=1 NOCACHEDEL=1
Note: Include the following switches as required if you use the Cloud Relay service or HTTP client communications: Cloud Relay service: CLOUDRELAY=1, SERVERGUID=<GUID> HTTP communications: SERVERURL=<ServerURL:port>
In the Admin Portal in
Settings > Server Activation.On the in HKLM\Software\Adaptiva\server\client_data_manager.server_guid
Uninstall and leave the files in the AdaptivaCache folder:
Msiexec.exe /I tenable-patch-client-p2p-<version>-windows.msi /q UNINSTALL=1 NOCACHEDEL=1
Note: The uninstall command line uninstalls any version of the Tenable Client. Using the standard Windows Installer uninstall parameter (/x) only uninstalls the specific version of the Tenable Client corresponding to the version of the MSI – the MSI packaged with each version of the product is specific to that client version.
Client Installation on Linux or MacOS
You can install the Tenable Patch client on Linux and MacOS by installing the appropriate package and running the adaptivactl setup command. The setup command will install the TPM client, configure firewall rules, and run post-installation checks to ensure functionality. The setup progress will print to the terminal and exit with a 0 exit-code if successful. If the client setup fails for any reason, it will exit with a non-zero exit-code.
The adaptivactl setup command checks for port availability before client setup. If a firewall is detected, setup will create firewall rules using the appropriate application: ufw with the DEB package, firewalld with the RPM package, and socketfilterfw with the MacOS package.
The client will now run post-setup checks to confirm connectivity with the server and other services. The setup will wait for these checks to be completed. You can skip these checks using the --skip-connection-checks flag.
There are several different installation packages provided for cross-platform device installations. Be sure to use the correct one for your operating system. Locate the installers\cross-platform folder in the downloaded .zip file. Replace <version> with the appropriate version.
Note: When installing the cross-platform client for the Tenable Patch Management Cloud tenant, refer to SaaS Client Installation for more information on installing the cross-platform client.
Linux Installation
-
Open a Command terminal window, then run the following command to execute the package:
-
CentOS, RHEL - sudo dnf install ./tenable-patch-client-<version>-1.el9.x86_64.rpm
-
Debian, Ubuntu - sudo apt install ./tenable-patch-client-<version>-amd64.deb
Note: When running the apt install interactively, you may ignore the following message if returned: N: Download is performed unsandboxed as root as file ‘/<path-to-install-package>’ couldn’t be accessed by user ‘_apt’. – pkgAcquire::Run (13: Permission denied)
-
-
Run the following adaptivactl command in setup mode to configure the client:
-
sudo /opt/tenable/patchclient/bin/adaptivactl setup <flags>
Note: The --server flag is required, and all other flags are optional. See the following table for the available parameters. Example: sudo /opt/tenable/patchclient/bin/adaptivactl setup --server server.corp.example --server-guid 1cb07a9e-a88c-4db2-8fe3-2eb7748545d6
-
-
Once the client installation is completed, the client will perform a series of connection checks
-
[info] Running connection checks…
-
[info] The connection check ‘HTTP Connection’ has started
-
[info] The connection check ‘HTTP Connection’ has passed
-
-
When the connection checks are completed, the Patch Client is fully online and ready to be managed.
MacOS Installation
-
Open a Command terminal window, then run the following command to execute the package:
-
sudo installer -tgt / -pkg ./tenable-patch-client-<version>-macOS.pkg
-
-
Run the following adaptivactl command in setup mode to configure the client:
-
sudo /opt/tenable/patchclient/bin/adaptivactl setup <flags>
Note: The --server flag is required, and all other flags are optional. See the following table for the available parameters. Example: sudo /opt/tenable/patchclient/bin/adaptivactl setup --server tpmserver.corp.example --server-guid 1cb07a9e-a88c-4db2-8fe3-2eb7748545d6
-
-
Once the client installation is completed, the client will perform a series of connection checks
-
[info] Running connection checks…
-
[info] The connection check ‘HTTP Connection’ has started
-
[info] The connection check ‘HTTP Connection’ has passed
-
-
When the connection checks are completed, the Patch Client is fully online and ready to be managed.
adaptivactl command line parameters
| Required Flag | Value |
|---|---|
| --server <hostname> | <ip address> | url:port |
IP Address, hostname, or URL of the Tenable Server to which the client reports to. |
| --server-guid <guid> |
The GUID of the Tenable Server to use to connect to the server using the Cloud Relay server. If absent the cloud relay will not be used. |
| Optional Flags | Value |
|---|---|
| --auth-secret <secret> |
The client authentication secret to use to authenticate with the server. If absent, no authentication is performed with the server. |
| --proxy <scheme>://<host>:<port> |
The HTTP proxy to use. Has the format <scheme>://<host>:<port>. If absent, the system-wide proxy is used if configured. |
| --tenant-guid <guid> |
The Tenant GUID used in multi-tenant environments. |
| --cloud-tenant-id <tenant id> |
The ID of the cloud tenant in cloud-hosted environments. |
| --system-config <property>=<value> |
A system config value to set during setup. Has the format <property>=<value>. This flag may be repeated multiple times. |
| --skip-firewall-rules> |
Skip the creation of firewall rules. |
| --skip-connection-checks> |
Skip the post-setup connection checks. |
Examples
Direct server using an IP address, an HTTP proxy, and a custom system config:
sudo /opt/tenable/patchclient/bin/adaptivactl setup --server 198.50.100.241 --proxy http://198.50.100.3:8080 --system-config onesite.server_message_retry_interval=60
Server using cloud relay, hostname, client authentication:
sudo /opt/tenable/patchclient/bin/adaptivactl setup --server server.corp.example --server-guid 1cb07a9e-a88c-4db2-8fe3-2eb7748545d6
Modify system configuration:
The adaptivactl command can also be used to read and write system config values using the config operation.
The following command reads the value of a system config property:
sudo /opt/tenable/patchclient/bin/adaptivactl config get <property>
The following command sets the value of a system config property:
sudo /opt/tenable/patchclient/bin/adaptivactl config set <property> <value>
Cross Platform Upgrade
If you need to upgrade existing cross-platform clients to a newer version manually, perform package upgrades using the following commands. For more information on the supported operating systems, refer to Supported Operating Systems, Software, Drivers, and BIOS.
Debian / Ubuntu
sudo apt install ./tenable-patch-client-9.3.968.19-amd64.deb
CentOS / RHEL
sudo dnf upgrade ./tenable-patch-client-9.3.968.19-1.el9.x86_64.rpm
MacOS
sudo installer -tgt / -pkg ./tenable-patch-client-9.3.968.19-macOS.pkg
Note: Due to an issue in the 9.2.967 RPM packages, upgrading from 9.2.967 to 9.3.968 or later requires the following commands: sudo dnf upgrade ./tenable-patch-client-9.3.968.19-1.el9.x86_64.rpm and sudo systemctl enable --now adaptivaclientd.service