Exceptions

Patching Exceptions allow teams to define exceptions for specific business units or environments, create multiple exceptions under a single policy, and more. This means you can manage exceptions for several patches or products simultaneously.

Patching Exceptions

When Business Units require exemption from specific updates on certain products, or the entire enterprise must remain at a specific version of a product, Patching Exceptions provide a mechanism for creating and implementing these rules.

Product Exceptions

Product Exceptions allow you to set Desired State Overrides for chosen products within a desired business unit. For instance, if you want to ensure a product is not installed on client devices in your specified business unit, you can add it to Desired State Override > Do Not Install.

Desired State Override Options

Desired State Override options are available for both Patching and Product exceptions. Below is a description of each option.

  • Mandatory Install: Allows client devices to treat the product as mandatory for installation purposes.

  • Do Not Install: Allows client devices to block the installation of a particular product.

  • Rollback: Forces a rollback to a specific product version on a client device when Tenable Patch Management detects a later product version than allowed.

  • Uninstall: Removes the product from client devices in the specified Business Unit.

Last Allowed Version

Last Allowed Version is only available for Patching Exceptions as an additional Override Strategy.

When specified, Last Allowed Version lets you choose, for each product, a version that patches will not update the product past.

For example, if you want to ensure your Java (JDK) version does not go beyond version 17, you can add Java 17 to the list of Last Allowed Version Patches in your Patching Exception. This ensures a version beyond 17 is not installed.

Create a Patching Exception

  1. Select Advanced Settings > Flex Controls > Exceptions > Patches.

  2. Select +New on the upper-right to open a Patching Exception template.

  3. Enter a unique Name.

  4. Enter a detailed Description of the purpose for this exception.

  5. Select Set Last Allowed Patch Versions for your Override Strategy.

  6. Select +Browse.

    • Enter a product name in the search line, and then select Search. This example uses Google Chrome.

    • Select the product from the list, and then select OK.

  7. Select +Browse next to Target Business Units.

  8. Select one or more Business Units to include in the Patching Exception.

  9. Select OK.

  10. Select Save.